Gargoyle hunting: Detecting 'Gargoyle' code-hiding via automated Windows kernel analysis

Every so often, a mechanism becomes popular which is difficult to detect. Gargoyle is a good example of this - it relies on Windows timer events to achieve execution from non-executable memory. While it would be nice to detect it by examining active timers, Windows exposes very little information about timers to user-space, making it impossible.

In this talk, I will first recap how the attack works, and then demonstrate how a kernel debugger can be used to examine Windows internal data structures to extract the information we need to detect it. I will demonstrate how to enumerate system timers, and to find the code that each timer will trigger. Once this code is located, a Volatility plugin will be written to automate the work, and I will demonstrate how to assess how suspicious the triggered code is by using an emulation framework to detect operations intrinsic to the attack itself, such as a stack pivot or adjusting memory page permissions via VirtualProtect.

Complete code for the plugin is public. After the talk, attendees should be confident in modifying it to detect other kernel-level artifacts, and to create their own Volatility plugins to find other suspicious activity as required. No prior kernel knowledge is needed, but those with a background in WinDbg, Windows internals, forensics, and/or Volatility will get the most from this talk.