Gargoyle hunting: Detecting 'Gargoyle' code-hiding via automated Windows kernel analysis

by Aliz Hammond | Thursday, 12:00pm - 12:30pm

Every so often, a mechanism becomes popular which is difficult to detect. Gargoyle is a good example of this: it relies on Windows timer events to achieve execution from non-executable memory. While it would be nice to detect it by examining active timers, Windows exposes very little information about timers to user-space, making detection from user-space impossible.

In this talk, I will first recap how the attack works, and then demonstrate how a kernel debugger can be used to examine Windows internal data structures to extract the information we need to detect it. I will demonstrate how to enumerate system timers and how to find the code that each timer will trigger. Once this code is located, a Volatility plugin will be written to automate the work, and I will demonstrate how to assess how suspicious the triggered code is by using an emulation framework to detect operations intrinsic to the attack itself, such as a stack pivot or adjusting memory page permissions via VirtualProtect.
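The last step above, scoring a timer callback for attack-intrinsic operations, can be illustrated without a kernel or an emulator in hand. The following is an added example, not code from the talk or from the speaker's Volatility plugin: it assumes an emulator has already run the callback and produced a simple event trace (the `Event` format here is an assumption made for this example), and it flags the two indicators the abstract names, a stack pivot (RSP leaving the thread's real stack bounds) and a `VirtualProtect` call that grants execute permission. The page-protection constants are the documented Win32 values; the stack bounds and both traces are constructed sample data.

```python
"""Heuristic triage of an emulated timer callback for Gargoyle-style behaviour.

Hypothetical helper (not the talk's plugin). It assumes an emulator has already
run the callback and recorded register writes and API calls as Event objects.
"""
from dataclasses import dataclass
from typing import List, Optional

# Documented Win32 page-protection values that grant execute rights.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_PROTECTIONS = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
                          PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
# PAGE_GUARD | PAGE_NOCACHE | PAGE_WRITECOMBINE may be OR'd in; mask them off.
PROTECTION_MODIFIER_MASK = 0x100 | 0x200 | 0x400


@dataclass
class Event:
    """One emulator event (assumed format): 'reg_write' uses reg/value,
    'api_call' uses name/args."""
    kind: str
    reg: Optional[str] = None
    value: int = 0
    name: Optional[str] = None
    args: tuple = ()


@dataclass
class Finding:
    rule: str
    detail: str


def is_stack_pivot(new_rsp: int, stack_limit: int, stack_base: int) -> bool:
    """A pivot moves RSP outside the thread's real stack [StackLimit, StackBase)."""
    return not (stack_limit <= new_rsp < stack_base)


def makes_executable(protect: int) -> bool:
    """True if a VirtualProtect flNewProtect value grants execute permission."""
    return (protect & ~PROTECTION_MODIFIER_MASK) in EXECUTABLE_PROTECTIONS


def triage(trace: List[Event], stack_limit: int, stack_base: int) -> List[Finding]:
    """Walk the trace once and collect Gargoyle indicators in order of occurrence."""
    findings: List[Finding] = []
    for ev in trace:
        if ev.kind == "reg_write" and ev.reg == "rsp":
            if is_stack_pivot(ev.value, stack_limit, stack_base):
                findings.append(Finding("stack_pivot",
                                        f"rsp set to {ev.value:#x}, outside the thread stack"))
        elif ev.kind == "api_call" and ev.name == "VirtualProtect":
            # VirtualProtect(lpAddress, dwSize, flNewProtect, lpflOldProtect)
            addr, size, new_protect = ev.args[0], ev.args[1], ev.args[2]
            if makes_executable(new_protect):
                findings.append(Finding("virtualprotect_exec",
                                        f"{addr:#x}+{size:#x} set to {new_protect:#x}"))
    return findings


# Constructed sample data: fake stack bounds and two fake traces.
STACK_LIMIT = 0x000000A123450000
STACK_BASE = 0x000000A123500000

BENIGN_TRACE = [
    Event("reg_write", reg="rsp", value=STACK_BASE - 0x40),  # normal frame setup
    Event("api_call", name="GetTickCount", args=()),
]

GARGOYLE_LIKE_TRACE = [
    Event("reg_write", reg="rsp", value=0x000001F000001000),   # rsp now points into heap
    Event("api_call", name="VirtualProtect",
          args=(0x000001F000010000, 0x2000, PAGE_EXECUTE_READ, 0x000001F000000F00)),
]

if __name__ == "__main__":
    for label, trace in (("benign", BENIGN_TRACE), ("gargoyle-like", GARGOYLE_LIKE_TRACE)):
        hits = triage(trace, STACK_LIMIT, STACK_BASE)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  [{h.rule}] {h.detail}")
```

In a real pipeline the stack bounds come from the target thread's TEB (StackLimit/StackBase) and the trace from the emulator's hooks; the two rules here are deliberately narrow so that a plugin author can add further ones (for example, unusual return targets) alongside them.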

Complete code for the plugin is public. After the talk, attendees should be confident in modifying it to detect other kernel-level artifacts, and to create their own Volatility plugins to find other suspicious activity as required. No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.

About Aliz Hammond

Aliz is a security researcher working alongside the threat hunting team at F-Secure Countercept, providing focussed analysis to assist and empower the hunters against specific threats. With a background in large-scale fuzzing, bug-hunting, and exploitation, their main hangout is in ring0 with their BFF WinDbg, analysing (and abusing) the Windows kernel. When they aren’t hacking stuff, they like to mess around with old computing hardware, fixing and enhancing any surviving relics of the 80s-to-00s eras.