CYBERSEC: Oops, your signature isn't actually being verified.

adr
August 11, 2020

For many security-conscious users, downloading a well-known piece of software from the internet (e.g. CCleaner) usually starts with a right-click to check whether it carries a digital signature, as a way of judging how trustworthy the program is; and with so much malware attacking on the internet every day, antivirus software relies even more heavily on digital signatures to avoid false positives that would annoy its users.

This session first introduces the love-hate triangle between digital signatures, the program loader and the linker on Windows, then uses real cases to examine the point in time at which users and antivirus software check a digital signature, and analyses the various abuse techniques that arise from the gap between how users and antivirus software understand digital signatures.


Transcript

  1. 2020 414141414141414141 AAAAAAAAAA iThome # CyberSec Oops! Your signature isn't actually being verified. aaaddress1@chroot.org
  2. #Windows #Reversing #Pwn #Exploit $man • Master's degree at CSIE, NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • aaaddress1@chroot.org • Hao's Arsenal
  3. 1. Scenes in Practice 2. Authenticode 3. Attack Vectors → 5 methods + 2 demo 4. Recap /?outline
  4. 〉〉〉Scenes in Practice
  5. /?scene#1
  6. /?scene#1
  7. /?scene#1
  8. /?scene#2
  9. /?scenes You think checking the signature is enough to dodge hackers?
  10. 〉〉〉Authenticode
  11. # PE Overview 'MZ' DOS 'PE' File Header Opt Header Section Header 1 .NumberOfSections .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase .VA .size .RVA .text Section Header Array → .text (Data) 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3 PE /?
  12. PE /? # PE Overview 'MZ' DOS 'PE' File Header .text .data .rdata Opt Header .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase File Header .NumberOfSections Section Headers
  13. • MSDN: Authenticode Digital Signatures • March 21, 2008: Windows Authenticode Portable Executable Signature Format • Authenticode signature 1. The file originates from a specific software publisher 2. The file has not been altered since it was signed /?Sign
  14. /?Sign
  15. /?Sign
  16. /?Sign
  17. /?Sign
  18. /?Sign
  19. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe .text .data .rdata Section Headers IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) PKCS#7
  20. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  21. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  22. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "C:\it\home\30cm_tw.exe" )= ?
  23. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg PKCS#7
  24. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  25. Explorer syscall WinVerifyTrust( ... )= true 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  26. 〉〉〉/?Attack Vectors
  27. 〉〉〉/> Misc
  28. /?misc#1
  29. /?misc#1
  30. PS C:> signtool sign ... ICBC online-banking U-Shield token, Alipay /?misc#1
  31. PS C:> signtool sign ... ICBC online-banking U-Shield token, Alipay /?misc#1
  32. • Process Hollowing • github.com/Zer0Mem0ry/RunPE • malware.exe + benignware.exe Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata 'MZ' .text .rdata .idata Process EntryPoint PEB "C:\infected\mal.exe" /?misc#2 mal.exe EntryPoint Loader
  33. Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata a.exe Process PEB PE Module ntdll.dll VERSION.dll user32.dll ... LoadLibrary() $PATH: { "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ... } C:\hijack\a.exe /?misc#3 • FireEye: DLL Side-Loading • malware.dll + benignware.exe
  34. /?misc Trash talk, you're just here to pad out the time. I already know all this stuff. Baa.. baa.
  35. 〉〉〉/> SignThief
  36. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  37. benign.exe [Signed by M$] 'PE' Opt Header .text .data .idata Section Headers PKCS#7 malware.exe [malicious] 'PE' Opt Header .text .data .idata Section Headers PKCS#7 /?thief
  38. /?thief
  39. WinVerifyTrust()=false PKCS#7 hash() explorer.exe ntdll.dll kernel32.dll user32.dll Crypt32.dll Process /?thief Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData
  40. • Subverting Trust in Windows by @mattifestation • https://gist.github.com/aaaddress1/870d745741b276484219e1a3cda800ed /?thief $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
  41. /?thief
  42. /?thief
  43. 〉〉〉/> Steganography
  44. /?Sign 'MZ' Opt Header .DataDirectory#4 .text .data .rdata (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe hash() sizeof(WIN_CERTIFICATE) RVA
  45. • BlackHat 2016: Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable • Custom Loader + Steganography • Used for Bypassing Anti-Virus /?stego
  46. 〉〉〉/> PathNormaliz
  47. • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc
  48. Path Normalization by Jeremy Kuhne Path Format Overview by Jeremy Kuhne /?normaliz if the path does not start with exactly \\?\ it will be normalized. • Identifying the Path and Legacy Devices • Applying the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters An important exception: if you have a device path that begins with a question mark instead of a period it must use the canonical backslash. • Skipping Normalization
  49. normaliz RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" ) $p = L"\??\C:\Windows\System32\a.exe" AiLaunchProcess(L"C:\Windows \System32\a.exe") /?
  50. /?normaliz
  51. /?normaliz
  52. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate " )= ? /?normaliz
  53. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate.exe " )= ? /?normaliz WinVerifyTrust( "\C:\ithome\GoogleUpdate.exe" )= ? "\??\C:\ithome\GOOGLE~2.EXE"
  54. /?normaliz
  55. /?normaliz
  56. /?normaliz
  57. />defender
  58. />defender
  59. 〉〉〉Recap
  60. • Attack Vectors • Misc / DLL Side-Loading / Process Hollowing • WinTrust & Crypt32 • Authenticode & PKCS#7 Issue • Path Normalization • UAC Bypass • Signature Cheat • Attack path based protection e.g. AppLocker, Defender /?Recap
  61. • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON
  62. 2020 414141414141414141 AAAAAAAAAA iThome # CyberSec Thanks! aaaddress1@chroot.org Slide Github @aaaddress1 Facebook
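The signing slides (19–21) and the Steganography slides (44–45) hinge on what the Authenticode hash covers: everything except the CheckSum field, the IMAGE_DIRECTORY_ENTRY_SECURITY entry and the certificate table itself, with sections hashed in file order, so bytes parked inside the certificate table leave the signature intact. The Python below is an added example, not code from the talk: it builds a constructed minimal PE32 (a placeholder blob stands in for the PKCS#7 SignedData), computes the Authenticode-style SHA-256 over it, and measures certificate-table slack, the check a defender can run to spot data that no signature vouches for. It assumes the PE32 (not PE32+) optional-header layout.

```python
import hashlib, struct
SECURITY_DIR = 96 + 4 * 8   # IMAGE_DIRECTORY_ENTRY_SECURITY inside a PE32 optional header (PE32+ adds 16)

def build_pe(text: bytes, cert: bytes, trailing: bytes = b"") -> bytes:
    """Constructed minimal PE32: one .text section plus a certificate table (sample data, not a real binary)."""
    text = text.ljust(512, b"\0")
    win_cert = struct.pack("<IHH", 8 + len(cert), 0x0200, 0x0002) + cert   # WIN_CERTIFICATE, PKCS#7 SignedData type
    win_cert += b"\0" * (-len(win_cert) % 8) + trailing   # 8-byte padding, then any bytes parked after the entry
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)            # one section, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                     # PE32 magic
    struct.pack_into("<I", opt, 60, 512)                                      # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, SECURITY_DIR, 1024, len(win_cert))           # cert table: file offset + size
    sect = struct.pack("<8sIIII", b".text", len(text), 0x1000, len(text), 512) + b"\0" * 16
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(512, b"\0")
    return headers + text + win_cert

def authenticode_hash(pe: bytes) -> str:
    """SHA-256 the Authenticode way: skip CheckSum, the security directory entry and the certificate table."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24                                   # 'PE\0\0' + 20-byte COFF header
    checksum_off, secdir_off = opt + 64, opt + SECURITY_DIR
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    cert_size = struct.unpack_from("<II", pe, secdir_off)[1]
    h = hashlib.sha256()
    for a, b in ((0, checksum_off), (checksum_off + 4, secdir_off), (secdir_off + 8, size_of_headers)):
        h.update(pe[a:b])                                 # headers minus the two excluded fields
    table = opt + size_opt
    sections = [struct.unpack_from("<II", pe, table + i * 40 + 16) for i in range(num_sections)]  # (SizeOfRawData, PointerToRawData)
    for size, ptr in sorted(sections, key=lambda s: s[1]):   # the slide's "sort headers" step: file-offset order
        h.update(pe[ptr:ptr + size])
    end = max([size_of_headers] + [ptr + size for size, ptr in sections])
    h.update(pe[end:len(pe) - cert_size])                 # overlay after the last section, minus the cert table
    return h.hexdigest()

def cert_table_slack(pe: bytes) -> int:
    """Bytes in the certificate table not claimed by any WIN_CERTIFICATE entry: never hashed, never verified."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    off, size = struct.unpack_from("<II", pe, e_lfanew + 24 + SECURITY_DIR)
    pos, end = off, off + size
    while pos + 8 <= end:
        length = struct.unpack_from("<I", pe, pos)[0]
        if length < 8 or pos + length > end: break
        pos += length + (-length % 8)                     # entries are rounded up to 8 bytes
    return end - pos
```

Two images that differ only in bytes appended after the WIN_CERTIFICATE entry produce the same authenticode_hash, while a changed .text byte does not; on a real file, non-zero cert_table_slack is worth a closer look.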