Pages

Monday, August 14, 2017

DoublePulsar SMB implant detection from Volatility

In the last months there have been various groups of attackers as well as script kiddies that have been using the FuzzBunch Framework to compromise systems.

In a recent incident while I was analyzing a memory dump It took me some time to identify that the infection vector was EternalBlue. Once I found the ring 0 shellcode (related to DoublePulsar) I was able to approach the analysis more easily. To expedite this process for future analysis I have developed a dummy plugin to make easy to find this implant.

The plugin is not based on Yara rules. It just dumps the array of functions pointers SrvTransaction2DispatchTable from the srv.sys driver and checks that all of them points to the binary address space (take a look at the nice Zerosum0x0 analysis). Note that although the plugin dumps the whole table it would really only be necessary to verify that the SrvTransactionNotImplemented symbol points to the correct place.

The plugin resolves SrvTransaction2DispatchTable by getting the .pdb path from the debug directory section and downloads it from http://msdl.microsoft.com/download/symbols (or the server you provide with the SYMBOLS option). Once it gets the symbol offset it just dumps the array of pointers. If SrvTransactionNotImplemented (entry 14) points to an "unknown" location possibly your are dealing with DoublePulsar. It that case volshell and dis() will clear up any doubts.

Let see an example. The following image comes from a Windows 7 SP1 x64 host which has been attacked with EternalBlue + DoublePulsar:


By checking the code at the "UNKNOWN" location we can verify that we are dealing with DoublePulsar. Note the operation opcodes 0x23 (ping), 0xc8 (exec), 0x77 (kill).


In the previous case the symbol file has been downloaded from Microsoft. If your host does not have Internet connection you can provide the pdb file through the PDB_FILE option. I usually use Radare to get this.


To run the plugin be sure to have the following dependencies:
  •     construct: (pip install construct==2.5.5-reupload)
  •     pdbparse:  (pip install pdbparse)
  •     pefile: (pip install pefile)
  •     requests: (pip install requests)
  •     cabextract:  (apt-get install cabextract)
Here the full scene:


The plugin code is available in https://github.com/BorjaMerino/DoublePulsar-Volatility

2 comments:

  1. how did you know the opcode for ping? is there a database somewhere? great entry!

    ReplyDelete
  2. Hi,
    take a look at the Zerosum0x0 analysis (Step 5): https://zerosum0x0.blogspot.com.es/2017/04/doublepulsar-initial-smb-backdoor-ring.html

    There you can find the opcodes used by the payload.
    Regards

    ReplyDelete