Tweet
Tweet

Slide 1

Slide 1 text

Playing Malware Injection with Exploit thoughts aaaddress1@chroot.org

Slide 2

Slide 2 text

• Master degree at CSIE, NTUST • Security Researcher - chrO.ot, TDOHacker • Speaker - BlackHat, VXCON, HITCON >_cat ./Bio

Slide 3

Slide 3 text

• Introduction • Challenge When we meet Anti-Virus • Interesting Case - PowerLoader since 2013 • New Vulnerability - 3 idea inspired by PowerLoader • Summary >_ls ./agenda

Slide 4

Slide 4 text

aaaddress1@chroot.org Quickly Review: What's Malware Injection?

Slide 5

Slide 5 text

>_man inject (`_´)ゞ Used for bypassing whitelist checking, byassing anti-virus, privilege escalation, etc. e.g. • DLL Side-Loading + Digital Signature = Bypassing anti-virus • Remote Inject + whitelisted process = Bypassing whitelist • Inject explorer + DLL Side-Loading + Self-elevate Service
 = Bypassing Windows UAC (User Account Control) *Vista ~ Win8*

Slide 6

Slide 6 text

>_man inject There're serval well-known techniques • Shellcode Inject or DLL Inject - OpenProcess, VirtualAllocExRWX, WriteProcessMemory, CreateRemoteThread
 • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessASuspended, Mapping PE FileVirtualAllocEx + WriteProcessMemory, GetThreadContext, and ResumeThread to Execute exe file from memory
 • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT Hijack
 • Memory Exploit (PowerLoaderEX) - SetWindowLong, SendNotifyMessage

Slide 7

Slide 7 text

(ꐦ`•ω•´)!!! Here are the 4 primary challenges that you'll encounter during injection. >_man inject

Slide 8

Slide 8 text

There are 4 primary challenges in injection: 1. What's target - choose a target to inject, and it should be meaningful. e.g. explorer, svchost
 2. Where to place - find memory for us to place RWX memory or ROPChain payload. e.g. VirtualAllocEx
 3. How to inject payload - any way for us to write payload into remote process memory
 4. How to execute - create a new thread to execute or hijack current thread of that process? >_man inject

Slide 9

Slide 9 text

aaaddress1@chroot.org Interesting Case: Powerloader since 2013

Slide 10

Slide 10 text

Powerloader, aka Extra Window Vulnerability

Slide 11

Slide 11 text

>_Shell_TrayWnd?

Slide 12

Slide 12 text

>_Shell_TrayWnd? Window event callback function

Slide 13

Slide 13 text

>_s_WndProc?

Slide 14

Slide 14 text

>_s_WndProc?

Slide 15

Slide 15 text

>_how it works Explorer Process Memory Low Address ➔ High Address ➔ Shell_TrayWnd Window Class Structure +0 - 0xcafe (vtable) +4 - window hwnd ...

Slide 16

Slide 16 text

Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 - window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) >_how it works

Slide 17

Slide 17 text

Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 - window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) Operating System 1) Send Window Message 2) Send Window Message 3) Invoke s_wndProc function 4) Invoke several function from vtable >_how it works

Slide 18

Slide 18 text

Explorer Process Memory Shell_TrayWnd +0 - 0xcafe (vtable) +4 - window hwnd ... vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) >_issue? GetWindowLong()

Slide 19

Slide 19 text

Explorer Process Memory Shell_TrayWnd +0 - 0xbeef 0xcafe +4 - window hwnd ... >_issue? GetWindowLong() vtable @ 0xcafe +0 - Interlocked (inc) +4 - message callback +8 - Interlocked (inc) fake vtable @ 0xbeef +0 - shellcode addr +4 - shellcode ... SetWindowLong()

Slide 20

Slide 20 text

Explorer Process Memory malicious Shell_TrayWnd >_issue? GetWindowLong() payload SetWindowLong() +0 - fake vtable ($+4) fake vtable +4 - shellcode addr ($+8) +8 - shellcode pwn!

Slide 21

Slide 21 text

>_abuse vtable

Slide 22

Slide 22 text

>_abuse vtable

Slide 23

Slide 23 text

aaaddress1@chroot.org Demo

Slide 24

Slide 24 text

aaaddress1@chroot.org 3 more vulnerability: From Exploit to Inject

Slide 25

Slide 25 text

Actually, Many old-design services in Windows don't have vtable mitigation (° ꈊ °)✧˖

Slide 26

Slide 26 text

aaaddress1@chroot.org #1 Ole32 DropEnter Event

Slide 27

Slide 27 text

>_cat ./ole32_init

Slide 28

Slide 28 text

>_cat ./reg_dropevent

Slide 29

Slide 29 text

>_man LPDROPTARGET IDropTarget actually is a virtual method table :)

Slide 30

Slide 30 text

>_issue? vtable addr is determined by GetProp() so... it's really easy for us to hijack vtable just by SetProp() This callback function is used to deal with dropping file to Start Button of Explorer.exe

Slide 31

Slide 31 text

>_how it works explorer Process Memory Low Address ➔ High Address ➔ DropTarget @ 0xc0fee DropTarget Structure +4 - function 1 ... +8 - function 2 +0C- dropfile func Prop Name Value OleDropTargetInterface 0xc0fee write DropTarget structure address (0xc0fee) via SetPropW() in function explorer!RegisterDragDrop +0 - 0xc0fee (this)

Slide 32

Slide 32 text

>_how it works explorer Process Memory DropTarget @ 0xc0fee Prop Name Value OleDropTargetInterface 0xbeef payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr it's easy for us to change the return value of GetPropW("OleDropTargetInterface") from 0xc0fee to 0xbeef (malicious payload).

Slide 33

Slide 33 text

explorer Process Memory Operating System 1) Send Window Message (Drag & Drop) 2) GetPropW("OleDropTargetInterface") 3) Invoke drop file function from vtable, invoke shellcode addr = *(beef+0c) >_how it works DropTarget @ 0xc0fee payload @ 0xbeef +0 - 0xbeef (this) +4 - don't care ... +8 - don't care +0C- shellcode addr Prop Name Value OleDropTargetInterface 0xbeef

Slide 34

Slide 34 text

>_abuse vtable

Slide 35

Slide 35 text

>_abuse vtable

Slide 36

Slide 36 text

aaaddress1@chroot.org Demo

Slide 37

Slide 37 text

aaaddress1@chroot.org #2 Comctl32 SubClass Event

Slide 38

Slide 38 text

>_cat FastGetSubclsHdr

Slide 39

Slide 39 text

>_cat MstSubclsProc

Slide 40

Slide 40 text

>_cat EnterSubclsFram

Slide 41

Slide 41 text

>_cat CallNxtSubclsProc

Slide 42

Slide 42 text

>_cat EntrSubclsCallbk

Slide 43

Slide 43 text

>_abuse vtable

Slide 44

Slide 44 text

>_abuse vtable

Slide 45

Slide 45 text

>_abuse vtable

Slide 46

Slide 46 text

aaaddress1@chroot.org Demo

Slide 47

Slide 47 text

aaaddress1@chroot.org #3 Thread Hijacking (win10+)

Slide 48

Slide 48 text

3) create first thread of this process, point register eax to AddressOfEntry, point ebx+8 (TIB base + 8) to image base, and point eip to ntdll!LdrInitializeThunk Process >_Process? Kernel (ring0) Application (ring3) 1) create process via CreateProcess() 2) mapping file into memory iexplorer.exe .data section .text section AddressOfEntry ntdll.dll kernel32.dll ...

Slide 49

Slide 49 text

>_Process? Process iexplorer.exe ntdll.dll kernel32.dll ... Call Stack -------------- _LdrpSnapModule _LdrpMapAndSnapDependency _LdrpMapDllWithSectionHandle _LdrpLoadKnownDll _LdrpFindOrPrepareLoadingModule _LdrpLoadDllInternal _LdrpLoadDll _LdrLoadDll _LdrpInitializeProcess __LdrpInitialize _LdrInitializeThunk fix import address table, fix export directory, apply relocation, etc .text section ntdll!LdrInitializeThunk

Slide 50

Slide 50 text

>_Process? ntdll!LdrInitializeThunk AddressOfEntry@.text Process iexplorer.exe .text section ntdll.dll kernel32.dll ... ntdll!RtlUserThreadStart RtlUserThreadStart is entry-point of every thread. We can hijack thread via write shellcode address into global variable ‘LdrDelegatedRtlUserThreadStart'.

Slide 51

Slide 51 text

3) point 'LdrDelegatedRtlUserThreadStart' to shellcode address Process >_Abuse Malware 1) get privilege of target process via OpenProcess() 2) mapping shellcode into target process chrome.exe .data section .text section shellcode ... ntdll.dll LdrDelegatedRtlUserThreadStart 4) every new thread of target process can be hijack to invoke shellcode

Slide 52

Slide 52 text

aaaddress1@chroot.org Demo

Slide 53

Slide 53 text

Thanks for listening aaaddress1@chroot.org Slide Github @aaaddress1 Facebook