Fighting Hooks With Hooks – Sandbox Escape



I was pretty bored today and couldn’t think of an article to write, decided I’d come up with an example of escaping a sandbox. Most sandboxes use hooks placed within user-mode dlls in order to monitor process activity. If someone was able to remove or bypass these hooks, they would be able to escape the sandbox.

A common method used by advanced malware is to write a custom implementation of “LoadLibrary” / “LdrLoadDll”. Using this code they can manually map a new, clean, copy of a dll and use it to evade hooks. Because of the nature of PE files, it is generally quite complex to do this and required a good understanding of PE files and the PE loader. As it happens, there is currently no working, easy to find, code to do this on Google, so such methods are not seen is script-kiddie malware and I’d like to keep it that way. Instead I will be showing a nice little hack that works in a similar way, however will be fairly easy for sandbox developers to deal with. 

How It Works

When i was thinking of which way to attack the sandbox, I thought it would be amusing (at least for me) to use hooks to facilitate the escape, I managed to do it using a single hook: “RtlEqualUnicodeString”.
First, if we look at the call path for “LoadLibrary” we will see it eventually ends up at “LdrLoadDll” which internally calls “LdrpLoadDll”. Inside “LdrpLoadDll” is a call to LdrpCheckForLoadedDll, this function is responsible for iterating through the list of currently loaded dlls (“PEB_LDR_DATA->InMemoryOrderModuleList”) and checking that the target dll isn’t already loaded.
A snippet from LdrpCheckForLoadedDll
By hooking “RtlEqualUnicodeString” or “RtlCompareUnicodeString”, which is called internally by “RtlEqualUnicodeString”, we can trick LdrpLoadDll into loading an already loaded dll. Because of the way “GetModuleHandle” works, any subsequent calls will return a handle to the original dll and not our new one. 
Now that we can trick the loader into loading new dlls, we can load a new copy of ntdll which will not be hooked. Using the address returned by “LdrLoadDll”, we can call “GetProcAddress” to get a pointer to “RtlCreateUserProcess” within the new dll. Now we can create a new process whilst bypassing any hooks to catch new process creation.


This method can easily be prevented by using a hook within LdrLoadDll. Each time LdrLoadDll is called, check if the name is that of a module we need to hook, if it is, call the original LdrLoadDll, then pass the address returned to the hooking function. Remember, we cannot use GetModuleHandle or equivalent.

An Example

Process with 2 copies of ntdll loaded
Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …