{"id":507,"date":"2013-09-18T09:01:32","date_gmt":"2013-09-18T09:01:32","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=507"},"modified":"2013-09-18T09:09:18","modified_gmt":"2013-09-18T09:09:18","slug":"malware-ideas-and-concepts-rattling-in-my-head","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2013\/09\/malware-ideas-and-concepts-rattling-in-my-head\/","title":{"rendered":"Malware Ideas and concepts rattling in my head"},"content":{"rendered":"

Hello again loyal readers.<\/p>\n

I’ve had a lot of ideas rattling around in my head lately. Malware related things. For example, what if someone used Gopher for C&C? Who the hell uses gopher anymore?
\n\"gopher\"<\/a>
\nThe API’s for handling gopher, while deprecated, are still around. Though you would probably have to load it from an older Wininet.dll with LoadLibrary() from XP box.<\/p>\n

The API’s are still referenced \/ documented<\/a>.
\nMaybe I’ll get bored one day and make use of it.<\/p>\n

Then I have this idea for a conceptual malware attack using a little known Win32 API called SetProcessShutdownParameters. What it does is change the order in which the calling process gets shut down. Here is where my idea comes into play:<\/p>\n

What if the antivirus program doesn’t call SetProcessShutdownParameters()’s dwLevel to be shut down last in the shutdown range? Theoretically malware could set the shutdown range to be shutdown AFTER the AV, but BEFORE the OS. All processes start at shutdown level 0x280 (640 in decimal) before modification. This would present a window of opportunity for a piece of malicious code to execute after the AV has been closed. No reporting of this event would occur in the case of something like a Host Based Intrusion Detection System. The malware would need only sleep until the system is shutdown – I’ve already shown how this would be done with window hooks. <\/p>\n

Here is the code for messing with the function:<\/p>\n

<\/p>\n

\n
#include <windows.h><\/span>\r\n#include <stdio.h><\/span>\r\n\r\nint<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[])\r\n{\t\r\n\tSetProcessShutdownParameters(134<\/span>,0<\/span>);\r\n\tDWORD iLevel, iFlags;\r\n\tGetProcessShutdownParameters(&<\/span>iLevel, &<\/span>iFlags);\r\n\tprintf("Shutdown params level: 0x%X <\/span>\\t<\/span> Flags: 0x%X<\/span>\\r\\n<\/span>"<\/span>,iLevel, iFlags);\r\n\treturn<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Caveat? Applications that run in the system security context are not shut down by the OS, instead they are notified of shutdown \/ logoff events via the callback function installable via SetConsoleCtrlHandler()’s callback function.I haven’t had a chance to test this theory yet on an AV, but hope to do so in the coming weeks. <\/p>\n
Happy Cracking!
\n\"1375869774481\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Hello again loyal readers. I’ve had a lot of ideas rattling around in my head lately. Malware related things. For example, what if someone used Gopher for C&C? Who the hell uses gopher anymore? The API’s for handling gopher, while deprecated, are still around. Though you would probably have to load it from an older […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6],"tags":[48,67],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/507"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=507"}],"version-history":[{"count":7,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/507\/revisions"}],"predecessor-version":[{"id":516,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/507\/revisions\/516"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=507"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=507"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=507"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}