PoC memory injection detection agent based on ETW, for offensive and defensive research purposes

Overview

TiEtwAgent - ETW-based process injection detection


This project was created to research, build and test different memory injection detection use cases and bypass techniques. The agent consumes the Microsoft-Windows-Threat-Intelligence event tracing provider as a more modern and stable alternative to user-mode hooking, with the added benefit of kernel-mode visibility.

The project depends on the microsoft/krabsetw library for ETW session setup and event consumption.

An accompanying blog post can be found here: https://blog.redbluepurple.io/windows-security-research/kernel-tracing-injection-detection


Adding new detections

Detection functions can be added in DetectionLogic.cpp and called from detect_event(GenericEvent evt) for any source event type. Support for new event fields can be added by appending the field name to the map in the GenericEvent class declaration.
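The detection-function pattern described above, as an added example that is not TiEtwAgent's own code: a GenericEvent-style record whose fields live in a name-to-value map, two detection functions, and a detect_event dispatcher that hands every event to every detection. The event names (AllocVmRemote, ProtectVmRemote) and field names (CallingProcessId, TargetProcessId, ProtectionMask, LastProtectionMask) are assumptions chosen for illustration, not the project's or the TI provider's real schema; the sample events are constructed.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Event record in the style the README describes: a type plus a field-name map.
// Type and field names here are ASSUMED for illustration, not the project's schema.
struct GenericEvent {
    std::string type;
    std::map<std::string, uint64_t> fields;
    uint64_t get(const std::string& n) const { auto it = fields.find(n); return it == fields.end() ? 0 : it->second; }
};
struct Detection { std::string name; uint64_t source_pid; uint64_t target_pid; };
// Win32 page-protection values 0x10/0x20/0x40/0x80 are the executable ones.
static bool is_executable(uint64_t protect) { return (protect & 0xF0) != 0; }
// Detection: executable memory allocated by one process inside another process.
static bool detect_remote_exec_alloc(const GenericEvent& e, Detection& out) {
    if (e.type != "AllocVmRemote") return false;            // assumed event name
    uint64_t src = e.get("CallingProcessId"), dst = e.get("TargetProcessId");
    if (src == dst || !is_executable(e.get("ProtectionMask"))) return false;
    out = {"remote-executable-allocation", src, dst};
    return true;
}
// Detection: memory in another process flipped from non-executable to executable.
static bool detect_remote_protect_exec(const GenericEvent& e, Detection& out) {
    if (e.type != "ProtectVmRemote") return false;          // assumed event name
    uint64_t src = e.get("CallingProcessId"), dst = e.get("TargetProcessId");
    if (src == dst || is_executable(e.get("LastProtectionMask")) ||
        !is_executable(e.get("ProtectionMask"))) return false;
    out = {"remote-protection-to-executable", src, dst};
    return true;
}
// Dispatcher in the role of detect_event(): every detection sees every event.
std::vector<Detection> detect_event(const GenericEvent& e) {
    std::vector<Detection> hits;
    Detection d;
    if (detect_remote_exec_alloc(e, d)) hits.push_back(d);
    if (detect_remote_protect_exec(e, d)) hits.push_back(d);
    return hits;
}
// Constructed samples: PID 4242 allocating RWX memory in PID 1337 (should fire),
// and PID 1337 changing its own memory to RW (benign, should not fire).
GenericEvent sample_remote_rwx_alloc() {
    return {"AllocVmRemote", {{"CallingProcessId", 4242}, {"TargetProcessId", 1337},
                              {"ProtectionMask", 0x40}, {"RegionSize", 0x1000}}};
}
GenericEvent sample_local_rw_protect() {
    return {"ProtectVmRemote", {{"CallingProcessId", 1337}, {"TargetProcessId", 1337},
                                {"LastProtectionMask", 0x04}, {"ProtectionMask", 0x04}}};
}
```

A real agent would fill GenericEvent from the krabsetw event parser and write each Detection to the log file the setup section mentions.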

Setup instructions

Assuming you do not have a Microsoft-trusted signing certificate:

  • Put your machine in the test signing mode with bcdedit
  • Generate a self-signed certificate with ELAM and Code Signing EKU
  • Sign TiEtwAgent.exe and your ELAM driver with the certificate
  • ./TiEtwAgent install
  • net start TiEtwAgent
  • Look for logs, by default in C:\Windows\Temp\TiEtwAgent.txt

TODO

  • PPL Service, event parsing
  • First detection
  • Detection lifecycle
  • Risk based lifecycle

PS. If you do not want to write an ELAM driver, you can get one from https://github.com/pathtofile/PPLRunner/tree/main/elam_driver

Special thanks to @pathtofile for the post here: https://blog.tofile.dev/2020/12/16/elam.html

Issues
  • Is this still working ?

    The service is running and in process explorer I can see it is marked as PsProtectedSignerAntimalware-Light but nothing is in C:\Windows\Temp\TiEtwAgent.txt, the file doesn't even exist.

    Is everything logged? I triggered a Meterpreter payload on the machine hoping that would force event generation and have the logfile created. It didn't work. Any debug logs? dbgview or other?

    Here is the output I am getting:

    C:\Users\pussinboots\Desktop>TiEtwAgent.exe install
    TiEtwSensor: Installing the Early Launch Anti-Malware drivers
    TiEtwSensor: Opening driver file: elam_driver.sys
    TiEtwSensor: ELAM driver has been installed successfully
    TiEtwSensor: Installing the agent service
    TiEtwSensor: Service 'TiEtwAgent' already exists
    
    C:\Users\pussinboots\Desktop>TiEtwAgent.exe uninstall
    TiEtwSensor: Uninstalling the service
    TiEtwSensor: ControlService(Stop) Error: 5

    It appears I cannot remove it anymore. Does a process need to be PPL to uninstall it?

    Awesome project though ! Thanks so much for sharing !!

    Labels: good first issue, question
    Opened by pussinboots1992