dll shell game and other misdirections
play

DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 - PowerPoint PPT Presentation

Feb 02, 2024 •28 likes •458 views

DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES Table des matires Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5 Whoami Twitter : @_lucas_georges_ Reverser @

  1. DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 Synacktiv Lucas GEORGES

  2. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  3. Whoami Twitter : @_lucas_georges_ Reverser @ Synacktiv Located in Rennes;p 3/43

  4. Dynamic Link Library (DLL) Dependencies Applications TOTO.EXE TATA.EXE TITI.EXE Win32 API Subsystem Servers user32.dll kernel32.dll System Services ws2_32.dll advapi32.dll Critical gdi32.dll etc ... Processes Native ntdll.dll API User mode Kernel mode ntoskrnl.exe 4/43

  5. Missing DLL 5/43

  6. Missing DLL? 6/43

  7. Missing Export 7/43

  8. Missing???? 8/43

  9. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  10. Windbg 10/43

  11. Dependency Walker 11/43

  12. Dependency Walker on a modern binary 12/43

  13. Dependency Walker on a modern binary 13/43

  14. Dependencies 14/43

  15. DEMO DEMO TIME! 15/43

  16. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  17. Diagram DLL Redirection DLL Search Dynamic Load kernelbase!LoadLibraryEx Y N N Load from Apiset ? WinSxs ? KnownDll ? \KnownDLLs Y Y N LdrpLoadKnownDll Process Initialization Load Dependencies DLL Search order LdrpLoadDependentModule LdrpInitializeProcess Apiset Resolution WinSxs Resolution LdrpSearchPath + LdrpResolveDllName LdrpLoadDllInternal LdrpPreprocessName Load from in System32 ? SysWow64 (opt) Wow64 layer Load from Disk LdrpMapDllNtFilename 17/43

  18. Apisets TOTO.EXE api-ms-win-core-debug-l1.dll IsDebuggerPresent Kernel32.dll call DebugBreak DebugBreak OutputDebugStringA OutputDebugStringW ContinueDebugEvent WaitForDebugEvent Export Address Table DebugActiveProcess DebugActiveProcessStop ... CheckRemoteDebuggerPresent DebugBreak WaitForDebugEventEx ... HeapCreate api-ms-win-core-heap-l1.dll HeapCreate HeapFree ... api-ms-win-wsl-api-l1-1 WslConfigureDistribution srpapi.dll WslGetDistributionConfiguration WslIsDistributionRegistered WslLaunch WslLaunchInteractive WslRegisterDistribution Export Address Table WslUnregisterDistribution ... DebugBreak ext-ms-win-security-srp-l1 ... AiEvaluatePlugin HeapCreate AppIDFreeAttributeString ... API SET NAMESPACE HOST DLLs 18/43

  19. WinSxS 19/43

  20. </assembly> </dependentAssembly> </trustInfo> </security> </requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> <requestedPrivileges> <security> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> </dependency> </assemblyIdentity> publicKeyToken="6595b64144ccf1df" language="*"> version="6.0.0.0" processorArchitecture="*" type="win32" name="Microsoft.Windows.Common-Controls" <assemblyIdentity <dependentAssembly> <dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> PE manifest Embedded PE manifest for Opera’s installer 20/43

  21. </assembly> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> </compatibility> </application> <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS> <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS> <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS> <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS> <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS> <application> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <!-- runAsInvoker --!></trustInfo> </dependency> </dependentAssembly> assemblyIdentity> <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></ <dependentAssembly> <dependency> <dependency> <!-- "Microsoft.Windows.Common-Controls" dependency --!></dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> PE manifest Embedded PE manifest for Chrome executable 21/43

  22. <assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'> <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/> <file name='chrome_elf.dll'/> </assembly> PE manifest C :\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\74.0.3729.169.manifest 22/43

  23. KnownDlls 23/43

  24. KnownDlls 24/43

  25. KnownDlls ntdll.dll!LdrVerifyImageMatchesChecksumEx 25/43

  26. DLL Search Order Source : https ://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order 26/43

  27. "C:\Windows\System32\spool" "C:\Windows\System32\ntdll.dll" "C:\Windows\System32\logfiles" "C:\Windows\System32\hostdriverstore" "C:\Windows\System32\drivers\etc" "C:\Windows\System32\driverstore" "C:\Windows\System32\catroot2" "C:\Windows\System32\catroot" "C:\Windows\Sysnative\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" "C:\Windows\System32\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" "C:\Windows\SysWow64\ntdll.dll" System32 folder redirection Implemented in wow64 binaries ( wow64cpu.dll , wow64win.dll and wow64.dll ) Original Path Redirected Path Exemptions 27/43

  28. Diagram DLL Redirection DLL Search Dynamic Load kernelbase!LoadLibraryEx Y N N Load from Apiset ? WinSxs ? KnownDll ? \KnownDLLs Y Y N LdrpLoadKnownDll Process Initialization Load Dependencies DLL Search order LdrpLoadDependentModule LdrpInitializeProcess Apiset Resolution WinSxs Resolution LdrpSearchPath + LdrpResolveDllName LdrpLoadDllInternal LdrpPreprocessName Load from in System32 ? SysWow64 (opt) Wow64 layer Load from Disk LdrpMapDllNtFilename 28/43

  29. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  30. Asus Delayload plant 30/43

  31. Asus Delayload plant The binary can’t be rewritten But any user can write a file or a folder in the same folder Let’s find a DLL to plant! 31/43

  32. Asus Delayload plant 32/43

  33. Asus Delayload plant 33/43

  34. Asus Delayload plant 34/43

  35. Asus Delayload plant 35/43

  36. WinSxS redirection launcher.exe copy installer.exe from C:\Program Files\Opera\${version}\installer.exe into a temporary directory, C:\Windows\Temp\opera autoupdate\ launcher.exe calls CreateProcess on the temporary executable installer.exe is executed and also drops a temporary DLL C:\Windows\Temp\Opera_installer_${timestamp}.dll which is then loaded in the installer.exe ’s proces. C:\Windows\Temp\opera autoupdate\installer.exe is automatically deleted when the process exits. 36/43

  37. </assembly> </dependentAssembly> </trustInfo> </security> </requestedPrivileges> <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel> <requestedPrivileges> <security> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> </dependency> </assemblyIdentity> publicKeyToken="6595b64144ccf1df" language="*"> version="6.0.0.0" processorArchitecture="*" type="win32" name="Microsoft.Windows.Common-Controls" <assemblyIdentity <dependentAssembly> <dependency> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> WinSxS redirection Embedded PE manifest for Opera’s installer 37/43

  38. WinSxS redirection 38/43

  39. WinSxS redirection 39/43

  40. WinSxS redirection Demo 40/43

  41. Table des matières Introduction 1 2 Tools DLL Redirections 3 Vulnerabilities 4 Conclusion 5

  42. Conclusion Lien vers le projet : https ://www.github.com/lucasg/Dependencies.git 42/43

  43. AVEZ-VOUS DES QUESTIONS? MERCI DE VOTRE ATTENTION

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command

What is Bash Shell Scripting? A shell script is a script written for the shell, or command line interpreter, of an operating system. The shell is often considered a simple domain-specific programming language . Typical operations

802 views • 15 slides
Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation:

Bourne (Again) Shell CIS 218 Bourne Again Shell Current GNU LINUX BASH Shell documentation: http://www.gnu.org/software/bash/manual/bashref.html Bash is an acronym for Bourne - Again SHell. The Bourne shell is the traditional

947 views • 37 slides
Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 /

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 /

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University 1 / 29 Introduction to Bank Runs Bryant (1980) and Diamond and Dybvig (1983): bank runs in the post-deposit game 2 / 29 Introduction to Bank

896 views • 78 slides
More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell

More Linux Shell Scripts Fundamentals of Computer Science Outline Shells and Shell Scripts Shell Variables and the Environment Simple Shell Scripting More Advanced Shell Scripting Start-up Shell Scripts Shells and Shell

367 views • 17 slides
CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU

Shell CSCE 625 TAMU CSCE 625: Artificial Intelligence Dr. Dylan Shell 1 Shell CSCE 625 TAMU 2 Shell CSCE 625 TAMU 3 Shell CSCE 625 TAMU 4 Shell CSCE 625 TAMU Pay attention to this: https://www.youtube.com/watch?v=vJG698U2Mvo 5 Shell

352 views • 8 slides
Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University

Bank Runs: The Pre-Deposit Game Karl Shell Yu Zhang Cornell University Xiamen University Balasko Festschrift NYU Abu Dhabi 16 December 2015 1 / 28 Multiple Equilibria I Renements 2 / 28 Multiple Equilibria I Renements I Samuelson

1.17k views • 81 slides
e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and

e-Bug Junior Game Junior Game Game Style Game Process Demo Game Mechanics and Learning Outcomes Feedback to date and evaluation plans Game Style Game style encompasses two genres of game o Platform game fast action

575 views • 22 slides
Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line

Bash shell SE 2XA3 Term I, 2020/21 Outline Shells Shell scripts Shell variables Command-line arguments For loops Conditionals Shell customization Environment variables Aliases Shells A Unix shell is a command-line interpreter

475 views • 18 slides
e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and

e-Bug Senior Game Senior Game Game Style Game Process Demo Game Puzzles and Learning Outcomes Feedback to date and evaluation plans Game Style Game is a detective game where the player investigates microbial problems.

572 views • 19 slides
Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of

Introduction to Shell Programming what is shell programming? about cygwin review of basic UNIX TM pipelines of commands about shell scripts some new commands variables parameters and shift command substitution

515 views • 35 slides
Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts

Bourne Shell Programming Topics Covered Shell variables Using options using getopts Using Quotes Reading Data Arithmetic On Shell Environment and subshells Passing Arguments Parameter substitution

826 views • 65 slides
Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution

Operating System API Case study: UNIX shell Unix shell Provides interactive command execution Was part of OS kernel initially, now a normal program The shell interface looks like this: $ _ Prompt Keyboard cursor Unix shell $ cat

474 views • 22 slides
Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with

Shell scripting with Haskell Franz Thoma Berlin, 2017-02-24 Overview Shell scripting with high-level languages The turtle library Scripts &amp; Dependency Management Parsing command line options A small application Conclusion Shell

537 views • 27 slides
Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your

Mehdi Azarmi Your default shell? (Bash or Tcsh) %echo $SHELL You may change your default shell %chsh USERNAME /bin/bash More in the CS help page http://www.cs.purdue.edu/resources/facilities/oracle/cs.sxhtml Note te :

92 views • 5 slides
The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands

The Shell What does a shell do? - execute commands, programs - but how? For built in commands run some code to do the command For other commands find program executable and .... run it. Other features: wildcards, pipes, redirection.

468 views • 18 slides
Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile

Introduction of Linux , oslab2020@163.com PART II Shell Script Compile &amp; Debug (for C) Text Editor (Vim, Sublime text, Atom) Shell Script A shell script is a program designed to be run by the shell. The various

375 views • 35 slides
Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai

Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai

Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai Stanford University Princeton University Princeton University EUROCRYPT '04 Obfuscation Hide the internals of

721 views • 28 slides
OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft alexandre.ganea@ubisoft.com 2019 Bay Area LLVM Developers' Meeting, Oct.22-23 1 SUMMARY PART 1 PREAMBLE PART 2 EXPERIMENTS PART 3 PROPOSAL PART 4 NEXT

1.07k views • 58 slides
Leading in a Multi-Generational Organization March 15, 2018 Todays Expert Panel Diane

Leading in a Multi-Generational Organization March 15, 2018 Todays Expert Panel Diane

Maryland Association of Healthcare Executives presents: Leading in a Multi-Generational Organization March 15, 2018 Todays Expert Panel Diane Nicholas Director of Client Management NHS Solutions, Inc. Kelly Corbi Sr. Vice President

734 views • 46 slides
What is System identification Using experimental data obtained from input/output relations to

What is System identification Using experimental data obtained from input/output relations to

What is System identification Using experimental data obtained from input/output relations to model dynamic systems. disturbances input output System Different approaches to system identification depending on model class Linear/Non-linear

529 views • 48 slides
Modern processor design Hung-Wei Tseng Outline Achieving CPI &lt; 1 Improving

Modern processor design Hung-Wei Tseng Outline Achieving CPI &lt; 1 Improving

Modern processor design Hung-Wei Tseng Outline Achieving CPI &lt; 1 Improving instruction level parallelism SuperScalar Dynamic scheduling/Out-of-order execution Simultaneous multithreading 3 Instruction level parallelism

835 views • 23 slides
Introduction to Computing Principles

Introduction to Computing Principles

Introduction to Computing Principles 1 Software: code that runs on the hardware 2 What does run means? 3 How does that actually work? Software Machine Code

1.24k views • 33 slides
Project Report Guidelines Written report due Dec 6, 4:00pm Kalev Kask ICS 271 Fall 2016

Project Report Guidelines Written report due Dec 6, 4:00pm Kalev Kask ICS 271 Fall 2016

Project Report Guidelines Written report due Dec 6, 4:00pm Kalev Kask ICS 271 Fall 2016 271-fall 2016 Programming Project One report per team Grading is based on Quality of work Quality of report Length : 5-10 pages, not

438 views • 4 slides
Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init.

Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init.

Unix API 1 1 Changelog swtch() of animation 9 September 2019: exec and PCBs: remove init. val. from fjrst frame with arrows 4 September 2019: xv6: where the context is: mark where pointers point identifying what an address space is to

2.07k views • 128 slides

More recommend