DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES
Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion
Whoami: Twitter @_lucas_georges_, reverser @ Synacktiv, located in Rennes ;p
Dynamic Link Library (DLL) dependencies (layering diagram, rendered as text):
- Applications: TOTO.EXE, TATA.EXE, TITI.EXE; alongside them in user mode, subsystem servers, system services and critical processes
- Win32 API: user32.dll, kernel32.dll, ws2_32.dll, advapi32.dll, gdi32.dll, etc.
- Native API: ntdll.dll
- User mode / kernel mode boundary
- Kernel: ntoskrnl.exe
Missing DLL
Missing DLL?
Missing Export
Missing????
2 Tools
Windbg
Dependency Walker
Dependency Walker on a modern binary
Dependencies
DEMO TIME!
3 DLL Redirections
Diagram: DLL Redirection (loader flow, rendered as text from the slide's boxes)
- Dynamic load: kernelbase!LoadLibraryEx -> LdrpLoadDllInternal
- Process initialization: LdrpInitializeProcess -> load dependencies (LdrpLoadDependentModule) -> LdrpLoadDllInternal
- LdrpPreprocessName: Apiset? -> Apiset resolution; WinSxs? -> WinSxs resolution; KnownDll? -> LdrpLoadKnownDll, load from \KnownDLLs
- Otherwise, DLL search order: LdrpSearchPath + LdrpResolveDllName
- Load from System32? -> Wow64 layer, SysWow64 (opt)
- Load from disk: LdrpMapDllNtFilename
Apisets (diagram, rendered as text): TOTO.EXE calls DebugBreak and HeapCreate; the imports go through API set contracts, which the loader resolves to the export address table of a host DLL.
API SET NAMESPACE:
- api-ms-win-core-debug-l1.dll: IsDebuggerPresent, DebugBreak, OutputDebugStringA, OutputDebugStringW, ContinueDebugEvent, WaitForDebugEvent, ... -> Kernel32.dll
- api-ms-win-core-heap-l1.dll: HeapCreate, HeapFree, ...
- api-ms-win-wsl-api-l1-1: WslConfigureDistribution, WslGetDistributionConfiguration, WslIsDistributionRegistered, WslLaunch, WslLaunchInteractive, WslRegisterDistribution, WslUnregisterDistribution, ...
- ext-ms-win-security-srp-l1: ... -> srpapi.dll
HOST DLLs (export address tables):
- Kernel32.dll: DebugActiveProcess, DebugActiveProcessStop, CheckRemoteDebuggerPresent, DebugBreak, WaitForDebugEventEx, HeapCreate, ...
- srpapi.dll: AiEvaluatePlugin, AppIDFreeAttributeString, ...
WinSxS
PE manifest: embedded PE manifest for Opera's installer
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
PE manifest: embedded PE manifest for the Chrome executable
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <!-- "Microsoft.Windows.Common-Controls" dependency -->
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><!-- runAsInvoker --></trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
    </application>
  </compatibility>
</assembly>
PE manifest: C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\74.0.3729.169.manifest
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/>
  <file name='chrome_elf.dll'/>
</assembly>
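An added example, not from the talk or from the Dependencies project: a Python parser for the manifests shown above. It separates shared side-by-side dependencies (a publicKeyToken is present, so the assembly is resolved through WinSxS, as for the Common-Controls dependency of both Opera's installer and chrome.exe) from private ones (no token, so the loader looks in the application's own directory, as for chrome.exe's 74.0.3729.169 assembly, whose manifest names chrome_elf.dll). The manifests are embedded inline, trimmed to their dependency elements, and the application directory is the one from the slide.

```python
# Added example, not from the talk: classify the dependencies a PE manifest declares
# as shared side-by-side assemblies (publicKeyToken present, resolved through WinSxS)
# or private assemblies (no token, resolved from the application's own directory).
import ntpath
import xml.etree.ElementTree as ET

NS = "{urn:schemas-microsoft-com:asm.v1}"

# Constructed from the chrome.exe manifest on the slide; trustInfo and compatibility
# sections dropped, they carry no dependency information.
CHROME_EXE_MANIFEST = """<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
      processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"/>
  </dependentAssembly></dependency>
  <dependency><dependentAssembly>
    <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"/>
  </dependentAssembly></dependency>
</assembly>"""

# The private assembly's own manifest (74.0.3729.169\74.0.3729.169.manifest on the slide).
PRIVATE_ASSEMBLY_MANIFEST = """<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/>
  <file name='chrome_elf.dll'/>
</assembly>"""


def private_probe_paths(app_dir, name):
    """Locations probed, in order, for a private assembly (Microsoft's documented search sequence)."""
    return [ntpath.join(app_dir, name + ".dll"),          # ntpath so this also runs off Windows
            ntpath.join(app_dir, name + ".manifest"),
            ntpath.join(app_dir, name, name + ".dll"),
            ntpath.join(app_dir, name, name + ".manifest")]


def classify_dependencies(manifest_xml, app_dir):
    """One dict per <dependentAssembly>: name, version, kind and, if private, the probed paths."""
    records = []
    for dep in ET.fromstring(manifest_xml).iter(NS + "dependentAssembly"):
        for ident in dep.findall(NS + "assemblyIdentity"):
            name = ident.get("name", "")
            shared = ident.get("publicKeyToken") is not None
            records.append({"name": name, "version": ident.get("version", ""),
                            "kind": "shared" if shared else "private",
                            "probe_paths": [] if shared else private_probe_paths(app_dir, name)})
    return records


def assembly_files(manifest_xml):
    """DLLs a private assembly's manifest declares as its members."""
    return [f.get("name", "") for f in ET.fromstring(manifest_xml).iter(NS + "file")]
```

The last probed path for the private assembly is exactly the manifest location on the slide, which is why a writable application directory matters for such dependencies.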
KnownDlls
KnownDlls: ntdll.dll!LdrVerifyImageMatchesChecksumEx
DLL Search Order. Source: https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order
System32 folder redirection, implemented in the wow64 binaries (wow64cpu.dll, wow64win.dll and wow64.dll):

Original path                   -> Redirected path
C:\Windows\System32\ntdll.dll   -> C:\Windows\SysWow64\ntdll.dll
C:\Windows\Sysnative\ntdll.dll  -> C:\Windows\System32\ntdll.dll
C:\Windows\SysWow64\ntdll.dll   -> C:\Windows\SysWow64\ntdll.dll

Exemptions (not redirected):
C:\Windows\System32\catroot
C:\Windows\System32\catroot2
C:\Windows\System32\driverstore
C:\Windows\System32\hostdriverstore
C:\Windows\System32\drivers\etc
C:\Windows\System32\logfiles
C:\Windows\System32\spool
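An added example, not from the talk: a Python model of the WOW64 file system redirection described on the slide, generalised from the three ntdll.dll rows to any path, so a defender can predict which file a 32-bit process really opens. The exemption list is the slide's; the Sysnative alias and the SysWow64 and System32 paths are assumed to be exactly as written there, and the real logic lives in wow64.dll, not here.

```python
# Added example, not from the talk: a model of the WOW64 file system redirection in the
# table above, i.e. which file a 32-bit process really opens when it names a path under
# C:\Windows\System32. The exemption list is the slide's; the real logic is in wow64.dll.
import ntpath

SYSTEM32 = r"C:\Windows\System32"
SYSWOW64 = r"C:\Windows\SysWow64"
SYSNATIVE = r"C:\Windows\Sysnative"   # alias a 32-bit process uses to reach the real System32
# Subdirectories of System32 that are never redirected (the slide's exemptions).
EXEMPT_SUBDIRS = ("catroot", "catroot2", "driverstore", "hostdriverstore",
                  r"drivers\etc", "logfiles", "spool")


def _under(path, root):
    """Case-insensitive test that path is root or lies below it. Returns the part
    after root ('' for root itself), or None when path is elsewhere."""
    norm = ntpath.normpath(path)
    low, root_low = norm.lower(), root.lower()
    if low == root_low:
        return ""
    if low.startswith(root_low + "\\"):
        return norm[len(root) + 1:]
    return None


def wow64_redirect(path):
    """Path a 32-bit (WOW64) process actually opens when it asks for `path`."""
    rest = _under(path, SYSNATIVE)
    if rest is not None:                       # Sysnative -> the real System32
        return ntpath.join(SYSTEM32, rest) if rest else SYSTEM32
    rest = _under(path, SYSTEM32)
    if rest is None:                           # outside System32: nothing to redirect
        return path
    if any(_under(rest, sub) is not None for sub in EXEMPT_SUBDIRS):
        return path                            # exempted subtree stays in System32
    return ntpath.join(SYSWOW64, rest) if rest else SYSWOW64
```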
Diagram: DLL Redirection (the loader flow diagram shown at the start of this section, repeated as a recap)
4 Vulnerabilities
Asus Delayload plant
The binary can't be rewritten, but any user can write a file or a folder in the same folder. Let's find a DLL to plant!
WinSxS redirection
- launcher.exe copies installer.exe from C:\Program Files\Opera\${version}\installer.exe into a temporary directory, C:\Windows\Temp\opera autoupdate\
- launcher.exe calls CreateProcess on the temporary executable
- installer.exe is executed and also drops a temporary DLL, C:\Windows\Temp\Opera_installer_${timestamp}.dll, which is then loaded in installer.exe's process
- C:\Windows\Temp\opera autoupdate\installer.exe is automatically deleted when the process exits
WinSxS redirection: embedded PE manifest for Opera's installer
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
WinSxS redirection
WinSxS redirection: Demo
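An added check, not from the talk: the precondition shared by the Asus plant above (any user can write into the binary's folder) and by any updater that stages an executable in a temporary directory, as Opera's launcher does, is a directory on which low-privileged principals hold write rights. This Python parses the text that `icacls <dir>` prints and flags such grants; the two icacls samples and their directory names are constructed, not taken from either product.

```python
# Added example, not from the talk: flag directories where any local user holds write
# rights, the precondition behind the planting described above. Input is the text that
# `icacls <dir>` prints; both samples are constructed, not taken from either product.
import re

LOW_PRIV = {"everyone", r"builtin\users", r"nt authority\authenticated users",
            r"nt authority\interactive"}           # principals every local user acts as
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "DC"}   # rights that let one add or replace files
INHERIT_FLAGS = {"I", "OI", "CI", "IO", "NP"}      # inheritance markers, not rights
ACE_RE = re.compile(r"^(?P<principal>.+?):(?P<flags>(?:\([^)]*\))+)$")

SAFE_DIR = r"C:\Program Files\SafeApp"
SAFE_ICACLS = r"""C:\Program Files\SafeApp NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                          BUILTIN\Administrators:(I)(OI)(CI)(F)
                          BUILTIN\Users:(I)(OI)(CI)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
WEAK_DIR = r"C:\Program Files\WeakApp"
WEAK_ICACLS = r"""C:\Program Files\WeakApp NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                          BUILTIN\Users:(OI)(CI)(M)
                          Everyone:(DENY)(W)

Successfully processed 1 files; Failed processing 0 files
"""


def parse_aces(directory, icacls_output):
    """(principal, denied, rights) for each ACE printed by `icacls directory`."""
    aces = []
    for line in icacls_output.splitlines():
        line = line.strip()
        if line.startswith(directory + " "):        # first line carries the path
            line = line[len(directory) + 1:]
        m = ACE_RE.match(line)
        if not m:                                    # blank or summary line
            continue
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", m["flags"]) for t in grp.split(",")]
        rights = {t for t in tokens if t not in INHERIT_FLAGS and t != "DENY"}
        aces.append((m["principal"], "DENY" in tokens, rights))
    return aces


def writable_by_low_priv(directory, icacls_output):
    """Low-privileged principals granted (not denied) write rights on the directory."""
    return [(principal, sorted(rights & WRITE_RIGHTS))
            for principal, denied, rights in parse_aces(directory, icacls_output)
            if not denied and principal.lower() in LOW_PRIV and rights & WRITE_RIGHTS]
```

A non-empty result means a standard user can drop a file next to, or in place of, what the loader will look for there.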
5 Conclusion
Conclusion. Link to the project: https://www.github.com/lucasg/Dependencies.git
ANY QUESTIONS? THANK YOU FOR YOUR ATTENTION