Payload Execution Control

The more actions malware performs, the more likely it is to be picked up by monitoring systems. Limiting the actions performed by malware and focusing on essential tasks is called "Execution Control".

PreviousEvading EDR NextWrapping NTAPI Functions

Last updated 7 months ago

Payload Execution Control

Synchronization Objects

A synchronization object is an object whose handle can be specified in one of the to coordinate the execution of multiple threads.

The following object types are provided exclusively for synchronization.

Type

Description

Event

Mutex

Semaphore

Waitable timer

Events

notify one or more waiting threads that an event has occurred. They can be used to cooridinate the execution of multiple threads or processes. They can be either manual or automatic.

To use events in a program, the WinAPI can be employed. The usage of the function is demonstrated below:

HANDLE hEvent = CreateEventA(NULL, FALSE, FALSE, "ControlString");

if (hEvent != NULL && GetLastError() == ERROR_ALREADY_EXISTS)
	// Payload is already running
else
	// Payload is not running

Mutex

HANDLE hMutex = CreateMutexA(NULL, FALSE, "ControlString");

if (hMutex != NULL && GetLastError() == ERROR_ALREADY_EXISTS)
	// Payload is already running
else
	// Payload is not running

Semaphore

To control execution of a payload, a named semaphore object will be created each time the payload is executed. If the binary is executed multiple times, the first execution will create the named semaphore and the payload will be executed as intended. On subsequent executions, the semaphore creation will fail as the semaphore with the same name is already running. This indicates that the payload is currently being executed from a previous run and therefore should not be run again to avoid duplication.

HANDLE hSemaphore = CreateSemaphoreA(NULL, 10, 10, "ControlString");

if (hSemaphore != NULL && GetLastError() == ERROR_ALREADY_EXISTS)
	// Payload is already running
else
	// Payload is not running

Other Forms of Synchronization Objects

In some circumstances, you can also use a file, named pipe, or communications device as a synchronization object.

CreateNamedPipeA

Example of setting up a named pipe and using it for inter-process communication (IPC).

HANDLE hNamedPipe;
char buffer[1024];
DWORD bytesRead;

// Create a named pipe
hNamedPipe = CreateNamedPipeA(
    "\\\\.\\pipe\\MyNamedPipe",  // Pipe name
    PIPE_ACCESS_DUPLEX,         // Pipe open mode
    PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT, // Pipe mode
    1,                          // Maximum instances
    1024,                       // Output buffer size
    1024,                       // Input buffer size
    0,                          // Default timeout (0 means blocking)
    NULL                        // Security attributes
);

if (hNamedPipe == INVALID_HANDLE_VALUE) {
    fprintf(stderr, "CreateNamedPipe failed with error %d\n", GetLastError());
    return 1;
}

printf("Waiting for a client to connect...\n");

// Wait for a client to connect to the named pipe
if (!ConnectNamedPipe(hNamedPipe, NULL)) {
    fprintf(stderr, "ConnectNamedPipe failed with error %d\n", GetLastError());
    CloseHandle(hNamedPipe);
    return 1;
}

printf("Client connected. Waiting for data...\n");

// Read data from the client
if (ReadFile(hNamedPipe, buffer, sizeof(buffer), &bytesRead, NULL)) {
    printf("Received data from client: %s\n", buffer);
} else {
    fprintf(stderr, "ReadFile failed with error %d\n", GetLastError());
}

// Clean up
CloseHandle(hNamedPipe);

return 0;

Others

Taken from microsoft docs:

Object

Description

Change notification

Console input

Job

Memory resource notification

Process

Thread

PreviousEvading EDR NextWrapping NTAPI Functions

Last updated 7 months ago