Windows Systems & Code Signing Protection by Paul Rascagneres

Windows systems & code signing
protection

Shakacon – 13-14 July 2016 – Paul Rascagnères - SEKOIA
Windows systems & code signing protection | About me
2
 Paul Rascagnères
 Member of the CERT SEKOIA
 Malware analysis
 Incident Response
 Security researcher
 Yo-yo player
 Offices in Luxembourg & Paris
 Located in Luxembourg

Windows systems & code signing protection | About me
3
 Due to questions yesterday:
Geography slide about Luxembourg
Area: 998 sq mi - 2,586 km2
Population: 576,249

Authenticode
4

Windows systems & code signing protection | Authenticode
5
 The code signing mechanism provided by
Microsoft is named Authenticode
 Based on certificate
 Support expiration date and Microsoft
manages a revocation list (for example if a
certificate is compromised)

6
 For the kernel mode, the driver signature is
mandatory since Windows 7 – 64 bits
 For the user mode, the binary signature is not
mandatory. “As a software publisher, there are
two reasons to sign your code: to prove its
Integrity and to develop its Reputation”1
.
1. https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing/

7

Kernel space implications
8

Windows systems & code signing protection | Kernel
9
 For the kernel mode, the driver signature is
 Is it the end of rootkit?

10
 For the kernel space, the driver signature is
 Is it the end of rootkit?

11
 I identified 2 ways used by rootkit developers
to bypass this protection:
 a “low cost” approach
 a “high end” approach

12
 “low cost”
 For developing reason, Microsoft provides a
test mode on Windows systems. A reboot is
required to enable this mode
 bcdedit.exe -set TESTSIGNING ON

13
 “low cost”
 For developing reason, Microsoft provides a
test mode on Windows systems. A reboot is
required to enable this mode
 bcdedit.exe -set TESTSIGNING ON
 The message is shown by winlogon.exe
(and attackers patch it, 1 test to alter)

14
 “high end”: Uroburos technique
 The malware developers used a vulnerability
to disable the driver signature
 CVE-2008-3431:
http://www.coresecurity.com/content/virtualb
ox-privilege-escalation-vulnerability
 Vulnerability in VBoxDrv.sys that allows to
switch an arbitrary kernel memory address to
0.

15
 The overwritten address was g_CiEnabled
(Ci is for Code Integrity)
 Before: kd> dq nt!g_cienabled ->
fffff800`02e45eb8 00000001
 After: kd> dq nt!g_cienabled ->
fffff800`02e45eb8 00000000

16
 The effect is to “switch” to test mode without
rebooting, without the message on the
desktop… but with the ability to use the
bcdedit.exe command to identify that the
machine is in test mode ;)

17
 the malware opens the VBoxDrv symlink;
 it loads ntoskrnl.exe;
 it locates g_CiEnabled;
 it uses DeviceIoControl() to switch
arbitrary address to 0
DeviceIoControl(VBoxDrv, SUP_IOCTL_FAST_DO_NOP,
g_CiEnabledAddr, 0, g_CiEnabledAddr, 0, &cb, NULL)
 Complete implementation there;
http://www.kernelmode.info/forum/viewtopic.php?t=3322&f=11

18
 “high end”: Derusbi technique
 The malware developers used a vulnerability
to disable the driver signature
 CVE-2013-3956:
https://www.novell.com/support/kb/doc.php?i
d=7012497
 Vulnerability in NICM.SYS that allows code
execution in kernel space.

19
 Analysis of the shellcode used during the
exploitation
0:001> g
[...]
String(24,24) at 0000000002c9d230: DeviceNicm
00000000`02c9d250 00000140
Breakpoint 6 hit
kernel32!DeviceIoControl:
00000000`76e067b4 ff25ce6e0800 jmp qword ptr [kernel32!_imp_DeviceIoControl
(00000000`76e8d688)] ds:00000000`76e8d688={KERNELBASE!DeviceIoControl
(000007fe`fda8a1e0)}
0:001> db @r8
00000000`0d0d0000 28 00 0d 0d 00 00 00 00-ff eb 45 00 ff ff ff ff (.........E.....
00000000`0d0d0010 08 20 ef 16 f9 33 8e 06-e5 44 0d 0e c2 72 0a 5e . ...3...D...r.^
00000000`0d0d0020 2c 02 44 0d 33 49 ae 72-30 00 0d 0d 00 00 00 00 ,.D.3I.r0.......
00000000`0d0d0030 9a 3f 2f 19 0f 36 81 62-25 14 bf 59 13 3b 9f 7b .?/..6.b%..Y.;.{
00000000`0d0d0040 8d 5b 7f 29 29 3f 98 65-86 bc a2 02 00 f8 ff ff .[.))?.e........
00000000`0d0d0050 48 b8 30 0e e8 00 80 f8-ff ff 8b 18 80 cb 08 89 H.0.............
00000000`0d0d0060 18 c3 cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................
00000000`0d0d0070 cc cc cc cc cc cc cc cc-cc cc cc cc cc cc cc cc ................

20
exploitation
$rasm2 -k windows -b 64 -a x86.udis -D "48b8300ee80080f8ffff8b1880cb088918c3"
0x00000000 10 48b8300ee80080f8ffff mov rax, 0xfffff88000e80e30
0x0000000a 2 8b18 mov ebx, [rax]
0x0000000c 3 80cb08 or bl, 0x8
0x0000000f 2 8918 mov [rax], ebx
0x00000011 1 c3 ret
kd> !address 0xfffff88000e80e30
[…]
Usage: Module
Base Address: fffff880`00e7b000
End Address: fffff880`00f3b000
Region Size: 00000000`000c0000
VA Type: SystemPTEs
Module name: CI.dll
Module path: [SystemRootsystem32CI.dll]

21
exploitation
 Before: kd> dd 0xfffff88000e80e30 L1
fffff880`00e80e30 00000006
 After: kd> dd 0xfffff88000e80e30 L1
fffff880`00e80e30 0000000e

22
exploitation
 Why this value?
 Let’s check CI.dll

23
 Mateusz ‘j00ru’ Jurczyk post2
01. VOID SepInitializeCodeIntegrity()
02. {
03. DWORD CiOptions;
04. g_CiEnabled = FALSE;
05. if(!InitIsWinPEMode)
06. g_CiEnabled = TRUE;
07.
08. memset(g_CiCallbacks,0,3*sizeof(SIZE_T));
09. CiOptions = 4|2; //0x6 by default
10.
11. if(KeLoaderBlock)
12. {
13. if(*(DWORD*)(KeLoaderBlock+84))
14. {
15. if(SepIsOptionPresent((KeLoaderBlock+84),L"DISABLE_INTEGRITY_CHECKS"))
16. CiOptions = 0;
17. if(SepIsOptionPresent((KeLoaderBlock+84),L"TESTSIGNING"))
18. CiOptions |= 8; //4 or 2 or 8 == 0xe
19. }
20. CiInitialize(CiOptions,(KeLoaderBlock+32),&g_CiCallbacks);
21. }
22. }
2. https://blogs.msdn.microsoft.com/ieinternals/2011/03/22/everything-you-need-to-know-about-authenticode-code-signing/

24
 Let’s check CI.dll
 0xfffff88000e80e30 == dword_7FF404C5E30
 This variable contains the CiOptions flags

25
 The effect is to “switch” to test mode without
rebooting, without the message on the
desktop and the bcdedit.exe command
shows that the machine is not in test mode
because the global flag was not modified…

26
 “high end”: GrayFish (Equation Group)
technique
 Sadly I don’t have the samples :’(
 Kaspersky report:
https://securelist.com/files/2015/02/Equation
_group_questions_and_answers.pdf
 “To bypass modern OS security mechanisms that block the
execution of untrusted code in kernel mode, GrayFish
exploits several legitimate drivers, including one from the
CloneCD program. This driver ( ElbyCDIO.sys ) contains a
vulnerability which GrayFish exploits to achieve kernel-level
code execution”

27
technique
 CVE-2009-0824
 Code execution in ElbyCDIO.sys
(CloneCD)
 But no samples hashes in the publication :’(
 So I asked & Kaspersky accepted to share
the samples with me…

28
technique
 CVE-2009-0824
 Code execution in ElbyCDIO.sys
(CloneCD)
 But no samples hashes in the publication :’(
 So I asked & Kaspersky accepted to share
the samples with me…
BUT

29
technique
 Kaspersky promised to provide me the
sample in March…

30
technique
sample in March… in April

31
technique
sample in March… in April… in May

32
technique
sample in March… in April… in May …
in June

33
technique
in June … and in July…

34
technique
in June … and in July…
 I’m still waiting :’(

35
 “high end”: HIDEDRV (APT28/Fancy
Bear/Sednit/…) technique
 I only have the 64 bits .sys file…
 No dropper :’(
 So I don’t know how the attacker bypass the
authenticode :’(
 If someone in the room have this dropper, do
not hesitate to contact me!!!

36
 “high end”: the same approach
 The malware developers use the same
approach with different implementation:
vulnerability exploitation on legitimate driver.

37
 What about the expiration date?
 In kernel space, we can perfectly load an
driver signed by an expired certificate…

38
 What about the revocation of certificate?
 Who really cares of CRL?
 The certificate of the vulnerable drivers
mentioned today are not yet revoked…
 It seems to be complicated to
systematically revoke certificates once a
vulnerability is found. (huge side effects)
 I’m not even sure that CRL works for
Kernel space…

39
 Extra trick
 The Atheros private certificate leak
 https://duo.com/assets/pdf/Dude,_You_Got_
Dell_d.pdf

40
 Extra trick

41
 Extra trick
 The Atheros private certificate can be used
to sign a driver - even if the cert is expired -
 On a fresh default Windows install, the driver
can perfectly be loaded - even if the cert is
expired -

42
 The future?
“Microsoft announced that Windows 10 would not allow installation of
drivers unless the driver was signed via the SysDev portal (that is, signed
by Microsoft, thought this will not require the driver to pass the HLK tests.”
source “The NT Insider May-June 2016”
Not implemented for Windows 10 RS2 Preview…

User space (new) implications
in Windows 10 TH2
43

Windows systems & code signing protection | User Space
44
 The protected processes
 Microsoft implemented a Signing Level in
Windows 8.
 Alex Ionescu perfectly documented this code
signing feature: http://www.alex-
ionescu.com/?p=146

45

46
 No more PROCESS_ALL_ACCESS, PROCESS_CREATE_PROCESS,
PROCESS_CREATE_THREAD, PROCESS_DUP_HANDLE,
PROCESS_QUERY_INFORMATION, PROCESS_SET_INFORMATION,
PROCESS_SET_QUOTA, PROCESS_VM_OPERATION, PROCESS_VM_READ,
PROCESS_VM_WRITE
 Welcome PROCESS_QUERY_LIMITED_INFORMATION
 Only available for Microsoft binaries… you
cannot create your own protected process :’(

47
 “Protecting Microsoft Edge against binary
injection”
 Communication by Microsoft:
https://blogs.windows.com/msedgedev/2015/
11/17/microsoft-edge-module-code-integrity/
 “The latest Windows 10 updates strengthen
Microsoft Edge with industry-leading
enforcement against loading unauthorized
DLLs into Microsoft Edge content
processes.” (latest == TH2)

48
injection”
 Documented
VS
Undocumented

49
injection”
 Mitigation Policy
typedef enum _PROCESS_MITIGATION_POLICY {
ProcessDEPPolicy,
ProcessASLRPolicy,
ProcessDynamicCodePolicy,
ProcessStrictHandleCheckPolicy,
ProcessSystemCallDisablePolicy,
ProcessMitigationOptionsMask,
ProcessExtensionPointDisablePolicy,
ProcessControlFlowGuardPolicy,
ProcessSignaturePolicy,
ProcessFontDisablePolicy,
ProcessImageLoadPolicy,
MaxProcessMitigationPolicy
} PROCESS_MITIGATION_POLICY, *PPROCESS_MITIGATION_POLICY;

50
injection”
 Mitigation Policy
typedef struct _PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY {
union {
DWORD Flags;
struct {
DWORD MicrosoftSignedOnly : 1;
DWORD StoreSignedOnly : 1;
DWORD MitigationOptIn : 1;
DWORD ReservedFlags : 29;
} DUMMYSTRUCTNAME;
} DUMMYUNIONNAME;
} PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY,
*PPROCESS_MITIGATION_BINARY_SIGNATURE_POLICY;

51
injection”
 How does it work?
 During a LoadLibrary() API call
-> the kernel calls NtCreateSection();
-> MiCreateSection() is called;
-> MiValidateSectionCreate() is called;
-> ci.dll (Code Integrity) is used in
order to check signatures

52
injection”
 Is it bulletproof?

53
injection”
 Does it bulletproof?
 For proper .dll injection via
LoadLibrary(): YES
 For dirty injection (shellcode injection, in
memory patching, …): NO
Code test:
https://github.com/SekoiaLab/BinaryInjectionMitigation/

Questions?
or awkward silence?
or applause to wake up your neighbour?
54

Windows Systems & Code Signing Protection by Paul Rascagneres

More Related Content

What's hot

Viewers also liked

Similar to Windows Systems & Code Signing Protection by Paul Rascagneres

More from Shakacon

Recently uploaded

Windows Systems & Code Signing Protection by Paul Rascagneres