Sunday, January 20, 2013

Introducing Prasadhak: Check running processes for known malwares using PowerShell

Once during a pen test, I got a complete acess to a box. It was a Windows 2008 server in a really bad shape. So bad that I wanted to check it for malwares as I was not sure about the integrity of the anti virus of the server. The client was also not sure as the server was just one of "those" servers who no one cared about as the services it offered were no longer required by business (I later gave a lecture to the client on why this is bad etc. etc.)

So I was in a fix, installing an AV was not an option and as always there was not enough time to do a manual sanity check of the system for malwares. I though of using Virustotal for this. Virustotal provides a nice API which could be used for automating the process of analysis of files. But there was a catch, I could not upload files from the system to the interent, confidentiality issues! So I decided to use search function for running processes. I would search for executables of running processes for malwares using Virustotal API, looks good.

So behold world, I give you, Prasadhak. A powershll script which will check running processes (actually their executables) for malware by searching md5 their md5 hashes on virustotal database. For those curious, Prasadhak means purifier in Sanskrit.

PowerShell being quite powerful there was not much of a problem getting the current processes and their corresponding executable. Please note that some of the process do not report their path.
A little problem was with the limitations on request by the API. Using the normal public API, one could make only 4 requests in a minute. So I have to adjust the code this way.

Another problem was that Virustotal API responded with JSON objects and I was unable to parse the responses properly. I tried various methods including this. The code worked fine for a single request but failed for a batch request. I got lazy and wrote the script for PowerShell v3 instead which comes with a ready made ConverFrom-Json cmdlet. This is my first script which would require powershell v3.

Prasadhak reports one of the following for each process whose executable path was detected based on the response from Virustotal:
  1. Not found in VT database for hashes which are not present in Virustotal Database.
  2. Something malicious is found with the link to complete analysis.
  3. This is reported clean for hashes which are reported clean.
  4. File queued for analysis.
You need to register a free account on virustotal to get the apikey which is required for using the API.

A sample run of Prasadhak on my machine with Administrator privilege

So two malicious processes were found, the first one is a known one and I ran it just to test Prasadhak. Second one is new for me, lets have a look at it.

So hfs server is detected as malware by many AVs. Interestingly, a modified meterpreter payload was not found in database as its hash was different from a "normal" meterpreter. A huge limitation of hash based detection (Do I sound like an AV vendor?)

Two major limitations I know of Prasadhak are:

1. Results of each process are not labelled with the process name. You will see that I have left commented portions of code for labelling the results, this was a quick attempt before this post. Please let me know if you modify the script to improve that.

2. The approach of Prasadhak is very limited. As we saw above, a meterpreter binary was not detected just because slight modifications were made to it. Many malwares are better in stealth.

Please note that only section of script which requires PowerShellv3 is the function "check". If you need to use this script using PowerShell v2, try using this code at codeplex.

The code could be found below

Prasadhak is available in Nishang's repository, please update your repos.

Hope this would be useful. There wold be a day when I will start writing non-ugly code.
Bugs, feedback and comments are welcome. 

Update - Minor changes  have been made to Prasadhak, the code above has been modified a bit.

P.S. - I planned to release Prasadhak later after some improvements but a similar blog post forced me to post this, now. Research collision anyone? Thanks to my friends who quickly consoled me when I was shocked after that post.. hee hee :)

Monday, January 14, 2013

(Quick Post) Check if your payload is running inside a VM using PowerShell

I was trying to improve some existing payloads of Nishang and Kautilya. One idea was to enumerate the environment in which the payloads would be running. I decided to start with detection of Virtual Environment. I found this post module in msf by Carlos Perez which is easy to understand. I quickly ported the script to powershell. This post is about that script. Though I still need to figure out a way to integrate this in other payloads without increasing the complexity, I am sharing the current script anyway :)

The script checks for a number of parameters like, registry keys and running services for Hyper-V, VMWare, Virtual PC, Virtual Box, Xen and QEMU.

A code snippet showing the logic for detection of Hyper-V.

This is how it looks like when ran inside a Windows 7 on VMWare.

I checked it only on VMWare. If somebody tests this for all the environments that would be great ;)

UPDATE: Thomas hac confirmed that the script detected a Hyper-V machine.

The script has been added to Nishang repo, please update your repo to get the script.

Hope this would be useful. Comments and suggestions are welcome.