
Code Graphology

Thomas Roccia
November 29, 2022

Writing exploits is a complex task that requires some experience to build a reliable proof of concept (POC). Most of the time, exploit developers rely on certain habits to fingerprint the operating system, elevate privileges, or exploit primitives.

Being able to identify exploit developer habits can be very useful in identifying a variant of an exploit or an additional POC. This presentation will focus on studying a local privilege escalation (LPE) on the Windows operating system and how we can dissect it to identify artifacts that can be used to hunt for similar code in the wild.

Throughout the presentation, we will detail some of the exploit mechanisms and show how to build reliable hunting rules. The audience will learn more about exploit techniques and how to identify the parts of the code that are worth analysing for threat hunting.

  1. Agenda: Code graphology definition; Case study on an LPE: CVE-2021-1732; Extracting relevant artifacts; Creating a hunting Yara rule.
  2. Code graphology is particularly useful in exploit hunting, as exploit writers tend to reuse the same mechanisms across multiple exploits. The approach was first discussed by Check Point researchers (@megabeets_ and @EyalItkin) at VirusBulletin in 2020.
  3. CVE-2021-1732 is a Local Privilege Escalation (LPE) exploit on Windows 10. It was reported by Dbapp Security in February 2021 and allegedly used by the Bitter APT. This kernel exploit is a Win32k window object type confusion leading to an out-of-bounds (OOB) write.
  4. Artifacts in the binary. Another unique string: "T$hH9T$ptf". PDB path: "C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb". Kaspersky process fingerprinted at the beginning: "avp.exe". Strings used to create the class and the window: "normalClass", "magicClass", "somewnd".
  5. The IsWow64Process function is called to check whether the process is running as 64-bit or 32-bit, a common mechanism in exploit development to correctly set up the exploitation. The running build number must be larger than 0x3FE1 and 0x471C (Windows 10 build 16353 and Windows 10 build 18204) for execution to continue.
  6. Many exploits use a kernel leak primitive based on the well-known HMValidateHandle technique to obtain a kernel memory address. The online documentation describes this technique as locating the IsMenu function and parsing it to find the address of HMValidateHandle.
  7. In most LPEs, the exploit swaps the token of the current process with a privileged one to elevate privileges. This is exactly what our sample does at the end of the exploitation.
  8. Sample comparison:

     First Sample
       Hash: 914b6125f6e39168805fdf57be61cf20dd11acd708d7db7fa37ff75bf1abfc29
       PDB: C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb
       Compile TimeStamp: 2020-05-05 05:10:29 UTC
       Version: x64 bit

     Second Sample
       Hash: ee2d53303e2c5a2787dad11e3a0abce5ea0ff9a4219e963e69a4054a11efc628
       PDB: C:\Users\Win10\source\repos\SOPHOS_EPL\Release\sophos.pdb
       Compile TimeStamp: 2020-07-10 06:30:28 UTC
       Version: x32 bit
  9. To exploit a vulnerability, attackers rely on known techniques. Identifying those techniques and studying the structure of the exploit helps to build a relevant hunting or detection rule. In this presentation, we uncovered a previously unknown sample that uses the same string conventions as the original one.
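The artifacts listed in the slides can be combined into a hunting rule. The rule below is an added example written for this page, not the rule from the talk: the strings and PDB path fragments come from the slides, while the pe-module import checks and the way the clauses are weighted are assumptions of my own (the Win32 API the deck calls IsWOW64Process is exported as IsWow64Process).

```yara
import "pe"

rule Hunt_CVE_2021_1732_LPE_Artifacts
{
    meta:
        description = "Hunts PE files sharing artifacts of the CVE-2021-1732 LPE samples (added example, not the talk's rule)"
        reference   = "Code Graphology, Thomas Roccia, November 2022"

    strings:
        // Class and window names registered by the exploit (may be stored as UTF-16, hence 'wide')
        $cls_normal = "normalClass" ascii wide
        $cls_magic  = "magicClass"  ascii wide
        $wnd_name   = "somewnd"     ascii wide

        // AV process fingerprinted at startup
        $av_proc = "avp.exe" ascii wide

        // PDB path fragments: the developer kept the same "<VENDOR>_EPL" naming across both samples
        $pdb_ksp    = "\\repos\\KSP_EPL\\" ascii
        $pdb_sophos = "\\repos\\SOPHOS_EPL\\" ascii

        // Opaque string present in the first binary
        $odd = "T$hH9T$ptf" ascii

    condition:
        uint16(0) == 0x5A4D and filesize < 2MB
        and (
            // strong indicators: the developer's naming convention or the odd string
            any of ($pdb_*) or $odd
            // weaker: window/class strings together with the AV check
            or (2 of ($cls_*, $wnd_name) and $av_proc)
        )
        // assumption: both APIs (bitness check, IsMenu -> HMValidateHandle leak) are imported
        // statically; drop these two lines if a variant resolves them at runtime
        and pe.imports("kernel32.dll", "IsWow64Process")
        and pe.imports("user32.dll", "IsMenu")
}
```

Because the second sample is 32-bit, the rule deliberately avoids any x64-only marker such as the "\x64\Release" part of the first PDB path.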