IPC For Evasion and Control

IPC(inter-process communication) is used to provide communications and data sharing between applications. IPC is an umbrella term that fits all of these definitions.

In this case, we won't be using IPC to communicate with other processes and such, but we will be using it as a shared object that indicates a certain function depending on our goal.

Payload Control

One scenario you might encounter is that your payload may have multiple instances and it might become too hectic. This can arise from DLL hijacking or COM hijacking where multiple programs might load your payload. Although having multiple running instances of your payload on a machine may be a good thing for stability and such, it may create a lot of noise due to the number of artifacts being created to your system.

To solve this, we can create an IPC object and say, "if this object already exists, stop execution, but if this object does not exist, create it and execute your payload". This logic ensures that only one instance of your payload is running at a time.

One example of an IPC object we can use is named pipes.

NamedPipeCheck = CreateNamedPipe("\\\\.\\pipe\\EvilCheck", PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); 

if (GetLastError() == ERROR_ALREADY_EXISTS) {
   CloseHandle(NamedPipeCheck);
   return 0;
}

In the above function, we will try to create a named pipe called "\\\\.\\pipe\\EvilCheck", if it already exists, we will stop execution and return 0.

As you can see, this is a very simple method to keep your payloads in control. Note that your pipe name can be a IOC.

Evasion

The same idea can be used for sandbox evasion, except that we will only start execution if a certain IPC object exists. This method was documented in the vault7 leaks here, which used mutexes:

As stated in the document, this method calls itself. This works because "The AV will only trigger the code if it has been called in a certain way"

We can implement this with:

NamedPipeCheck = CreateNamedPipe("\\\\.\\pipe\\EvilCheck", PIPE_ACCESS_DUPLEX, PIPE_TYPE_MESSAGE, PIPE_UNLIMITED_INSTANCES, 1024, 1024, 0, NULL); 

if (GetLastError() == ERROR_ALREADY_EXISTS) {
   decryptCodeSection();
   startShellCode();
}
else {
   startExe("test.exe"); // name of implant
   Sleep(100);
}

return 0;

Conclusion

There are plenty of ways to implement these types of checks. You can use Mutexes, Semaphores etc. You don't even have to use IPC objects, a simply registry key or file will suffice.

Last updated