Slide 1

Workshop ⚐ Playing Malware Injection with Exploit Thoughts
TDOHConf 2018, aaaddress1@chroot.org

Slide 2

>_cat ./Bio
• Master's degree at CSIE, NTUST
• Security Researcher - chrO.ot, TDOHacker
• Speaker - BlackHat, DEFCON, beVX, VXCON, HITCON

Slide 3

>_cat ./lab
• Recap
• Malware Injection
• Lab #1 - Basic Injection
• Abuse the demon of Windows
• Lab #2 - Ole32 DropEnter Event
• Lab #3 - Comctl32 SubClass Event
• Lab #4 - Extra Window Vulnerability aka PowerLoader

Slide 4

>_ls ./env
• Windows 7 x86
• IDA (Demo Version)
• Visual Studio CMT
• Chrome
• x64dbg
• Lab File x4

Slide 5

Recap: Ma1w4re !nj3cti0n

Slide 6

>_Win32 API
[Diagram: a Win32 API call made from the malware's .text section goes into kernel32.dll's .text section, then into ntdll.dll's .text section, where KiFastSystemCall (_asm { sysenter }, with eax = function index) enters the Windows kernel (Ring0).]

Slide 7

>_Blindspot
[Diagram: the malware's code uses WriteProcessMemory to place code into a second process (Messenger); calls such as RegOpenKey and DeleteFileA are then issued from Messenger's .text section through ntdll.dll into the Windows kernel (Ring0), not from the malware process.]

Slide 8

>_man inject (`_´)ゞ
Used for bypassing whitelist checking, bypassing anti-virus, privilege escalation, etc. e.g.
• DLL Side-Loading + Digital Signature = Bypassing anti-virus
• Remote Inject + whitelisted process = Bypassing whitelist
• Inject explorer + DLL Side-Loading + Self-elevate Service = Bypassing Windows UAC (User Account Control) *Vista ~ Win8*

Slide 9

Slide 9 text

>_man inject There're serval well-known techniques • Shellcode Inject or DLL Inject - OpenProcess, VirtualAllocExRWX, WriteProcessMemory, CreateRemoteThread
 • Process Hollowing (aka RunPE) - OpenProcess, CreateProcessASuspended, Mapping PE FileVirtualAllocEx + WriteProcessMemory, GetThreadContext, and ResumeThread to Execute exe file from memory
 • Thread Hijack or AtomBombing - QueueUserAPC, Inline Hook, or IAT Hijack
 • Memory Exploit (PowerLoaderEX) - SetWindowLong, SendNotifyMessage !9

Slide 10

>_man inject
There are 4 primary challenges in injection:
1. What's the target - choose a target to inject into, and it should be meaningful, e.g. explorer, svchost
2. Where to place it - find memory in the target where we can place RWX memory or a ROP-chain payload, e.g. VirtualAllocEx
3. How to inject the payload - any way to write the payload into the remote process's memory
4. How to run it - create a new thread to execute it, or hijack a current thread of that process?

Slide 11

!nJ3ct!0n Lab: From zero to Exploit.

Slide 12

Lab #1 Shellcode Injection

Slide 13

>_Process #0
[Diagram: process layout: main thread, application .text section, ntdll.dll .text section, .data section, .bss section and stack memory; each thread (main, #1, #2) has its own stack and register set, with the program counter (eip) highlighted.]

Slide 14

>_Process #0
[Diagram: the same process layout (threads, sections, stacks and register sets) repeated from the previous slide, without the program counter highlighted.]

Slide 15

>_Intel x86 EIP
EIP (x86), RIP (x86_64), program counter, or the instruction pointer, is a special-purpose register which stores a pointer to the address of the instruction that is currently executing. Making a jump is like adding to or subtracting from the instruction pointer.
Source: wiki.skullsecurity.org/index.php?title=Registers#eip

Slide 16

>_CreateRemoteThreadEx
Creates a thread that runs in the virtual address space of another process and optionally specifies extended attributes such as processor group affinity.
Source: docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

Slide 17

Demo

Slide 18

>_Remote Access Token?

Slide 19

>_It doesn't work?
User Interface Privilege Isolation (UIPI) is a technology introduced in Windows Vista and Windows Server 2008 to combat shatter attack exploits. By making use of Mandatory Integrity Control, it prevents processes with a lower "integrity level" (IL) from sending messages to higher IL processes (except for a very specific set of UI messages).

Slide 20

>_It doesn't work?
Window messages are designed to communicate user action to processes. However, they can be used to run arbitrary code in the receiving process' context. This can be used by a malicious low IL process to run arbitrary code in the context of a higher IL process, which constitutes an unauthorized privilege escalation. By restricting access to some vectors for code execution and data injection, UIPI can mitigate these kinds of attacks.

Slide 21

Lab #1.1 DLL Injection

Slide 22

>_Memory
[Diagram: three processes (Malware.exe, Messenger.exe, Chrome.exe) side by side, addresses low to high; each has its own stack memory, but Ntdll.dll, Kernel32.dll and User32.dll appear at the same addresses in all three, labelled "Fixed ASLR".]
Actually, system modules are mapped at the same addresses across different processes, even though ASLR protection is enabled by default since Windows 7 (the system DLL bases are randomized per boot, not per process). It means every system API function is placed at a predictable address.

Slide 23

>_LoadLibraryA
Loads the specified module into the address space of the calling process. The specified module may cause other modules to be loaded.
Source: msdn.microsoft.com/zh-tw/library/windows/desktop/ms684175(v=vs.85).aspx

Slide 24

>_CreateRemoteThreadEx
Creates a thread that runs in the virtual address space of another process and optionally specifies extended attributes such as processor group affinity.
Source: docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

Slide 25

>_lpParameter
A pointer to a variable to be passed to the thread function pointed to by lpStartAddress. This parameter can be NULL.
Source: docs.microsoft.com/zh-tw/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createremotethreadex

Slide 26

>_Goal⚐
LoadLibraryA ( "\\127.0.0.1\C$\hackMudle.dll" );

Slide 27

>_Dll Injection
github.com/aaaddress1/Dll-Injector-In-CB/blob/master/Unit1.cpp
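Both Lab #1 (shellcode started with CreateRemoteThread) and Lab #1.1 (CreateRemoteThread pointed at LoadLibraryA) leave the same trace on the defender's side: Sysmon Event ID 8 (CreateRemoteThread) records SourceImage, TargetImage, StartAddress, StartModule and StartFunction for every thread one process creates in another. The classifier below is an added example, not code from the workshop or from the Dll-Injector-In-CB repository. The three event records are constructed samples in a simplified "Key: value" layout (the field names are Sysmon's, the paths and addresses are made up), and rendering an unresolved StartModule as "-" is an assumption about the export format.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Verdicts for one Sysmon Event ID 8 (CreateRemoteThread) record. */
enum verdict { BENIGN = 0, DLL_INJECTION = 1, UNBACKED_THREAD = 2 };

/* Constructed sample records. Field names follow Sysmon Event ID 8;
   every path and address is invented for this example. */
const char *const SAMPLE_DLL_INJECT =
    "Event ID: 8\n"
    "SourceImage: C:\\Users\\lab\\Desktop\\injector.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x76A9DC65\n"
    "StartModule: C:\\Windows\\System32\\kernel32.dll\n"
    "StartFunction: LoadLibraryA\n";

const char *const SAMPLE_SHELLCODE =
    "Event ID: 8\n"
    "SourceImage: C:\\Users\\lab\\Desktop\\injector.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x02C40000\n"
    "StartModule: -\n"            /* assumption: no module backs the start address */
    "StartFunction: -\n";

/* A debugger attaching to a process also creates a remote thread, at
   ntdll!DbgUiRemoteBreakin; a rule that flags every Event ID 8 drowns in these. */
const char *const SAMPLE_DEBUGGER =
    "Event ID: 8\n"
    "SourceImage: C:\\Tools\\x64dbg\\x32\\x32dbg.exe\n"
    "TargetImage: C:\\Users\\lab\\Desktop\\sample.exe\n"
    "StartAddress: 0x77A5B5E0\n"
    "StartModule: C:\\Windows\\System32\\ntdll.dll\n"
    "StartFunction: DbgUiRemoteBreakin\n";

/* Copy the value following "Key:" (up to end of line) into out.
   Returns 1 if the key was found, 0 otherwise. */
static int get_field(const char *record, const char *key, char *out, size_t n) {
    const char *p = strstr(record, key);
    size_t i = 0;
    if (!p) { out[0] = '\0'; return 0; }
    p += strlen(key);
    while (*p == ' ' || *p == '\t') p++;
    while (*p && *p != '\n' && *p != '\r' && i + 1 < n) out[i++] = *p++;
    out[i] = '\0';
    return 1;
}

/* Case-insensitive string equality (export names are compared loosely). */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Classify one record using the two patterns the labs produce:
   - the thread starts at LoadLibraryA/LoadLibraryW (classic DLL injection);
   - the thread starts at an address no loaded module backs (shellcode
     written into the target with WriteProcessMemory). */
enum verdict classify_remote_thread(const char *record) {
    char module[260], func[128];
    get_field(record, "StartModule:", module, sizeof module);
    get_field(record, "StartFunction:", func, sizeof func);

    if (ieq(func, "LoadLibraryA") || ieq(func, "LoadLibraryW"))
        return DLL_INJECTION;
    if (module[0] == '\0' || strcmp(module, "-") == 0)
        return UNBACKED_THREAD;
    return BENIGN;
}

static const char *verdict_name(enum verdict v) {
    return v == DLL_INJECTION ? "dll-injection"
         : v == UNBACKED_THREAD ? "unbacked-thread (shellcode)"
         : "benign";
}

int main(void) {
    printf("injector -> explorer (LoadLibraryA): %s\n", verdict_name(classify_remote_thread(SAMPLE_DLL_INJECT)));
    printf("injector -> explorer (no module):    %s\n", verdict_name(classify_remote_thread(SAMPLE_SHELLCODE)));
    printf("x32dbg   -> sample   (DbgUiRemoteBreakin): %s\n", verdict_name(classify_remote_thread(SAMPLE_DEBUGGER)));
    return 0;
}
```

The StartModule check is the one that catches Lab #1 regardless of which API the shellcode eventually calls, because memory obtained with VirtualAllocEx is never backed by a file; the StartFunction check catches Lab #1.1 even though every byte executed belongs to a signed system DLL. Both rules depend only on fields Sysmon already records, so no hook inside the target process is needed.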

Slide 28

Lab #2 Ole32 DropEnter Event

Slide 29

>_IDA
Open the Ole32.dll loaded by Explorer.exe (C$\Windows\System32\Ole32.dll) with IDA, and analyze the function PrivDragDrop.

Slide 30

>_Rebase
Because of ASLR protection, we need to rebase Ole32.dll in IDA to the address it is actually loaded at, so that IDA's addresses match the running process. We can use CheatEngine, PCHunter, Scylla, etc. to fetch the module's base address from explorer.

Slide 31

>_Debug Active DLL
After rebasing, we can now dynamically debug a function inside the DLL in an active process. ;)

Slide 32

>_cat ./ole32_init

Slide 33

>_cat ./reg_dropevent

Slide 34

>_man LPDROPTARGET
IDropTarget is actually a virtual method table (vtable) :)

Slide 35

>_issue?
This callback function handles files dropped onto the Start button of Explorer.exe.
The vtable address is determined by GetProp(), so... it's really easy for us to hijack the vtable just by calling SetProp().

Slide 36

>_issue
[Diagram: explorer process memory]
Window property table:
  OleDropTargetInterface -> 0xbeef (was the real DropTarget @ 0xc0fee)
Payload @ 0xbeef:
  +0   0xbeef (this)
  +4   don't care
  +8   don't care
  +0C  shellcode addr
It's easy for us to change the return value of GetPropW("OleDropTargetInterface") from 0xc0fee to 0xbeef (the malicious payload).

Slide 37

>_issue
[Diagram: explorer process memory, with the operating system on the left]
Window property table:
  OleDropTargetInterface -> 0xbeef
DropTarget @ 0xc0fee (real object)
Payload @ 0xbeef:
  +0   0xbeef (this)
  +4   don't care
  +8   don't care
  +0C  shellcode addr
1) The operating system sends a window message (drag & drop).
2) Explorer calls GetPropW("OleDropTargetInterface").
3) Explorer invokes the drop-file function from the vtable, i.e. it calls shellcode addr = *(0xbeef + 0x0C).

Slide 38

>_abuse vtable

Slide 39

Demo

Slide 40

Lab #3 Comctl32 SubClass Event

Slide 41

>_IDA
Open the Comctl32.dll loaded by Explorer.exe (C$\Windows\System32\Comctl32.dll) with IDA, and analyze the function MasterSubclassProc.

Slide 42

>_IDA
However, Micro$oft has given comctl32.dll a patch at C$\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d. We need to analyze this patched version to understand how it works in the real world.

Slide 43

>_Rebase
Because of ASLR protection, we need to rebase Comctl32 in IDA to the address it is actually loaded at, so that IDA's addresses match the running process. We can use CheatEngine, PCHunter, Scylla, etc. to fetch the module's base address from explorer.

Slide 44

>_Debug Active DLL
After rebasing, we can now dynamically debug a function inside the DLL in an active process. ;)

Slide 45

>_cat FastGetSubclsHdr

Slide 46

>_cat MstSubclsProc

Slide 47

>_cat EnterSubclsFram

Slide 48

>_cat EntrSubclsCallbk

Slide 49

>_cat CallNxtSubclsProc

Slide 50

>_abuse vtable

Slide 51

>_abuse vtable

Slide 52

Demo

Slide 53

Lab #4 Extra Window Vulnerability

Slide 54

>_IDA
Open Explorer.exe (C$\Windows\Explorer.exe) with IDA, and analyze the function s_WndProc.

Slide 55

>_CImpWndProc::s_WndProc

Slide 56

>_Rebase
Because of ASLR protection, we need to rebase explorer in IDA to the address it is actually loaded at before IDA can debug it dynamically. We can use CheatEngine, PCHunter, Scylla, etc. to fetch the base address of explorer.

Slide 57

>_Shell_TrayWnd?

Slide 58

>_Shell_TrayWnd?
Window event callback function

Slide 59

>_s_WndProc?

Slide 60

>_s_WndProc?

Slide 61

>_how it works
[Diagram: explorer process memory, with the operating system on the left]
Shell_TrayWnd object:
  +0   0xcafe (vtable)
  +4   window hwnd
  ...
vtable @ 0xcafe:
  +0   Interlocked (inc)
  +4   message callback
  +8   Interlocked (inc)
1) The operating system sends a window message.
2) The message is delivered to the Shell_TrayWnd window.
3) The s_WndProc function is invoked.
4) Several functions are invoked from the vtable.

Slide 62

>_issue? GetWindowLong()
[Diagram: the same Shell_TrayWnd object (+0 = 0xcafe vtable, +4 = window hwnd) and vtable @ 0xcafe (+0 Interlocked (inc), +4 message callback, +8 Interlocked (inc)) as the previous slide; the value at +0 is obtained with GetWindowLong().]

Slide 63

>_issue? GetWindowLong() / SetWindowLong()
[Diagram: explorer process memory]
Shell_TrayWnd object:
  +0   0xcafe, overwritten with 0xbeef via SetWindowLong()
  +4   window hwnd
  ...
vtable @ 0xcafe:
  +0   Interlocked (inc)
  +4   message callback
  +8   Interlocked (inc)
fake vtable @ 0xbeef:
  +0   shellcode addr
  +4   shellcode
  ...

Slide 64

>_issue? GetWindowLong() / SetWindowLong()
[Diagram: explorer process memory, with the malicious payload written into the Shell_TrayWnd object as one blob]
Payload:
  +0   fake vtable pointer ($+4)
  +4   shellcode addr ($+8)
  +8   shellcode
pwn!
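Lab #2 and Lab #4 share one shape: a code pointer (an object whose first field is its vtable) is fetched from storage that any process able to name the window can overwrite (a window property read with GetProp in Lab #2, the window's extra bytes read with GetWindowLong in Lab #4), and then called through without further checks. The program below is an added example, not code from the workshop; it models that read-then-call sequence in portable C with a tiny in-process property table standing in for SetProp/GetProp, and adds a "checked" dispatcher of its own (not Microsoft's fix) that only honours the pointer the registering code itself stored. The names real_target, planted_target and OleDropTargetInterface as a table key are this example's; the 0xBEEF return value stands in for the diagram's "shellcode addr".

```c
#include <stdio.h>
#include <string.h>

/* An object whose first field is a vtable pointer, as in the deck's diagram.
   Four slots so that slot 3 sits at +0x0C on 32-bit. */
typedef struct DropTarget DropTarget;
typedef int (*DropFn)(DropTarget *self);
typedef struct { DropFn slots[4]; } DropVtbl;
struct DropTarget { const DropVtbl *vtbl; };

static int real_drop(DropTarget *self)    { (void)self; return 1; }      /* legitimate handler */
static int planted_drop(DropTarget *self) { (void)self; return 0xBEEF; } /* stands in for "shellcode addr" */

static const DropVtbl real_vtbl    = { { real_drop, real_drop, real_drop, real_drop } };
static const DropVtbl planted_vtbl = { { planted_drop, planted_drop, planted_drop, planted_drop } };
DropTarget real_target    = { &real_vtbl };     /* the DropTarget @ 0xc0fee of the diagram */
DropTarget planted_target = { &planted_vtbl };  /* the payload @ 0xbeef of the diagram */

/* Minimal window-property table: name -> pointer. Anyone who can name the
   window can write it, which is the whole problem. */
#define MAX_PROPS 8
static struct { char name[32]; void *value; } props[MAX_PROPS];
static int nprops;

void set_prop(const char *name, void *value) {
    for (int i = 0; i < nprops; i++)
        if (strcmp(props[i].name, name) == 0) { props[i].value = value; return; }
    if (nprops < MAX_PROPS) {
        strncpy(props[nprops].name, name, sizeof props[nprops].name - 1);
        props[nprops].value = value;
        nprops++;
    }
}

void *get_prop(const char *name) {
    for (int i = 0; i < nprops; i++)
        if (strcmp(props[i].name, name) == 0) return props[i].value;
    return NULL;
}

/* The registering code keeps its own record of the object it published. */
static DropTarget *registered;
void register_drop_target(DropTarget *t) {
    registered = t;
    set_prop("OleDropTargetInterface", t);
}

/* Unchecked dispatch: whatever the property holds is treated as the object.
   This is the GetPropW -> *(vtbl + 0x0C) sequence from the "issue" slides. */
int dispatch_drop_unchecked(void) {
    DropTarget *t = (DropTarget *)get_prop("OleDropTargetInterface");
    if (!t) return -1;
    return t->vtbl->slots[3](t);   /* slot 3 == +0x0C on 32-bit */
}

/* Checked dispatch: the property is only a lookup key. The pointer is used
   only if it is the one this module registered, so overwriting the property
   no longer chooses which code runs. */
int dispatch_drop_checked(void) {
    DropTarget *t = (DropTarget *)get_prop("OleDropTargetInterface");
    if (t == NULL || t != registered) return -1;
    return t->vtbl->slots[3](t);
}

int main(void) {
    register_drop_target(&real_target);
    printf("before: unchecked=%d checked=%d\n", dispatch_drop_unchecked(), dispatch_drop_checked());
    /* Another party overwrites the property (the SetProp / SetWindowLong step). */
    set_prop("OleDropTargetInterface", &planted_target);
    printf("after:  unchecked=%d checked=%d\n", dispatch_drop_unchecked(), dispatch_drop_checked());
    return 0;
}
```

The point the model makes is that window properties and window extra bytes are shared storage, not a trust boundary: UIPI (Slides 19 and 20) only limits what a lower-integrity process may send to a higher-integrity window, so at the same integrity level the value read back can have been written by anyone. Code that derives a function pointer from such storage has to validate it against something only it controls, which is what the checked dispatcher does with its private `registered` copy.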

Slide 65

>_abuse vtable

Slide 66

Demo

Slide 67

>_Not Enough?
• PowerLoader Injection – Something truly amazing
• A basic trick; more on the 64-bit attack
• BreakingMalware/PowerLoaderEx (GitHub)
• Pass the payload to explorer through window extra memory
• Execute the payload on RW memory with a ROP chain

Slide 68

Thanks.
aaaddress1@chroot.org
Slides | GitHub @aaaddress1 | Facebook