dll shell game and other misdirections
play

DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 - PowerPoint PPT Presentation

Feb 02, 2024 •28 likes •458 views

DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES Table des matires Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5 Whoami Twitter : @_lucas_georges_ Reverser @

  1. DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES

  2. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  3. Whoami Twitter : @_lucas_georges_ Reverser @ Synacktiv Located in Rennes;p 3/43

  4. Dynamic Link Library (DLL) Dependencies Applications TOTO.EXE TATA.EXE TITI.EXE Win32 API Subsystem Servers user32.dll kernel32.dll System Services ws2_32.dll advapi32.dll Critical gdi32.dll etc ... Processes Native ntdll.dll API User mode Kernel mode ntoskrnl.exe 4/43

  5. Missing DLL 5/43

  6. Missing DLL? 6/43

  7. Missing Export 7/43

  8. Missing???? 8/43

  9. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  10. Windbg 10/43

  11. Dependency Walker 11/43

  12. Dependency Walker on a modern binary 12/43

  13. Dependency Walker on a modern binary 13/43

  14. Dependencies 14/43

  15. DEMO DEMO TIME! 15/43

  16. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  17. Diagram DLL Redirection DLL Search Dynamic Load kernelbase!LoadLibraryEx Y N N Load from Apiset ? WinSxs ? KnownDll ? \KnownDLLs Y Y N LdrpLoadKnownDll Process Initialization Load Dependencies DLL Search order LdrpLoadDependentModule LdrpInitializeProcess Apiset Resolution WinSxs Resolution LdrpSearchPath + LdrpResolveDllName LdrpLoadDllInternal LdrpPreprocessName Load from in System32 ? SysWow64 (opt) Wow64 layer Load from Disk LdrpMapDllNtFilename 17/43

  18. Apisets TOTO.EXE api-ms-win-core-debug-l1.dll IsDebuggerPresent Kernel32.dll call DebugBreak DebugBreak OutputDebugStringA OutputDebugStringW ContinueDebugEvent WaitForDebugEvent Export Address Table DebugActiveProcess DebugActiveProcessStop ... CheckRemoteDebuggerPresent DebugBreak WaitForDebugEventEx ... HeapCreate api-ms-win-core-heap-l1.dll HeapCreate HeapFree ... api-ms-win-wsl-api-l1-1 WslConfigureDistribution srpapi.dll WslGetDistributionConfiguration WslIsDistributionRegistered WslLaunch WslLaunchInteractive WslRegisterDistribution Export Address Table WslUnregisterDistribution ... DebugBreak ext-ms-win-security-srp-l1 ... AiEvaluatePlugin HeapCreate AppIDFreeAttributeString ... API SET NAMESPACE HOST DLLs 18/43

  19. WinSxS 19/43

  20. </assembly> </dependentAssembly> </trustInfo> </security> </requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> <requestedPrivileges> <security> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> </dependency> </assemblyIdentity> publicKeyToken="6595b64144ccf1df" language="*"> version="6.0.0.0" processorArchitecture="*" type="win32" name="Microsoft.Windows.Common-Controls" <assemblyIdentity <dependentAssembly> <dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> PE manifest Embedded PE manifest for Opera’s installer 20/43

  21. </assembly> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> </compatibility> </application> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS> <application> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <!-- runAsInvoker --!></trustInfo> </dependency> </dependentAssembly> assemblyIdentity> <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></ <dependentAssembly> <dependency> <dependency> <!-- "Microsoft.Windows.Common-Controls" dependency --!></dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> PE manifest Embedded PE manifest for Chrome executable 21/43

  22. <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/> <file name='chrome_elf.dll'/> </assembly> PE manifest C :\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\74.0.3729.169.manifest 22/43

  23. KnownDlls 23/43

  24. KnownDlls 24/43

  25. KnownDlls ntdll.dll!LdrVerifyImageMatchesChecksumEx 25/43

  26. DLL Search Order Source : https ://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order 26/43

  27. "C:\Windows\System32\spool" "C:\Windows\System32\ntdll.dll" "C:\Windows\System32\logfiles" "C:\Windows\System32\hostdriverstore" "C:\Windows\System32\drivers\etc" "C:\Windows\System32\driverstore" "C:\Windows\System32\catroot2" "C:\Windows\System32\catroot" "C:\Windows\Sysnative\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" "C:\Windows\System32\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" System32 folder redirection Implemented in wow64 binaries ( wow64cpu.dll , wow64win.dll and wow64.dll ) Original Path Redirected Path Exemptions 27/43

  28. Diagram DLL Redirection DLL Search Dynamic Load kernelbase!LoadLibraryEx Y N N Load from Apiset ? WinSxs ? KnownDll ? \KnownDLLs Y Y N LdrpLoadKnownDll Process Initialization Load Dependencies DLL Search order LdrpLoadDependentModule LdrpInitializeProcess Apiset Resolution WinSxs Resolution LdrpSearchPath + LdrpResolveDllName LdrpLoadDllInternal LdrpPreprocessName Load from in System32 ? SysWow64 (opt) Wow64 layer Load from Disk LdrpMapDllNtFilename 28/43

  29. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  30. Asus Delayload plant 30/43

  31. Asus Delayload plant The binary can’t be rewritten But any user can write a file or a folder in the same folder Let’s find a DLL to plant! 31/43

  32. Asus Delayload plant 32/43

  33. Asus Delayload plant 33/43

  34. Asus Delayload plant 34/43

  35. Asus Delayload plant 35/43

  36. WinSxS redirection launcher.exe copy installer.exe from C:\Program Files\Opera\${version}\installer.exe into a temporary directory, C:\Windows\Temp\opera autoupdate\ launcher.exe calls CreateProcess on the temporary executable installer.exe is executed and also drops a temporary DLL C:\Windows\Temp\Opera_installer_${timestamp}.dll which is then loaded in the installer.exe ’s proces. C:\Windows\Temp\opera autoupdate\installer.exe is automatically deleted when the process exits. 36/43

  37. </assembly> </dependentAssembly> </trustInfo> </security> </requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> <requestedPrivileges> <security> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> </dependency> </assemblyIdentity> publicKeyToken="6595b64144ccf1df" language="*"> version="6.0.0.0" processorArchitecture="*" type="win32" name="Microsoft.Windows.Common-Controls" <assemblyIdentity <dependentAssembly> <dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> WinSxS redirection Embedded PE manifest for Opera’s installer 37/43

  38. WinSxS redirection 38/43

  39. WinSxS redirection 39/43

  40. WinSxS redirection Demo 40/43

  41. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  42. Conclusion Lien vers le projet : https ://www.github.com/lucasg/Dependencies.git 42/43

  43. AVEZ-VOUS DES QUESTIONS? MERCI DE VOTRE ATTENTION

Recommend

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command line interpreter, of an operating system. The shell is often considered a simple domain-specific programming language . Typical operations

802 views • 15 slides
Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation: http://www.gnu.org/software/bash/manual/bashref.html Bash is an acronym for Bourne - Again SHell. The Bourne shell is the traditional

947 views • 37 slides
Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 /

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 /

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 / 29 Introduction to Bank Runs Bryant (1980) and Diamond and Dybvig (1983): bank runs in the post-deposit game 2 / 29 Introduction to Bank

896 views • 78 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU 3 Shell CSCE 625 TAMU 4 Shell CSCE 625 TAMU Pay attention to this: https://www.youtube.com/watch?v=vJG698U2Mvo 5 Shell

352 views • 8 slides
Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University Balasko Festschrift NYU Abu Dhabi 16 December 2015 1 / 28 Multiple Equilibria I Renements 2 / 28 Multiple Equilibria I Renements I Samuelson

1.17k views • 81 slides
e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and Learning Outcomes Feedback to date and evaluation plans Game Style Game style encompasses two genres of game o Platform game fast action

575 views • 22 slides
Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line arguments For loops Conditionals Shell customization Environment variables Aliases Shells A Unix shell is a command-line interpreter

475 views • 18 slides
e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and Learning Outcomes Feedback to date and evaluation plans Game Style Game is a detective game where the player investigates microbial problems.

572 views • 19 slides
Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of basic UNIX TM pipelines of commands about shell scripts some new commands variables parameters and shift command substitution

515 views • 35 slides
Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts Using Quotes Reading Data Arithmetic On Shell Environment and subshells Passing Arguments Parameter substitution

826 views • 65 slides
Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution Was part of OS kernel initially, now a normal program The shell interface looks like this: $ _ Prompt Keyboard cursor Unix shell $ cat

474 views • 22 slides
Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with high-level languages The turtle library Scripts &amp; Dependency Management Parsing command line options A small application Conclusion Shell

537 views • 27 slides
Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your default shell %chsh USERNAME /bin/bash More in the CS help page http://www.cs.purdue.edu/resources/facilities/oracle/cs.sxhtml Note te :

92 views • 5 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
UNIX Basics + shell commands Michael Tsai 2017/03/06 Where UNIX started Ken Thompson &amp;

UNIX Basics + shell commands Michael Tsai 2017/03/06 Where UNIX started Ken Thompson &amp;

UNIX Basics + shell commands Michael Tsai 2017/03/06 Where UNIX started Ken Thompson &amp; Dennis Ritchie Multics OS project (1960s) @ Bell Labs UNIX on scavenged PDP-7 (1969) Space Travel game Good environment to do

805 views • 24 slides
The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell

The Command Shell Fundamentals of Computer Science Outline Starting the Command Shell Locally Remote Host Directory Structure Moving around the directories Displaying File Contents Compiling and Running a Python Program

198 views • 19 slides
REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell

REPRESENTING THE UNIVERSITY OF JOHANNESBURG AT THE SHELL ECO-MARATHON CONTENTS 01 The Shell Eco-marathon 02 Introduction 03 Technical Aspects 04 Technical Budget 05 Sponsorships 06 Multi-Disciplinary Team 07 Off Track Awards 08 Exposure

234 views • 20 slides
The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive

The devil shell (dsh) COMPSCI210 Recitation 4th Feb 2013 Vamsi Thummala Shell Interactive command interpreter A high level language (scripting) Interface to the OS Provides support for key OS ideas Isolation Concurrency

522 views • 22 slides
Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016

Annual General Meeting 2016 Royal Dutch Shell plc May 24, 2016 Royal Dutch Shell | May 24, 2016 Chad Holliday Chairman Royal Dutch Shell plc Royal Dutch Shell | May 24, 2016 Definitions &amp; The New Lens Scenarios are part of an ongoing

197 views • 19 slides
C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter

C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter

C Shell CIS 218 C Shell overview Csh (new version tchs) is a command language interpreter developed under BSD UNIX. It incorporates features of other shells and a history mechanism. Tcsh development is currently maintained by tcsh.org.

737 views • 25 slides
ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES

ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES

ROYAL DUT ROYAL DUTCH CH SHELL SHELL P PLC FIRS RST QU QUART ARTER 20 ER 2020 20 RES RESULTS APRIL 30 th 2020 FIRST QUARTER 2020 RESULTS WEBCAST TO MEDIA AND ANALYSTS BY BEN VAN BEURDEN, CHIEF EXECUTIVE OFFICER OF ROYAL DUTCH SHELL PLC

144 views • 11 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce:

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce:

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU Charles Sanders Peirce: &quot;Looking out my window this lovely spring morning, I see an azalea in full bloom. No, no! I don't see that; though that

287 views • 9 slides

More recommend