Upgrade to Pro — share decks privately, control downloads, hide ads and more …

TDOHConf Workshop 2018: Playing Malware Injection with Exploit thoughts

229b1596ce57cd0935a2bacd410d87a0?s=47 adr
September 28, 2018

TDOHConf Workshop 2018: Playing Malware Injection with Exploit thoughts

以往駭客希望繞過防毒軟體或者系統防護產品的白名單保護時,通常會採用惡意程式碼注入手段,將自身具有惡意的程式碼注入在白名單中的系統服務中執行起來,避免遭受防毒軟體或者防護產品白名單防護查殺。

當駭客做惡意程式碼注入時,通常會採用 RunPE、AtomBombing、跨行程創建執行緒等等手段來做到程式碼注入、駭客可以偽造自己的執行程式為任何系統關鍵服務;不過在市面上防毒廠商日趨進步下,這些敏感手段已經逐漸會被主動防禦查殺,不過——萬一作業系統關鍵服務本身早已千瘡百孔呢?駭客手段已經逐漸高明、動刀在記憶體之戰上。

本議程將簡單帶過 2013 年後出現的新型態記憶體層級注入手法—— PowerLoadEx,並基於此概念上披露三種未曾出現於網路上的全新注入手段,善用了 Windows 本身關鍵記憶體缺陷弱點,藉此來注入惡意行為至系統關鍵服務。內容將涵蓋 Windows 系統程式逆向分析、記憶體弱點分析、如何實作與利用。

229b1596ce57cd0935a2bacd410d87a0?s=128

adr

September 28, 2018
Tweet

Transcript

  1. Workshop ⚐ Playing Malware Injection with Exploit thoughts TDOHConf 2018,

    aaaddress1@chroot.org !1
  2. • Master degree at CSIE, NTUST • Security Researcher -

    chrO.ot, TDOHacker • Speaker - BlackHat, DEFCON, beVX, VXCON, HITCON >_cat ./Bio !2
  3. • Recap • Malware Injection • Lab #1 - Basic

    Injection • Abuse the demon of Windows • Lab #2 - Ole32 DropEnter Event • Lab #3 - Comctl32 SubClass Event • Lab #4 - Extra Window Vulnerability aka PowerLoader >_cat ./lab !3
  4. • Windows 7 x86 • IDA (Demo Version) • Visual

    Stduio CMT • Chrome • x64dbg • Lab File x4 >_ls ./env !4
  5. aaaddress1@chroot.org Recap: Ma1w4re !nj3cti0n !5

  6. Process malware .text Section KiFastSystemCall _asm { sysenter } eax

    = function index ntdll.dll .text Section >_Win32 API !6 KiFastSystemCall _asm { sysenter } Windows Kernel (Ring0) eax = function index kernel32.dll .text Section
  7. >_Blindspot !7 Process Malware Code Messenger .text Section RegOpenKey WriteProcessMemory

    ntdll.dll .text Section Windows Kernel (Ring0) DeleteFileA
  8. >_man inject (`_´)ゞ Used for bypassing whitelist checking, byassing anti-virus,

    privilege escalation, etc. e.g. • DLL Side-Loading + Digital Signature = Bypassing anti-virus • Remote Inject + whitelisted process = Bypassing whitelist • Inject explorer + DLL Side-Loading + Self-elevate Service
 = Bypassing Windows UAC (User Account Control) *Vista ~ Win8* !8
  9. >_man inject There're serval well-known techniques • Shellcode Inject or

    DLL Inject - OpenProcess, VirtualAllocExRWX, WriteProcessMemory, CreateRemoteThread
 • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessASuspended, Mapping PE FileVirtualAllocEx + WriteProcessMemory, GetThreadContext, and ResumeThread to Execute exe file from memory
 • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT Hijack
 • Memory Exploit (PowerLoaderEX) - SetWindowLong, SendNotifyMessage !9
  10. There are 4 primary challenges in injection: 1. What's target

    - choose a target to inject, and it should be meaningful. e.g. explorer, svchost
 2. Where to place - find memory for us to place RWX memory or ROPChain payload. e.g. VirtualAllocEx
 3. How to inject payload - any way for us to write payload into remote process memory
 4. How to run it - create a new thread to execute or hijack current thread of that process? >_man inject !10
  11. aaaddress1@chroot.org !nJ3ct!0n Lab: From zero to Exploit. !11

  12. aaaddress1@chroot.org Lab #1 Shellcode Injection !12

  13. Process >_Process #0 Main Thread application .text Section ntdll.dll .text

    Section .data Section .bss Section Stack Memory Stack Register #1 Thread Stack Register #2 Thread Stack Register program counter (eip)
  14. Process >_Process #0 Main Thread application .text Section ntdll.dll .text

    Section .data Section .bss Section Stack Memory Stack Register #1 Thread Stack Register #2 Thread Stack Register
  15. EIP(x86), RIP(x86_64), program counter, or the instruction pointer, is a

    special-purpose register which stores a pointer to the address of the instruction that is currently executing. Making a jump is like adding to or subtracting from the instruction pointer. >_Intel x86 EIP wiki.skullsecurity.org/index.php?title=Registers#eip
  16. Creates a thread that runs in the virtual address space

    of another process and optionally specifies extended attributes such as processor group affinity. >_CreateRemoteThreadEx Çdocs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex
  17. aaaddress1@chroot.org Demo !17

  18. !18 >_Remote Access Token?

  19. User Interface Privilege Isolation (UIPI) is a technology introduced in

    Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages). >_It doesn't work? !19
  20. Window messages are designed to communicate user action to processes.

    However, they can be used to run arbitrary code in the receiving process' context. This can be used by a malicious low IL process to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some vectors for code execution and data injection, UIPI can mitigate these kinds of attacks. >_It doesn't work? !20
  21. aaaddress1@chroot.org Lab #1.1 DLL Injection !21

  22. >_Memory !22 Ntdll.dll ... Process Kerne32.dll User32.dll ... Ntdll.dll ...

    Process Kerne32.dll User32.dll ... Messenger.exe Ntdll.dll ... Process Kerne32.dll User32.dll ... Chrome.exe Stack Memory Stack Memory Stack Memory Fixed ASLR Malware.exe Actually, system modules are located at the same memory space even different processes, even if ASLR protection is enabled by default after Windows 7. It means every system API function is placed at a predictable address. Low Heigh
  23. Loads the specified module into the address space of the

    calling process. The specified module may cause other modules to be loaded. >_LoadLibraryA msdn.microsoft.com/zh-tw/library/windows/desktop/ms684175(v=vs.85).aspx
  24. Creates a thread that runs in the virtual address space

    of another process and optionally specifies extended attributes such as processor group affinity. >_CreateRemoteThreadEx docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex
  25. A pointer to a variable to be passed to the

    thread function pointed to by lpStartAddress. This parameter can be NULL. >_lpParamter docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex
  26. LoadLibraryA ( "\\127.0.0.1\C$\hackMudle.dll" ); >_Goal⚐ !26

  27. >_Dll Injection github.com/aaaddress1/Dll-Injector-In-CB/blob/master/Unit1.cpp

  28. aaaddress1@chroot.org Lab #2 Ole32 DropEnter Event !28

  29. Open Explorer.exe@C$ \Windows\System32\Ole32.dll file with IDA, and analyze the function

    PrivDragDrop. >_IDA !29
  30. >_Rebase !30 Due to ASLR protection, it's necessary for us

    to rebase the base of Ole32.dll for IDA to detect. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.
  31. We can debug a function inside the DLL in an

    active process dynamically now, after rebasing. ;) >_Debug Active DLL !31
  32. >_cat ./ole32_init !32

  33. >_cat ./reg_dropevent !33

  34. >_man LPDROPTARGET IDropTarget actually is a virtual method table :)

    !34
  35. >_issue? vtable addr is determined by GetProp() so... it's really

    easy for us to hijack vtable just by SetProp() This callback function is used to deal with dropping file to Start Button of Explorer.exe !35
  36. explorer Process Memory DropTarget @ 0xc0fee Prop Name Value OleDropTargetInterface

    0xbeef payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr it's easy for us to change the return value of GetPropW("OleDropTargetInterface") from 0xc0fee to 0xbeef (malicious payload). >_issue !36
  37. explorer Process Memory Operating System 1) Send Window Message (Drag

    & Drop) 2) GetPropW("OleDropTargetInterface") 3) Invoke drop file function from vtable, invoke shellcode addr = *(beef+0c) DropTarget @ 0xc0fee payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr Prop Name Value OleDropTargetInterface 0xbeef >_issue !37
  38. >_abuse vtable !38

  39. aaaddress1@chroot.org Demo !39

  40. aaaddress1@chroot.org Lab #3 Comctl32 SubClass Event !40

  41. Open Explorer.exe@C$ \Windows\System32\Comctl32.dll file with IDA, and analyze the function

    MasterSubclassProc. >_IDA !41
  42. However Micro$oft have given comctl32.dll a patch at C$ \Windows\WinSxS\x86_microsoft.wi

    ndows.common- controls_6595b64144ccf1df_6.0.76 01.18837_none_41e855142bd5705d. We need to analyze this patch to understand how it works in real world. >_IDA !42
  43. >_Rebase !43 Due to ASLR protection, it's necessary for us

    to rebase the base of Comctl32 for IDA to detect. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.
  44. We can debug a function inside the DLL in an

    active process dynamically now, after rebasing. ;) >_Debug Active DLL !44
  45. >_cat FastGetSubclsHdr !45

  46. >_cat MstSubclsProc !46

  47. >_cat EnterSubclsFram !47

  48. >_cat EntrSubclsCallbk !48

  49. >_cat CallNxtSubclsProc !49

  50. >_abuse vtable !50

  51. >_abuse vtable !51

  52. aaaddress1@chroot.org Demo !52

  53. aaaddress1@chroot.org Lab #4 Extra Window Vulnerability !53

  54. Open Explorer.exe@C$\Windows\Explorer file with IDA, and analyze the function s_WndProc.

    >_IDA !54
  55. >_CImpWndProc::s_WndProc !55

  56. >_Rebase !56 Due to ASLR protection, it's necessary for us

    to rebase the base of explorer for IDA to debug dynamically. We can use CheatEngine, PCHunter, Scrylla, etc. to fetch the base address of explorer.
  57. >_Shell_TrayWnd? !57

  58. >_Shell_TrayWnd? !58 Window event callback function

  59. aaaddress1@chroot.org >_s_WndProc? !59

  60. aaaddress1@chroot.org >_s_WndProc? !60

  61. Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 -

    window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) Operating System 1) Send Window Message 2) Send Window Message 3) Invoke s_wndProc function 4) Invoke several function from vtable >_how it works !61
  62. Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 -

    window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) >_issue? GetWindowLong() !62
  63. Explorer Process Memory Shell_TrayWnd +0 - 0xbeef 0xcafe +4 -

    window hwnd ... >_issue? GetWindowLong() vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) fake vtable @ 0xbeef +0 - shellcode addr +4 - shellcode ... SetWindowLong() !63
  64. Explorer Process Memory malicious Shell_TrayWnd >_issue? GetWindowLong() payload SetWindowLong() +0

    - fake vtable ($+4) fake vtable +4 - shellcode addr ($+8) +8 - shellcode pwn! !64
  65. >_abuse vtable !65

  66. aaaddress1@chroot.org Demo !66

  67. >_Not Enough? • PowerLoader Injection – Something truly amazing •

    A basic trick. talk more on 64bit Attack • BreakingMalware/PowerLoaderEx (Github) • Pass the payload by Windows Extra Memory to explorer • Execute payload on RW memory with ROP-Chain !67
  68. Thanks. aaaddress1@chroot.org Slide Github @aaaddress1 Facebook !68