Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Playing Malware Injection with Exploit thoughts

adr
August 11, 2018
Technology
1
910

Playing Malware Injection with Exploit thoughts

In the past, when hackers did malicious program code injection, they used to adopt RunPE, AtomBombing, cross-process creation threads, and other approaches. They could forge their own execution program as any critical system service. However with increasing process of anti-virus techniques, these sensitive approaches have been gradually proactively killed. Therefore, hackers began to aim at another place, namely memory-level weakness, due to the breakages of critical system service itself.

This agenda will simply introduce a new memory injection technique that emerged after 2013, PowerLoadEx. Based on this concept, three new injection methods will be disclosed as well. These makes good use of the memory vulnerability in Windows to inject malicious behavior into system critical services. The content will cover Windows reverse analysis, memory weakness analysis, how to use and utilize, and so on. The relevant PoC will be released at the end of the agenda.

adr

August 11, 2018
Tweet

More Decks by adr

See All by adr
Skrull Like A King: 從重兵看守的天眼防線殺出重圍
aaaddress1
3
1.1k
Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland
aaaddress1
0
640
重建天堂之門:從 32bit 地獄一路打回天堂聖地
aaaddress1
0
210
Reversing In Wonderland: Neural Network Based Malware Detection Techniques
aaaddress1
2
600
CYBERSEC: 唉唷,你的簽章根本沒在驗啦。
aaaddress1
1
3.4k
SITCON: Playing Win32 Like a K!NG ;)
aaaddress1
2
940
NTUST [2019]: Windows Reversing
aaaddress1
0
970
Duplicate Paths Attack: Get Elevated Privilege from Forged Identities
aaaddress1
0
1.2k
SDN Final Report
aaaddress1
0
410

Other Decks in Technology

See All in Technology
Agileを始める前に知っておきたい3つの真実
chiroruxx
4
850
“品質”をみんなのものにするために行なっている入社者オンボーディング/Onboarding new members to think about "quality" together
mii3king
0
220
WebGLやCanvasを使ったデータ可視化コンテンツ開発/nikkei-tech-talk5-3
nikkei_engineer_recruiting
0
120
ここから始めるDevOps CI/CD編
devops_vtj
0
100
作って理解するバックドア
ad5jp
0
220
人生がときめく自宅ネットワークの魔法
tatematsu_san
1
480
[k8sjp #56] Kustomize v5 を含む最新機能とテクニックの紹介
koba1t
0
350
ChatGPTにR言語を教えてもらう(仮)
doradora09
1
180
Pain-free APIs with Smithy4s
kubukoz
0
130
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.4k
ITエンジニアとして大切にしている3つのこと
korodroid
1
320
技育祭2023春 ちゅらデータ講演資料
foursue
1
630

Featured

See All Featured
Reflections from 52 weeks, 52 projects
jeffersonlam
339
18k
Designing Experiences People Love
moore
130
22k
It's Worth the Effort
3n
177
26k
Happy Clients
brianwarren
90
5.9k
Facilitating Awesome Meetings
lara
34
4.7k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
217
21k
WebSockets: Embracing the real-time Web
robhawkes
58
6.1k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
227
16k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
349
27k
In The Pink: A Labor of Love
frogandcode
133
21k
Building Adaptive Systems
keathley
28
1.4k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k

Transcript

  1. Playing Malware Injection
    with Exploit thoughts
    [email protected]

    View Slide

  2. • Master degree at CSIE, NTUST
    • Security Researcher - chrO.ot, TDOHacker
    • Speaker - BlackHat, VXCON, HITCON
    >_cat ./Bio

    View Slide

  3. • Introduction
    • Challenge When we meet Anti-Virus
    • Interesting Case - PowerLoader since 2013
    • New Vulnerability - 3 idea inspired by PowerLoader
    • Summary
    >_ls ./agenda

    View Slide

  4. [email protected]
    Quickly Review:
    What's Malware Injection?

    View Slide

  5. >_man inject
    (`_´)ゞ Used for bypassing whitelist checking, byassing
    anti-virus, privilege escalation, etc.
    e.g.
    • DLL Side-Loading + Digital Signature = Bypassing anti-virus
    • Remote Inject + whitelisted process = Bypassing whitelist
    • Inject explorer + DLL Side-Loading + Self-elevate Service

    = Bypassing Windows UAC (User Account Control) *Vista ~ Win8*

    View Slide

  6. >_man inject
    There're serval well-known techniques
    • Shellcode Inject or DLL Inject - OpenProcess, VirtualAllocExRWX,
    WriteProcessMemory, CreateRemoteThread

    • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessASuspended,
    Mapping PE FileVirtualAllocEx + WriteProcessMemory, GetThreadContext, and
    ResumeThread to Execute exe file from memory

    • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT
    Hijack

    • Memory Exploit (PowerLoaderEX) - SetWindowLong, SendNotifyMessage

    View Slide

  7. (ꐦ`•ω•´)!!!
    Here are the 4 primary challenges that
    you'll encounter during injection.
    >_man inject

    View Slide

  8. There are 4 primary challenges in injection:
    1. What's target - choose a target to inject, and it should be
    meaningful. e.g. explorer, svchost

    2. Where to place - find memory for us to place RWX memory or
    ROPChain payload. e.g. VirtualAllocEx

    3. How to inject payload - any way for us to write payload into
    remote process memory

    4. How to execute - create a new thread to execute or hijack
    current thread of that process?
    >_man inject

    View Slide

  9. [email protected]
    Interesting Case:
    Powerloader since 2013

    View Slide

  10. Powerloader,
    aka Extra Window Vulnerability

    View Slide

  11. >_Shell_TrayWnd?

    View Slide

  12. >_Shell_TrayWnd?
    Window event callback function

    View Slide

  13. >_s_WndProc?

    View Slide

  14. >_s_WndProc?

    View Slide

  15. >_how it works
    Explorer Process Memory
    Low Address ➔
    High Address ➔
    Shell_TrayWnd
    Window Class Structure
    +0 - 0xcafe (vtable)
    +4 - window hwnd
    ...

    View Slide

  16. Explorer Process Memory
    Shell_TrayWnd
    +0 - 0xcafe (vtable)
    +4 - window hwnd
    ...
    vtable @ 0xcafe
    +0 - Interlocked (inc)
    +4 - message callback
    +8 - Interlocked (inc)
    >_how it works

    View Slide

  17. Explorer Process Memory
    Shell_TrayWnd
    +0 - 0xcafe (vtable)
    +4 - window hwnd
    ...
    vtable @ 0xcafe
    +0 - Interlocked (inc)
    +4 - message callback
    +8 - Interlocked (inc)
    Operating System
    1) Send Window Message
    2) Send Window Message
    3) Invoke s_wndProc function
    4) Invoke several
    function from vtable
    >_how it works

    View Slide

  18. Explorer Process Memory
    Shell_TrayWnd
    +0 - 0xcafe (vtable)
    +4 - window hwnd
    ...
    vtable @ 0xcafe
    +0 - Interlocked (inc)
    +4 - message callback
    +8 - Interlocked (inc)
    >_issue?
    GetWindowLong()

    View Slide

  19. Explorer Process Memory
    Shell_TrayWnd
    +0 - 0xbeef 0xcafe
    +4 - window hwnd
    ...
    >_issue?
    GetWindowLong()
    vtable @ 0xcafe
    +0 - Interlocked (inc)
    +4 - message callback
    +8 - Interlocked (inc)
    fake vtable @ 0xbeef
    +0 - shellcode addr
    +4 - shellcode
    ...
    SetWindowLong()

    View Slide

  20. Explorer Process Memory
    malicious
    Shell_TrayWnd
    >_issue?
    GetWindowLong()
    payload
    SetWindowLong()
    +0 - fake vtable ($+4)
    fake vtable
    +4 - shellcode addr ($+8)
    +8 - shellcode
    pwn!

    View Slide

  21. >_abuse vtable

    View Slide

  22. >_abuse vtable

    View Slide

  23. [email protected]
    Demo

    View Slide

  24. [email protected]
    3 more vulnerability:
    From Exploit to Inject

    View Slide

  25. Actually,
    Many old-design services in Windows
    don't have vtable mitigation (° ꈊ °)✧˖

    View Slide

  26. [email protected]
    #1
    Ole32 DropEnter Event

    View Slide

  27. >_cat ./ole32_init

    View Slide

  28. >_cat ./reg_dropevent

    View Slide

  29. >_man LPDROPTARGET
    IDropTarget actually is a virtual method table :)

    View Slide

  30. >_issue?
    vtable addr is determined by GetProp()
    so... it's really easy for us to
    hijack vtable just by SetProp()
    This callback function is used to deal
    with dropping file to Start Button of
    Explorer.exe

    View Slide

  31. >_how it works
    explorer Process Memory
    Low Address ➔
    High Address ➔
    DropTarget @ 0xc0fee
    DropTarget Structure
    +4 - function 1
    ...
    +8 - function 2
    +0C- dropfile func
    Prop Name Value
    OleDropTargetInterface 0xc0fee
    write DropTarget structure address (0xc0fee) via
    SetPropW() in function explorer!RegisterDragDrop
    +0 - 0xc0fee (this)

    View Slide

  32. >_how it works
    explorer Process Memory
    DropTarget @ 0xc0fee
    Prop Name Value
    OleDropTargetInterface 0xbeef
    payload @ 0xbeef
    +0 - 0xbeef (this)
    +4 - don't care
    ...
    +8 - don't care
    +0C- shellcode addr
    it's easy for us to change the return value of
    GetPropW("OleDropTargetInterface") from 0xc0fee
    to 0xbeef (malicious payload).

    View Slide

  33. explorer Process Memory
    Operating System
    1) Send Window Message (Drag & Drop)
    2)
    GetPropW("OleDropTargetInterface")
    3) Invoke drop file function from vtable,
    invoke shellcode addr = *(beef+0c)
    >_how it works
    DropTarget @ 0xc0fee
    payload @ 0xbeef
    +0 - 0xbeef (this)
    +4 - don't care
    ...
    +8 - don't care
    +0C- shellcode addr
    Prop Name Value
    OleDropTargetInterface 0xbeef

    View Slide

  34. >_abuse vtable

    View Slide

  35. >_abuse vtable

    View Slide

  36. [email protected]
    Demo

    View Slide

  37. [email protected]
    #2
    Comctl32 SubClass Event

    View Slide

  38. >_cat FastGetSubclsHdr

    View Slide

  39. >_cat MstSubclsProc

    View Slide

  40. >_cat EnterSubclsFram

    View Slide

  41. >_cat CallNxtSubclsProc

    View Slide

  42. >_cat EntrSubclsCallbk

    View Slide

  43. >_abuse vtable

    View Slide

  44. >_abuse vtable

    View Slide

  45. >_abuse vtable

    View Slide

  46. [email protected]
    Demo

    View Slide

  47. [email protected]
    #3
    Thread Hijacking (win10+)

    View Slide

  48. 3) create first thread of this process,
    point register eax to AddressOfEntry,
    point ebx+8 (TIB base + 8) to image base,
    and point eip to ntdll!LdrInitializeThunk
    Process
    >_Process?
    Kernel (ring0)
    Application (ring3)
    1) create process
    via CreateProcess()
    2) mapping file into memory
    iexplorer.exe
    .data section
    .text section
    AddressOfEntry
    ntdll.dll
    kernel32.dll
    ...

    View Slide

  49. >_Process?
    Process
    iexplorer.exe
    ntdll.dll
    kernel32.dll
    ...
    Call Stack
    --------------
    _LdrpSnapModule
    _LdrpMapAndSnapDependency
    _LdrpMapDllWithSectionHandle
    _LdrpLoadKnownDll
    _LdrpFindOrPrepareLoadingModule
    _LdrpLoadDllInternal
    _LdrpLoadDll
    _LdrLoadDll
    _LdrpInitializeProcess
    __LdrpInitialize
    _LdrInitializeThunk
    fix import address table,
    fix export directory,
    apply relocation, etc
    .text section ntdll!LdrInitializeThunk

    View Slide

  50. >_Process?
    ntdll!LdrInitializeThunk
    [email protected]
    Process
    iexplorer.exe
    .text section
    ntdll.dll
    kernel32.dll
    ...
    ntdll!RtlUserThreadStart
    RtlUserThreadStart is entry-point of every thread.
    We can hijack thread via write shellcode address into
    global variable ‘LdrDelegatedRtlUserThreadStart'.

    View Slide

  51. 3) point 'LdrDelegatedRtlUserThreadStart'
    to shellcode address
    Process
    >_Abuse
    Malware
    1) get privilege of target process
    via OpenProcess()
    2) mapping shellcode into target process
    chrome.exe
    .data section
    .text section
    shellcode
    ...
    ntdll.dll
    LdrDelegatedRtlUserThreadStart
    4) every new thread of target process
    can be hijack to invoke shellcode

    View Slide

  52. [email protected]
    Demo

    View Slide

  53. Thanks for listening
    [email protected]
    Slide
    Github @aaaddress1
    Facebook

    View Slide