Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PE File Structure Security and Custom Base 64 Steganography

Lilly Chalupowski
April 07, 2016
Programming
0
440

PE File Structure Security and Custom Base 64 Steganography

AtlSecCon Presentation on PE File Security, Custom Base 64 Steganography, and details on bypassing DEP with ROP.

Lilly Chalupowski

April 07, 2016
Tweet

More Decks by Lilly Chalupowski

See All by Lilly Chalupowski
The Chrome Crusader
lillypad
0
300
Breaking in the Front Door with OWASP Zap and Metasploit
lillypad
0
610

Other Decks in Programming

See All in Programming
Build Apps for iOS, Android & Desktop in 100% Kotlin With Compose Multiplatform (mDevCamp 2024)
zsmb
0
330
デフォルトにして至高、RubyMineの大好きな所
ruzia
0
360
エンターテイメント業界で利用されるAWS
demuyan
0
210
ゆるい個人開発のススメ
kuroppe1819
10
990
Anthropic Cookbook のおすすめレシピ
schroneko
7
940
Ruby Function Composition
bkuhlmann
1
330
Komplexe Oberflächen mit SVG und der Web Animation API
joergneumann
0
670
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
170
AWS Application Composerで始める、 サーバーレスなデータ基盤構築 / 20240406-jawsug-hokuriku-shinkansen
kasacchiful
1
260
1BRC--Nerd Sniping the Java Community
gunnarmorling
0
340
Blue/Greenデプロイの導入による 運用フローの改善
kudoas
1
370
try! Swift Tokyo 2024 参加報告 / try! Swift Tokyo 2024 Report
hironytic
0
200

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Building Your Own Lightsaber
phodgson
99
5.7k
Making Projects Easy
brettharned
108
5.5k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
From Idea to $5000 a Month in 5 Months
shpigford
377
45k
Why Our Code Smells
bkeepers
PRO
331
56k
Design by the Numbers
sachag
274
18k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
25
2.3k
Done Done
chrislema
178
15k
The Brand Is Dead. Long Live the Brand.
mthomps
49
28k
What’s in a name? Adding method to the madness
productmarketing
PRO
16
2.6k
Optimising Largest Contentful Paint
csswizardry
8
2.4k

Transcript

  1. Enumerating PE File Structure Security and Custom Base 64 Steganography

    PE File Structure Security Enumeration AtlSecCon - 2016

  2. To my mentors, without them I wouldn't be here today.

     Travis Barlow  Kathryn Dumke Special Thanks

  3. Who is the new girl?  We will be doing

    pictures  They are faster than words trust me Introduction

  4. Who I think I am

  5. What I really am

  6. What my family thinks I do Me Apparently

  7. What I actually do

  8. Disclaimer Presentation Legal Notes  This presentation is for informational

    purposes only  Use this information at your own risk  I won't bail you out of jail  This presentation does not reflect the views or interests of GoSecure

  9. PE File Structure The Ground Rules  When we talk

    about PE File Structures we will be referring directly to DLLs (Dynamic Link Libraries)  We are only interested in gaining information to leverage an exploit on a particular application, all other information we can leave behind  Slides and PE File Structure Security Roadmap will be available on GitHub after the presentation  I'm in no way responsible for your actions based on the information presented today

  10. PE File Structure What can this be used for? 

    Analysis of Malware  Enumerate Security Protections  Securing Vendor Applications without Source  Exploit Development

  11. PE File Structure High Level Overview  Microsoft moved to

    the PE file format for their executable in Windows NT 3.1 (DOS Header)  It has retained legacy support  This is where we find data for typical segments when reverse engineering .text, .data, etc.

  12. PE File Structure Going into more detail...  Our main

    focus is in the IMAGE_NT_HEADERS Section  Take note of how we get pointers to each respective section in the binary from the headers  .data and .text

  13. PE File Structure Going Deeper  We will be looking

    for the Export Names table  Then we will use a few functions of windows.h to help use extract their location in memory when loaded  I will then go over a algorithm that can extract how many bits of entropy we are dealing with  Before we begin we must know the difference between a RVA and a Raw Address.

  14. PE File Structure RVA and Raw Pointers  RVA (Relative

    Virtual Address) – The address of an item after it's loaded into memory  If there is a difference between the RVA and Pointer to Raw Data then we must take their difference into consideration  Now let's zoom in closer to the file structure

  15. PE Security Road Map

  16. How you probably feel right now

  17. Break it down!

  18. PE Security Road Map IMAGE_NT_HEADERS

  19. Forgetting the DOS Header

  20. IMAGE_NT_HEADERS IMAGE_FILE_HEADER  Contains the generic information about the PE

    file  Machine contains information on the architecture  Number of Sections, .text, .data, .edata, etc.

  21. IMAGE_NT_HEADERS IMAGE_FILE_HEADER → Machine  Example of the values that

    can be in the machine entry  Checking these with bit masking is a good plan  We are only concerned with x86 for this presentation

  22. IMAGE_NT_HEADERS IMAGE_OPTIONAL_HEADER  Contains information that pertains to security enumeration

     DllCharacteristics (ASLR, DEP, SEH)  Address of Entry Point  Reserve for the Heap and the Stack

  23. IMAGE_NT_HEADERS IMAGE_OPTIONAL_HEADER → DllCharacteristics  ASLR  DEP/NX  SEH

  24. IMAGE_NT_HEADERS DllCharacteristics → The Code  Bit masking  Structs

     If/else logic

  25. IMAGE_NT_HEADERS IMAGE_DATA_DIRECTORY (within optional header)  Several of these stacked

    together create a list of offsets to different tables  Using this we can find the IMAGE LOAD CONFIG DIRECTORY and the IMAGE EXPORT DIRECTORY

  26. IMAGE_SECTION_HEADER IMAGE_SECTION_HEADER  The number of these in the file

    are based on the number of sections that were talked about before  VirtualAddress, SizeOfRawData, PointerToRawData

  27. IMAGE_LOAD_CONFIG_DIRECTORY  SecurityCookie  SEHandlerTable  SEHandlerCount

  28. IMAGE_LOAD_CONFIG_DIRECTORY → GetProcAddress() Pay Dirt! LoadLibrary(FileName)

  29. IMAGE_LOAD_CONFIG_DIRECTORY → LoadLibrary()

  30. Back to the PE Security Road Map

  31. None

  32. Enumerating DLL Function Calls

  33. Enumerating DLL Function Calls

  34. Enumerating DEP, SEH, and ASLR

  35. Enumerating DEP, SEH, and ASLR

  36. ASLR Entropy Algorithm

  37. ASLR Entropy Algorithm Loading and Unloading Bit Masking

  38. ASLR Entropy Algorithm Print Flipped Nibbles Calculate Entropy

  39. ASLR Entropy Algorithm Setting the Limitations  Currently only works

    on libraries that aren't currently loaded into memory as kernel32.dll and user32.dll only change addresses upon reboot as they are loaded into memory on boot.  Only x86 at this time  Use as much itterations as you like however don't let your computer get hot enough to catch fire or fry eggs (this totally didn't happen to me)  Suggestions are welcome after the talk

  40. Badger Demo

  41. GCC DEP/NX and SSP Protections Overview Exploitation Knowledge Base 

    Canaries  Smashing Stack Protection (SSP)  --fno-stack-protector disables the feature  Default since GCC 4.1  DEP/NX  Data Execution Prevention  Non-Executable Stack  -z execstac disables the feature  Default since GCC 4.1  ASLR  Address Space Layout Randomization  Kernel Level

  42. Exploitation Knowledge Base  Used to overwrite eip/rip  Avoid

    null bytes for code execution  Happens when a buffer receives too much data and proper error checking isn't present  Allows an attacker to obtain code execution or remote code execution  Can be used for privledge escalation Smashing the Stack

  43. Exploitation Knowledge Base  Buffer starts at c[0]  Buffer

    ends at c[11]  Pointer to char *bar  Saved Frame Pointer (ebp)  Return Address (eip)  Step through the process Smashing the Stack

  44. Exploitation Knowledge Base  Normal buffer  '\x00' / null

    / terminator  Return Address (eip) OK  Normal execution Smashing the Stack

  45. Exploitation Knowledge Base  Control User Input  Enter too

    much data  Check for security controls  Find offset of eip/rip  Addresses stored in memory are in Little Endian format  Point to your code Smashing the Stack

  46. Smashing The Stack → Example Code Exploitation Knowledge Base 

    No error checking  Argv[1] moved into buffer with no check if size is over 256 bytes  Vulnerable to overflow

  47. Smashing The Stack → Bypassing DEP Exploitation Knowledge Base 

    Since DEP (Data Execution Prevention) makes certain parts of memory NX how can we bypass this?  Feel free to shout your answers to me! Hmmm...

  48. Smashing The Stack → Bypassing DEP Exploitation Knowledge Base 

    DLLs → (why can we use this?)  Why can we use the Program Image?  What instructions are useful to us?  What technique is it called? Hmmm...

  49. Smashing The Stack → Bypassing DEP with ROP Exploitation Knowledge

    Base  Before the overflow

  50. Smashing The Stack → Bypassing DEP with ROP Exploitation Knowledge

    Base  After the overflow  In this case we used a bogus return address  '\x41' is = 'A'  How do we chain this together?

  51. Smashing The Stack → Bypassing DEP with ROP Exploitation Knowledge

    Base  We can chain these together using pop-ret or pop-pop-ret or any combination of pop-ret  We use these pop-ret sections from parts of the memory space that is marked executable  These little pieces of code are called ROP Gadgets

  52. Smashing The Stack → Bypassing DEP with ROP Exploitation Knowledge

    Base  The code to jmp esp works as well if DEP is only enabled for Windows Services or a library has protection disabled.  Code: jmp esp = '\xff\xe4'  Code: pop esp; ret; = '\x5c\xc3'  Same idea however not chaining multiple gadgets
  53. None

  54. What is TEBs and PEB? Exploitation Knowledge Base  TEB

    – Thread Environment Block  PEB – Process Environment Block  Let's go over what these blocks contain as well TEB/PEB

  55. What is TEB and PEB, how do I access them?

    TEB and PEB Overview  This isn't required knowledge  Since it's part of memory space we will briefly touch on the subject

  56. What is TEB, how do I access it? Accessing TEB

     TEB is simply a data structure that hold information about the current thread.  Here is an example of how to get the pointer to TIB  Let's have a look at what TIB contains

  57. Accessing TEB

  58. Accessing TEB

  59. What is PEB, how do I access it? Accessing PEB

     PEB – is a data structure that is opaque. It's used internally by the Windows Operating System itself  Handles Mutual Exclusion  Close to EPROCESS or Kernel Space  Pointer located inside TEB

  60. Accessing PEB

  61. Make Way for the Shellcode

  62. Make Way! Making Space for your Shellcode  VirtualAlloc(MEM_COMMIT +

    PAGE READWRITE EXECUTE) + copy memory  Allows creation of new executable memory region, now copy your shellcode to it, and execute  HeapCreate(HEAP_CREATE_ENABLE_EXECUTE) + HeapAlloc() + copy memory  A very similar technique to VirtualAlloc()

  63. Make Way! Making Space for your Shellcode  SetProcessDEPPolicy() 

    Changes DEP policy for the current process (Vista SP1, XP SP3, Server 2008, and only when DEP Policy is set to OptIn or OptOut)  NtSetInformationProcess()  Changes the DEP policy for the current process

  64. Make Way! Making Space for your Shellcode  VirtualProtect(PAGE_READ_WRITE_EXECUTE) 

    Change the access protection level to executable of a given memory page.  WriteProcessMemory(). Copies shellcode to another executable location, jump to it and execute. (Must be a writable executable)

  65. Choose your Weapon

  66. Choose your Weapon

  67. VirtualProtect() Overview Starting Address Pointer Size of Shellcode Protection Options

    A Place to Save your Settings *A Writable Memory Location

  68. ROP Demo

  69. Chameleon Demo

  70. Questions?