Slide 1

iThome # CyberSec 2020: Oops! Your signature isn't being verified at all. (唉唷!你的簽章, 根本沒在驗啦。)
aaaddress1@chroot.org

Slide 2

#Windows #Reversing #Pwn #Exploit
$man
• Master's degree at CSIE, NTUST
• Security Researcher - chrO.ot
• Speaker - BlackHat, DEFCON, VXCON, HITCON
• aaaddress1@chroot.org
• Hao's Arsenal

Slide 3

/?outline
1. Scenes in Practice
2. Authenticode
3. Attack Vectors → 5 methods + 2 demos
4. Recap

Slide 4

〉〉〉Scenes in Practice

Slide 5

/?scene#1

Slide 6

/?scene#1

Slide 7

/?scene#1

Slide 8

/?scene#2

Slide 9

/?scenes
You think that just checking the signature lets you dodge hackers?

Slide 10

〉〉〉Authenticode

Slide 11

/? PE Overview
'MZ' DOS header → 'PE' signature → File Header (.NumberOfSections) → Optional Header (.Checksum, .DataDirectory, .AddressOfEntryPoint, .ImageBase) → Section Header array (each entry with .VA, .size, .RVA) → section data.
Section Header 1 → .text (data): 6A 00 68 AD DE 00 00 68 EF BE 00 00 6A 00 FF 15 FE CA 00 00 33 C0 C3

Slide 12

/? PE Overview
'MZ' DOS header, 'PE' signature, File Header (.NumberOfSections), Optional Header (.Checksum, .DataDirectory, .AddressOfEntryPoint, .ImageBase), Section Headers, and the sections .text, .data, .rdata.

Slide 13

/?Sign
• MSDN: Authenticode Digital Signatures
• March 21, 2008: Windows Authenticode Portable Executable Signature Format
• An Authenticode signature asserts that:
  1. The file originates from a specific software publisher
  2. The file has not been altered since it was signed

Slide 14

/?Sign

Slide 15

/?Sign

Slide 16

/?Sign

Slide 17

/?Sign

Slide 18

/?Sign

Slide 19

/?Sign
PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe
After signing: Optional Header .DataDirectory#4 (IMAGE_DIRECTORY_ENTRY_SECURITY, RVA + Size) points at the PKCS#7 blob appended after the sections (.text, .data, .rdata); File Header .NumberOfSections and the Section Headers describe the sections as before.

Slide 20

/?Sign
PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe
hash(): the headers are hashed with the Optional Header .Checksum field and .DataDirectory#4 (IMAGE_DIRECTORY_ENTRY_SECURITY) skipped, then the section data (.text, .data, .rdata) with the section headers sorted in order of VA. The PKCS#7 blob that IMAGE_DIRECTORY_ENTRY_SECURITY (RVA + Size) points to is not part of the hash.

Slide 21

/?Sign
PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe
Same diagram as slide 20: hash() over the headers (minus .Checksum and .DataDirectory#4) and the sections .text, .data, .rdata sorted in order of VA; the PKCS#7 blob at IMAGE_DIRECTORY_ENTRY_SECURITY is excluded.

Slide 22

Explorer → syscall → WinVerifyTrust( "C:\it\home\30cm_tw.exe" ) = ?
(PE layout: 'MZ', 'PE', Opt Header, .text, .data, .idata, Section Headers, PKCS#7)

Slide 23

Explorer → syscall → WinVerifyTrust( ... ) = ?
Crypt32!CryptSIPGetSignedDataMsg extracts the PKCS#7 blob from the PE.

Slide 24

Explorer → syscall → WinVerifyTrust( ... ) = ?
Crypt32!CryptSIPGetSignedDataMsg extracts the PKCS#7 blob; Crypt32!CryptSIPVerifyIndirectData recomputes hash() over the PE and compares it with the digest carried in the PKCS#7.

Slide 25

Explorer → syscall → WinVerifyTrust( ... ) = true
The recomputed hash() from Crypt32!CryptSIPVerifyIndirectData matches the digest in the PKCS#7 returned by Crypt32!CryptSIPGetSignedDataMsg.

Slide 26

〉〉〉/?Attack Vectors

Slide 27

〉〉〉/> Misc

Slide 28

/?misc#1

Slide 29

/?misc#1

Slide 30

/?misc#1
PS C:\> signtool sign ...
ICBC online-banking U-Shield (工行网银的U盾), Alipay (支付宝)

Slide 31

/?misc#1
PS C:\> signtool sign ...
ICBC online-banking U-Shield (工行网银的U盾), Alipay (支付宝)

Slide 32

/?misc#2
• Process Hollowing
• github.com/Zer0Mem0ry/RunPE
• malware.exe + benignware.exe
Diagram labels: mal.exe ('MZ', Opt Header with .EntryPoint and .ImageBase, Section Data .text/.rdata/.idata), Loader, Process (PEB, EntryPoint), "C:\infected\mal.exe"

Slide 33

/?misc#3
• FireEye: DLL Side-Loading
• malware.dll + benignware.exe
Diagram: C:\hijack\a.exe (Opt Header .EntryPoint/.ImageBase, Section Data .text/.rdata/.idata) runs as a process whose PEB lists the PE modules ntdll.dll, VERSION.dll, user32.dll, ...; LoadLibrary() searches $PATH: { "C:\hijack\VERSION.dll", "System32\VERSION.dll", "SysWoW64\VERSION.dll", ... }

Slide 34

/?misc
Garbage talk, you're just here to stall for stage time. I already know all this. Meh... meh.

Slide 35

〉〉〉/> SignThief

Slide 36

Explorer → syscall → WinVerifyTrust( ... ) = ?
(PE layout: 'MZ', 'PE', Opt Header, .text, .data, .idata, Section Headers, PKCS#7; Crypt32!CryptSIPGetSignedDataMsg extracts the PKCS#7, Crypt32!CryptSIPVerifyIndirectData recomputes hash())

Slide 37

/?thief
benign.exe [signed by M$]: 'PE', Opt Header, .text, .data, .idata, Section Headers, PKCS#7
malware.exe [malicious]: 'PE', Opt Header, .text, .data, .idata, Section Headers, PKCS#7 (copied from benign.exe)

Slide 38

/?thief

Slide 39

/?thief
WinVerifyTrust() = false: inside the explorer.exe process (ntdll.dll, kernel32.dll, user32.dll, Crypt32.dll), Crypt32!CryptSIPGetSignedDataMsg extracts the PKCS#7 and the hash() recomputed by Crypt32!CryptSIPVerifyIndirectData does not match it.

Slide 40

/?thief
• Subverting Trust in Windows by @mattifestation
• https://gist.github.com/aaaddress1/870d745741b276484219e1a3cda800ed
$ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "Dll" /t REG_SZ /d "C:\test\MySIP.dll" /f
$ REG ADD "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData(...)" /v "FuncName" /t REG_SZ /d "AutoApproveHash" /f
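The two REG ADD lines above replace the SIP handler that WinVerifyTrust calls for the hash comparison (slides 36-39), so on a host with that change every PE "verifies". An added example for the defender's side, not code from the talk: an audit over a snapshot of the CryptSIPDll* registry values that flags handlers living outside System32 or exporting a non-default function name. The snapshot is constructed; it assumes the PE-image SIP GUID {C689AAB8-8E78-11D0-8C47-00C04FC295EE} and the stock WINTRUST.DLL exports, and the second entry mirrors the slide's REG ADD (C:\test\MySIP.dll and AutoApproveHash are the slide's own placeholders). Third-party SIPs legitimately register other DLLs and exports, so a finding is a triage item, not proof of tampering.

```python
import ntpath

# Constructed snapshot of values under
# HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\<CryptSIPDll*>\<SIP GUID>,
# shaped like what `reg query` returns. Assumed: the PE-image SIP GUID
# {C689AAB8-8E78-11D0-8C47-00C04FC295EE}; entry 1 keeps the stock WINTRUST.DLL handler,
# entry 2 mirrors the REG ADD on the slide (path and export are the slide's placeholders).
SAMPLE_SIP_ENTRIES = [
    {"subkey": "CryptSIPDllGetSignedDataMsg",
     "guid": "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
     "Dll": r"C:\Windows\System32\WINTRUST.DLL",
     "FuncName": "CryptSIPGetSignedDataMsg"},
    {"subkey": "CryptSIPDllVerifyIndirectData",
     "guid": "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}",
     "Dll": r"C:\test\MySIP.dll",
     "FuncName": "AutoApproveHash"},
]

SYSTEM_ROOT = r"C:\Windows"  # assumed for the demo; on a live host read %SystemRoot%


def expected_funcname(subkey: str) -> str:
    """The stock WINTRUST.DLL export for a CryptSIPDll* subkey is the subkey name
    without 'Dll' (CryptSIPDllVerifyIndirectData -> CryptSIPVerifyIndirectData)."""
    return subkey.replace("CryptSIPDll", "CryptSIP", 1)


def is_under_system32(dll_path: str) -> bool:
    """True when the DLL path, after collapsing '..' and case, sits inside
    %SystemRoot%\\System32. A bare file name (resolved via the search order) is
    treated as outside, since it could be satisfied from a writable directory."""
    system32 = ntpath.normcase(ntpath.join(SYSTEM_ROOT, "System32")) + "\\"
    return ntpath.normcase(ntpath.normpath(dll_path)).startswith(system32)


def audit_sip_entries(entries):
    """Return one finding string per suspicious entry; an empty list means nothing to triage."""
    findings = []
    for e in entries:
        where = f"{e['subkey']}\\{e['guid']}"
        reasons = []
        if not is_under_system32(e["Dll"]):
            reasons.append(f"Dll outside System32: {e['Dll']}")
        if e["FuncName"] != expected_funcname(e["subkey"]):
            reasons.append(f"non-default FuncName: {e['FuncName']}")
        if reasons:
            findings.append(f"{where}: " + "; ".join(reasons))
    return findings


if __name__ == "__main__":
    for line in audit_sip_entries(SAMPLE_SIP_ENTRIES):
        print(line)
```

On a real host the snapshot comes from `reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0" /s`, and the same keys exist under the 32-bit view (WOW6432Node), which the audit should cover as well.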

Slide 41

/?thief

Slide 42

/?thief

Slide 43

〉〉〉/> Steganography

Slide 44

/?Sign
PS C:\> signtool sign /f cert.pfx /t 30cm.tw mal.exe
'MZ', Opt Header .DataDirectory#4 (IMAGE_DIRECTORY_ENTRY_SECURITY, RVA + Size) → PKCS#7. hash() covers .text, .data, .rdata, but not the sizeof(WIN_CERTIFICATE) region at that RVA.
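As an added example (not code from the talk), the hashing order from slides 19-21, which this slide relies on: the headers minus the .Checksum field and DataDirectory#4, then the section data, then any trailing bytes minus the certificate table itself. The PE is a constructed minimal PE32 built in memory so the script runs offline; its layout, section names and constants are assumptions for the demo, and the appended "certificate" is filler rather than a real PKCS#7. Sections are taken in order of PointerToRawData as the 2008 spec describes; for a normally linked file, where sections sit in VA order on disk, that is the same order the slide calls "order of VA". The point for a defender is the last check: bytes placed in the WIN_CERTIFICATE table leave the Authenticode hash untouched, so content hidden there must be inspected directly rather than trusted because WinVerifyTrust returns true.

```python
import hashlib
import struct

FILE_ALIGN = 0x200


def _align(n: int, a: int = FILE_ALIGN) -> int:
    return (n + a - 1) // a * a


def build_pe(text: bytes, rdata: bytes, checksum: int = 0, cert_blob: bytes = b"") -> bytes:
    """Constructed minimal PE32 image for the demo (not a runnable program): DOS header,
    PE signature, COFF header, 0xE0-byte optional header, two section headers and their
    raw data, plus an optional WIN_CERTIFICATE table appended at the end of the file."""
    pe_off, opt_size, nsec = 0x40, 0xE0, 2
    size_of_headers = _align(pe_off + 4 + 20 + opt_size + nsec * 40)
    text_raw, rdata_raw = _align(len(text)), _align(len(rdata))
    text_ptr, rdata_ptr = size_of_headers, size_of_headers + text_raw
    end_of_sections = rdata_ptr + rdata_raw

    img = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    struct.pack_into("<I", img, 0x3C, pe_off)                        # e_lfanew
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)  # COFF header
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                          # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, FILE_ALIGN)             # Section/File alignment
    struct.pack_into("<I", opt, 60, size_of_headers)                 # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                        # CheckSum (not hashed)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if cert_blob:
        cert_blob = cert_blob.ljust(_align(len(cert_blob), 8), b"\0")
        # DataDirectory[4] = IMAGE_DIRECTORY_ENTRY_SECURITY: file offset + size of the table
        struct.pack_into("<II", opt, 96 + 4 * 8, end_of_sections, 8 + len(cert_blob))
    img += opt
    for name, data, raw, ptr, va in ((b".text", text, text_raw, text_ptr, 0x1000),
                                     (b".rdata", rdata, rdata_raw, rdata_ptr, 0x2000)):
        img += struct.pack("<8sIIIIIIHHI", name, len(data), va, raw, ptr, 0, 0, 0, 0, 0x60000020)
    img += b"\0" * (size_of_headers - len(img))
    img += text.ljust(text_raw, b"\0") + rdata.ljust(rdata_raw, b"\0")
    if cert_blob:
        # WIN_CERTIFICATE header: dwLength, wRevision=0x0200, wCertificateType=0x0002 (PKCS#7)
        img += struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    return bytes(img)


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Authenticode file digest: headers without CheckSum and DataDirectory[4], sections
    in file-offset order, then trailing data without the certificate table. Assumes the
    certificate table, if present, lies after the last section (the usual layout)."""
    h = hashlib.new(algo)
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    nsec = struct.unpack_from("<H", pe, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, pe_off + 20)[0]
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", pe, opt_off)[0]
    checksum_off = opt_off + 64                                   # same offset for PE32/PE32+
    sec_dir_off = opt_off + (96 if magic == 0x10B else 112) + 4 * 8
    size_of_headers = struct.unpack_from("<I", pe, opt_off + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, sec_dir_off)

    h.update(pe[:checksum_off])                                   # up to CheckSum
    h.update(pe[checksum_off + 4:sec_dir_off])                    # CheckSum skipped
    h.update(pe[sec_dir_off + 8:size_of_headers])                 # security directory skipped
    hashed = size_of_headers

    sec_tbl = opt_off + opt_size
    sections = [struct.unpack_from("<II", pe, sec_tbl + i * 40 + 16) for i in range(nsec)]
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):  # (SizeOfRawData, PointerToRawData)
        if raw_size:
            h.update(pe[raw_ptr:raw_ptr + raw_size])
            hashed += raw_size
    if len(pe) > hashed:                                          # overlay data is hashed...
        tail = pe[hashed:]
        if cert_size:                                             # ...the certificate table is not
            tail = pe[hashed:cert_off] + pe[cert_off + cert_size:]
        h.update(tail)
    return h.hexdigest()


if __name__ == "__main__":
    base = build_pe(b"\x33\xC0\xC3", b"hello")
    print(authenticode_hash(base))
    print(authenticode_hash(build_pe(b"\x33\xC0\xC3", b"hello", cert_blob=b"hidden" * 8)))
```

Run on a real signed file the same routine yields the digest that Crypt32!CryptSIPVerifyIndirectData compares against the one inside the PKCS#7 blob; the script deliberately stops short of parsing that blob.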

Slide 45

/?stego
• BlackHat 2016: Certificate Bypass: Hiding and Executing Malware from a Digitally Signed Executable
• Custom Loader + Steganography
• Used for bypassing anti-virus

Slide 46

〉〉〉/> PathNormaliz

Slide 47

/?HITCON www.youtube.com/watch?v=6LUo-Crd9pc
• Introduction
• Challenge When we meet Anti-Virus
• Interesting Case - PowerLoad after 2013
• New Vulnerability - 3 ideas inspired by PowerLoad
• Summary

Slide 48

/?normaliz
Path Normalization by Jeremy Kuhne; Path Format Overview by Jeremy Kuhne
"if the path does not start with exactly \\?\ it will be normalized."
• Identifying the Path and Legacy Devices
• Applying the Current Directory
• Canonicalizing Separators
• Evaluating Relative Components
• Trimming Characters
• Skipping Normalization
"An important exception: if you have a device path that begins with a question mark instead of a period, it must use the canonical backslash."

Slide 49

/?normaliz
RtlDosPathNameToRelativeNtPathName_U_WithStatus( GetLongPathNameW(L"C:\Windows \System32\a.exe") )
RtlDosPathNameToRelativeNtPathName_U_WithStatus( L"C:\Windows\System32\a.exe" )
$p = L"\??\C:\Windows\System32\a.exe"
AiLaunchProcess(L"C:\Windows \System32\a.exe")

Slide 50

/?normaliz

Slide 51

/?normaliz

Slide 52

/?normaliz
Explorer → syscall → WinVerifyTrust( "\??\C:\ithome\GoogleUpdate " ) = ?
(PE layout: 'MZ', 'PE', Opt Header, .text, .data, .idata, Section Headers, PKCS#7)

Slide 53

/?normaliz
Explorer → syscall → WinVerifyTrust( "\??\C:\ithome\GoogleUpdate.exe " ) = ?
WinVerifyTrust( "\C:\ithome\GoogleUpdate.exe" ) = ?
"\??\C:\ithome\GOOGLE~2.EXE"

Slide 54

/?normaliz

Slide 55

/?normaliz

Slide 56

/?normaliz

Slide 57

/>defender

Slide 58

/>defender

Slide 59

〉〉〉Recap

Slide 60

/?Recap
• Attack Vectors
  • Misc / DLL Side-Loading / Process Hollowing
  • WinTrust & Crypt32
  • Authenticode & PKCS#7 Issue
  • Path Normalization
  • UAC Bypass
• Signature Cheat
• Attack-path-based protection, e.g. AppLocker, Defender

Slide 61

/?HITCON
• Introduction
• Challenge When we meet Anti-Virus
• Interesting Case - PowerLoad after 2013
• New Vulnerability - 3 ideas inspired by PowerLoad
• Summary

Slide 62

iThome # CyberSec 2020. Thanks!
aaaddress1@chroot.org
Slides: Github @aaaddress1, Facebook