
SITCON: Playing Win32 Like a K!NG ;)

adr
August 08, 2020


Since Windows Vista, Windows has shipped with UAC (User Account Control), which was supposed to be one of its more important anti-malware defenses, stopping the harmful actions of unknown malicious programs for us. Reality paints a sorry picture instead: the UAC service has ended up as little more than an annoying consent pop-up, and it has failed to stop countless malware attacks.

This session gives an overview of the Maginot Line that is Microsoft's protection architecture on Windows, how Win32 processes are loaded, a reverse-engineering analysis of how UAC is implemented, the security assumptions Microsoft made when designing UAC, and how the big names have blown your UAC protection apart.

sysDoor: gist.github.com/aaaddress1/6c4276155104a5b7df9ab15221c91f69


Transcript

  1. #Windows #Reversing #Pwn #Exploit
     $man
     • Master's degree, CSIE, NTUST
     • Security Researcher - chrO.ot
     • Speaker - BlackHat, DEFCON, VXCON, HITCON
     • [email protected]
     • Hao's Arsenal
  2. /?outline
     1. UAC Design
     2. Exploit Attacks
        1. Misc Method
        2. CIA Vault7: Elevated COM Object Method
        3. UAC Bypass by Mocking Trusted Directories
     3. Recap
  3. (Diagram: Ring3 above the syscall boundary, Ring0 below)
     Explorer → (A.) RunAs → (B.) sends a task, as an RPC message, to the UAC service (Application Information, appinfo), asking it to create a child process at a different privilege level.
     UAC service: RPC → trust_authA → consent.exe → trust_authB → privileged child process.
  4. /?auth_a
     • TrustAuth_A # trust path verify (pseudocode of the reversed check)
         $p = ToDosName("C:\\a.exe")    # \??\C:\a.exe
         $p.startswith(\??\C:\Windows\System32) or $p.startswith(\??\C:\Windows\SysWoW64)
         deny-list
  5. /?auth_b
     • TrustAuth_B
       - whitelisted *.exe carrying a Microsoft signature, or
       - autoElevate marked TRUE in the embedded manifest.xml
  6. /?Bypass
     • UAC: "What the Emperor does not grant, you shall not take!"
     • TrustAuth_A # is the binary from the trusted zone?
       A. launched from the system directory
       B. whitelisted + signed by Microsoft
     • TrustAuth_B # should it be elevated?
       C. marked as auto-elevated, or whitelisted
       PS C:\> sigcheck.exe -m C:\Windows\System32\Taskmgr.exe
     So now... we have a lovely list of targets.
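The slide builds the target list one binary at a time with sigcheck -m. The script below is an added example (not from the deck or its author) that does the same sweep over the whole system directory in PowerShell: the embedded manifest is stored as plain UTF-8 XML in the resource section, so a regex over the raw file bytes is enough to find autoElevate, and Get-AuthenticodeSignature covers the TrustAuth_B signature half. Names such as Get-AutoElevateTargets are this example's own.

```powershell
# Added example (not from the talk): enumerate the auto-elevation "target list" in
# PowerShell. Auth_A wants the EXE in the system directory, Auth_B wants it signed by
# Microsoft or marked <autoElevate>true</autoElevate>; both are checked here.
$system32    = Join-Path $env:SystemRoot 'System32'
# Manifests write the element with or without a namespace prefix (e.g. asmv3:autoElevate)
$autoElevate = [regex]'<(?:\w+:)?autoElevate>\s*true\s*</(?:\w+:)?autoElevate>'
# Latin-1 maps every byte to exactly one char, so ASCII text inside the binary survives
$latin1      = [System.Text.Encoding]::GetEncoding(28591)

function Get-AutoElevateTargets {
    param([string]$Directory = $system32)

    foreach ($exe in Get-ChildItem -LiteralPath $Directory -Filter '*.exe' -File) {
        try   { $text = $latin1.GetString([System.IO.File]::ReadAllBytes($exe.FullName)) }
        catch { continue }                              # unreadable file: not a candidate we can judge
        if (-not $autoElevate.IsMatch($text)) { continue }

        # Catalog-signed OS binaries report Valid with IsOSBinary set on Windows 10;
        # embedded-signed ones carry a SignerCertificate we can name.
        $sig = Get-AuthenticodeSignature -LiteralPath $exe.FullName
        [pscustomobject]@{
            Name       = $exe.Name
            SigStatus  = $sig.Status
            IsOSBinary = $sig.IsOSBinary
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(catalog)' }
        }
    }
}

Get-AutoElevateTargets | Sort-Object Name | Format-Table -AutoSize
# Run again with -Directory (Join-Path $env:SystemRoot 'SysWoW64') for the 32-bit set
```

Anything listed with SigStatus Valid is exactly what the slide means by a "target": it passes both trust checks, so a DLL it loads from a writable or spoofable location is what the rest of the deck goes after. sigcheck -m remains the reference when a result looks odd, since this sweep only pattern-matches the manifest text.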
  7. /?misc#2
     • So can we get a high-privilege service to call us directly?
     • Bypassing UAC on Windows 10 using Disk Cleanup
       enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup
  8. /?hijack
     (Diagram) 'PE' file a.exe: Opt Header (.EntryPoint, .ImageBase), Section Data (.text, .rdata, .idata) → a.exe process: PEB, PE module, ntdll.dll, VERSION.dll, user32.dll, ...
     LoadLibrary() search order for C:\hijack\a.exe: { "C:\hijack\VERSION.dll", "C:\Windows\System32\VERSION.dll", "C:\Windows\SysWoW64\VERSION.dll", ... }
     The application's own directory is searched before System32, so a VERSION.dll dropped next to a.exe is the one that gets loaded.
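The diagram shows the search order for one DLL. The script below is an added example (not from the deck or its author) that turns it into a check a practitioner can run against any target: it walks the EXE's import table from the raw file and flags which imported names a side-loading hijack could satisfy. It uses two facts the talk relies on: the EXE's own directory is searched first, and names on the KnownDLLs list (the list Microsoft extended when it closed the Vault 7-era hijacks) are always mapped from System32 regardless of the search path. Function names are this example's own; the PE offsets are the standard IMAGE_* layout.

```powershell
# Added example (not from the talk): list the DLLs a target EXE imports and flag which
# of them a side-loading hijack could satisfy from the application directory.
function Get-ImportedDlls {
    param([Parameter(Mandatory)][string]$Path)

    $b   = [System.IO.File]::ReadAllBytes($Path)
    $u16 = { param($o) [System.BitConverter]::ToUInt16($b, [int]$o) }
    $u32 = { param($o) [System.BitConverter]::ToUInt32($b, [int]$o) }

    if ((& $u16 0) -ne 0x5A4D) { throw "$Path is not an MZ executable" }
    $pe = & $u32 0x3C                                       # IMAGE_DOS_HEADER.e_lfanew
    if ((& $u32 $pe) -ne 0x4550) { throw "$Path has no PE signature" }

    $coff      = $pe + 4                                    # IMAGE_FILE_HEADER
    $nSections = & $u16 ($coff + 2)
    $optSize   = & $u16 ($coff + 16)
    $opt       = $coff + 20                                 # IMAGE_OPTIONAL_HEADER
    # Data directories start at +96 (PE32, magic 0x10B) or +112 (PE32+, 0x20B); import table is entry 1
    $dirBase   = if ((& $u16 $opt) -eq 0x20B) { $opt + 112 } else { $opt + 96 }
    $importRva = & $u32 ($dirBase + 8)
    if ($importRva -eq 0) { return @() }

    # Section headers (40 bytes each) follow the optional header; needed to map RVAs to file offsets
    $sections = for ($i = 0; $i -lt $nSections; $i++) {
        $s = $opt + $optSize + 40 * $i
        [pscustomobject]@{ VSize = (& $u32 ($s + 8)); VA = (& $u32 ($s + 12)); Raw = (& $u32 ($s + 20)) }
    }
    $rvaToOff = {
        param($rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VA -and $rva -lt ($s.VA + $s.VSize)) { return $rva - $s.VA + $s.Raw }
        }
        throw ("RVA 0x{0:X} is not backed by any section" -f $rva)
    }

    # Walk IMAGE_IMPORT_DESCRIPTOR entries (20 bytes, Name RVA at +12) up to the all-zero terminator
    $desc = & $rvaToOff $importRva
    while ((& $u32 ($desc + 12)) -ne 0) {
        $nameOff = & $rvaToOff (& $u32 ($desc + 12))
        $end     = [Array]::IndexOf($b, [byte]0, [int]$nameOff)
        [System.Text.Encoding]::ASCII.GetString($b, [int]$nameOff, [int]($end - $nameOff))
        $desc += 20
    }
}

function Get-HijackCandidates {
    param([Parameter(Mandatory)][string]$Path)

    # KnownDLLs are mapped from System32 by the loader no matter where the EXE lives
    $key       = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $knownDlls = $key.GetValueNames() | Where-Object { $_ -notlike 'DllDirectory*' } | ForEach-Object { $key.GetValue($_) }

    foreach ($dll in Get-ImportedDlls -Path $Path) {
        $apiSet = ($dll -like 'api-ms-win-*') -or ($dll -like 'ext-ms-*')   # resolved via the API set schema, not the file system
        $known  = $knownDlls -contains $dll                                 # -contains is case-insensitive
        [pscustomobject]@{
            Dll        = $dll
            KnownDll   = $known
            ApiSet     = $apiSet
            # Everything else is looked up in the EXE's own directory first, so a planted copy wins
            Hijackable = -not ($known -or $apiSet)
        }
    }
}

Get-HijackCandidates -Path (Join-Path $env:SystemRoot 'System32\Taskmgr.exe') | Format-Table -AutoSize
```

Two caveats when reading the output: DLLs that a KnownDLL itself depends on are treated as known too, so the registry list understates what the loader pins to System32; and this only covers static imports, so anything the target loads later with LoadLibrary (the VERSION.dll case on the slide) has to be found with Process Monitor or by reversing the binary.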
  9. /?bypass#1
     • DLL Side-Loading → hijack auto-elevated Windows binaries by dropping a malicious *.dll
     • IFileOperation → arbitrary file write if you are Explorer → drop a *.dll into C:\Windows\System32 to hijack
     • DLL Injection → do things as Explorer
     https://github.com/hjc4869/UacBypass
  10. /?bypass#1
      (Diagram) malware → explorer.exe process (ntdll.dll, kernel32.dll, user32.dll, malware.dll):
        (a.) inject the *.dll module into explorer.exe
        (b.) create a new thread there to wake the malware up
        (c.) drop a *.dll into %SystemRoot%\System32 to hijack the target
        (d.) get privileged when system32\cliconfg.exe auto-elevates and loads the planted DLL
  11. /?bypass4what
      • Change the Windows product key → the attacker can "install" a genuine Windows for you!
      • Run the disk management tools → PC slow, too much junk? The attacker defragments your disk for you
      • Remove your antivirus → think the AV slows your PC down? No problem, the attacker deletes it for you (⁎⁍̴̛ᴗ⁍̴̛⁎)
      • Write startup entries → the attacker plants a backdoor that runs at boot and watches over you ;)
  12. /?MasqueradePEB
      (Diagram) Source.cpp → Compiler → 'MZ' PE file (Opt Header: ImageBase; sections .text, .rdata, .idata) → Application Loader → Process: EntryPoint, PE module, and a PEB whose process image path has been rewritten to read "C:\Windows\explorer.exe"
  13. /?bypass#2
      • DLL Side-Loading → hijack auto-elevated Windows binaries by dropping a malicious *.dll
      • IFileOperation + MasqueradePEB → arbitrary file write as "Explorer" → drop a *.dll into C:\Windows\System32 to hijack
  14. (Repeat of slide 10, the bypass#1 flow.)
  15. /?bypass#2
      (Diagram) malware.exe process (ntdll.dll, kernel32.dll, user32.dll):
        (a.) masquerade the current image path in the PEB as "C:\Windows\explorer.exe"
        (b.) drop a *.dll into %SystemRoot%\System32 to hijack the target
        (c.) get privileged when system32\cliconfg.exe auto-elevates and loads the planted DLL
  16. /?WikiLeaks
      Vault 7: CIA Hacking Tools Revealed
      wikileaks.org/ciav7p1/cms/page_3375231.html
      Microsoft patched this after Windows 10 version 1607 (including the known *.dll names that led to the hijack).
  18. (Repeat of slide 3, the UAC service RPC flow.)
  19. (Repeat of slide 6, /?Bypass.)
  20. (Repeat of slide 4, /?auth_a.)
  21. /?attack
      • TrustAuth_A - path normalization issues
      • TrustAuth_B - whitelisted EXE files with a trusted signature
                    - EXE files marked AutoElevated
        → DLL side-loading tricks to hijack Windows binaries
      • UAC bypass by mocking trusted directories
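The slide names the path-normalization weakness and "mocking trusted directories" without spelling them out. The script below is an added example (not from the deck or its author) written from the defender's side of that public technique: a directory such as "C:\Windows \System32\" (trailing space after Windows) can be created through the \\?\ device-path prefix, which skips the Win32 normalization that would otherwise drop the space; the TrustAuth_A check normalizes the EXE path before its prefix compare (the public write-up points at GetLongPathNameW), so a copied auto-elevating EXE in the spoofed directory passes as C:\Windows\System32\..., while the process is still created from the real path and loads a planted DLL beside it. The function name and the Trusted list are this example's own assumptions.

```powershell
# Added example (not from the talk): report top-level directories whose stored name
# differs from its Win32-normalized form and collides with a trusted directory name,
# i.e. the footprint a "mock trusted directory" leaves on disk.
function Find-MockTrustedDirectories {
    param(
        [string]$Root = "$env:SystemDrive\",
        [string[]]$Trusted = @('Windows')        # assumption: the names the TrustAuth_A prefix check anchors on
    )
    # -LiteralPath and -Force: names exactly as stored on disk, hidden entries included
    foreach ($dir in Get-ChildItem -LiteralPath $Root -Directory -Force) {
        $normalized = $dir.Name.TrimEnd([char[]]' .')   # Win32 normalization strips trailing spaces and dots
        if ($normalized -ne $dir.Name -and $Trusted -contains $normalized) {
            [pscustomobject]@{
                StoredName = "'$($dir.Name)'"           # quoted so the trailing space is visible in output
                LooksLike  = Join-Path $Root $normalized
                Created    = $dir.CreationTimeUtc
            }
        }
    }
}

Find-MockTrustedDirectories | Format-Table -AutoSize
```

A hit here is not something a normal installer produces. Note that inspecting or removing such a directory needs the `\\?\` prefix on the path you type; a plain "C:\Windows \" is normalized back to the real C:\Windows before it reaches the file system, which is the same behaviour the bypass relies on.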
  22. /?recap
      • UAC design
        - auth_a: *.exe launched from the system directory
        - auth_b: marked as AutoElevated
      • Bypass tricks
        - Issues: IFileOperation, path normalization
        - DLL side-loading
        - Code injection / MasqueradePEB
        - DEFCON 25: "UAC 0day, all day!" by @FuzzySec
  23. (Closing word cloud) universal hijacking, local privilege escalation, intelligence infiltration, cross-level injection, remote backdoor, cyber-army operations
      Thanks! Slides: GitHub @aaaddress1, Facebook