
Fiber: run in-memory code in a different and stealthy way


itsMe

*KillmeMories*
Staff member
Administrator
Super Moderator
Hacker
Specter
Crawler
Shadow
Joined
Jan 8, 2019
Messages
56,609
Solutions
2
Reputation
32
Reaction score
100,454
Points
2,313
Credits
32,610
‎6 Years of Service‎
 
76%
[Image: stack1.png]

[Image: stack2.png]


Using fibers to run in-memory code in a different and stealthy way.

Description

A fiber is a unit of execution that must be manually scheduled by the application rather than relying on the priority-based scheduling mechanism built into Windows. Fibers are often called lightweight threads. For more detailed information about what fibers are and how they work, consult the official documentation. Fibers allow an application to have multiple execution flows in a single thread, each one with its own register state and stack. On the other hand, fibers are invisible to the kernel, which makes them a stealthier (and cheaper) method to execute in-memory code than spawning new threads.

Advantages

The use of fibers may be advantageous for some types of payloads (like a C2 beacon) for some of these reasons:

    Fibers allow in-memory code to run without the loader needing a JMP or CALL instruction that points to unbacked memory regions.
    This execution is performed without creating new threads, avoiding the kernel callbacks that an EDR could collect.
    The payload fiber's stack can be hidden when the payload enters an alertable state or needs to wait for a pending I/O operation. This is done using a control fiber with a normal stack that runs code from disk. This "hiding" is cheaper and easier to implement than the regular thread stack spoofing process.
    The fibers are invisible to the kernel and the whole switching procedure happens in user space, which makes it easier to hide from an EDR.
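The control-fiber / payload-fiber flow described above, as an added example that is not code from the Fiber project or from this post. The calling thread converts itself into the control fiber, creates a payload fiber whose entry point is only ever passed as an address (never reached by a JMP or CALL from the loader), and switches to it; every time the payload would block, it switches back so the wait happens on the control fiber's ordinary stack, and no new thread is ever created. On Windows the block uses the real ConvertThreadToFiber / CreateFiber / SwitchToFiber calls; on other platforms a small ucontext shim with the same three-call shape is substituted so the flow can be run anywhere. The shim, the `struct beacon` payload stand-in and the `run_payload_via_fibers` helper are assumptions made for this example, not part of the project.

```c
/* Added example (not the Fiber project's code). Windows path uses the real
 * fiber API; the ucontext path is our stand-in so the flow runs elsewhere. */
#ifndef _WIN32
#define _XOPEN_SOURCE 700          /* needed for ucontext on some libcs */
#endif
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#define FIBER_CALL WINAPI
typedef void (FIBER_CALL *fiber_fn)(void *);
typedef LPVOID fiber_t;
static fiber_t fiber_from_thread(void) { return ConvertThreadToFiber(NULL); }
static fiber_t fiber_create(fiber_fn fn, void *arg) {
    /* Only the entry address is handed over; nothing JMPs or CALLs into it. */
    return CreateFiber(0, fn, arg);
}
static void fiber_switch(fiber_t f) { SwitchToFiber(f); }
static void fiber_wait_ms(unsigned ms) { Sleep(ms); }
#else
#include <stdlib.h>
#include <time.h>
#include <ucontext.h>
#define FIBER_CALL
typedef void (*fiber_fn)(void *);
/* Stand-in (hypothetical, ours): one ucontext per fiber plus its own stack. */
typedef struct fiber { ucontext_t ctx; fiber_fn fn; void *arg; } *fiber_t;
static struct fiber g_main;           /* the converted thread itself */
static fiber_t g_current;             /* fiber currently running */
static void trampoline(void) { g_current->fn(g_current->arg); }
static fiber_t fiber_from_thread(void) { g_current = &g_main; return &g_main; }
static fiber_t fiber_create(fiber_fn fn, void *arg) {
    fiber_t f = calloc(1, sizeof *f);
    size_t sz = 64 * 1024;
    getcontext(&f->ctx);
    f->ctx.uc_stack.ss_sp = malloc(sz);   /* separate stack, like a fiber's */
    f->ctx.uc_stack.ss_size = sz;
    f->fn = fn; f->arg = arg;
    makecontext(&f->ctx, trampoline, 0);
    return f;
}
static void fiber_switch(fiber_t f) {
    fiber_t prev = g_current;
    g_current = f;
    swapcontext(&prev->ctx, &f->ctx);     /* pure user-space context switch */
}
static void fiber_wait_ms(unsigned ms) {
    struct timespec ts = { 0, (long)ms * 1000000L };
    nanosleep(&ts, NULL);
}
#endif

/* Constructed stand-in for the in-memory payload (think: a beacon loop). A
 * real loader would point the fiber at mapped payload memory rather than at
 * a function compiled into the binary. */
struct beacon { fiber_t control; int checkins; int done; };

static void FIBER_CALL payload_entry(void *arg) {
    struct beacon *b = arg;
    for (int i = 0; i < 3; i++) {
        b->checkins++;                /* "work": one check-in */
        /* Instead of sleeping on its own stack, the payload yields so the
         * wait happens on the control fiber's normal, disk-backed stack. */
        fiber_switch(b->control);
    }
    b->done = 1;
    /* A fiber must never return from its entry (on Windows that exits the
     * whole thread), so park it on the control fiber for good. */
    for (;;) fiber_switch(b->control);
}

/* Runs the payload to completion on the current thread; returns check-ins. */
int run_payload_via_fibers(void) {
    struct beacon b = {0};
    b.control = fiber_from_thread();                    /* ConvertThreadToFiber */
    fiber_t payload = fiber_create(payload_entry, &b);  /* CreateFiber */
    while (!b.done) {
        fiber_switch(payload);                          /* SwitchToFiber */
        /* Back here each time the payload would block: no thread was created
         * and the sleep below runs on the control fiber's stack. */
        if (!b.done) fiber_wait_ms(10);
    }
    return b.checkins;
}

int main(void) {
    printf("check-ins made by the payload fiber: %d\n", run_payload_via_fibers());
    return 0;
}
```

Compile with the platform's C compiler and run; the three check-ins all happen on the thread that called `run_payload_via_fibers`, and a debugger or thread enumerator will show no additional thread for the payload. Note that `ConvertThreadToFiber` may only be called once per thread, so the helper should not be invoked twice on the same thread on Windows.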
