DLL Shell Game and other misdirections

SSTIC 2019, 06/06/2019 - PowerPoint PPT Presentation, Synacktiv, Lucas GEORGES

  1. DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES

  2. Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion

  3. Whoami: Twitter @_lucas_georges_, reverser @ Synacktiv, located in Rennes ;p 3/43

  4. Dynamic Link Library (DLL) dependencies (layered diagram): in user mode, applications (TOTO.EXE, TATA.EXE, TITI.EXE), subsystem servers, system services and critical processes all sit on top of the Win32 API DLLs (user32.dll, kernel32.dll, ws2_32.dll, advapi32.dll, gdi32.dll, etc.), which in turn call the Native API exported by ntdll.dll; below the user/kernel boundary sits ntoskrnl.exe. 4/43

  5. Missing DLL 5/43

  6. Missing DLL? 6/43

  7. Missing Export 7/43

  8. Missing???? 8/43

  9. Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion

  10. Windbg 10/43

  11. Dependency Walker 11/43

  12. Dependency Walker on a modern binary 12/43

  13. Dependency Walker on a modern binary 13/43

  14. Dependencies 14/43

  15. DEMO DEMO TIME! 15/43

  16. Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion

  17. Diagram: DLL redirection. Two entry points reach the same resolver: process initialization (LdrpInitializeProcess loads the dependencies through LdrpLoadDependentModule) and dynamic loading (kernelbase!LoadLibraryEx). Both go through LdrpLoadDllInternal and LdrpPreprocessName, which checks in turn: Apiset? (Apiset resolution), WinSxS? (WinSxS resolution), KnownDll? (LdrpLoadKnownDll, mapped from the \KnownDLLs section). Only if none of these applies is the DLL search order walked (LdrpSearchPath + LdrpResolveDllName) and the file loaded from disk (LdrpMapDllNtFilename); when loading from System32 in a 32-bit process the Wow64 layer optionally redirects to SysWow64. 17/43

  18. Apisets (diagram). TOTO.EXE calls DebugBreak and HeapCreate through API set contracts rather than directly through the host DLLs. API SET NAMESPACE: api-ms-win-core-debug-l1.dll (IsDebuggerPresent, DebugBreak, OutputDebugStringA, OutputDebugStringW, ContinueDebugEvent, WaitForDebugEvent, DebugActiveProcess, DebugActiveProcessStop, CheckRemoteDebuggerPresent, WaitForDebugEventEx, ...); api-ms-win-core-heap-l1.dll (HeapCreate, HeapFree, ...); api-ms-win-wsl-api-l1-1 (WslConfigureDistribution, WslGetDistributionConfiguration, WslIsDistributionRegistered, WslLaunch, WslLaunchInteractive, WslRegisterDistribution, WslUnregisterDistribution, ...); ext-ms-win-security-srp-l1 (AiEvaluatePlugin, AppIDFreeAttributeString, ...). HOST DLLs: each contract is resolved to the Export Address Table of a host DLL (kernel32.dll, srpapi.dll, ...). 18/43

  19. WinSxS 19/43

  20. PE manifest: embedded PE manifest for Opera's installer (20/43)

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

  21. PE manifest: embedded PE manifest for Chrome executable (21/43)

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <!-- "Microsoft.Windows.Common-Controls" dependency -->
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <!-- runAsInvoker -->
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
    </application>
  </compatibility>
</assembly>

  22. PE manifest: C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\74.0.3729.169.manifest (22/43)

<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/>
  <file name='chrome_elf.dll'/>
</assembly>
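The two manifests above show the distinction that matters for redirection: a dependency with a publicKeyToken (Common-Controls) is served from the signed WinSxS store, while a dependency without one (Chrome's 74.0.3729.169) is a private assembly that the loader looks up next to the executable, together with the DLLs its own manifest lists. The following Python script is an added example, not code from the talk or from Chrome; it parses constructed manifests modelled on slides 21 and 22, classifies each dependency, and lists where a private assembly would be searched for. The application directory C:\App and the manifest contents are assumptions made for the example.

```python
"""Added example: classify the dependencies an embedded PE manifest declares.

Shared (publicKeyToken-signed) assemblies come from the WinSxS store; private
assemblies are looked up next to the executable, so a writable application
directory lets an attacker supply the assembly manifest and the DLLs it names.
All manifests below are constructed for this example; the application
directory C:\\App is an assumption.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

ASM_V1 = "urn:schemas-microsoft-com:asm.v1"
ASM_V3 = "urn:schemas-microsoft-com:asm.v3"


def _q(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


# Constructed application manifest, modelled on the Chrome manifest of slide 21.
APP_MANIFEST = f"""<assembly xmlns="{ASM_V1}" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls"
          version="6.0.0.0" processorArchitecture="*"
          publicKeyToken="6595b64144ccf1df" language="*"/>
    </dependentAssembly>
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="74.0.3729.169"
          version="74.0.3729.169" language="*"/>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="{ASM_V3}">
    <security><requestedPrivileges>
      <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
    </requestedPrivileges></security>
  </trustInfo>
</assembly>"""

# Constructed private-assembly manifest, modelled on 74.0.3729.169.manifest (slide 22).
PRIVATE_MANIFEST = f"""<assembly xmlns="{ASM_V1}" manifestVersion="1.0">
  <assemblyIdentity name="74.0.3729.169" version="74.0.3729.169" type="win32"/>
  <file name="chrome_elf.dll"/>
</assembly>"""


@dataclass(frozen=True)
class Dependency:
    name: str
    version: str
    public_key_token: str  # "" when the manifest gives none

    @property
    def kind(self):
        # Only strong-named assemblies are resolved from C:\Windows\WinSxS.
        return "shared" if self.public_key_token else "private"


def parse_dependencies(manifest_xml):
    """Every <dependency>/<dependentAssembly>/<assemblyIdentity> of an app manifest."""
    root = ET.fromstring(manifest_xml)
    path = "/".join(_q(ASM_V1, t) for t in ("dependency", "dependentAssembly", "assemblyIdentity"))
    return [Dependency(e.get("name"), e.get("version", ""), e.get("publicKeyToken", ""))
            for e in root.findall(path)]


def execution_level(manifest_xml):
    """The requestedExecutionLevel (asInvoker, highestAvailable, requireAdministrator)."""
    el = ET.fromstring(manifest_xml).find(".//" + _q(ASM_V3, "requestedExecutionLevel"))
    return el.get("level") if el is not None else None


def private_candidates(app_dir, dep):
    """Where the loader probes for a private assembly, following Microsoft's
    documented assembly searching sequence (app_dir is an assumption)."""
    n = dep.name
    return [f"{app_dir}\\{n}.dll", f"{app_dir}\\{n}.manifest",
            f"{app_dir}\\{n}\\{n}.dll", f"{app_dir}\\{n}\\{n}.manifest"]


def redirected_files(assembly_manifest_xml):
    """DLL names a private assembly manifest maps into its own directory."""
    root = ET.fromstring(assembly_manifest_xml)
    return [f.get("name") for f in root.findall(_q(ASM_V1, "file"))]


def audit(app_dir, app_manifest, manifests_on_disk):
    """manifests_on_disk: {assembly name: manifest XML found in app_dir} (constructed)."""
    report = []
    for dep in parse_dependencies(app_manifest):
        entry = {"name": dep.name, "kind": dep.kind, "files": [], "search": []}
        if dep.kind == "private":
            entry["search"] = private_candidates(app_dir, dep)
            if dep.name in manifests_on_disk:
                entry["files"] = redirected_files(manifests_on_disk[dep.name])
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in audit("C:\\App", APP_MANIFEST, {"74.0.3729.169": PRIVATE_MANIFEST}):
        print(e)
```

The practical check is the last entry of the report: every file a private assembly manifest names (here chrome_elf.dll) is loaded from the application directory by name, so the ACLs of that directory, not the signature of the assembly, decide who can supply it.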

  23. KnownDlls 23/43

  24. KnownDlls 24/43

  25. KnownDlls ntdll.dll!LdrVerifyImageMatchesChecksumEx 25/43

  26. DLL Search Order. Source: https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order 26/43

  27. System32 folder redirection. Implemented in the wow64 binaries (wow64cpu.dll, wow64win.dll and wow64.dll). 27/43

Original Path                    | Redirected Path
C:\Windows\System32\ntdll.dll    | C:\Windows\SysWow64\ntdll.dll
C:\Windows\Sysnative\ntdll.dll   | C:\Windows\System32\ntdll.dll
C:\Windows\SysWow64\ntdll.dll    | C:\Windows\SysWow64\ntdll.dll

Exemptions (not redirected): C:\Windows\System32\catroot, C:\Windows\System32\catroot2, C:\Windows\System32\driverstore, C:\Windows\System32\drivers\etc, C:\Windows\System32\hostdriverstore, C:\Windows\System32\logfiles, C:\Windows\System32\spool

  28. Diagram: DLL redirection (recap of the diagram on slide 17: Apiset resolution, WinSxS resolution, KnownDll lookup, then the DLL search order and load from disk, with the Wow64 System32 to SysWow64 redirection). 28/43

  29. Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion

  30. Asus Delayload plant 30/43

  31. Asus Delayload plant. The binary can't be rewritten, but any user can write a file or a folder in the same folder. Let's find a DLL to plant! 31/43

  32. Asus Delayload plant 32/43

  33. Asus Delayload plant 33/43

  34. Asus Delayload plant 34/43

  35. Asus Delayload plant 35/43
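Slides 26, 27 and 31 together describe the mechanics of a plant: a name that is neither an apiset contract nor a KnownDll goes through the search order of slide 26, each probe is rewritten by the WOW64 redirection of slide 27 in a 32-bit process, and the first writable directory probed before the real file (or any writable directory, when the DLL is missing or delay-loaded and absent) is where an attacker drops a DLL. The Python script below is an added example, not code from the talk or from Asus; it reproduces that decision procedure over a constructed machine whose application directory is user-writable, as on slide 31. The file system, the writable directories, the subset of \KnownDlls and all paths are constructed for the example; it goes beyond the single Asus case by also showing the effect of SafeDllSearchMode and of the WOW64 redirection.

```python
"""Added example: walk the DLL search order and the WOW64 System32 redirection
to find where a DLL would load from and which searched directories a standard
user could drop a file into. The file system, writable directories, KnownDlls
subset and application paths are all constructed for this example."""
from dataclasses import dataclass, field

# Constructed subset of the \KnownDlls object directory: these never hit the search order.
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll",
              "gdi32.dll", "advapi32.dll", "ws2_32.dll"}
APISET_PREFIXES = ("api-ms-win-", "ext-ms-win-")
# System32 subfolders the WOW64 layer leaves alone (slide 27).
WOW64_EXEMPT = ("catroot", "catroot2", "driverstore", "drivers\\etc",
                "hostdriverstore", "logfiles", "spool")
SYSTEM32 = "C:\\Windows\\System32"


def wow64_redirect(path):
    """Rewrite a path the way wow64.dll does for a 32-bit process."""
    low = path.lower()
    if low.startswith("c:\\windows\\sysnative\\"):
        return SYSTEM32 + "\\" + path[len("c:\\windows\\sysnative\\"):]
    if low.startswith("c:\\windows\\system32\\"):
        rest = path[len("c:\\windows\\system32\\"):]
        for ex in WOW64_EXEMPT:
            if rest.lower() == ex or rest.lower().startswith(ex + "\\"):
                return path
        return "C:\\Windows\\SysWOW64\\" + rest
    return path


@dataclass
class Host:
    files: set            # lowercased paths that exist (constructed)
    writable_dirs: set    # lowercased directories a standard user can write to
    app_dir: str
    cwd: str
    path_dirs: list = field(default_factory=list)
    wow64: bool = False
    safe_dll_search_mode: bool = True


def search_dirs(host):
    """Standard search order; SafeDllSearchMode moves the CWD below the system dirs."""
    dirs = [host.app_dir, SYSTEM32, "C:\\Windows\\System", "C:\\Windows"]
    dirs.insert(4 if host.safe_dll_search_mode else 1, host.cwd)
    return dirs + list(host.path_dirs)


def _candidates(host, dll_name):
    for d in search_dirs(host):
        c = d + "\\" + dll_name
        yield wow64_redirect(c) if host.wow64 else c


def resolve(host, dll_name):
    """Return (how, path): apiset / knowndll short-circuits, else first hit on disk."""
    name = dll_name.lower()
    if name.startswith(APISET_PREFIXES):
        return "apiset", None            # resolved through the apiset schema, never searched
    if name in KNOWN_DLLS:
        p = SYSTEM32 + "\\" + dll_name
        return "knowndll", (wow64_redirect(p) if host.wow64 else p)  # section from \KnownDlls(32)
    for c in _candidates(host, dll_name):
        if c.lower() in host.files:
            return "disk", c
    return "missing", None


def plant_locations(host, dll_name):
    """Writable spots probed before the real DLL (or all of them when it is missing)."""
    kind, _ = resolve(host, dll_name)
    if kind in ("apiset", "knowndll"):
        return []
    spots = []
    for c in _candidates(host, dll_name):
        if c.lower() in host.files:
            break                        # later directories are never consulted
        if c.rsplit("\\", 1)[0].lower() in host.writable_dirs:
            spots.append(c)
    return spots


def demo_host():
    """Constructed machine modelled on slide 31: the vendor's install dir is user-writable."""
    return Host(
        files={"c:\\windows\\system32\\version.dll", "c:\\windows\\system32\\kernel32.dll",
               "c:\\windows\\syswow64\\version.dll"},
        writable_dirs={"c:\\program files\\vendor", "c:\\users\\alice\\downloads"},
        app_dir="C:\\Program Files\\Vendor",
        cwd="C:\\Users\\alice\\Downloads",
        path_dirs=[SYSTEM32, "C:\\Windows"],
    )


if __name__ == "__main__":
    h = demo_host()
    for dll in ("version.dll", "vendorplugin.dll", "kernel32.dll", "api-ms-win-core-heap-l1-1-0.dll"):
        print(dll, resolve(h, dll), plant_locations(h, dll))
```

Two things the run makes visible that the slides only state: a DLL that really lives in System32 is still hijackable when the application directory precedes it and is writable, and a missing delay-load DLL (vendorplugin.dll here) is plantable in every writable directory of the order, which is exactly the Asus situation. KnownDlls and apiset names return no plant location because the loader never consults the file system for them.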

  36. WinSxS redirection. launcher.exe copies installer.exe from C:\Program Files\Opera\${version}\installer.exe into a temporary directory, C:\Windows\Temp\opera autoupdate\. launcher.exe then calls CreateProcess on the temporary executable. installer.exe runs and also drops a temporary DLL, C:\Windows\Temp\Opera_installer_${timestamp}.dll, which is then loaded into installer.exe's process. C:\Windows\Temp\opera autoupdate\installer.exe is automatically deleted when the process exits. 36/43

  37. WinSxS redirection: embedded PE manifest for Opera's installer (same manifest as slide 20: a Microsoft.Windows.Common-Controls dependentAssembly with publicKeyToken 6595b64144ccf1df, and a requestedExecutionLevel of asInvoker). 37/43

  38. WinSxS redirection 38/43

  39. WinSxS redirection 39/43

  40. WinSxS redirection Demo 40/43

  41. Table of contents: 1 Introduction, 2 Tools, 3 DLL Redirections, 4 Vulnerabilities, 5 Conclusion

  42. Conclusion. Link to the project: https://www.github.com/lucasg/Dependencies.git 42/43


