patching windows executables with the backdoor factory | derbycon 2013

Download Patching Windows Executables with the Backdoor Factory | DerbyCon 2013

Post on 08-May-2015




4 download

Embed Size (px)


Slides from my DerbyCon 2013 talk.


  • 1.Patching Windows Executables with the Backdoor Factory Joshua Pitts DerbyCon 2013

2. Other Potential Titles IM DOWN WITH APT (yeah you know me) Lassie, did Timmy fall in a Code Cave again?? Why I Cyber and How You Can Cyber too When ET met EMET (A Love Story) Hugging Your Way to the Top, One Hug at a Time How I Owned Your Mother 3. About Me US Marine, Pre-911: SIGINT Past: IT and Physical Security Auditor, Operational Security Lead, Malware and Forensic Analyst Current: Reverse Engineer, Pentester Python, C/C++, ASM (INTEL) I have certs.. Serious inquires only :P Currently work at Leviathan Security Group 4. Urban Dictionary 5. Overview History of Patching How I learned to patch binaries The Backdoor Factory Features Capabilities Demos (Live and Video) Mitigations Going forward 6. What is Patching Definition (Wikipedia): A patch is a piece of software designed to fix problems with, or update a computer program or its supporting data. This includes fixing security vulnerabilities and other bugs, and improving the usability or performance. 7. For This Presentation My Definition: Adding or taking away content or functionality to a compiled binary. 8. Security Pros and Patching Red Teaming persistence in plain sight Pentesting/Social Engineering Salt all the parking lots! Research Just because :D Malware/Code analysis Break the anti-analysis code 9. History of Patching Good thing we dont do this with operating systems. 10. The MS Method MSP Windows install patch file. Contains at least two data transforms One updates the install database One has info that the installer uses for patching files The installer will then use this info to apply the patch from the cabinet file Yada Yada Yada 11. What does this mean? MS definition of patching is replacing old registry entries, dlls, and exes with new items Not the patching that were taking about today 12. How Key Gens/Crackers do it Find code branch(es) that validate(s) the softwares protection mechanism(s) Make it return to a value that meets a valid condition for approved/continued operation Sometimes its a function that returns a True/False (0/1) value after the check. 13. How Metasploit Patches msfvenom p windows/shell_reverse_tcp x psexec.exe The overwrite program entry method msfvenom p windows/shell_reverse_tcp x psexec.exe k The allocate and create thread and return to original program entry method (Keep) 14. MSF Overwrite program Entry - Before 15. MSF Overwrite program Entry - After 16. Pros/Cons PRO: Attacker receives a shell (or 17) :D PRO: Size of EXE not changed CON: No continued execution of program WIN - LOSE 17. MSF Create Thread Method (Keep) When debugging in Immunity Debugger 18. MSF Create Thread Method (Keep) Immunity is telling the truth, memory sections: Original memory sections: 19. Msfvenom x32 Keep Method Explained Two separate functions or stubs Part Two: The shellcode payloads that we all know Part One: Is not new, not so well known, but is awesome Looks like an un-named section of code that has RWE attributes (very suspicious) Very important for stager payloads 20. Pros And Cons of the Msfvenom Keep Method PRO: Attacker receives shell and the binary works normally for the user Thats a WIN-WIN CON: Should be easy for AV to catch CON: Size of binary has increased 21. MSFVenom Win64 Patching Support Only supports x32 Submitted a bug post on security street A feature request was submitted (#8383): 22. PE/COFF 23. The Portable Executable Format MS-DOS 2.0 HEADER and unused space OEM ID/INFO OFFSET to PE header MS-DOS 2.0 Stub and Reloc table And unused Space PE Header Section Headers Import pages (import/export info Base reloc info Resource info) Not much has changed in the last 20 or so years Must be backwards compatible (win8 must read the header) Easy to automatically manipulate dware/gg463125 24. The Common Object File Format (COFF) Format Microsoft COFF Header (machine type, number of sections, etc..) Section Headers Raw Data Code Data Debug Info Relocations This is included in the PE File Format The most important section for RE Includes: - Machine Type - Number of Sections - Size and Access (RWE) of Sections Typically includes the rest of the file Code, Data, Debug, Reloc (the actual sections) 25. End of PE/COFF 26. How I learned to Backdoor Windows Binaries Though the Offensive Security Cracking the Perimeter course Duh Manual Labor Time Consuming At first hours Now about 10-15 mintues Missing some important concepts: Working with the import table Working with staged payloads (stagers) Multi cave jumping win32 only (slight differences in x64 asm) 27. CTP Methods Append a new section of code Similar to the Metasploit msfvenom keep Named RWX section (e.g. .sdata, .moo, .what, etc) Use existing code caves for encoding/decoding shellcode in the appended section We looked at XOR encoding XOR encoding is no longer effective against AV 28. CTP Method 29. Code Caves? 30. Code Caves? A code cave is an area of bytes in a binary that contain a null byte pattern (x00) greater than two bytes. 31. How are code caves created? Not sure, so I did some research Or went on a quest 32. How are code caves created? Starting out, I assumed that a unicorn would know everything. So I went to defcon. And whats better than a unicorn at DEFCON!!! 33. How are code caves created? Hi Unicorn! Hi.. err, human! How are code caves made? I dont know. Aww. Want a beer? Pssst Check compliers o/ 34. How are code caves created? Tested the following x32 compilers: G++ - GNU C++ Cl.exe MS compiler linker. Lcc-win32 Mingw32-c++ 35. How are code caves created? Against this code: #include #include #include #include int array[600] = {0}; int main(int argc, char **argv) { printf("hello world"); return 0; } This Code is FREE as in BEER. 36. Find Code Caves Demo Code: Binaries: 37. How Are Code Caves Created? Results for code caves greater than 200 bytes in named sections (e.g. .text, .data, .idata, etc): Cl.exe : 7 G++: 4 Mingw32-c++: 3 Lcc-win32: 0 38. How Are Code Caves Created? Remember this line of code: int array[600] = {0}; Not one had a cave of at least 600 bytes. 39. How Are Code Caves Created? Lesson: If you want to minimize code caves in your code, carefully pick your compiler.** **More research could be done in this area.*** ***I dont write compilers**** ****Nor do I want too yet :P 40. Some Ideas Automation Split shellcode into smaller sections Use multiple code caves Non-sequential cave jumping Use user provided shellcode Combine the Metasploit Stager solution with the CTP code cave use 41. Solution: BDF x32 version released in March 2013 Supported only single cave jumping No x32 stagers support Python27 - Single Script Supports win32/64 Supports x32 stagers No stagers payloads for x64 yet. (Remember that bug feature request?) Code Cave injection (single and multiple) Support user-provided shellcode Some Randomization (different hash every time an EXE is created) Through random ones compliment in the code And different types of nops Injector Module 42. How BDF works Enumerates PE/COFF Header format Determines if binary is supported (win32/64 intel) Locates code caves that correspond to size of shellcode Patches executable in an attempt to return registers/flags to the original state for continued execution Patches entry location with a JMP to the first selected code cave/appended section Patches each user selected code cave 43. How BDF works Very primitive disassembler to do just what we need Reworked the x32 msfvenom stager keep stub to work in code caves and with user provided shellcode -x64 stager support is in the works Reworked a handful of useful metasploit payloads to allow for multiple code cave jumping 44. Original Way BDF Worked 45. Now You Can Do This 46. Or This 47. Demos Support Check (Live) Backdooring win32/64 binaries (Live) Append code cave Single code caving Code Cave jumping Mass backdooring (directory) - Live Provide your own shellcode - Live Prototyping shellcode (video) The injector module (video) 48. DEMO Support Check If not supported, then what? Email me with the disassembly of the entry function (from a legitimate email) Ill send you the opcode update 49. DEMO - Patch a file with shellcode win32/64 Append Pick a single Cave Multi-Jumps Note Non-stager payloads will hang if C2 is not available Payloads are patched in-line and not run in a separate thread 50. DEMO - Mass backdooring (directory) 51. DEMO - Prototyping shellcode 52. DEMO Injector Module Injector is the hunt and backdoor binary of doom. Use responsibly 53. DEMO - Provide your own shellcode Can be anything, just make sure it matches the process type (x32 for x32) Make sure you use ExitFunction=Thread or you will kill the parent process (not good) 54. Attack Scenarios or Methods Salting Parking Lots with USBs Hosting Rouge Exes Attacking system services Linux Setuid Attack for Windows Patching binaries that require elevated perms but might be in non-admin directories Sysinternal tools Setup files 55. Mitigations UPX encoding Self Validation AVs EMET 4.0+ Hash verification White Listing 56. Mitigations - UPX Encoding Not supported by BDF Unpack Patch Pack UPX is not protection against patching Could opens your up your Exe to potential weaknesses Are you unpacking to unprotected memory space? 57. Mitigations - Self Validation Team Viewer Round Robin Checking Find the check, patch it 58. Mitigations Anti-Virus I broke the rule and uploaded my samples to Virustotal for this presentation It really doesnt matter AV is dead 59. MSFVENOM keep vs MSVENOM non-keep vs BDF Cave Jumping MSFVENOM k t exe Hash: 6d