TDOHConf Workshop 2018: Playing Malware Injection with Exploit thoughts

Transcript

1. Workshop ⚐ Playing Malware Injection with Exploit thoughts TDOHConf 2018,

   [email protected] !1

2. • Master degree at CSIE, NTUST • Security Researcher -

   chrO.ot, TDOHacker • Speaker - BlackHat, DEFCON, beVX, VXCON, HITCON >_cat ./Bio !2

3. • Recap • Malware Injection • Lab #1 - Basic

   Injection • Abuse the demon of Windows • Lab #2 - Ole32 DropEnter Event • Lab #3 - Comctl32 SubClass Event • Lab #4 - Extra Window Vulnerability aka PowerLoader >_cat ./lab !3

4. • Windows 7 x86 • IDA (Demo Version) • Visual

   Stduio CMT • Chrome • x64dbg • Lab File x4 >_ls ./env !4

5. [email protected] Recap: Ma1w4re !nj3cti0n !5

6. Process malware .text Section KiFastSystemCall _asm { sysenter } eax

   = function index ntdll.dll .text Section >_Win32 API !6 KiFastSystemCall _asm { sysenter } Windows Kernel (Ring0) eax = function index kernel32.dll .text Section

7. >_Blindspot !7 Process Malware Code Messenger .text Section RegOpenKey WriteProcessMemory

   ntdll.dll .text Section Windows Kernel (Ring0) DeleteFileA

8. >_man inject (｀_´)ゞ Used for bypassing whitelist checking, byassing anti-virus,

   privilege escalation, etc. e.g. • DLL Side-Loading + Digital Signature = Bypassing anti-virus • Remote Inject + whitelisted process = Bypassing whitelist • Inject explorer + DLL Side-Loading + Self-elevate Service
 = Bypassing Windows UAC (User Account Control) *Vista ~ Win8* !8

9. >_man inject There're serval well-known techniques • Shellcode Inject or

   DLL Inject - OpenProcess, VirtualAllocExRWX, WriteProcessMemory, CreateRemoteThread
 • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessASuspended, Mapping PE FileVirtualAllocEx + WriteProcessMemory, GetThreadContext, and ResumeThread to Execute exe file from memory
 • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT Hijack
 • Memory Exploit (PowerLoaderEX) - SetWindowLong, SendNotifyMessage !9

10. There are 4 primary challenges in injection: 1. What's target

    - choose a target to inject, and it should be meaningful. e.g. explorer, svchost
 2. Where to place - find memory for us to place RWX memory or ROPChain payload. e.g. VirtualAllocEx
 3. How to inject payload - any way for us to write payload into remote process memory
 4. How to run it - create a new thread to execute or hijack current thread of that process? >_man inject !10

11. [email protected] !nJ3ct!0n Lab: From zero to Exploit. !11

12. [email protected] Lab #1 Shellcode Injection !12

13. Process >_Process #0 Main Thread application .text Section ntdll.dll .text

    Section .data Section .bss Section Stack Memory Stack Register #1 Thread Stack Register #2 Thread Stack Register program counter (eip)

14. Process >_Process #0 Main Thread application .text Section ntdll.dll .text

    Section .data Section .bss Section Stack Memory Stack Register #1 Thread Stack Register #2 Thread Stack Register

15. EIP(x86), RIP(x86_64), program counter, or the instruction pointer, is a

    special-purpose register which stores a pointer to the address of the instruction that is currently executing. Making a jump is like adding to or subtracting from the instruction pointer. >_Intel x86 EIP wiki.skullsecurity.org/index.php?title=Registers#eip

16. Creates a thread that runs in the virtual address space

    of another process and optionally specifies extended attributes such as processor group affinity. >_CreateRemoteThreadEx Çdocs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

17. [email protected] Demo !17

18. !18 >_Remote Access Token?

19. User Interface Privilege Isolation (UIPI) is a technology introduced in

    Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages). >_It doesn't work? !19

20. Window messages are designed to communicate user action to processes.

    However, they can be used to run arbitrary code in the receiving process' context. This can be used by a malicious low IL process to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some vectors for code execution and data injection, UIPI can mitigate these kinds of attacks. >_It doesn't work? !20

21. [email protected] Lab #1.1 DLL Injection !21

22. >_Memory !22 Ntdll.dll ... Process Kerne32.dll User32.dll ... Ntdll.dll ...

    Process Kerne32.dll User32.dll ... Messenger.exe Ntdll.dll ... Process Kerne32.dll User32.dll ... Chrome.exe Stack Memory Stack Memory Stack Memory Fixed ASLR Malware.exe Actually, system modules are located at the same memory space even different processes, even if ASLR protection is enabled by default after Windows 7. It means every system API function is placed at a predictable address. Low Heigh

23. Loads the specified module into the address space of the

    calling process. The specified module may cause other modules to be loaded. >_LoadLibraryA msdn.microsoft.com/zh-tw/library/windows/desktop/ms684175(v=vs.85).aspx

24. Creates a thread that runs in the virtual address space

    of another process and optionally specifies extended attributes such as processor group affinity. >_CreateRemoteThreadEx docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

25. A pointer to a variable to be passed to the

    thread function pointed to by lpStartAddress. This parameter can be NULL. >_lpParamter docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

26. LoadLibraryA ( "\\127.0.0.1\C$\hackMudle.dll" ); >_Goal⚐ !26

27. >_Dll Injection github.com/aaaddress1/Dll-Injector-In-CB/blob/master/Unit1.cpp

28. [email protected] Lab #2 Ole32 DropEnter Event !28

29. Open Explorer.exe@C$ \Windows\System32\Ole32.dll file with IDA, and analyze the function

    PrivDragDrop. >_IDA !29

30. >_Rebase !30 Due to ASLR protection, it's necessary for us

    to rebase the base of Ole32.dll for IDA to detect. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.

31. We can debug a function inside the DLL in an

    active process dynamically now, after rebasing. ;) >_Debug Active DLL !31

32. >_cat ./ole32_init !32

33. >_cat ./reg_dropevent !33

34. >_man LPDROPTARGET IDropTarget actually is a virtual method table :)

    !34

35. >_issue? vtable addr is determined by GetProp() so... it's really

    easy for us to hijack vtable just by SetProp() This callback function is used to deal with dropping file to Start Button of Explorer.exe !35

36. explorer Process Memory DropTarget @ 0xc0fee Prop Name Value OleDropTargetInterface

    0xbeef payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr it's easy for us to change the return value of GetPropW("OleDropTargetInterface") from 0xc0fee to 0xbeef (malicious payload). >_issue !36

37. explorer Process Memory Operating System 1) Send Window Message (Drag

    & Drop) 2) GetPropW("OleDropTargetInterface") 3) Invoke drop file function from vtable, invoke shellcode addr = *(beef+0c) DropTarget @ 0xc0fee payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr Prop Name Value OleDropTargetInterface 0xbeef >_issue !37

38. >_abuse vtable !38

39. [email protected] Demo !39

40. [email protected] Lab #3 Comctl32 SubClass Event !40

41. Open Explorer.exe@C$ \Windows\System32\Comctl32.dll file with IDA, and analyze the function

    MasterSubclassProc. >_IDA !41

42. However Micro$oft have given comctl32.dll a patch at C$ \Windows\WinSxS\x86_microsoft.wi

    ndows.common- controls_6595b64144ccf1df_6.0.76 01.18837_none_41e855142bd5705d. We need to analyze this patch to understand how it works in real world. >_IDA !42

43. >_Rebase !43 Due to ASLR protection, it's necessary for us

    to rebase the base of Comctl32 for IDA to detect. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.

44. We can debug a function inside the DLL in an

    active process dynamically now, after rebasing. ;) >_Debug Active DLL !44

45. >_cat FastGetSubclsHdr !45

46. >_cat MstSubclsProc !46

47. >_cat EnterSubclsFram !47

48. >_cat EntrSubclsCallbk !48

49. >_cat CallNxtSubclsProc !49

50. >_abuse vtable !50

51. >_abuse vtable !51

52. [email protected] Demo !52

53. [email protected] Lab #4 Extra Window Vulnerability !53

54. Open Explorer.exe@C$\Windows\Explorer file with IDA, and analyze the function s_WndProc.

    >_IDA !54

55. >_CImpWndProc::s_WndProc !55

56. >_Rebase !56 Due to ASLR protection, it's necessary for us

    to rebase the base of explorer for IDA to debug dynamically. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.

57. >_Shell_TrayWnd? !57

58. >_Shell_TrayWnd? !58 Window event callback function

59. [email protected] >_s_WndProc? !59

60. [email protected] >_s_WndProc? !60

61. Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 -

    window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) Operating System 1) Send Window Message 2) Send Window Message 3) Invoke s_wndProc function 4) Invoke several function from vtable >_how it works !61

62. Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 -

    window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) >_issue? GetWindowLong() !62

63. Explorer Process Memory Shell_TrayWnd +0 - 0xbeef 0xcafe +4 -

    window hwnd ... >_issue? GetWindowLong() vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) fake vtable @ 0xbeef +0 - shellcode addr +4 - shellcode ... SetWindowLong() !63

64. Explorer Process Memory malicious Shell_TrayWnd >_issue? GetWindowLong() payload SetWindowLong() +0

    - fake vtable ($+4) fake vtable +4 - shellcode addr ($+8) +8 - shellcode pwn! !64

65. >_abuse vtable !65

66. [email protected] Demo !66

67. >_Not Enough? • PowerLoader Injection – Something truly amazing •

    A basic trick. talk more on 64bit Attack • BreakingMalware/PowerLoaderEx (Github) • Pass the payload by Windows Extra Memory to explorer • Execute payload on RW memory with ROP-Chain !67

68. Thanks. [email protected] Slide Github @aaaddress1 Facebook !68