
CYBERSEC: Oops, your signature isn't actually being verified at all.

adr
August 11, 2020


For many security-conscious users, the first step after downloading a well-known piece of software from the Internet (e.g. CCleaner) is usually to right-click the file and check whether it carries a digital signature, as a way of judging whether the program can be trusted. With so many malicious programs attacking over the network every day, antivirus software likewise has to rely on digital signatures to avoid false positives that would trouble its users.

This session starts with an overview of the love-hate triangle between digital signatures, the program loader and the linker on Windows. It then uses real-world cases to examine the points in time at which users and antivirus software actually check a digital signature, and analyses the various abuse techniques that arise from the gap between how users and how antivirus engines understand digital signatures.



Transcript

  1. #Windows #Reversing #Pwn #Exploit $man • Master's degree at CSIE, NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • [email protected] • Hao's Arsenal
  2. # PE Overview 'MZ' DOS 'PE' File Header Opt Header Section Header 1 .NumberOfSections .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase .VA .size .RVA .text Section Header Array → .text (Data) 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3 PE /?
  3. PE /? # PE Overview 'MZ' DOS 'PE' File Header .text .data .rdata Opt Header .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase File Header .NumberOfSections Section Headers
  4. • MSDN: Authenticode Digital Signatures • March 21, 2008: Windows Authenticode Portable Executable Signature Format • Authenticode signature 1. The file originates from a specific software publisher 2. The file has not been altered since it was signed /?Sign
  5. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe .text .data .rdata Section Headers IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) PKCS#7
  6. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  7. /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  8. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "C:\it\home\30cm_tw.exe" )= ?
  9. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg PKCS#7
  10. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  11. Explorer syscall WinVerifyTrust( ... )= true 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  12. • Process Hollowing • github.com/Zer0Mem0ry/RunPE • malware.exe + benignware.exe Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata 'MZ' .text .rdata .idata Process EntryPoint PEB "C:\infected\mal.exe" /?misc#2 mal.exe EntryPoint Loader
  13. Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata a.exe Process PEB PE Module ntdll.dll VERSION.dll user32.dll ... LoadLibrary() $PATH: { "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ... } C:\hijack\a.exe /?misc#3 • FireEye: DLL Side-Loading • malware.dll + benignware.exe
  14. Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  15. benign.exe [Signed by M$] 'PE' Opt Header .text .data .idata Section Headers PKCS#7 malware.exe [malicious] 'PE' Opt Header .text .data .idata Section Headers PKCS#7 /?thief
  16. • Subverting Trust in Windows by @mattifestation • https://gist.github.com/aaaddress1/870d745741b276484219e1a3cda800ed /?thief $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
  17. /?Sign 'MZ' Opt Header .DataDirectory#4 .text .data .rdata (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe hash() sizeof(WIN_CERTIFICATE) RVA
  18. • BlackHat 2016: Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable • Custom Loader + Steganography • Used for Bypassing Anti-Virus /?stego
  19. • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc
  20. Path Normalization by Jeremy Kuhne Path Format Overview by Jeremy Kuhne /?normaliz If the path does not start with exactly \\?\ it will be normalized. • Identifying the Path and Legacy Devices • Applying the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters An important exception: if you have a device path that begins with a question mark instead of a period, it must use the canonical backslash. • Skipping Normalization
  21. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate " )= ? /?normaliz
  22. Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate.exe " )= ? /?normaliz WinVerifyTrust( "\C:\ithome\GoogleUpdate.exe" )= ? "\??\C:\ithome\GOOGLE~2.EXE"
  23. • Attack Vectors • Misc / DLL Side-Loading / Process Hollowing • WinTrust & Crypt32 • Authenticode & PKCS#7 Issue • Path Normalization • UAC Bypass • Signature Cheat • Attack path based protection e.g. AppLocker, Defender /?Recap
  24. • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON
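Added example (not from the deck or its author): a Python emulation of the Authenticode digest rules sketched on slides 4 to 7 and 17, run over a constructed PE32 skeleton rather than a real binary. It shows why the CheckSum field and the certificate table itself fall outside the hash, so the digest is unchanged by signing, by an edited checksum, or by bytes appended inside the declared certificate table, while one changed code byte changes it; the WIN_CERTIFICATE blob, the checksum value and the 0x200 header size are constructed values.

```python
import hashlib
import struct


def build_min_pe(text_data, checksum=0, cert_blob=b""):
    """Constructed PE32 skeleton (not runnable): DOS hdr | PE sig + FileHeader | OptionalHeader | 1 section hdr | pad to 0x200 | .text | cert table."""
    raw_off = 0x200
    img = bytearray(raw_off + len(text_data))
    img[0:2], img[64:68] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 64)                       # e_lfanew
    struct.pack_into("<HH", img, 68, 0x14C, 1)                  # Machine=i386, NumberOfSections=1
    struct.pack_into("<H", img, 84, 224)                        # SizeOfOptionalHeader (PE32)
    opt = 88
    struct.pack_into("<H", img, opt, 0x10B)                     # PE32 magic
    struct.pack_into("<II", img, opt + 60, raw_off, checksum)   # SizeOfHeaders, CheckSum
    if cert_blob:                                               # DataDirectory[4] = IMAGE_DIRECTORY_ENTRY_SECURITY
        struct.pack_into("<II", img, opt + 96 + 4 * 8, len(img), len(cert_blob))
    img[opt + 224:opt + 232] = b".text\0\0\0"                    # section header: Name
    struct.pack_into("<IIII", img, opt + 232, len(text_data), 0x1000, len(text_data), raw_off)
    img[raw_off:] = text_data
    return bytes(img) + cert_blob


def authenticode_hash(pe, algo="sha256"):
    """Digest rules of the 2008 Authenticode PE spec: skip OptionalHeader.CheckSum and the SECURITY
    directory entry, hash sections in PointerToRawData order, then trailing data minus the cert table."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    sec_dir = opt + (96 if struct.unpack_from("<H", pe, opt)[0] == 0x10B else 112) + 4 * 8
    cert_len = struct.unpack_from("<II", pe, sec_dir)[1]
    soh = struct.unpack_from("<I", pe, opt + 60)[0]             # SizeOfHeaders
    h.update(pe[:opt + 64] + pe[opt + 68:sec_dir] + pe[sec_dir + 8:soh])
    secs = [struct.unpack_from("<II", pe, opt + opt_size + i * 40 + 16) for i in range(nsec)]
    hashed = soh
    for raw_size, raw_ptr in sorted(secs, key=lambda s: s[1]):  # ascending PointerToRawData
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    h.update(pe[hashed:len(pe) - cert_len])                     # trailing data, excluding the cert table
    return h.hexdigest()


def demo():
    code = bytes.fromhex("6A0068ADDE000068EFBE00006A00FF15FECA000033C0C3")   # .text bytes from slide 2
    cert = struct.pack("<IHH", 24, 0x0200, 0x0002) + b"\xAA" * 16           # stand-in WIN_CERTIFICATE, not real PKCS#7
    return {"unsigned": authenticode_hash(build_min_pe(code)),
            "signed": authenticode_hash(build_min_pe(code, 0x1234, cert)),
            # bytes inside the declared cert table never reach the digest; only a size-vs-PKCS#7 check sees them
            "cert_appended": authenticode_hash(build_min_pe(code, 0x1234, cert + b"extra bytes")),
            "tampered": authenticode_hash(build_min_pe(code[:-1] + b"\x90", 0x1234, cert))}
```

A verifier that only asks WinVerifyTrust whether the digest matches therefore cannot distinguish a clean certificate table from one carrying extra data; comparing the table's declared size against the PKCS#7 structure it contains is a separate check.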
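Added example (not from the deck or its author): a Python emulation of the Win32 normalization steps listed on slide 20, written to show why the trailing-space paths on slides 21 and 22 matter when the component checking a signature and the loader opening the file spell the path differently. It models only drive-letter, rooted and relative paths with the rules named on the slide; the NT-namespace \??\ spelling, UNC paths and 8.3 short names such as GOOGLE~2.EXE are not modelled, and the cwd default is a constructed value.

```python
import re


def normalize_win32_path(path, cwd="C:\\Windows\\System32"):
    """Simplified emulation of the Win32 steps on slide 20 (illustration, not the real
    RtlGetFullPathName_U). Drive-letter, rooted and relative paths only; cwd is a constructed default."""
    if path.startswith("\\\\?\\"):                      # Skipping Normalization: exactly \\?\ passes through
        return path
    if path.startswith(("\\\\", "//")):
        raise NotImplementedError("UNC and \\\\.\\ device paths are not modelled here")
    path = path.replace("/", "\\")                       # Canonicalizing Separators: / becomes \
    if re.match(r"^[A-Za-z]:\\", path):                  # Identifying the Path: drive-qualified absolute
        root, rest = path[:3], path[3:]
    elif path.startswith("\\"):                          # rooted on the current drive
        root, rest = cwd[:3], path[1:]
    else:                                                # Applying the Current Directory
        root, rest = cwd[:3], cwd[3:] + "\\" + path
    out = []
    for seg in rest.split("\\"):                         # repeated separators give empty segments
        if seg == "..":                                  # Evaluating Relative Components
            if out:
                out.pop()
        elif seg not in ("", "."):
            if seg.endswith(".") and not seg.endswith(".."):
                seg = seg[:-1]                           # Trimming Characters: one trailing period per segment
            out.append(seg)
    if out and not path.endswith("\\"):
        out[-1] = out[-1].rstrip(" .")                   # Trimming Characters: final segment loses spaces/periods
    return root + "\\".join(out) + ("\\" if out and path.endswith("\\") else "")


def refers_to_same_file(checked_path, opened_path):
    """Defender-side check: do two spellings reach the same file once normalized? Win32 compares
    file names case-insensitively, so compare the case-folded results."""
    return normalize_win32_path(checked_path).lower() == normalize_win32_path(opened_path).lower()
```

"C:\ithome\GoogleUpdate.exe " loses its trailing space under these rules, while the same string behind \\?\ keeps it and names a different file; a signature check and a file open that disagree on which form they use are checking and running different things.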