From 91321119c9a8101edf644e4f6343f040348d3c04 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Mon, 13 Oct 2025 06:40:26 +0000 Subject: [PATCH] Add content from: Crystal Kit --- src/windows-hardening/av-bypass.md | 58 ++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/src/windows-hardening/av-bypass.md b/src/windows-hardening/av-bypass.md index 0d21e991acf..e61919334c7 100644 --- a/src/windows-hardening/av-bypass.md +++ b/src/windows-hardening/av-bypass.md @@ -975,8 +975,66 @@ rmdir "C:\ProgramData\Microsoft\Windows Defender\Platform\5.18.25070.5-0" > [!TIP] > Note that This technique does not provide privilege escalation by itself; it requires admin rights. +## API/IAT Hooking + Call-Stack Spoofing with PIC (Crystal Kit-style) + +Red teams can move runtime evasion out of the C2 implant and into the target module itself by hooking its Import Address Table (IAT) and routing selected APIs through attacker-controlled, position‑independent code (PIC). This generalises evasion beyond the small API surface many kits expose (e.g., CreateProcessA), and extends the same protections to BOFs and post‑exploitation DLLs. + +High-level approach +- Stage a PIC blob alongside the target module using a reflective loader (prepended or companion). The PIC must be self‑contained and position‑independent. +- As the host DLL loads, walk its IMAGE_IMPORT_DESCRIPTOR and patch the IAT entries for targeted imports (e.g., CreateProcessA/W, CreateThread, LoadLibraryA/W, VirtualAlloc) to point at thin PIC wrappers. +- Each PIC wrapper executes evasions before tail‑calling the real API address. Typical evasions include: + - Memory mask/unmask around the call (e.g., encrypt beacon regions, RWX→RX, change page names/permissions) then restore post‑call. + - Call‑stack spoofing: construct a benign stack and transition into the target API so call‑stack analysis resolves to expected frames. +- For compatibility, export an interface so an Aggressor script (or equivalent) can register which APIs to hook for Beacon, BOFs and post‑ex DLLs. + +Why IAT hooking here +- Works for any code that uses the hooked import, without modifying tool code or relying on Beacon to proxy specific APIs. +- Covers post‑ex DLLs: hooking LoadLibrary* lets you intercept module loads (e.g., System.Management.Automation.dll, clr.dll) and apply the same masking/stack evasion to their API calls. +- Restores reliable use of process‑spawning post‑ex commands against call‑stack–based detections by wrapping CreateProcessA/W. + +Minimal IAT hook sketch (x64 C/C++ pseudocode) +```c +// For each IMAGE_IMPORT_DESCRIPTOR +// For each thunk in the IAT +// if imported function == "CreateProcessA" +// WriteProcessMemory(local): IAT[idx] = (ULONG_PTR)Pic_CreateProcessA_Wrapper; +// Wrapper performs: mask(); stack_spoof_call(real_CreateProcessA, args...); unmask(); +``` +Notes +- Apply the patch after relocations/ASLR and before first use of the import. Reflective loaders like TitanLdr/AceLdr demonstrate hooking during DllMain of the loaded module. +- Keep wrappers tiny and PIC-safe; resolve the true API via the original IAT value you captured before patching or via LdrGetProcedureAddress. +- Use RW → RX transitions for PIC and avoid leaving writable+executable pages. + +Call‑stack spoofing stub +- Draugr‑style PIC stubs build a fake call chain (return addresses into benign modules) and then pivot into the real API. +- This defeats detections that expect canonical stacks from Beacon/BOFs to sensitive APIs. +- Pair with stack cutting/stack stitching techniques to land inside expected frames before the API prologue. + +Operational integration +- Prepend the reflective loader to post‑ex DLLs so the PIC and hooks initialise automatically when the DLL is loaded. +- Use an Aggressor script to register target APIs so Beacon and BOFs transparently benefit from the same evasion path without code changes. + +Detection/DFIR considerations +- IAT integrity: entries that resolve to non‑image (heap/anon) addresses; periodic verification of import pointers. +- Stack anomalies: return addresses not belonging to loaded images; abrupt transitions to non‑image PIC; inconsistent RtlUserThreadStart ancestry. +- Loader telemetry: in‑process writes to IAT, early DllMain activity that modifies import thunks, unexpected RX regions created at load. +- Image‑load evasion: if hooking LoadLibrary*, monitor suspicious loads of automation/clr assemblies correlated with memory masking events. + +Related building blocks and examples +- Reflective loaders that perform IAT patching during load (e.g., TitanLdr, AceLdr) +- Memory masking hooks (e.g., simplehook) and stack‑cutting PIC (stackcutting) +- PIC call‑stack spoofing stubs (e.g., Draugr) + ## References +- [Crystal Kit – blog](https://rastamouse.me/crystal-kit/) +- [Crystal-Kit – GitHub](https://github.com/rasta-mouse/Crystal-Kit) +- [Elastic – Call stacks, no more free passes for malware](https://www.elastic.co/security-labs/call-stacks-no-more-free-passes-for-malware) +- [Crystal Palace – docs](https://tradecraftgarden.org/docs.html) +- [simplehook – sample](https://tradecraftgarden.org/simplehook.html) +- [stackcutting – sample](https://tradecraftgarden.org/stackcutting.html) +- [Draugr – call-stack spoofing PIC](https://github.com/NtDallas/Draugr) + - [Unit42 – New Infection Chain and ConfuserEx-Based Obfuscation for DarkCloud Stealer](https://unit42.paloaltonetworks.com/new-darkcloud-stealer-infection-chain/) - [Synacktiv – Should you trust your zero trust? Bypassing Zscaler posture checks](https://www.synacktiv.com/en/publications/should-you-trust-your-zero-trust-bypassing-zscaler-posture-checks.html) - [Check Point Research – Before ToolShell: Exploring Storm-2603’s Previous Ransomware Operations](https://research.checkpoint.com/2025/before-toolshell-exploring-storm-2603s-previous-ransomware-operations/)