[若渴計畫] Black Hat 2017: notes from related past reading

1. Black Hat 2017: notes from related past reading @若渴計畫 (unfinished), 2017.4.16, <ajblane0612@gmail.com>, AJMachine. I did not have time to finish this; I will add to it in about a month. The topics chosen are exploit techniques that I personally found astonishing.
2. Outline • process injection • post-exploitation tools • cache side-channel attacks • data-oriented attacks • UEFI firmware rootkits
3. Reference of Process Injection • Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 – http://phrack.org/issues/62/13.html • Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016 – https://breakingmalware.com/injection-techniques/atombombing-brand-new-code-injection-for-windows/ • Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don%27t-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf – https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
4. Rattle, “Using Process Infection to Bypass Windows Software Firewalls”, Phrack 2004 • Implementation problem: process A wants to inject code into process B. What happens if the injected code refers to data or function calls that the compiler emitted as hardcoded offsets? -> At those addresses in process B, process A's data and functions are not present.
5. Monnappa K A, “What Malware Authors Don’t Want You to Know - Evasive Hollow Process Injection”, Black Hat 2017 • The author actually explains that his own HollowFind tool can detect hollow process injection: https://github.com/monnappa22/HollowFind
6. Hollow Process Injection: write the malicious code into RWE memory allocated in process B, then rewrite the address that the suspended thread will execute to the entry point of the malicious code.
7. Virtual Address Descriptor (VAD) / Process Environment Block (diagram, p.4) https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
8. (diagram, p.17) https://drive.google.com/drive/folders/0B9qqqzOjzwW9Yi1RVzhWMXBtNkU
9. Detecting Process Hollowing using Memory Forensics • Detecting from the parent-child process relationship: the process is always launched by a specific parent. • Detecting by comparing the PEB and the VAD structure. • Detecting using suspicious memory protection: find suspicious RWE regions and submit them to VirusTotal to check whether they are malicious.
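As an added illustration of the three detection heuristics on this slide (my own example, not HollowFind's or Volatility's code), the following C program runs them over constructed, simplified process records: the VAD that contains the PEB's ImageBaseAddress must be a file-backed image mapping, private RWX regions are flagged, and the parent name is checked against the expected one. All structure fields and sample values are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified views of the structures the checks compare
   (not Volatility's or HollowFind's real types). */
#define PAGE_EXECUTE_READWRITE 0x40u   /* Windows memory protection value */
#define PAGE_EXECUTE_WRITECOPY 0x80u   /* usual protection of an image mapping */
enum { VAD_PRIVATE = 1, VAD_IMAGE = 2 };

typedef struct {
    uint64_t start, end;   /* VAD range [start, end) */
    uint32_t protect;      /* protection of the region */
    int kind;              /* VAD_PRIVATE or VAD_IMAGE */
    const char *file;      /* backing file name, NULL if none */
} vad_t;

typedef struct {
    const char *name, *parent, *expected_parent;
    uint64_t peb_image_base;   /* PEB.ImageBaseAddress */
    const vad_t *vads;
    size_t nvads;
} proc_t;

/* Indicator bits returned by hollow_indicators(). */
enum { IND_PEB_VAD_MISMATCH = 1, IND_PRIVATE_RWX = 2, IND_BAD_PARENT = 4 };
int hollow_indicators(const proc_t *p) {
    int flags = 0, base_backed = 0;
    for (size_t i = 0; i < p->nvads; i++) {
        const vad_t *v = &p->vads[i];
        /* PEB vs VAD: the image base must lie inside a file-backed image VAD */
        if (p->peb_image_base >= v->start && p->peb_image_base < v->end &&
            v->kind == VAD_IMAGE && v->file != NULL)
            base_backed = 1;
        /* Suspicious protection: private memory that is RWX at once */
        if (v->kind == VAD_PRIVATE && v->protect == PAGE_EXECUTE_READWRITE)
            flags |= IND_PRIVATE_RWX;
    }
    if (!base_backed) flags |= IND_PEB_VAD_MISMATCH;
    if (strcmp(p->parent, p->expected_parent) != 0) flags |= IND_BAD_PARENT;
    return flags;
}

/* Constructed samples: a normal svchost.exe, and a hollowed one whose original
   image was unmapped and replaced by private RWX memory at the same base. */
static const vad_t benign_vads[]   = { { 0x400000, 0x410000, PAGE_EXECUTE_WRITECOPY, VAD_IMAGE, "svchost.exe" } };
static const vad_t hollowed_vads[] = { { 0x400000, 0x410000, PAGE_EXECUTE_READWRITE, VAD_PRIVATE, NULL } };
const proc_t benign_proc   = { "svchost.exe", "services.exe", "services.exe", 0x400000, benign_vads, 1 };
const proc_t hollowed_proc = { "svchost.exe", "explorer.exe", "services.exe", 0x400000, hollowed_vads, 1 };
```

In a real investigation the records come from a memory image (for example via Volatility's VAD and PEB plugins) rather than from constructed data, and a flagged RWX region would be carved out for scanning as the slide describes.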
10. Tal Liberman, “AtomBombing: Brand New Code Injection for Windows”, 2016: defeats the HollowFind detection tool.
11. Process B / Malware (global atom table): knowing the unique value, the string can be retrieved; the mapping between the string and its unique value is set up automatically. The trick in the article: GlobalAddAtom() is used to place a null-terminated buffer (a null string); RW permission; GlobalGetAtomName() ?
12. ! Process B / Malware (global atom table): the trick in the article: GlobalAddAtom() is used to place a null-terminated buffer (null string); RW permission; QueueUserApc(GlobalGetAtomName(), GlobalGetAtomName arguments?); APC queue; GlobalGetAtomName(). QueueUserApc can only pass one argument to GlobalGetAtomName, but GlobalGetAtomName needs three arguments.
13. Process B / Malware (global atom table): the trick in the article: GlobalAddAtom() is used to place a null-terminated buffer (null string); RW permission; NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName arguments); APC queue; GlobalGetAtomName() !! To use NtQueueApcThread while still letting the program run normally, the CFG is examined in a disassembler to supply arguments that fit.
14. Process B / Malware (global atom table): the trick in the article: GlobalAddAtom() is used to place a null-terminated buffer (null string) ? RW permission; NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName arguments); APC queue; GlobalGetAtomName()
15. Process B / Malware (global atom table): GlobalAddAtom() is used to place ROP gadgets; RW permission; NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName arguments); APC queue; GlobalGetAtomName() !!! *ROP gadgets; ROP gadgets; ROP: arrange arguments + function addresses; RWX shellcode; *shellcode. How are the ROP gadgets started? Shellcode; ret gadget; memcpy gadget; ZwAllocateVirtualMemory gadget. A push eax is also needed as the argument used by memcpy, which shows this is on the x86_32 architecture.
16. Process B / Malware (global atom table): GlobalAddAtom() is used to place ROP gadgets; RW permission; NtQueueApcThread(GlobalGetAtomName(), GlobalGetAtomName arguments); NtQueueApcThread(NtSetContextThread(), NtSetContextThread arguments); APC queue; GlobalGetAtomName() !!!! *ROP gadgets; ROP gadgets; RWX shellcode; *shellcode ? hThread -> target; lpContext -> ESP/EIP can be set -> ESP set to the ROP chain / EIP set to ZwAllocateVirtualMemory; shellcode; finally the APC dispatcher executes it.
17. Post-exploitation Tools • Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-Braeken-Hack-Microsoft-Using-Microsoft-Signed-Binaries-wp.pdf – https://www.blackhat.com/docs/asia-17/materials/asia-17-Braeken-Hack-Microsoft-Using-Microsoft-Signed-Binaries.pdf • argp, OR’LYEH? The Shadow over Firefox, 2015
18. Pierre-Alexandre, “Hack Microsoft Using Microsoft Signed Binaries”, Black Hat 2017 • PowerMemory uses Windows PowerShell and Microsoft debuggers. • Using PowerMemory: – reveal passwords from memory – perform kernel object manipulation – inject and execute shellcode in a remote process • PowerMemory helps an exploit succeed more easily or more reliably.
19. argp, OR’LYEH? The Shadow over Firefox, 2015 • Shadow is built on WinDbg, gdb and LLDB; by inspecting memory contents it learns the heap allocation behaviour of Firefox, and given a particular vulnerability, exploitation is then developed from that.
20. Reference of Cache Side-Channel Attacks • Gorka Irazoqui et al. (Intel), “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 – https://www.blackhat.com/docs/asia-17/materials/asia-17-Irazoqui-Cache-Side-Channel-Attack-Exploitablity-And-Countermeasures.pdf • Ferdinand Brasser et al., “Software Grand Exposure: SGX Cache Attacks are Practical” – https://arxiv.org/abs/1702.07521 • Stephan van Schaik et al., “Reverse Engineering Hardware Page Table Caches” – http://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf • Ben Gras et al., “ASLR on the Line: Practical Cache Attacks on the MMU” – http://www.cs.vu.nl/~herbertb/download/papers/anc_ndss17.pdf
21. Gorka Irazoqui et al. (Intel), “Cache Side Channel Attack: Exploitability & Countermeasures”, Black Hat 2017 • The aim of this talk is to propose mitigation mechanisms.
22. Cache Architecture (diagram: the cache can hold many pages; page table)
23. Types of Cache Side-Channel Attacks. Assumed conditions: shared memory; a flush instruction exists in the ISA. The Flush and Reload Attack; The Evict and Reload Attack; The Prime and Probe Attack.
24. The Prime and Probe Attack (diagram)
25. How to Mitigate Cache Attacks • Cache Leakage Free Code Design – Secret-independent execution flow (avoid branches such as if … if … on secret data as far as possible; where they exist there is a timing-attack risk) – Secret-independent memory accesses (protect important data by implementing encryption/decryption)
26. How to Mitigate Cache Attacks • Page Coloring (OS, hypervisor)
27. How to Mitigate Cache Attacks • Intel Cache Allocation Technology (OS/hypervisor + hardware): allows the OS/hypervisor to mark cache lines as un-evictable
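An added C example (mine, not from the Intel slides) of the two code-design rules on slide 25: a comparison whose running time does not depend on where the secret and the input first differ, and a table lookup that touches every entry so the cache line accessed does not depend on the secret index. The leaky variants are kept beside them for contrast; the table contents and inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Leaky: returns at the first differing byte, so the time taken reveals
   how many leading bytes of `secret` the caller guessed correctly. */
int compare_leaky(const uint8_t *secret, const uint8_t *guess, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (secret[i] != guess[i]) return 0;
    return 1;
}

/* Secret-independent execution flow: always visits all n bytes and never
   branches on the data; the result is derived from a mask instead. */
int compare_ct(const uint8_t *secret, const uint8_t *guess, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint32_t)(secret[i] ^ guess[i]);
    return (int)(((diff - 1u) >> 8) & 1u);   /* 1 only when diff == 0 */
}

/* Leaky: the cache line touched depends on the secret index, which is
   exactly what Flush+Reload / Prime+Probe observe. */
uint8_t lookup_leaky(const uint8_t *table, size_t len, size_t idx) {
    (void)len;
    return table[idx];
}

/* Secret-independent memory access: reads every entry and keeps the wanted
   one with an all-ones/all-zeros mask built without a comparison branch. */
uint8_t lookup_ct(const uint8_t *table, size_t len, size_t idx) {
    uint8_t out = 0;
    for (size_t i = 0; i < len; i++) {
        /* ((i ^ idx) - 1) has its top bit set only when i == idx */
        size_t eq = ((i ^ idx) - 1u) >> (sizeof(size_t) * 8 - 1);
        out |= table[i] & (uint8_t)(0u - eq);
    }
    return out;
}

/* Constructed inputs: a 16-entry table (a small S-box) and a 4-byte secret. */
const uint8_t sample_table[16] = { 0x63,0x7c,0x77,0x7b,0xf2,0x6b,0x6f,0xc5,
                                   0x30,0x01,0x67,0x2b,0xfe,0xd7,0xab,0x76 };
const uint8_t sample_secret[4]    = { 1, 2, 3, 4 };
const uint8_t sample_guess_ok[4]  = { 1, 2, 3, 4 };
const uint8_t sample_guess_bad[4] = { 1, 2, 9, 4 };
```

Optimizing compilers can reintroduce data-dependent branches or short-circuit the full-table scan, so the emitted assembly of such routines should be inspected rather than assumed.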

