Book Image

Windows APT Warfare

By : Sheng-Hao Ma
5 (2)
Book Image

Windows APT Warfare

5 (2)
By: Sheng-Hao Ma

Overview of this book

An Advanced Persistent Threat (APT) is a severe form of cyberattack that lies low in the system for a prolonged time and locates and then exploits sensitive information. Preventing APTs requires a strong foundation of basic security techniques combined with effective security monitoring. This book will help you gain a red team perspective on exploiting system design and master techniques to prevent APT attacks. Once you’ve understood the internal design of operating systems, you’ll be ready to get hands-on with red team attacks and, further, learn how to create and compile C source code into an EXE program file. Throughout this book, you’ll explore the inner workings of how Windows systems run and how attackers abuse this knowledge to bypass antivirus products and protection. As you advance, you’ll cover practical examples of malware and online game hacking, such as EXE infection, shellcode development, software packers, UAC bypass, path parser vulnerabilities, and digital signature forgery, gaining expertise in keeping your system safe from this kind of malware. By the end of this book, you’ll be well equipped to implement the red team techniques that you've learned on a victim's computer environment, attempting to bypass security and antivirus products, to test its defense against Windows APT attacks.

Related Content you might be interested in

Current Title:

Small book image
Windows APT Warfare
Sheng-Hao Ma
Mar, 2023 | 258 pages
No titles found
Table of Contents (17 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
Download a free PDF copy of this book
1
Part 1 – Modern Windows Compiler
Part 1 – Modern Windows Compiler
Free Chapter
2
Chapter 1: From Source to Binaries – The Journey of a C Program
Chapter 1: From Source to Binaries – The Journey of a C Program
The simplest Windows program in C
C compiler – assembly code generation
Assembler – transforming assembly code into machine code
Compiling code
Windows linker – packing binary data into PE format
Running static PE files as dynamic processes
Summary
3
Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing
Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing
Sample programs
The memory of the static contents of PE files
PE Parser example
Dynamic file mapping
PE infection (PE Patcher) example
tinyLinker example
Examples of process hollowing
PE files to HTML
Summary
4
Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information
Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information
Sample programs
Function calling convention
Thread Environment Block (TEB)
Process Environment Block
Examples of process parameter forgery
Examples of enumerating loaded modules without an API
Examples of disguising and hiding loaded DLLs
Summary
5
Part 2 – Windows Process Internals
Part 2 – Windows Process Internals
6
Chapter 4: Shellcode Technique – Exported Function Parsing
Chapter 4: Shellcode Technique – Exported Function Parsing
Sample programs
EATs in PE
Examples of a DLL file analyzer
Examples of writing shellcode in x86
A shellcode generator in Python
Summary
7
Chapter 5: Application Loader Design
Chapter 5: Application Loader Design
Import Address Table in PE
Import API analyzer example
Examples of IAT hijack
DLL side-loading example
Summary
8
Chapter 6: PE Module Relocation
Chapter 6: PE Module Relocation
Relocation table of PE
tinyLoader example
Summary
9
Part 3 – Abuse System Design and Red Team Tips
Part 3 – Abuse System Design and Red Team Tips
10
Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode
Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode
The open source project pe_to_shellcode analysis
Summary
11
Chapter 8: Software Packer Design
Chapter 8: Software Packer Design
What is a software packer?
Packer builder
Stub – the main program of an unpacker
Examples of software packers
Summary
12
Chapter 9: Digital Signature – Authenticode Verification
Chapter 9: Digital Signature – Authenticode Verification
Authenticode digital signatures
Signature verification
Examples of mock signatures
Examples of bypassing hash verification
Examples of signature steganography
Getting signed by abusing path normalization
Summary
13
Chapter 10: Reversing User Account Control and Bypassing Tricks
Chapter 10: Reversing User Account Control and Bypassing Tricks
UAC overview
RAiLaunchAdminProcess callback
Two-level authentication mechanism
Elevated privilege conditions
Examples of bypassing UAC
Summary
14
Index
Index
Why subscribe?
15
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts
Download a free PDF copy of this book
Appendix – NTFS, Paths, and Symbols
Appendix – NTFS, Paths, and Symbols
Win32 and NT path specification

C compiler – assembly code generation

What is intriguing to understand in the previous section is the reason the compiler understands this C code. First, the main task for the compiler is to convert the C code into assembly code according to the C/C++ calling convention, as shown in Figure 1.1:

Figure 1.1 – x86 calling convention

Figure 1.1 – x86 calling convention

Important note

For convenience and practicability, the following examples will be presented with x86 instructions. However, the methods and principles described in this book are common to all Windows systems, and the compiler examples are based on GNU Compiler Collection (GCC) for Windows (MinGW).

As different system functions (and even third-party modules) have the expected in-memory access to the memory level of the assembly code, there are several mainstream application binary interface (ABI) calling conventions for ease of management. Interested readers can refer to Argument Passing and Naming Conventions by Microsoft (https://docs.microsoft.com/en-us/cpp/cpp/argument-passing-and-naming-conventions).

These calling conventions mainly deal with several issues:

  • The position where the parameters are placed in order (e.g., on a stack, in a register such as ECX, or mixed to speed up performance)
  • The memory space occupied by parameters if parameters are need to be stored
  • The occupied memory to be released by the caller or callee

When the compiler generates the assembly code, it will recognize the calling conventions of the system, arrange the parameters in memory according to its preference, and then call the memory address of the function with the call command. Therefore, when the thread jumps into the system instruction, it can correctly obtain the function parameter at its expected memory address.

Take Figure 1.1 as an example: we know that the USER32!MessageBoxA function prefers WINAPI calling conventions. In this calling convention, the parameter content is pushed into the stack from right to left, and the memory released for this calling convention is chosen by the callee. So after pushing 4 parameters into the stack to occupy 16 bytes in the stack (sizeof(uint32_t) x 4), it will be executed in USER32!MessageBoxA. After executing the function request, return to the next line of the Call MessageBoxA instruction with ret 0x10 and release 16 bytes of memory space from the stack (i.e., xor eax, eax).

Important note

The book here only focuses on the process of how the compiler generates single-chip instructions and encapsulates the program into an executable file. It does not include the important parts of advanced compiler theory, such as semantic tree generation and compiler optimization. These parts are reserved for readers to explore for further learning.

In this section, we learned about the C/C++ calling convention, how parameters are placed in memory in order, and how memory space is released when the program is finished.

Previous Section
End of Section 3
Next Section