Slide 1

2020 iThome #CyberSec: Oops! Your signature isn't actually being verified. [email protected]

Slide 2

#Windows #Reversing #Pwn #Exploit
$man
• Master's degree at CSIE, NTUST
• Security Researcher - chrO.ot
• Speaker - BlackHat, DEFCON, VXCON, HITCON
• [email protected]
• Hao's Arsenal

Slide 3

/?outline
1. Scenes in Practice
2. Authenticode
3. Attack Vectors → 5 methods + 2 demos
4. Recap

Slide 4

〉〉〉Scenes in Practice

Slides 5–7

/?scene#1

Slide 8

/?scene#2

Slide 9

/?scenes Did you think checking the signature would keep the hackers out?

Slide 10

〉〉〉Authenticode

Slide 11

PE /? # PE Overview
'MZ' DOS header → 'PE' File Header (.NumberOfSections) → Optional Header (.Checksum, .DataDirectory, .AddressOfEntryPoint, .ImageBase) → Section Header array (.VA, .size, .RVA) → section data
.text (Data): 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3

Slide 12

PE /? # PE Overview
'MZ' DOS header → 'PE' File Header (.NumberOfSections) → Optional Header (.Checksum, .DataDirectory, .AddressOfEntryPoint, .ImageBase) → Section Headers → .text .data .rdata

Slide 13

/?Sign
• MSDN: Authenticode Digital Signatures
• March 21, 2008: Windows Authenticode Portable Executable Signature Format
• An Authenticode signature guarantees that:
  1. The file originates from a specific software publisher
  2. The file has not been altered since it was signed

Slides 14–18

(no text extracted from these slides)

Slide 19

/?Sign
PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe
'MZ' DOS header → 'PE' File Header (.NumberOfSections) → Optional Header (.Checksum, .DataDirectory#4) → Section Headers → .text .data .rdata
.DataDirectory#4 = IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) → PKCS#7

Slides 20–21

/?Sign
PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe
'MZ' DOS header → 'PE' File Header (.NumberOfSections) → Optional Header (.Checksum, .DataDirectory#4) → Section Headers → .text .data .rdata
.DataDirectory#4 = IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) → PKCS#7
Signing: sort the section headers in order of VA, then hash() the file (the .Checksum field and the security directory entry are excluded)

Slides 22–25

Explorer → syscall → WinVerifyTrust( "C:\it\home\30cm_tw.exe" ) = ?
'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7
1. Crypt32!CryptSIPGetSignedDataMsg → PKCS#7
2. Crypt32!CryptSIPVerifyIndirectData → hash()
→ WinVerifyTrust( ... ) = true

Slide 26

〉〉〉/?Attack Vectors

Slide 27

〉〉〉/> Misc

Slides 28–29

(no text extracted from these slides)

Slides 30–31

/?misc#1
PS C:> signtool sign ...
ICBC online-banking USB key (U-Shield), Alipay

Slide 32

/?misc#2
• Process Hollowing
• github.com/Zer0Mem0ry/RunPE
• malware.exe + benignware.exe
Diagram: mal.exe (Opt Header: .EntryPoint, .ImageBase; Section Data: .text .rdata .idata) → Loader → Process "C:\infected\mal.exe" (PEB; 'MZ' .text .rdata .idata; EntryPoint)

Slide 33

/?misc#3
• FireEye: DLL Side-Loading
• malware.dll + benignware.exe
Diagram: C:\hijack\a.exe → Process (PEB; PE Module; ntdll.dll, VERSION.dll, user32.dll, ...) → LoadLibrary() search $PATH: { "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ... }

Slide 34

/?misc What a trash talk, you're just padding out the stage time. I already know all this stuff. Baa... baa.

Slide 35

〉〉〉/> SignThief

Slide 36

(The WinVerifyTrust flow from slides 22–25, shown again)
Explorer → syscall → WinVerifyTrust( ... ) = ?
'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7
Crypt32!CryptSIPGetSignedDataMsg → PKCS#7
Crypt32!CryptSIPVerifyIndirectData → hash()

Slide 37

/?thief
benign.exe [Signed by M$]: 'PE' Opt Header .text .data .idata Section Headers PKCS#7
malware.exe [malicious]: 'PE' Opt Header .text .data .idata Section Headers PKCS#7

Slide 38

(no text extracted from this slide)

Slide 39

/?thief
WinVerifyTrust() = false
Process explorer.exe: ntdll.dll, kernel32.dll, user32.dll, Crypt32.dll
Crypt32!CryptSIPGetSignedDataMsg → PKCS#7
Crypt32!CryptSIPVerifyIndirectData → hash()

Slide 40

/?thief
• Subverting Trust in Windows by @mattifestation
• https://gist.github.com/aaaddress1/870d745741b276484219e1a3cda800ed

$ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
$ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
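Because the Dll and FuncName values under that subtree decide which code computes and compares the file hash, the cheapest detection is to audit the subtree itself. The block below is an added example, not part of the talk or of the linked gist: it parses a constructed `reg export`-style dump of the CryptSIPDllVerifyIndirectData keys (the GUID subkeys are placeholders, not the real SIP GUIDs) and flags every registration whose Dll lives outside the Windows system directories, reporting the FuncName alongside so an analyst can see what the replacement claims to implement. `parse_reg_export`, `find_hijacked_sips` and `TRUSTED_DLL_DIRS` are names chosen here; the allow-list is a heuristic, not a Microsoft-defined set.

```python
# Added example (not from the slides): audit an exported copy of the
# CryptSIPDll* registry subtree for SIP handlers pointing at foreign DLLs.
import re

# Constructed "reg export" output.  The GUID subkeys are placeholders, not the
# real SIP GUIDs; in .reg syntax every backslash inside a value is doubled.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{00000000-0000-0000-0000-000000000001}]
"Dll"="C:\\Windows\\System32\\WINTRUST.DLL"
"FuncName"="CryptSIPVerifyIndirectData"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData\{00000000-0000-0000-0000-000000000002}]
"Dll"="C:\\test\\MySIP.dll"
"FuncName"="AutoApproveHash"
'''

# Heuristic allow-list: a SIP handler is expected to live in a system directory.
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "%systemroot%\\system32\\",
)
KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text: str) -> dict:
    """Map each [KEY] in a .reg dump to its string values (backslashes unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def find_hijacked_sips(text: str) -> list:
    """Return (guid, dll, funcname) for SIP registrations outside the system dirs."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if "\\CryptSIPDll" not in key:   # only the SIP registration keys matter
            continue
        dll = values.get("Dll", "")
        if not dll.lower().startswith(TRUSTED_DLL_DIRS):
            guid = key.rsplit("\\", 1)[1]
            findings.append((guid, dll, values.get("FuncName", "")))
    return findings


if __name__ == "__main__":
    for guid, dll, func in find_hijacked_sips(SAMPLE_REG_EXPORT):
        print(f"suspicious SIP {guid}: Dll={dll} FuncName={func}")
```

On a live host the same logic runs over `reg export "HKLM\SOFTWARE\Microsoft\Cryptography\OID" out.reg`; the same subtree exists under the WOW6432Node path on 64-bit Windows, and a thorough audit also covers the CryptSIPDllGetSignedDataMsg keys, since the talk shows both functions in the verification chain.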

Slides 41–42

(no text extracted from these slides)

Slide 43

〉〉〉/> Steganography

Slide 44

/?Sign
PS C:> signtool sign /f cert.pfx /t 30cm.tw mal.exe
'MZ' → Optional Header (.DataDirectory#4) → .text .data .rdata → hash()
IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) → PKCS#7; the RVA points at a WIN_CERTIFICATE of sizeof(WIN_CERTIFICATE) + signature data

Slide 45

/?stego
• BlackHat 2016: Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable
• Custom Loader + Steganography
• Used for Bypassing Anti-Virus
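The hash described on the /?Sign slides (19–21) and the WIN_CERTIFICATE layout on slide 44 can be reproduced in a few dozen lines, and doing so makes the point behind slide 45 concrete. The block below is an added example, not code from the slides or from the speaker. It builds a constructed minimal PE32 image in memory, computes the Authenticode hash the way the specification cited on slide 13 describes it (the CheckSum field, DataDirectory[4] and the certificate table are excluded, and sections are hashed in ascending PointerToRawData order), and shows that bytes placed inside the certificate table never enter the hash. `certificate_table_slack()` is a defender's check that counts bytes in the WIN_CERTIFICATE entry beyond the PKCS#7 DER element. The PE image and the five-byte stand-in for a PKCS#7 blob are constructed placeholders; `pe_layout`, `build_minimal_pe`, `attach_certificate` and the other names are assumptions of this example.

```python
# Added example, not code from the slides: compute the Authenticode hash of a
# PE as the "Windows Authenticode Portable Executable Signature Format" spec
# lays it out, then show which bytes the hash does not cover.  The PE image and
# the "PKCS#7" blob built below are constructed placeholders, not real files.
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def pe_layout(pe: bytes) -> dict:
    """File offsets that the Authenticode hash has to skip or walk."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    data_dir = opt + (96 if magic == 0x10B else 112)
    return {
        "checksum": opt + 64,  # CheckSum sits at +64 in both PE32 and PE32+
        "size_of_headers": struct.unpack_from("<I", pe, opt + 60)[0],
        "security_dir": data_dir + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
        "section_table": opt + struct.unpack_from("<H", pe, coff + 16)[0],
        "num_sections": struct.unpack_from("<H", pe, coff + 2)[0],
    }


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Hash the file except CheckSum, DataDirectory[4] and the certificate
    table, taking sections in ascending PointerToRawData order."""
    lay = pe_layout(pe)
    _cert_off, cert_size = struct.unpack_from("<II", pe, lay["security_dir"])
    h = hashlib.new(algo)
    h.update(pe[:lay["checksum"]])                                # headers up to CheckSum
    h.update(pe[lay["checksum"] + 4:lay["security_dir"]])         # ... up to the Security entry
    h.update(pe[lay["security_dir"] + 8:lay["size_of_headers"]])  # rest of the headers
    hashed = lay["size_of_headers"]
    sections = []
    for i in range(lay["num_sections"]):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, lay["section_table"] + 40 * i + 16)
        if raw_size:
            sections.append((raw_ptr, raw_size))
    for raw_ptr, raw_size in sorted(sections):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    extra = len(pe) - hashed - cert_size  # overlay data is hashed, the cert table is not
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def der_total_length(blob: bytes) -> int:
    """Encoded size of the leading DER element (short or long length form)."""
    if blob[1] < 0x80:
        return 2 + blob[1]
    n = blob[1] & 0x7F
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def certificate_table_slack(pe: bytes) -> int:
    """Bytes in the first WIN_CERTIFICATE entry that the PKCS#7 DER element
    does not account for; a cleanly signed file reports 0."""
    cert_off, cert_size = struct.unpack_from("<II", pe, pe_layout(pe)["security_dir"])
    if cert_size == 0:
        return 0
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]  # cert_off is a raw file offset
    return dw_length - 8 - der_total_length(pe[cert_off + 8:cert_off + dw_length])


def build_minimal_pe(text: bytes) -> bytes:
    """Constructed PE32 image with a single .text section (not a real binary)."""
    align = 0x200  # used for both FileAlignment and SizeOfHeaders
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    for off, val in ((16, 0x1000), (28, 0x400000), (32, 0x1000), (36, align),
                     (56, 0x2000), (60, align), (64, 0x1234), (92, 16)):
        struct.pack_into("<I", opt, off, val)  # EntryPoint, ImageBase, alignments,
        # SizeOfImage, SizeOfHeaders, CheckSum (constructed value), NumberOfRvaAndSizes
    raw_size = -(-len(text) // align) * align
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, raw_size,
                      align, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(align, b"\0")
    return headers + text.ljust(raw_size, b"\0")


def attach_certificate(pe: bytes, pkcs7: bytes) -> bytes:
    """Append one WIN_CERTIFICATE entry and point DataDirectory[4] at it."""
    body = struct.pack("<IHH", 8 + len(pkcs7), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
    body = body.ljust(-(-len(body) // 8) * 8, b"\0")  # entries are 8-byte aligned
    out = bytearray(pe)
    struct.pack_into("<II", out, pe_layout(pe)["security_dir"], len(pe), len(body))
    return bytes(out) + body


# Constructed stand-in for a signature: DER SEQUENCE { INTEGER 1 }, 5 bytes long.
FAKE_PKCS7 = b"\x30\x03\x02\x01\x01"
```

Feeding a real signed binary's bytes to `authenticode_hash()` gives the digest that the signature's SpcIndirectDataContent must match, and `certificate_table_slack()` on the same bytes tells a responder whether anything other than the signature is riding in the certificate table. The equality of the hash with and without the table is exactly why such an addition does not break the signature, which is the property the BlackHat 2016 technique on slide 45 relies on.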

Slide 46

〉〉〉/> PathNormaliz

Slide 47

/?HITCON www.youtube.com/watch?v=6LUo-Crd9pc
• Introduction
• Challenge: When we meet Anti-Virus
• Interesting Case - PowerLoad after 2013
• New Vulnerability - 3 ideas inspired by PowerLoad
• Summary

Slide 48

/?normaliz
Path Normalization by Jeremy Kuhne; Path Format Overview by Jeremy Kuhne
"if the path does not start with exactly \\?\ it will be normalized."
• Identifying the Path and Legacy Devices
• Applying the Current Directory
• Canonicalizing Separators
• Evaluating Relative Components
• Trimming Characters
• Skipping Normalization
"An important exception: if you have a device path that begins with a question mark instead of a period, it must use the canonical backslash."

Slide 49

/?normaliz
RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") )
RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" )
$p = L"\??\C:\Windows\System32\a.exe"
AiLaunchProcess(L"C:\Windows \System32\a.exe")

Slides 50–51

/?normaliz

Slide 52

/?normaliz
Explorer → syscall → WinVerifyTrust( "\??\C:\ithome\GoogleUpdate " ) = ?
'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7

Slide 53

/?normaliz
Explorer → syscall → WinVerifyTrust( "\??\C:\ithome\GoogleUpdate.exe " ) = ?
WinVerifyTrust( "\C:\ithome\GoogleUpdate.exe" ) = ?
"\??\C:\ithome\GOOGLE~2.EXE"
'MZ' 'PE' Opt Header .text .data .idata Section Headers PKCS#7
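Every verifier that takes a path has the problem these slides show: the path the trust check sees and the path the loader opens are only the same file if no normalization step rewrites one of them. A simple mitigation is to refuse non-canonical input before the check runs. The block below is an added example, not code from the talk: `path_issues()` is a simplified reading of the normalization steps listed on slide 48 (device prefixes that skip normalization, separator canonicalization, relative components, trailing-character trimming) plus 8.3 short names, and the sample paths are constructed from the cases on slides 49 and 53. It models the documented rules as a gate, it is not Windows' own normalization code, and `SHORT_NAME_RE`, `path_issues` and `safe_to_verify` are names chosen here.

```python
# Added example (not from the slides): refuse paths that are not already in
# canonical Win32 form before handing them to a signature/trust check.  The
# rules are a simplified model of the documented normalization steps.
import re

# 8.3 short names look like GOOGLE~2.EXE: up to 8 chars, '~', digits, optional 3-char ext.
SHORT_NAME_RE = re.compile(r"^[^.\\ ]{1,8}~\d+(\.[^.\\ ]{1,3})?$", re.IGNORECASE)


def path_issues(path: str) -> list:
    """Reasons this path may resolve to a file other than the one it appears to name."""
    issues = []
    body = path
    if path.startswith("\\\\?\\") or path.startswith("\\??\\"):
        issues.append("device prefix: Win32 normalization is skipped for this path")
        body = path[4:]
    if "/" in body:
        issues.append("forward slashes will be canonicalized to backslashes")
    if "\\\\" in body:
        issues.append("repeated separators will be collapsed")
    for seg in body.split("\\"):
        if seg in (".", ".."):
            issues.append("relative component %r will be evaluated away" % seg)
        elif seg != seg.rstrip(" ."):
            issues.append("component %r ends in a space or period, which normalization trims" % seg)
        if SHORT_NAME_RE.match(seg):
            issues.append("8.3 short name %r hides the long file name" % seg)
    return issues


def safe_to_verify(path: str) -> bool:
    """True only when the path is already canonical and can be checked as written."""
    return not path_issues(path)


if __name__ == "__main__":
    # Constructed sample paths, taken from the cases shown on the slides.
    for p in ("C:\\ithome\\GoogleUpdate.exe",
              "C:\\Windows \\System32\\a.exe",
              "\\??\\C:\\ithome\\GoogleUpdate.exe ",
              "\\??\\C:\\ithome\\GOOGLE~2.EXE"):
        print(repr(p), "->", path_issues(p) or "canonical")
```

The gate is deliberately strict: a path that trips any rule is sent back to the caller to be canonicalized (for example by opening the file and asking the OS for its final path) and re-checked, rather than trusted as written. Comparing the canonical path of the handle that will actually be executed against the path that was verified closes the gap the slides exploit.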

Slides 54–56

/?normaliz

Slides 57–58

/>defender

Slide 59

〉〉〉Recap

Slide 60

/?Recap
• Attack Vectors
• Misc / DLL Side-Loading / Process Hollowing
• WinTrust & Crypt32
• Authenticode & PKCS#7 Issue
• Path Normalization
• UAC Bypass
• Signature Cheat
• Attack path based protection, e.g. AppLocker, Defender

Slide 61

/?HITCON
• Introduction
• Challenge: When we meet Anti-Virus
• Interesting Case - PowerLoad after 2013
• New Vulnerability - 3 ideas inspired by PowerLoad
• Summary

Slide 62

2020 iThome #CyberSec: Thanks! [email protected]
Slides: GitHub @aaaddress1, Facebook