DLL Shell Game and other misdirections SSTIC 2019 06/06/2019 - - PowerPoint PPT Presentation



SLIDE 1

DLL Shell Game and other misdirections

SSTIC 2019

06/06/2019 Synacktiv Lucas GEORGES

SLIDE 2

Table of contents

1 Introduction
2 Tools
3 DLL Redirections
4 Vulnerabilities
5 Conclusion

SLIDE 3

Whoami

Twitter: @_lucas_georges_
Reverser @ Synacktiv
Located in Rennes ;p

SLIDE 4

Dynamic Link Library (DLL) Dependencies

(Layer diagram, top to bottom)

User mode
  Applications: TOTO.EXE, TATA.EXE, TITI.EXE
  Subsystem Servers, System Services, Critical Processes
  Win32 API: user32.dll, kernel32.dll, ws2_32.dll, advapi32.dll, gdi32.dll, etc.
  Native API: ntdll.dll

Kernel mode
  ntoskrnl.exe

SLIDE 5

Missing DLL

SLIDE 6

Missing DLL?

SLIDE 7

Missing Export

SLIDE 8

Missing????

SLIDE 9

Table of contents (section divider, same list as slide 2)

SLIDE 10

Windbg

SLIDE 11

Dependency Walker

SLIDE 12

Dependency Walker on a modern binary

SLIDE 13

Dependency Walker on a modern binary

SLIDE 14

Dependencies

SLIDE 15

DEMO

DEMO TIME!

SLIDE 16

Table of contents (section divider, same list as slide 2)

SLIDE 17

Diagram

(Loader flow, reconstructed from the diagram labels)

Entry points
  Process Initialization: LdrpInitializeProcess -> Load Dependencies (LdrpLoadDependentModule)
  Dynamic Load: kernelbase!LoadLibraryEx
  Both paths reach LdrpLoadDllInternal.

DLL Redirection (LdrpPreprocessName)
  Apiset?  Y -> Apiset Resolution   N -> continue
  WinSxs?  Y -> WinSxs Resolution   N -> continue

KnownDll?
  Y -> Load from \KnownDLLs (LdrpLoadKnownDll)
  N -> DLL Search, following the DLL Search order (LdrpSearchPath + LdrpResolveDllName) -> Load from Disk (LdrpMapDllNtFilename)

(opt) Wow64 layer: path in System32? -> Load from SysWow64

SLIDE 18

Apisets

(Diagram: API SET NAMESPACE on one side, HOST DLLs on the other)

TOTO.EXE: call DebugBreak
  -> API set contract api-ms-win-core-debug-l1.dll, exporting IsDebuggerPresent, DebugBreak, OutputDebugStringA, OutputDebugStringW, ContinueDebugEvent, WaitForDebugEvent, DebugActiveProcess, DebugActiveProcessStop, CheckRemoteDebuggerPresent, WaitForDebugEventEx
  -> Host DLL Kernel32.dll, Export Address Table: ... DebugBreak ... HeapCreate ...

Other contracts shown
  api-ms-win-core-heap-l1.dll: HeapCreate, HeapFree, ... -> host Kernel32.dll
  ext-ms-win-security-srp-l1: AiEvaluatePlugin, AppIDFreeAttributeString, ... -> host srpapi.dll
  api-ms-win-wsl-api-l1-1: WslConfigureDistribution, WslGetDistributionConfiguration, WslIsDistributionRegistered, WslLaunch, WslLaunchInteractive, WslRegisterDistribution, WslUnregisterDistribution

SLIDE 19

WinSxS

SLIDE 20

PE manifest

Embedded PE manifest for Opera's installer

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
          processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*">
      </assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

SLIDE 21

PE manifest

Embedded PE manifest for Chrome executable

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <!-- "Microsoft.Windows.Common-Controls" dependency -->
  </dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <!-- runAsInvoker -->
  </trustInfo>
  <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
    <application>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
      <supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS>
      <supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS>
      <supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS>
    </application>
  </compatibility>
</assembly>

SLIDE 22

PE manifest

C:\Program Files (x86)\Google\Chrome\Application\74.0.3729.169\74.0.3729.169.manifest

<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/>
  <file name='chrome_elf.dll'/>
</assembly>
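The three manifests on slides 20 to 22 show the two kinds of dependency a loader can be asked to honour: a shared assembly with a publicKeyToken (Common-Controls, served from WinSxS) and a private assembly without one (Chrome's "74.0.3729.169", resolved from a <name>.manifest next to the executable, which in turn maps chrome_elf.dll). The Python below is an added example, not code from the talk or from the Dependencies project: it parses the manifest text from the slides (trimmed to the dependency elements, comment syntax normalised to valid XML) and lists which DLLs enter the process through an application-directory manifest rather than through the normal search order, which is the set an auditor would want to enumerate for any installer or updater. The APP_DIR_MANIFESTS dictionary is a constructed stand-in for the application directory.

```python
import xml.etree.ElementTree as ET

# ElementTree qualifies tag names with the namespace in braces.
ASM_V1 = "{urn:schemas-microsoft-com:asm.v1}"

# Manifest text from the slides, trimmed to the dependency elements and with the
# comment syntax normalised to valid XML so that ElementTree accepts it.
OPERA_INSTALLER_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
          processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
</assembly>"""

CHROME_EXE_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency><!-- "Microsoft.Windows.Common-Controls" dependency --></dependency>
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="74.0.3729.169" version="74.0.3729.169" language="*"></assemblyIdentity>
    </dependentAssembly>
  </dependency>
</assembly>"""

# Constructed stand-in for the application directory: a private assembly is looked
# up as <application dir>\<assembly name>.manifest (content taken from slide 22).
APP_DIR_MANIFESTS = {
    "74.0.3729.169": """\
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
  <assemblyIdentity name='74.0.3729.169' version='74.0.3729.169' type='win32'/>
  <file name='chrome_elf.dll'/>
</assembly>""",
}


def list_dependencies(manifest_xml):
    """Return one dict per <dependentAssembly>/<assemblyIdentity> in an embedded manifest.

    A publicKeyToken marks a shared (strong-named) assembly served from WinSxS;
    without it the dependency is a private assembly found next to the executable.
    """
    root = ET.fromstring(manifest_xml)
    deps = []
    for ident in root.iterfind(f".//{ASM_V1}dependentAssembly/{ASM_V1}assemblyIdentity"):
        deps.append({
            "name": ident.get("name"),
            "version": ident.get("version"),
            "shared": ident.get("publicKeyToken") is not None,
        })
    return deps


def private_assembly_files(name, app_dir_manifests):
    """Files a private assembly manifest maps into the process (empty if no manifest exists)."""
    xml_text = app_dir_manifests.get(name)
    if xml_text is None:
        return []
    root = ET.fromstring(xml_text)
    return [f.get("name") for f in root.iterfind(f"{ASM_V1}file")]


def dlls_via_private_assemblies(manifest_xml, app_dir_manifests):
    """DLLs that application-directory manifests redirect into the process.

    These load because a manifest in a writable-by-whom? directory says so, not
    because of the DLL search order, so they are the first thing to audit.
    """
    dlls = []
    for dep in list_dependencies(manifest_xml):
        if not dep["shared"]:
            dlls.extend(private_assembly_files(dep["name"], app_dir_manifests))
    return dlls


if __name__ == "__main__":
    for label, text in (("Opera installer", OPERA_INSTALLER_MANIFEST), ("Chrome", CHROME_EXE_MANIFEST)):
        print(label, list_dependencies(text), dlls_via_private_assemblies(text, APP_DIR_MANIFESTS))
```

For a real binary the manifest text comes from the RT_MANIFEST resource (ID 1 for executables), and the application directory is the folder of the executable as started, which is why the Opera case later in the talk matters: the same manifest evaluated from a temporary folder is evaluated against whatever manifests sit in that folder.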

SLIDE 23

KnownDlls

SLIDE 24

KnownDlls

SLIDE 25

KnownDlls

ntdll.dll!LdrVerifyImageMatchesChecksumEx

SLIDE 26

DLL Search Order

Source: https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-search-order

SLIDE 27

System32 folder redirection

Implemented in wow64 binaries (wow64cpu.dll, wow64win.dll and wow64.dll)

Original Path                         Redirected Path
"C:\Windows\SysWow64\ntdll.dll"       "C:\Windows\SysWow64\ntdll.dll"
"C:\Windows\System32\ntdll.dll"       "C:\Windows\SysWow64\ntdll.dll"
"C:\Windows\Sysnative\ntdll.dll"      "C:\Windows\System32\ntdll.dll"

Exemptions
"C:\Windows\System32\catroot"
"C:\Windows\System32\catroot2"
"C:\Windows\System32\driverstore"
"C:\Windows\System32\drivers\etc"
"C:\Windows\System32\hostdriverstore"
"C:\Windows\System32\logfiles"
"C:\Windows\System32\spool"

SLIDE 28

Diagram

(Same loader diagram as slide 17.)
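The optional Wow64 layer in the diagram is the System32 folder redirection table of slide 27. The Python below is an added example, not the author's code: it models what a 32-bit (WoW64) process sees for the cases the slide lists, System32 mapped to SysWow64 except for the exempt subfolders, Sysnative mapped back to System32, everything else untouched. It is handy when reading a 32-bit process's file or image-load events and working out which on-disk file was actually opened. It assumes the Windows directory is C:\Windows and implements nothing beyond the slide's table.

```python
import ntpath  # Windows path semantics on any host OS

WINDIR = r"C:\Windows"                         # assumed; the slide's examples all use C:\Windows
SYSTEM32 = ntpath.join(WINDIR, "System32")
SYSWOW64 = ntpath.join(WINDIR, "SysWow64")
SYSNATIVE = ntpath.join(WINDIR, "Sysnative")   # alias only visible to 32-bit processes

# Subfolders of System32 that slide 27 lists as exempt from redirection.
EXEMPT_SUBFOLDERS = (
    "catroot", "catroot2", "driverstore", r"drivers\etc",
    "hostdriverstore", "logfiles", "spool",
)


def _remainder_below(path, prefix):
    """If `path` equals `prefix` or lies below it (case-insensitive), return the
    part after the prefix ("" when equal); otherwise return None."""
    norm = ntpath.normpath(path)
    p, q = norm.lower(), ntpath.normpath(prefix).lower()
    if p == q:
        return ""
    if p.startswith(q + "\\"):
        return norm[len(q) + 1:]
    return None


def wow64_redirect(path):
    """Path a 32-bit process actually reaches when it opens `path` under WoW64 redirection."""
    rest = _remainder_below(path, SYSNATIVE)
    if rest is not None:
        # Sysnative is the escape hatch: it always means the real 64-bit System32.
        return ntpath.join(SYSTEM32, rest) if rest else SYSTEM32

    rest = _remainder_below(path, SYSTEM32)
    if rest is not None:
        for exempt in EXEMPT_SUBFOLDERS:
            if _remainder_below(rest, exempt) is not None:
                return ntpath.normpath(path)   # exempt subfolder: no redirection
        # Everything else under System32 is silently served from SysWow64.
        return ntpath.join(SYSWOW64, rest) if rest else SYSWOW64

    # SysWow64 itself and paths outside the system directory pass through unchanged.
    return ntpath.normpath(path)


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\ntdll.dll", r"C:\Windows\Sysnative\ntdll.dll",
              r"C:\Windows\System32\drivers\etc\hosts"):
        print(p, "->", wow64_redirect(p))
```

Note that `drivers\etc` is exempt while `drivers` itself is not, so a 32-bit process that asks for `C:\Windows\System32\drivers\foo.sys` is redirected but one that asks for `C:\Windows\System32\drivers\etc\hosts` reads the real file; the exemption test is therefore done on the sub-path, not on the whole string.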

SLIDE 29

Table of contents (section divider, same list as slide 2)

SLIDE 30

Asus Delayload plant

SLIDE 31

Asus Delayload plant

The binary can't be rewritten
But any user can write a file or a folder in the same folder
Let's find a DLL to plant!

SLIDE 32

Asus Delayload plant

SLIDE 33

Asus Delayload plant

SLIDE 34

Asus Delayload plant

SLIDE 35

Asus Delayload plant

SLIDE 36

WinSxS redirection

launcher.exe copies installer.exe from C:\Program Files\Opera\${version}\installer.exe into a temporary directory, C:\Windows\Temp\opera autoupdate\.
launcher.exe then calls CreateProcess on the temporary executable.
installer.exe runs and also drops a temporary DLL, C:\Windows\Temp\Opera_installer_${timestamp}.dll, which is then loaded into installer.exe's process.
C:\Windows\Temp\opera autoupdate\installer.exe is automatically deleted when the process exits.

SLIDE 37

WinSxS redirection

Embedded PE manifest for Opera's installer (as on slide 20)

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0"
          processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*">
      </assemblyIdentity>
    </dependentAssembly>
  </dependency>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

SLIDE 38

WinSxS redirection

SLIDE 39

WinSxS redirection

SLIDE 40

WinSxS redirection

Demo

SLIDE 41

Table of contents (section divider, same list as slide 2)

SLIDE 42

Conclusion

Link to the project: https://www.github.com/lucasg/Dependencies.git

SLIDE 43

THANK YOU FOR YOUR ATTENTION

ANY QUESTIONS?