Analysis of a privilege escalation vulnerability in a driver - vulnerability warnings - myhack58 (MYHACK58:62201993367)
Source: www.myhack58.com, published Mar 28, 2019
One, Foreword
As Microsoft keeps hardening the kernel and raising the difficulty of exploiting native kernel components, third-party kernel drivers are gradually becoming the attacker's preferred target and a focus of security research. A vulnerability in a signed third-party driver can have a very significant impact: an attacker can abuse it to elevate privileges or to bypass Driver Signature Enforcement, and this is a far more common practice than spending a much more precious operating-system 0-day kernel vulnerability.
Computer vendors usually provide users with software and tools for convenient device management; these packages, including their drivers, typically contain components that run in kernel ring 0. Because these components are installed by default, their security must match that of the kernel itself: if even one component is defective, it can become a fatal weakness in the security of the entire kernel.
Our analysis began when the Microsoft Defender Advanced Threat Protection (ATP) kernel sensor module raised an alert on such a driver. After tracing it, we found that the abnormal behavior came from a device management driver developed by Huawei. After digging deeper, we found that the driver contains a local privilege escalation vulnerability.
After we reported the vulnerability (assigned CVE-2019-5241), Huawei responded positively, and the whole cooperation was fast and professional. In January 2019, Huawei released a fix. In this article we share the complete process: from the ATP alert that started our investigation, through the discovery of the vulnerability, to working with the vendor to protect customers.

Two, Using Microsoft Defender ATP to detect kernel-initiated code injection
Starting with Windows 10 version 1809, new sensors were deployed in the kernel to track User APC code injection performed by kernel code, so that kernel exploitation techniques like DOUBLEPULSAR can be analyzed better. In an earlier in-depth analysis we noted that DOUBLEPULSAR, the kernel backdoor used by the WannaCry ransomware, had as its main function injecting a payload from kernel space into user space. DOUBLEPULSAR copies the payload from the kernel into an executable memory region in lsass.exe, inserts a User APC into a target thread, and points the NormalRoutine at that memory region.
![](/Article/UploadPic/2019-3/201932843421139.png)
Figure 1. Schematic of the WannaCry User APC injection technique
Although User APC code injection is not rare (see Conficker, or the proof-of-concept published earlier by Valerino), detecting threats that run in the kernel is not easy. Since Windows introduced PatchGuard, NTOSKRNL can no longer be hooked, and drivers have no public way of being notified of such operations. Therefore, absent a better option, the only strategy was memory forensics, which can be a very complex process.
These newly deployed sensors target precisely these kernel threats. Microsoft Defender ATP uses them to detect suspicious operations initiated by kernel code that could ultimately inject code into user mode, and it was one such suspicious operation that started our investigation.

Three, Analyzing the abnormal code injection from the kernel
While monitoring alerts related to kernel-mode attacks, we noticed the following alert:
![](/Article/UploadPic/2019-3/201932843422654.png)
Figure 2. Microsoft Defender ATP alert on kernel-initiated code injection
From the process tree information in the alert, we found that some kernel code had performed an abnormal memory allocation and execution in the context of services.exe. On further investigation, we found the same alert raised on another host at the same time.
To better understand this anomaly, we examined the raw signals from the kernel sensor and drew two conclusions:
1. A system thread called nt!NtAllocateVirtualMemory to allocate a single page (size = 0x1000) in the services.exe address space with the PAGE_EXECUTE_READWRITE protection mask;
2. The same system thread then called nt!KeInsertQueueApc to queue a User APC to an arbitrary thread of services.exe, with NormalRoutine pointing to the beginning of the executable page and NormalContext pointing to offset 0x800 within it.
The payload copied from kernel mode is thus divided into two parts: a shellcode (NormalRoutine) and a parameter block (NormalContext). At this point the whole sequence was sufficiently suspicious to deserve further study. Our goal was to identify the kernel code that triggered the alert.
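The two signals above are enough to write a detection rule. The following Python is an added example, not code from the article or from Microsoft Defender ATP: it correlates, over constructed sensor records, an RWX allocation made by a kernel thread in a user process with a User APC queued by the same thread whose NormalRoutine lands inside that page. The record format, the field names, and the use of PID 4 (the System process) as the proxy for "system thread" are assumptions of this example; the sample records are constructed, with the first pair reproducing the alert and the other two pairs serving as benign controls.

```python
import json
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40   # the RWX protection mask seen in the alert
SYSTEM_PID = 4                  # assumption: "system thread" == thread of the System process

# Constructed sample telemetry (not real sensor output), one JSON record per line.
# Records 1-2 reproduce the alert. Records 3-4: services.exe allocating and
# queueing an APC in itself (user-mode caller). Records 5-6: a kernel thread
# allocates a RW page and queues a User APC whose routine lies elsewhere (e.g. ntdll).
SAMPLE_EVENTS = """\
{"ts": 100, "event": "AllocateVirtualMemory", "caller_pid": 4, "caller_tid": 1234, "target_pid": 652, "target_image": "services.exe", "base": "0x1d3b4a10000", "size": "0x1000", "protect": 64}
{"ts": 101, "event": "InsertQueueApc", "caller_pid": 4, "caller_tid": 1234, "target_pid": 652, "target_tid": 700, "apc_mode": "user", "normal_routine": "0x1d3b4a10000", "normal_context": "0x1d3b4a10800"}
{"ts": 200, "event": "AllocateVirtualMemory", "caller_pid": 652, "caller_tid": 720, "target_pid": 652, "target_image": "services.exe", "base": "0x1d3b4b20000", "size": "0x1000", "protect": 64}
{"ts": 201, "event": "InsertQueueApc", "caller_pid": 652, "caller_tid": 720, "target_pid": 652, "target_tid": 700, "apc_mode": "user", "normal_routine": "0x1d3b4b20000", "normal_context": "0x0"}
{"ts": 300, "event": "AllocateVirtualMemory", "caller_pid": 4, "caller_tid": 1300, "target_pid": 812, "target_image": "svchost.exe", "base": "0x21f00000000", "size": "0x1000", "protect": 4}
{"ts": 301, "event": "InsertQueueApc", "caller_pid": 4, "caller_tid": 1300, "target_pid": 812, "target_tid": 830, "apc_mode": "user", "normal_routine": "0x7ff812345678", "normal_context": "0x21f00000000"}
"""


def parse_events(text):
    """Parse newline-delimited JSON records and order them by timestamp."""
    return sorted((json.loads(l) for l in text.splitlines() if l.strip()),
                  key=lambda e: e["ts"])


def detect_kernel_user_apc_injection(events, window=60):
    """Flag a User APC queued by a kernel (System) thread whose NormalRoutine lies
    inside an RWX page that a kernel thread allocated in the target process within
    `window` time units before. Returns one alert dict per match."""
    pending = defaultdict(list)   # target_pid -> [(alloc_event, base, end)]
    alerts = []
    for e in events:
        # Only kernel-originated operations against another process are of interest here.
        if e["caller_pid"] != SYSTEM_PID or e["target_pid"] == SYSTEM_PID:
            continue
        if e["event"] == "AllocateVirtualMemory" and e["protect"] == PAGE_EXECUTE_READWRITE:
            base = int(e["base"], 16)
            pending[e["target_pid"]].append((e, base, base + int(e["size"], 16)))
        elif e["event"] == "InsertQueueApc" and e["apc_mode"] == "user":
            routine = int(e["normal_routine"], 16)
            for alloc, base, end in pending[e["target_pid"]]:
                if e["ts"] - alloc["ts"] <= window and base <= routine < end:
                    alerts.append({
                        "target_pid": e["target_pid"],
                        "target_image": alloc["target_image"],
                        "kernel_tid": e["caller_tid"],
                        "rwx_base": hex(base),
                        "normal_routine": hex(routine),
                        # where the parameter block sits relative to the page (0x800 in the alert)
                        "context_offset": int(e["normal_context"], 16) - base,
                    })
    return alerts


def run_sample():
    """Run the rule over the constructed records; only the first pair should fire."""
    return detect_kernel_user_apc_injection(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

The rule deliberately ignores APCs queued by user-mode callers (QueueUserAPC-style self-injection is a different detection) and kernel-queued APCs whose routine is outside the page the kernel allocated, since the kernel legitimately queues User APCs that point at ntdll. Reporting the context offset alongside the page base gives the analyst the shellcode/parameter-block split described above directly in the alert.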

Four, Locating the source
For user-mode threats, we can follow the caller's process context to find the attacker and the trail of their attack phases. For kernel-mode threats, the situation is more complicated. The kernel is essentially asynchronous, and callback functions can be invoked in any context, so for forensic purposes we cannot learn much from the process context information.
Therefore, we looked for circumstantial evidence of third-party code loaded into the kernel. Analyzing the host timeline, we found that several third-party drivers had been loaded on the host earlier.
From the paths of these driver files, we found that they ship with a program, Huawei PC Manager, the device management software for Huawei MateBook notebooks. Huawei's official website offers the installer for download, so we downloaded it for local study. For each Huawei driver, we used dumpbin.exe to check its imported functions.
This gave us a clue, as follows:
![](/Article/UploadPic/2019-3/201932843422461.png)
Figure 3. Using dumpbin to detect the User APC injection capability
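The import check above can be scripted for a whole driver directory. The following Python is an added example, not code from the article, Microsoft or Huawei: it walks the PE import directory of a driver image the same way dumpbin /imports does and reports the ntoskrnl.exe routines that together enable kernel-to-user APC injection. The article names only NtAllocateVirtualMemory and KeInsertQueueApc; the other names in APC_INJECTION_IMPORTS, the function names, and the constructed sample image built by build_sample_driver (a minimal PE32+ with nothing but an import table, not a real driver) are assumptions of this example.

```python
import struct
from pathlib import Path

# ntoskrnl exports that together let a driver stage and run code in a user-mode
# process. Assumption: the article names only the first and last of these.
APC_INJECTION_IMPORTS = {"KeInsertQueueApc", "KeInitializeApc",
                         "KeStackAttachProcess", "ZwAllocateVirtualMemory"}


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_imports(data):
    """Walk a PE file's import directory; returns {dll: [imported names]}."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+, what an x64 driver uses
        dirs, tsize, ord_flag = opt + 112, 8, 1 << 63
    elif magic == 0x10B:    # PE32
        dirs, tsize, ord_flag = opt + 96, 4, 1 << 31
    else:
        raise ValueError("unknown optional header magic")
    import_rva = struct.unpack_from("<I", data, dirs + 8 * 1)[0]   # data directory 1
    sections = []
    for i in range(nsec):   # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    imports = {}
    if import_rva == 0:
        return imports
    desc = _rva_to_offset(sections, import_rva)
    while True:             # IMAGE_IMPORT_DESCRIPTOR, 20 bytes, all-zero entry terminates
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        names, thunk = [], _rva_to_offset(sections, oft or ft)
        while True:
            entry = struct.unpack_from("<Q" if tsize == 8 else "<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                names.append(f"#{entry & 0xFFFF}")        # import by ordinal
            else:                                         # 2-byte hint, then the name
                names.append(_cstring(data, _rva_to_offset(sections, entry & 0x7FFFFFFF) + 2))
            thunk += tsize
        imports[_cstring(data, _rva_to_offset(sections, name_rva))] = names
        desc += 20
    return imports


def apc_injection_imports(data):
    """Sorted names from APC_INJECTION_IMPORTS that the image pulls from ntoskrnl.exe."""
    found = set()
    for dll, names in parse_imports(data).items():
        if dll.lower() == "ntoskrnl.exe":
            found.update(n for n in names if n in APC_INJECTION_IMPORTS)
    return sorted(found)


def scan_drivers(directory):
    """Map each *.sys under `directory` to its suspicious imports (drivers with none are omitted)."""
    return {p.name: hits for p in Path(directory).rglob("*.sys")
            if (hits := apc_injection_imports(p.read_bytes()))}


def build_sample_driver():
    """Constructed PE32+ image (not a real driver): headers plus one .idata section
    whose import table names four ntoskrnl.exe routines. Offline sample input only."""
    sec_rva, sec_raw = 0x1000, 0x200
    funcs = ["KeInsertQueueApc", "KeStackAttachProcess", "ZwAllocateVirtualMemory", "IoCreateDevice"]
    dll = b"ntoskrnl.exe\0\0"                              # padded to an even length
    names, name_offs = bytearray(), []
    for f in funcs:                                        # hint + name + NUL, even-padded
        name_offs.append(len(names))
        names += struct.pack("<H", 0) + f.encode() + b"\0" * (2 - len(f) % 2)
    thunks_len = (len(funcs) + 1) * 8
    oft_rva = sec_rva + 40                                 # after one real + one null descriptor
    ft_rva, dll_rva = oft_rva + thunks_len, oft_rva + 2 * thunks_len
    names_rva = dll_rva + len(dll)
    thunks = b"".join(struct.pack("<Q", names_rva + o) for o in name_offs) + bytes(8)
    body = struct.pack("<IIIII", oft_rva, 0, 0, dll_rva, ft_rva) + bytes(20) + thunks * 2 + dll + names
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)                # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x84, 0x8664, 1, 0, 0, 0, 240, 0x2022)   # COFF header
    struct.pack_into("<H", hdr, 0x98, 0x20B)               # optional header magic
    struct.pack_into("<II", hdr, 0x98 + 112 + 8, sec_rva, 40)                  # import directory
    struct.pack_into("<8sIIII", hdr, 0x98 + 240, b".idata", len(body), sec_rva, len(body), sec_raw)
    return bytes(hdr) + body
```

Run scan_drivers against the directory the installer unpacks into; a driver that imports KeInsertQueueApc together with an allocation routine is the one to look at first, just as Figure 3 shows, though the hit is only a lead: the routines have legitimate uses, and which process the driver targets and what it copies into the page is what the reverse engineering in the next section settles.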

Five, HwOs2Ec10x64.sys: unexpected behavior from a driver
Now we had found the kernel code that triggered the alert. Typically, device management software mainly performs hardware-related tasks, and the associated device driver serves as the communication layer with the OEM's dedicated hardware. So why would this driver exhibit such abnormal behavior? To answer this question, we reverse-engineered HwOs2Ec10x64.sys.
Our entry point was the function that implements the User APC injection, from which we found a code path that:
1. Allocates an RWX page in some target process;
2. Resolves the CreateProcessW and CloseHandle function pointers in the target process's address space;
3. Copies a region of code from the driver, together with what looks like a parameter block, into the allocated page;
4. Performs the User APC injection targeting that page.
This parameter block contains the resolved function pointers and a string, and the string is actually a command line:
