PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

Overview

TiEtwAgent - ETW-based process injection detection

msbuild

This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent utilizes Microsoft-Windows-Threat-Intelligence event tracing provider, as a more modern and stable alternative to Userland-hooking, with the benefit of Kernel-mode visibility.

The project depends on the microsoft/krabsetw library for ETS setup and consumption.

An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection

gif

Adding new detections

Detection functions can be easily added in DetectionLogic.cpp, and called from detect_event(GenericEvent evt) for any source event type. Support for new event fields can be easily added by appending their name to the map in GenericEvent class declaration.

Setup instructions

Assuming you do not have a Microsoft-trusted signing certificate:

  • Put your machine in the test signing mode with bcdedit
  • Generate a self-signed certificate with ELAM and Code Signing EKU
  • Sign TiEtwAgent.exe and your ELAM driver with the certificate
  • ./TiEtwAgent install
  • net start TiEtwAgent
  • Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt

TODO

  • PPL Service, event parsing
  • First detection
  • Detection lifecycle
  • Risk based lifecycle

PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver

Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html

You might also like...
Security product hook detection

HookDump EDR function hook dumping Please refer to the Zeroperil blog post for more information https://zeroperil.co.uk/hookdump/ Building source In o

You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery
You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery

YOLT You Only Look Twice: Rapid Multi-Scale Object Detection In Satellite Imagery As of 24 October 2018 YOLT has been superceded by SIMRDWN YOLT is an

WhyNotWin11 - Detection Script to help identify why your PC isn't Windows 11 ready
WhyNotWin11 - Detection Script to help identify why your PC isn't Windows 11 ready

Detection Script to help identify why your PC isn't Windows 11 ready

Sqrt OS is a simulation of an OS scheduler and memory manager using different scheduling algorithms including Highest Priority First (non-preemptive), Shortest Remaining Time Next, and Round Robin.
Sqrt OS is a simulation of an OS scheduler and memory manager using different scheduling algorithms including Highest Priority First (non-preemptive), Shortest Remaining Time Next, and Round Robin.

A CPU scheduler determines an order for the execution of its scheduled processes; it decides which process will run according to a certain data structure that keeps track of the processes in the system and their status. A process, upon creation, has one of the three states: Running, Ready, Blocked (doing I/O, using other resources than CPU or waiting on unavailable resource).

Remote Download and Memory Execute for shellcode framework
Remote Download and Memory Execute for shellcode framework

RmExecute Remote Download and Memory Execute for shellcode framework 远程下载并内存加载的ShellCode框架,暂不支持X64 参(抄)考(袭)项目 windows下shellcode提取模板的实现 主要抄袭来源,直接使用这位大佬

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

A fast image processing library with low memory needs.

libvips : an image processing library Introduction libvips is a demand-driven, horizontally threaded image processing library. Compared to similar lib

Bytehound - a memory profiler for Linux
Bytehound - a memory profiler for Linux

Bytehound - a memory profiler for Linux Features Can be used to analyze memory leaks, see where exactly the memory is being consumed, identify tempora

WAFer is a C language-based software platform for scalable server-side and networking applications. Think node.js for C programmers.

WAFer WAFer is a C language-based ultra-light scalable server-side web applications framework. Think node.js for C programmers. Because it's written i

Comments
  • Is this still working ?

    Is this still working ?

    The service is running and in process explorer I can see it is marked as PsProtectedSignerAntimalware-Light but nothing is in C:\Windows\Temp\TiEtwAgent.txt, the file doesn't even exist.

    Is everything logged, I triggered a Meterpreter payload on the machine hoping that would force event generations and have the logfile created. It didn't work. Any debug logs ? dbgview or other ?

    Here is the output I am getting:

    C:\Users\pussinboots\Desktop>TiEtwAgent.exe install
    TiEtwSensor: Installing the Early Launch Anti-Malware drivers
    TiEtwSensor: Opening driver file: elam_driver.sys
    TiEtwSensor: ELAM driver has been installed successfully
    TiEtwSensor: Installing the agent service
    TiEtwSensor: Service 'TiEtwAgent' already exists
    
    C:\Users\pussinboots\Desktop>TiEtwAgent.exe uninstall
    TiEtwSensor: Uninstalling the service
    TiEtwSensor: ControlService(Stop) Error: 5
    

    It appears I can not remove it anymore. Does a process need to be PPL to uninstall it ?

    Awesome project though ! Thanks so much for sharing !!

    good first issue question 
    opened by pussinboots1992 5
  • System error 577?

    System error 577?

    Hello,

    I have been trying to make this work. I am successfully installing the service but when I do net start TiEtwAgent I am getting the issue in the below screenshot

    image

    This is Windows 10 pro 19044.1237, obvsiouly in testsigning mode.

    opened by trickster0 3
C/C++ Windows Process Injector for Educational Purposes.

ProcessInjector C/C++ Windows Process Injector for Educational Purposes. What does this software do? This is a simple process injector that uses the C

Berat Çağrı Eroğlu 8 May 3, 2022
POCs for Shellcode Injection via Callbacks

Callback_Shellcode_Injection POCs for Shellcode Injection via Callbacks. Working APIs 1, EnumTimeFormatsA Works 2, EnumWindows Works 3, EnumD

Chaitanya Haritash 316 Nov 11, 2022
Beacon Object File (BOF) for remote process injection via thread hijacking

cThreadHijack ___________.__ .______ ___ .__ __ __ ___\__ ___/| |_________ ____ _____

Connor McGarr 154 Nov 28, 2022
Section Mapping Process Injection (secinject): Cobalt Strike BOF

Section Mapping Process Injection (secinject): Cobalt Strike BOF Beacon Object File (BOF) that leverages Native APIs to achieve process injection thro

null 76 Dec 1, 2022
Applications based on Wi-Fi CSI (Channel state information), such as indoor positioning, human detection

ESP-CSI The main purpose of this project is to show the use of ESP-WIFI-CSI. The human body detection algorithm is still being optimized. You can get

Espressif Systems 304 Nov 30, 2022
Panda - is a set of utilities used to research how PsExec encrypts its traffic.

Panda Panda - is a set of utilities used to research how PsExec encrypts its traffic. Shared library used to inject into lsass.exe process to log NTLM

Pavel 11 Jul 17, 2022
Hybrid Detect demonstrates CPU topology detection using multiple intrinsic and OS level APIs.

Hybrid Detect Hybrid Detect demonstrates CPU topology detection using multiple intrinsic and OS level APIs. First, we demonstrate usage of CPUID intri

null 35 Nov 28, 2022
A 2D collision detection and physics library written in C.

A 2D collision detection and physics library written in C. WARNING: This library is in an early alpha stage, use it at your own risk. Documentation —

c-krit 84 Nov 30, 2022
PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)

wowInjector Inject payload to WOW64(Windows 32 on Windows 64) process via exploit 32-bit thread snapshot. This trick makes us possible to do malicious

Sheng-Hao Ma 145 Nov 9, 2022
PoC for generating a bunch of C structs

janet-generate-structs PoC for generating a bunch of C structs Currently not possible to run as-is on other machines. trystuff.janet -- uses jpm's cge

null 6 Feb 10, 2022