
CYBERSEC: Oops! Your signature isn't even being verified.

adr
August 11, 2020


For many security-conscious users, after downloading a well-known piece of software from the internet (e.g. CCleaner), the first step is usually to right-click the file and check whether it carries a digital signature, as a way of judging how far the program can be trusted. With so many malicious programs attacking across the internet every day, antivirus software relies even more heavily on digital signatures to avoid false positives that would annoy its users.

This talk first introduces the love-hate triangle between digital signatures, the program loader and the linker on Windows. It then walks through real examples of the points in time at which users and antivirus software check a digital signature, and works out the various abuse techniques that arise because users and antivirus products understand digital signatures differently.



Transcript

  1. 2020 414141414141414141 AAAAAAAAAA iThome # CyberSec Oops! Your signature isn't even being verified. [email protected]

  2. #Windows #Reversing #Pwn #Exploit $man • Master degree at CSIE,

    NTUST • Security Researcher - chrO.ot • Speaker - BlackHat, DEFCON, VXCON, HITCON • [email protected] • Hao's Arsenal
  3. [email protected] 1. Scenes in Practice 2. Authenticode 3. Attack Vectors

    → 5 methods + 2 demo 4. Recap /?outline
  4. [email protected] 〉〉〉Scenes in Practice

  5. [email protected] /?scene#1

  6. [email protected] /?scene#1

  7. [email protected] /?scene#1

  8. [email protected] /?scene#2

  9. [email protected] /?scenes You think checking the signature is enough to dodge hackers?

  10. [email protected] 〉〉〉Authenticode

  11. [email protected] # PE Overview 'MZ' DOS 'PE' File Header Opt Header Section Header 1 .NumberOfSections .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase .VA .size .RVA .text Section Header Array → .text (Data) 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3 PE /?
  12. [email protected] PE /? # PE Overview 'MZ' DOS 'PE' File Header .text .data .rdata Opt Header .Checksum .DataDirectory .AddressOfEntryPoint .ImageBase File Header .NumberOfSections Section Headers
  13. [email protected] • MSDN: Authenticode Digital Signatures • March 21, 2008:

    Windows Authenticode Portable Executable Signature Format • Authenticode signature 1. The file originates from a specific software publisher 2. The file has not been altered since it was signed /?Sign
  14. [email protected] /?Sign

  15. [email protected] /?Sign

  16. [email protected] /?Sign

  17. [email protected] /?Sign

  18. [email protected] /?Sign

  19. [email protected] /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe .text .data .rdata Section Headers IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) PKCS#7
  20. [email protected] /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .NumberOfSections .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  21. [email protected] /?Sign 'MZ' DOS 'PE' File Header Opt Header .Checksum .DataDirectory#4 File Header .text .data .rdata Section Headers (RVA + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe sort headers in order of VA hash()
  22. [email protected] Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata

    Section Headers PKCS#7 WinVerifyTrust( "C:\it\home\30cm_tw.exe" )= ?
  23. [email protected] Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt

    Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg PKCS#7
  24. [email protected] Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt

    Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  25. [email protected] Explorer syscall WinVerifyTrust( ... )= true 'MZ' 'PE' Opt

    Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  26. [email protected] 〉〉〉/?Attack Vectors

  27. [email protected] 〉〉〉/> Misc

  28. [email protected] /?misc#1

  29. [email protected] /?misc#1

  30. [email protected] PS C:\> signtool sign ... ICBC online-banking USB key (U-Shield), Alipay /?misc#1

  31. [email protected] PS C:\> signtool sign ... ICBC online-banking USB key (U-Shield), Alipay /?misc#1

  32. [email protected] • Process Hollowing • github.com/Zer0Mem0ry/RunPE • malware.exe + benignware.exe

    Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata 'MZ' .text .rdata .idata Process EntryPoint PEB "C:\infected\mal.exe" /?misc#2 mal.exe EntryPoint Loader
  33. [email protected] Opt Header .text .EntryPoint .ImageBase Section Data .rdata .idata

    a.exe Process PEB PE Module ntdll.dll VERSION.dll user32.dll ... LoadLibrary() $PATH: { "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ... } C:\hijack\a.exe /?misc#3 • FireEye: DLL Side-Loading • malware.dll + benignware.exe
  34. [email protected] /?misc Garbage session, you're just here stalling for time. I already know all of this. Meh.. mehh

  35. [email protected] 〉〉〉/> SignThief

  36. [email protected] Explorer syscall WinVerifyTrust( ... )= ? 'MZ' 'PE' Opt

    Header .text .data .idata Section Headers PKCS#7 Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData PKCS#7 hash()
  37. [email protected] benign.exe [Signed by M$] 'PE' Opt Header .text .data

    .idata Section Headers PKCS#7 malware.exe [malicious] 'PE' Opt Header .text .data .idata Section Headers PKCS#7 /?thief
  38. [email protected] /?thief

  39. [email protected] WinVerifyTrust()=false PKCS#7 hash() explorer.exe ntdll.dll kernel32.dll user32.dll Crypt32.dll Process

    /?thief Crypt32!CryptSIPGetSignedDataMsg Crypt32!CryptSIPVerifyIndirectData
  40. [email protected] • Subverting Trust in Windows by @mattifestation • https://gist.github.com/aaaddress1/870d745741b276484219e1a3cda800ed

    /?thief $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f $ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
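The two REG ADD lines above are the whole hijack: the Dll and FuncName values under CryptSIPDllVerifyIndirectData decide which code WinVerifyTrust ends up calling for the PE subject type, so pointing them at another DLL makes every signature "verify". The Python below is an added example, not code from the talk and not Matt Graeber's: it audits those registry values and flags any entry whose DLL lives outside System32/SysWOW64 or whose FuncName is not a *VerifyIndirectData or *GetSignedDataMsg entry point. audit_sip_entries, SAMPLE_ENTRIES, KNOWN_SIP_DLLS and the {SUBJECT-GUID-PLACEHOLDER} value are this example's own constructs (the sample entries mirror the slide's values); load_live_entries reads the real keys with winreg only when run on Windows and returns an empty list elsewhere.

```python
"""Audit the CryptSIP registry entries that a SIP hijack rewrites.

Added example, not from the talk. WinVerifyTrust resolves the verifier for a
subject type through HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\
CryptSIPDll*\{subject GUID}; the Dll and FuncName values there are what the
slide's REG ADD lines overwrite. Sample entries below are constructed.
"""
import ntpath
import re

SIP_SUBKEYS = ("CryptSIPDllGetSignedDataMsg", "CryptSIPDllVerifyIndirectData")
SYSTEM_DIRS = {"system32", "syswow64"}
# Bare DLL names are resolved by the loader's search order; this allowlist is an
# assumption of the example and should be extended from a known-good host.
KNOWN_SIP_DLLS = {"wintrust.dll", "mssip32.dll"}


def audit_sip_entries(entries, system_root="C:\\Windows"):
    """Return [(subkey, guid, [reasons])] for every entry that needs review."""
    findings = []
    for e in entries:
        reasons = []
        dll = re.sub(r"%systemroot%", lambda _: system_root, e["Dll"], flags=re.I)
        dll = ntpath.normpath(dll).lower()
        head, name = ntpath.split(dll)
        if head:
            parent, grand = ntpath.basename(head), ntpath.dirname(head)
            if parent not in SYSTEM_DIRS or grand != system_root.lower():
                reasons.append(f"Dll outside {system_root}\\System32 or SysWOW64: {e['Dll']}")
        elif name not in KNOWN_SIP_DLLS:
            reasons.append(f"bare Dll name not allowlisted (search-order resolved): {e['Dll']}")
        expected = e["subkey"].replace("CryptSIPDll", "", 1)   # e.g. VerifyIndirectData
        if not e["FuncName"].endswith(expected):
            reasons.append(f"FuncName {e['FuncName']} is not a *{expected} entry point")
        if reasons:
            findings.append((e["subkey"], e["guid"], reasons))
    return findings


def load_live_entries():
    """Read the real keys on Windows via winreg; returns [] on other platforms."""
    try:
        import winreg
    except ImportError:
        return []
    base = "SOFTWARE\\Microsoft\\Cryptography\\OID\\EncodingType 0"
    entries = []
    for subkey in SIP_SUBKEYS:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, f"{base}\\{subkey}") as k:
            i = 0
            while True:
                try:
                    guid = winreg.EnumKey(k, i)
                except OSError:
                    break                       # no more subject-type GUIDs
                i += 1
                with winreg.OpenKey(k, guid) as g:
                    dll = winreg.QueryValueEx(g, "Dll")[0]
                    func = winreg.QueryValueEx(g, "FuncName")[0]
                entries.append({"subkey": subkey, "guid": guid, "Dll": dll, "FuncName": func})
    return entries


# Constructed sample: two genuine-looking entries and the slide's hijacked one.
SAMPLE_ENTRIES = [
    {"subkey": "CryptSIPDllVerifyIndirectData", "guid": "{SUBJECT-GUID-PLACEHOLDER}",
     "Dll": "C:\\Windows\\System32\\WINTRUST.DLL", "FuncName": "CryptSIPVerifyIndirectData"},
    {"subkey": "CryptSIPDllGetSignedDataMsg", "guid": "{SUBJECT-GUID-PLACEHOLDER}",
     "Dll": "%SystemRoot%\\System32\\WINTRUST.DLL", "FuncName": "CryptSIPGetSignedDataMsg"},
    {"subkey": "CryptSIPDllVerifyIndirectData", "guid": "{SUBJECT-GUID-PLACEHOLDER}",
     "Dll": "C:\\test\\MySIP.dll", "FuncName": "AutoApproveHash"},
]

if __name__ == "__main__":
    for subkey, guid, reasons in audit_sip_entries(load_live_entries() or SAMPLE_ENTRIES):
        print(subkey, guid, *reasons, sep="\n  ")
```

The audit only covers the 64-bit view of HKLM; on a 64-bit host the same subkeys exist under WOW6432Node and deserve the same pass. Because the finding is about where trust decisions are delegated, anything flagged here is worth treating as a configuration incident rather than a curiosity.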
  41. [email protected] /?thief

  42. [email protected] /?thief

  43. [email protected] 〉〉〉/> Steganography

  44. [email protected] /?Sign 'MZ' Opt Header .DataDirectory#4 .text .data .rdata (RVA

    + Size) IMAGE_DIRECTORY_ENTRY_SECURITY PKCS#7 PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe hash() sizeof(WIN_CERTIFICATE) RVA
  45. [email protected] • BlackHat 2016: Certificate Bypass: Hiding and Executing Malware

    from a Digitally Signed Executable • Custom Loader + Steganography • Used for Bypassing Anti-Virus /?stego
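The signtool/hash() slides under /?Sign and the certificate-bypass slide above describe one fact from two sides: the Authenticode hash is computed over the file with the CheckSum field, data directory entry 4 and the attribute certificate table left out, so bytes placed inside that table do not invalidate the signature. The Python below is an added example, not code from the talk or from the BlackHat 2016 paper: it constructs a minimal PE32 image in memory (the .text bytes are the ones on the PE-overview slide), computes the Authenticode hash as the specification lays it out, and then measures how many bytes in the certificate table fall outside the PKCS#7 structure, which is the check a scanner can apply to catch a padded table. build_pe, authenticode_hash, cert_table_slack and the FAKE_PKCS7 stand-in blob are this example's own names and constructed data.

```python
"""Authenticode hashing over a constructed PE, plus a certificate-table check.

Added example, not the talk's code. The PE32 image, the checksum value and the
FAKE_PKCS7 blob are constructed; only the .text bytes come from the slide.
"""
import hashlib
import struct

SLIDE_TEXT_BYTES = bytes.fromhex("6A0068ADDE000068EFBE00006A00FF15FECA000033C0C3")
PE_OFFSET, OPT_HEADER_SIZE = 0x40, 0xE0            # PE32 optional header, 16 data directories
SIZE_OF_HEADERS = SECTION_RAW_SIZE = 0x200
IMAGE_DIRECTORY_ENTRY_SECURITY = 4


def _align8(n):
    return (n + 7) & ~7


def build_pe(text_bytes, cert_blob=None, checksum=0):
    """Construct a minimal PE32 image: headers, one .text section, optional cert table."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", PE_OFFSET)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, OPT_HEADER_SIZE, 0x102)
    cert_table, data_dirs = b"", [(0, 0)] * 16
    if cert_blob is not None:
        # WIN_CERTIFICATE: dwLength (8-byte aligned), wRevision 0x0200, wCertificateType 0x0002
        cert_table = struct.pack("<IHH", _align8(8 + len(cert_blob)), 0x0200, 0x0002) + cert_blob
        cert_table += b"\0" * (_align8(len(cert_table)) - len(cert_table))
        # Directory entry 4 holds a file offset (not an RVA) and the table size.
        data_dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (SIZE_OF_HEADERS + SECTION_RAW_SIZE, len(cert_table))
    opt = struct.pack("<HBBIIIIII", 0x10B, 14, 0, SECTION_RAW_SIZE, 0, 0, 0x1000, 0x1000, 0x1000)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                       0, 0x2000, SIZE_OF_HEADERS, checksum, 3, 0x8140,
                       0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in data_dirs)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x1000, SECTION_RAW_SIZE,
                          SIZE_OF_HEADERS, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + file_hdr + opt + section
    headers += b"\0" * (SIZE_OF_HEADERS - len(headers))
    return headers + text_bytes.ljust(SECTION_RAW_SIZE, b"\0") + cert_table


def _security_dir(data):
    """Return (PE header offset, optional-header offset, security directory entry offset)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dir_base = opt + (96 if magic == 0x10B else 112)     # PE32 vs PE32+
    return pe, opt, dir_base + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY


def authenticode_hash(data, algo="sha256"):
    """Hash the image the way Authenticode does and return the hex digest."""
    pe, opt, sec_dir = _security_dir(data)
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
    checksum_off = opt + 64
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                   # headers up to CheckSum
    h.update(data[checksum_off + 4:sec_dir])        # skip CheckSum, up to the security entry
    h.update(data[sec_dir + 8:size_of_headers])     # skip the security entry, rest of headers
    sections = []
    for i in range(num_sections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, opt + opt_size + 40 * i + 16)
        sections.append((raw_ptr, raw_size))
    end = size_of_headers
    for raw_ptr, raw_size in sorted(sections):      # section data in file-offset order
        h.update(data[raw_ptr:raw_ptr + raw_size])
        end = max(end, raw_ptr + raw_size)
    # Data after the last section is hashed too, except the certificate table itself.
    h.update(data[end:cert_off] + data[cert_off + cert_size:] if cert_size else data[end:])
    return h.hexdigest()


def _der_total_length(blob):
    """Length of the outer DER element (tag, length, content); 0 if not a SEQUENCE."""
    if len(blob) < 2 or blob[0] != 0x30:
        return 0
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def cert_table_slack(data):
    """(bytes in the cert table outside any PKCS#7 structure, suspicious?)."""
    _, _, sec_dir = _security_dir(data)
    cert_off, cert_size = struct.unpack_from("<II", data, sec_dir)
    pos, slack = cert_off, 0
    while pos + 8 <= cert_off + cert_size:
        length = struct.unpack_from("<I", data, pos)[0]
        if length < 8:
            break                                   # malformed entry; stop walking
        body = data[pos + 8:pos + length]
        slack += len(body) - _der_total_length(body)
        pos += _align8(length)
    return slack, slack >= 8                        # up to 7 bytes is alignment padding


# Constructed stand-in for a PKCS#7 SignedData blob: DER SEQUENCE { OCTET STRING "abc" }.
FAKE_PKCS7 = bytes.fromhex("30050403616263")
```

Run against the constructed image, changing the checksum or appending the certificate table leaves authenticode_hash unchanged while flipping one .text byte changes it; cert_table_slack reports the few bytes of alignment padding for a clean table and a large, flagged number when extra data is packed behind the blob. On a real signed file the same two functions apply unchanged, and the slack figure is the one to alert on.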
  46. [email protected] 〉〉〉/> PathNormaliz

  47. [email protected] • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON www.youtube.com/watch?v=6LUo-Crd9pc
  48. [email protected] Path Normalization by Jeremy Kuhne Path Format Overview by

    Jeremy Kuhne /?normaliz if the path does not start with exactly \\?\ it will be normalized. • Identifying the Path and Legacy Devices • Applying the Current Directory • Canonicalizing Separators • Evaluating Relative Components • Trimming Characters An important exception: if you have a device path that begins with a question mark instead of a period It must use the canonical backslash. • Skipping Normalization
  49. [email protected] normaliz RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") ) RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" ) $p = L"\??\C:\Windows\System32\a.exe" AiLaunchProcess(L"C:\Windows \System32\a.exe") /?
  50. [email protected] /?normaliz

  51. [email protected] /?normaliz

  52. [email protected] Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata

    Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate " )= ? /?normaliz
  53. [email protected] Explorer syscall 'MZ' 'PE' Opt Header .text .data .idata

    Section Headers PKCS#7 WinVerifyTrust( "\??\C:\ithome\GoogleUpdate.exe " )= ? /?normaliz WinVerifyTrust( "\C:\ithome\GoogleUpdate.exe" )= ? "\??\C:\ithome\GOOGLE~2.EXE"
  54. [email protected] /?normaliz

  55. [email protected] /?normaliz

  56. [email protected] /?normaliz
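The slides from /?normaliz onward make one point: the same file can be reached through several spellings (a component with a trailing space, a trailing space after the name, a \??\ prefix, an 8.3 short name such as GOOGLE~2.EXE), and a trust decision made on one spelling while the loader opens another is a gap. The Python below is an added example, not the talk's code and not a wrapper around the Windows calls named on the slides (GetLongPathNameW, RtlDosPathNameToRelativeNtPathName_U): it models the Win32 normalization steps listed on the Jeremy Kuhne slide so a path-based check can reduce a string to one form, and it names the spellings that stay ambiguous after normalization so the check can refuse them instead. normalize_win32_path, suspicious_path_features and the assumed current directory C:\ithome are this example's own constructs.

```python
"""Win32 path normalization modelled on the steps listed on the slide.

Added example, not the talk's code. The current directory is an assumed value,
and the normalization here follows the documented Win32 rules rather than
calling the Windows APIs the slide names.
"""
import re

LEGACY_DEVICE = re.compile(r"(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?", re.I)
SHORT_NAME = re.compile(r"[^\\]{1,6}~\d+(\.[^\\]{0,3})?")      # 8.3 shape, e.g. GOOGLE~2.EXE
PREFIXES = ("\\\\?\\", "\\\\.\\", "\\??\\")                    # Win32 device and NT forms


def normalize_win32_path(path, cwd="C:\\ithome"):
    """Return the normalized form of a Win32 path string."""
    if path.startswith("\\\\?\\"):                 # skipping normalization: exactly \\?\ passes through
        return path
    p = path.replace("/", "\\")                     # canonicalize separators
    m = LEGACY_DEVICE.fullmatch(p)                  # legacy devices, also with an extension
    if m:
        return "\\\\.\\" + m.group(1).upper()
    if p.startswith("\\\\.\\"):                     # device path: keep the prefix, normalize the rest
        prefix, p = p[:4], p[4:]
    elif p.startswith("\\\\"):                      # UNC: \\server\share\...
        prefix, p = p[:2], p[2:]
    elif re.match(r"[A-Za-z]:\\", p):               # fully qualified drive path
        prefix, p = p[:3], p[3:]
    elif re.match(r"[A-Za-z]:", p):                 # drive-relative (C:foo): that drive's current dir
        base = cwd if cwd[:2].upper() == p[:2].upper() else p[:2].upper() + "\\"
        prefix, p = base.rstrip("\\") + "\\", p[2:]
    elif p.startswith("\\"):                        # rooted: root of the current drive
        prefix, p = cwd[:3], p[1:]
    else:                                           # relative: apply the current directory
        prefix, p = cwd.rstrip("\\") + "\\", p
    trailing_sep = p.endswith("\\")
    segments = []
    for seg in p.split("\\"):                       # evaluate relative components
        if seg in ("", "."):                        # runs of separators and "." vanish
            continue
        if seg == "..":
            if segments:                            # ".." never climbs above the root
                segments.pop()
            continue
        if seg.endswith(".") and not seg.endswith(".."):
            seg = seg[:-1]                          # trimming: one trailing period per segment
        segments.append(seg)
    if segments and not trailing_sep:               # trimming: trailing spaces/periods at the end
        segments[-1] = segments[-1].rstrip(" .")
    return prefix + "\\".join(segments) + ("\\" if trailing_sep and segments else "")


def suspicious_path_features(path):
    """Name the properties that let two strings reach one file past a path-based check."""
    reasons = set()
    body = path
    if path.startswith(PREFIXES):
        reasons.add("device-or-nt-prefix")
        body = path[4:]
    parts = body.split("\\")
    # A non-final component keeps its trailing space under Win32 normalization, so
    # "C:\Windows \System32" and "C:\Windows\System32" stay distinct strings.
    if any(s and s != s.rstrip(" .") for s in parts[:-1]):
        reasons.add("component-with-trailing-space-or-period")
    if parts[-1] != parts[-1].rstrip(" ."):
        reasons.add("trailing-space-or-period")
    if any(SHORT_NAME.fullmatch(s) for s in parts):
        reasons.add("8.3-short-name-component")
    return reasons


if __name__ == "__main__":
    for sample in ("C:\\Windows \\System32\\a.exe", "\\??\\C:\\ithome\\GOOGLE~2.EXE",
                   "C:\\ithome\\.\\sub\\..\\GoogleUpdate.exe "):
        print(repr(sample), "->", repr(normalize_win32_path(sample)),
              sorted(suspicious_path_features(sample)))
```

The useful property for a defender is in the second function: normalization alone does not make "C:\Windows \System32\a.exe" equal to "C:\Windows\System32\a.exe", which is why a rule that compares normalized strings to an allow list is not enough; any path that still carries one of the named features should be resolved through the file system to its long, canonical name before the trust decision, or rejected.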

  57. [email protected] />defender

  58. [email protected] />defender

  59. [email protected] 〉〉〉Recap

  60. [email protected] • Attack Vectors • Misc / DLL Side-Loading /

    Process Hollowing • WinTrust & Crypt32 • Authenticode & PKCS#7 Issue • Path Normalization • UAC Bypass • Signature Cheat • Attack path based protection e.g. AppLocker, Defender /?Recap
  61. [email protected] • Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoad after 2013 • New Vulnerability - 3 ideas inspired by PowerLoad • Summary /?HITCON
  62. 2020 414141414141414141 AAAAAAAAAA iThome # CyberSec Thanks! [email protected] Slide Github

    @aaaddress1 Facebook