Disabling Windows Event Logs by Suspending EventLog Service Threads
PreviousEnumerating RWX Protected Memory Regions for Code InjectionNextObfuscated Powershell Invocations
Last updated
Last updated
This lab was inspired by an old post Phant0m: Killing Windows Event Log by @hlldz where he introduced a powershell tool Invoke-Phant0m, which disables Windows EventLog service by killing its threads hosted by the svchost.exe.
The purpose of this quick lab is to understand some of the inner workings of Invoke-Phant0m. In particular, I wanted to play around with Windows APIs related to retrieving a process ID that hosts a given service, thread enumeration, mapping threads to a particular service (Windows Eventlog in this case) hosted in the svchost.exe and so on. This would give me a better understanding of how I can target specific threads when I need to, I thought.
Although this lab was inspired by @hlldz' post, you will notice that we implemented the same technique in a slightly different way by levarging different Windows APIs.
Windows event logs are handled by EventLog service that is hosted by svchost.exe.
If we list svchost processes, we see a number of those:
From the above screenshot, it's not clear which process actually hosts the EventLog service, but if we keep inspecting svchost.exe processes one by one in Process Hacker, we will eventually find the process hosting the EventLog service, which in my case it is svchost.exe with pid 2196:
Note that we can find out the PID of the process that is hosting EventLog:
If we look into svchost.exe threads for EventLog, we see there are a couple of threads of interest as highlighted in blue:
Below shows that indeed, suspending the threas is enough to disable the EventLog service from registering any new events:
Based on the above, the main goal of this lab is to hack some code to find these threads and simply suspend them and disable windows event logging this way.
Resuming threads will write out the events to the events log as if the threads had not been suspended in the first place.
Below is the code for the technique that at a high level works like this:
Open a handle to Service Control Manager with OpenSCManagerA
Open a handle to EventLog service with OpenServiceA
Retrieve svchost.exe (hosting EventLog) process ID with QueryServiceStatusEx
Open a handle to the svchost.exe process (from step 3)
Get a list of loaded modules loaded by svchost.exe EnumProcessModules
Loop through the list of svchost loaded modules, retrieved in step 5, find their names with GetModuleBaseName and find the base address of the module wevtsvc.dll - this is the module containing EventLog service inner-workings
Get wevtsvc.dll module info with GetModuleInformation. It will return a structure with module's start address and its image size - we will need these details later, when determiing if EventLog service thread's fall into wevtsvc.dll module's memory space
Enumerate all the threads inside svchost.exe with Thread32First and Thread32Next
For each thread from step 8, retrieve the thread's start address with NtQueryInformationThread
For each thread from step 8, check if the thread's start address belongs to the wevtsvc.dll memory space inside svchost.exe
If thread's start address is inside the wevtsvc.dll memory space, this is our victim thread and we suspend it with SuspendThread
EventLog service is now disabled
Below GIF illustrates:
net user ola ola is executed and user's ola password is changed and an event 4724 logged at 6:55:30 PM
4 EventLog threads are suspended in svchost.exe (PID 2196)
net user ola ola is executed again at 6:55:38 PM, but no new event 4724 is captured
