Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

672 views

Published on

就這麼不小心閱讀了相關shellcode知識。

會後討論與補充:
補充1. hash API 另一個目的是shellcode被static analysis會看不出這些hash value用來做什麼。
補充2.
p.35 p.36 pypassing Up-to-Standards Secure Corporate Environment

1. 文中採用Web Gateway(proxy AV): ProxySG : 設計概念 real-time protection for web content ,要做到豐富dynamic analysis不太可能。參考: https://www.symantec.com/products/secure-web-gateway-proxy-sg-and-asg

2. 以下參考https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/ 的內容擷取

`````````````````````````````````
define condition Meterpreter_ReflectiveDLL
; x86 payload
http.response.data.11.regex="^\x4d\x5a\xe8\x00\x00\x00\x00\x5b\x52\x45\x55"
end
``````````````````````````````````
可以推斷ProxySG 是signature-based AV 。不知道有沒有heuristic analysis就是了。

在64KB+meterpreter stage DLL的 http request封包,假設成功bypass,也就是說 proxy-AV 只檢查64KB,他可能相信大的封包是檔案,就給local AV檢查,於是就到target memory,殊不知在 in-memory 中做DLL injection至stager中,local AV也沒辦法檢查到了。

Published in: Education
  • Login to see the comments

[若渴計畫] Challenges and Solutions of Window Remote Shellcode

  1. 1. Challenges and Solutions of Window Remote Shellcode @若渴 2017.11.19 <ajblane0612@gmail.com> AjMaChInE
  2. 2. Outline • Overview of window remote shellcode • Some challenges and solutions – Antivirus – EMET – Firewall – Intrusion-Detection System (IDS)/ Intrusion- Prevention System (IPS) • Reference
  3. 3. Remote Shellcode [0][1] pipeprotocol process terminal process command sh
  4. 4. Windows Shellcode Skeleton in Assembly [12] • Getting EIP • Decoder • Getting addresses of required functions • Setup socket • Spawning a shell
  5. 5. Getting EIP – Why [12][13] • What is the problem with such a hardcoded address? Compiler move that code to another address space ????
  6. 6. Getting EIP [12]
  7. 7. Getting Addresses of Required Functions [2] Finding kernel32.dll LoadLibraryA GetProcAddress System calls not reliable
  8. 8. How to Finding kernel32.dll in ASLR? [2][3][4] Process Environment Block(PEB) fs:[0x30] Structured Exception Handling(SEH) fs:[0] Thread Environment Block +0x4 TOPSTACK fs:[0x18] not reliable
  9. 9. Finding kernel32.dll- PEB “The process of determining the kernel32.dll base address involves making use of the Process Environment Block (PEB). The operating system allocates a structure for every running process that can always be found at fs:[0x30] from within the process. The PEB structure holds information about the process’ heaps, binary image information, and, most importantly, three linked lists regarding loaded modules that have been mapped into process space. The linked lists themselves differ in purposes from showing the order in which the modules were loaded to the order in which the modules were initialized. The initialization order linked list is of most interest as the order in which kernel32.dll is initialized is always constant as the second module to be initialized.” [2]
  10. 10. Finding kernel32.dll- SEH “Windows NT based versions the top-most entry in the SEH list can always be found at fs:[0] from within the process. With this in mind, one can walk the list of installed exception handlers until they reach the last one. When the last one is reached the address of the function pointer can be used as a starting point for walking down in increments of 64KB, or 16 × 4096 byte pages. In Windows, DLL’s will only align on 64KB boundaries. At each 64KB boundary a check can be performed to see if the two characters at that point are ‘MZ’. These two characters mark the MSDOS header that is prepended to portable executables.” [2]
  11. 11. Address Resolution of Required Functions • PEB parsing [5] – This method uses the Process Environment Block(PEB) data structure to locate the base addresses of loaded DLLs and finding their function addresses with parsing the Export Address Table(EAT) • Hash API search [5] – For quickly finding required functions EAT IAT DLL Required Functions hash hash?=
  12. 12. Functions You maybe Want to [6] • WinExec • CreateProcessW • CreateProcessA • LoadLibraryExA • LoadLibraryExW • OpenFile • CreateThread • CreateRemoteThread • GetProcAddress • LoadModule • CreateFileA • CreateFileW • _lopen • _lcreat • CopyFileA • CopyFileW • CopyFileExA • CopyFileExW • MoveFileA • MoveFileExW • LockFile • GetModuleHandleA • VirtualProtect • OpenProcess • GetModuleHandleW • MoveFileWithProgressA • MoveFileWithProgressW • DeleteFileA
  13. 13. Challenges of Shellcode for Antivirus [7][8] • Static signature analysis – Signature analysis is based on a blacklist method – EX: YARA [9] • Static heuristic analysis – In this case the AV will check the code for patterns which are known to be found in malwares. There are a lot of possible rules, which depends on the vendor • Dynamic analysis – These days most AV will rely on a dynamic approach. When an executable is scanned, it is launched in a virtual environment for a short amount of time. Combining this with signature verification and heuristic analysis allows detecting unknown malwares even those relying on encryption. Indeed, the code is self-decrypted in AV sandbox; then, analysis of the “new code” can trigger some suspicious behavior.
  14. 14. Bypassing Challenges of Shellcode for Antivirus [7][8] • Bypassing static signature analysis/ static heuristic analysis – Decryption [10][11] – Obfuscation [7] – Non-standard languages for windows binaries [25] • Bypassing dynamic analysis
  15. 15. Obfuscation
  16. 16. The Veil-Framework [25] • Obfuscated code • Encrypted code • Non-standard languages for windows binaries – Python, Ruby, Perl, Go, etc.
  17. 17. Bypassing Dynamic Analysis [7][8] • Allocate and fill 100M memory • Hundred million increments • Attempt to open a system process • Attempt to open a non-existing URL • Action which depends on local username • What the fuck is NUMA? • What the fuck are FLS? • Check process memory • Time distortion • What is my name? • I am my own father • First open a mutex • Load fake library • Is debugger present • Number of Cores • Trap flag manipulation
  18. 18. Bypassing Dynamic Analysis - Hundred Million Increments [8] AV detection emulator
  19. 19. Proper Ways To Execute Shellcodes [7][8] • HeapCreate/HeapAlloc • LoadLibrary/GetProcAddress • GetModuleHandle/GetProcAddress • Multi-Threading
  20. 20. Challenges of Shellcode for EMET • Preventing EAT parsing techniques
  21. 21. Bypassing Challenges of Shellcode for EMET • IAT parsing [23] – Also holding the WIN API function addresses by the application
  22. 22. Challenges of Shellcode for Firewalls • Inbound detection • Outbound detection • Usually, firewall allow connection to popular services like port 25(SMTP), 53(DNS), 80(HTTP), etc.
  23. 23. Bypassing Challenges of Shellcode for Firewalls • Bypassing inbound detection – Reverse remote shellcode • Bypassing outbound detection (進去了要怎出 來),EX [12] :
  24. 24. Bypassing Outbound Detection • DLL/PE Injection to iexplore.exe, telnet, ftp, SSH and alike [13] • One-way shellcode [2][12] • Meterpreter HTTP, HTTPS and DNS stagers [21]
  25. 25. DLL Injection Overview – Step 1/2 [17]
  26. 26. DLL Injection Overview – Step 3/4 [17]
  27. 27. Execution Methods of DLL Injection [15] • CreateRemoteThread() • NtCreateThreadEx() • QueueUserAPC() • SetWindowsHookEx() • RtlCreateUserThread() • Code cave via SetThreadContext() • Reflective DLL
  28. 28. DLL/PE Injection to iexplore.exe [13] • Querying the register key, rather than referring to “c:...iexplore.exe” • CreateProcess() to open and keep browser windows hidden • WaitForInputIdle() to give processes time for initialization • WaitProcessMemory() to copy networking code • CreateRemoteThread() to run code • The injected procedure connects the web site and sends HTTP request
  29. 29. Reflective DLL Injection [16][18] Reflective DLL (= DLL-format PE file loader) reflective DLL is loaded by reflective DLL
  30. 30. DLL/PE/Process Hollowing Injection[19][20]
  31. 31. One-way Shellcode – Find Socket [12] (using anonymous pipe)
  32. 32. One-way Shellcode – Reuse Socket [12] The problem of the “Find Socket” method: • If the socket already been closed (the SO_REUSEADDR socket option)
  33. 33. One-way Shellcode – Rebind Socket [12] The problem of the “Rebind Socket” method: • using SO_EXCLUSIVEADDRUSE, thus reusing the address is not possible
  34. 34. The Meterpreter: a stager, and and stage [21][22][24]
  35. 35. An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22]
  36. 36. Bypassing An Up-to-Standards Secure Corporate Environment with the meterpreter/reverse_winhttp Payload [14][22] Thread 1Thread 2 local proxy with port 8080 reverse_winhttp LHOST=127.0.0.1 LPORT=8080 NTLM authentication + HTTP requests trust local proxy and go through the corporate proxy
  37. 37. Reference • [0] How To Make A Reverse TCP Backdoor In Python - Part 1 – https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-1/1038 • [1] How To Make A Reverse TCP Backdoor In Python - Part 2 – https://0x00sec.org/t/how-to-make-a-reverse-tcp-backdoor-in-python-part-2/1040 • [2] Understanding Windows Shellcode – http://www.hick.org/code/skape/papers/win32-shellcode.pdf • [3] Windows Reverse Shell Shellcode I. – http://sh3llc0d3r.com/windows-reverse-shell-shellcode-i/ • [4] Windows Reverse Shell Shellcode II. – http://sh3llc0d3r.com/windows-reverse-shell-shellcode-ii/ • [5] Art of Anti Detection 3 – Shellcode Alchemy – https://pentest.blog/art-of-anti-detection-3-shellcode-alchemy/ • [6] NT shellcodes prevrntion Demystified – http://www.phrack.org/issues/63/15.html#article • [7] Art of Anti Detection – 1 Introduction to AV and Detection Techniques – https://www.exploit-db.com/docs/40900.pdf • [8] Bypass Antivirus Dynamic Analysis - Limitations of the AV Model and How to Exploit Them – https://wikileaks.org/ciav7p1/cms/files/BypassAVDynamics.pdf • [9] YARA – http://virustotal.github.io/yara/
  38. 38. • [10] Code Segment Encryption – http://blog.sevagas.com/?Code-segment-encryption • [11] Hide Meterpreter Shellcode in Executable – http://blog.sevagas.com/Hide-meterpreter-shellcode-in-executable • [12] History and Advances in Windows Shellcode – http://phrack.org/issues/62/7.html – https://www.blackhat.com/presentations/bh-asia-03/bh-asia-03-chong.pdf • [13] Using Process Infection to Bypass Windows Software Firewalls – http://phrack.org/issues/62/7.html • [14] Evade Egress Restrictions with Staged Payloads – https://blog.cobaltstrike.com/2013/11/15/evade-egress-restrictions-with-staged-payloads/ • [15] Inject All the Things – http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/ – https://github.com/fdiskyou/injectAllTheThings/ – Microsoft Visual Studio Express 2013 for Windows Desktop • [16] Reflective DLL Injection – https://www.dc414.org/wp-content/uploads/2011/01/242.pdf – https://github.com/stephenfewer/ReflectiveDLLInjection • [17] Windows DLL Injection Basics – http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
  39. 39. • [18] DOUBLEPULSAR Usermode Analysis: Generic Reflective DLL Loader – https://countercept.com/our-thinking/doublepulsar-usermode-analysis-generic-reflective-dll- loader/ • [19] Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques – https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey- common-and-trending-process – https://github.com/secrary/InjectProc • [20] Process Hollowing – https://github.com/m0n0ph1/Process-Hollowing • [21] Metasploit - The Exploit Learning Tree – https://www.exploit-db.com/docs/27935.pdf • [22] Meterpreter Stage AV/IDS Evasion with Powershell – https://arno0x0x.wordpress.com/2016/04/13/meterpreter-av-ids-evasion-powershell/ – https://github.com/Arno0x/PowerShellScripts/blob/master/proxyMeterpreterHideout.ps1 • [23] Teaching Old Shellcode New Tricks – https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2017- Teaching_Old_Shellcode_New_Tricks.pdf – https://github.com/secretsquirrel/fido • [24] Deep Dive Into Stageless Meterpreter Payloads – https://blog.rapid7.com/2015/03/25/stageless-meterpreter-payloads/ • [25] The Art of AV Evasion - or Lack Thereof – https://www.slideshare.net/CTruncer/the-art-of-av-evasion-or-lack-thereof – https://github.com/Veil-Framework/Veil

×