C, Windows, Red Team and Me.

This article is about using the C compiler toolchain, understanding the layout of Microsoft Windows executables and processes, and the red team techniques that build on that knowledge to evade anti-virus and endpoint detection.

Let's begin:

"C code is converted into assembly code by a compiler and into an executable program by a linker." That is a lot of jargon in one sentence, so let me break it down. (Note that it is the compiler toolchain that does this work, not the operating system; the OS only loads the finished executable.)

C compiler: a tool that translates human-readable C source code into assembly code, and from there into machine code. In the days of Python and other high-level languages the C compiler is still relevant: Windows itself, its drivers and most endpoint security products are written in C or C++.

Assembler: during the build, the assembly code emitted by the compiler is converted by the assembler into the machine code that the CPU understands.

Linker: when you write a program in a language like C or C++, the source code is first compiled into object files. These object files contain machine code but are not yet complete programs, because they may have unresolved references to functions or variables defined in other object files or libraries. The linker combines one or more object files (and any libraries they need) into an executable program or a library, resolving those references.

Some additional terminology below to understand the relationships.

COFF: Common Object File Format. When a program in C or C++ is compiled, the compiler converts the source code into machine code and saves it in an object file (.obj), which on Windows is in COFF format. COFF is used during the compilation and linking phase; the PE format below is an extension of it, which is why the file header and section table of a PE file are COFF structures.

PE: the Portable Executable format is the binary file format Microsoft Windows uses for executable programs (.exe), libraries (.dll) and device drivers (.sys). PE is what the linker produces and what the Windows loader consumes during the deployment and execution phase.

Function: a block of code that performs a specific task, such as reading a key press from the keyboard, handling a mouse click, or executing a file.

Thread: from a code perspective, a thread can be thought of as a worker responsible for executing code.

Process: can be thought of as a container into which code (the main executable and the DLLs it needs) is loaded.

Diagram: section headers structure (image not available).

Section headers are an important part of the PE format because they tell the operating system how to map the program or library into memory and execute it. After compilation and linking, the code and data are split into sections (.text for code, .data and .rdata for data, .reloc for relocation records, and so on); each section header records the section's name, its virtual address and size in memory, its offset and size in the file, and its characteristics flags (readable, writable, executable), as the diagram above shows.

With those basics in place, now on to the red team work.

So how do you infect a normal program with shellcode, the way a file-infecting worm does?

The core idea is to add a malicious section to the normal program to hold the malicious code, and to point the program's entry point (AddressOfEntryPoint in the PE optional header) at that section, so that the infected program runs the malicious code as soon as it is executed. This is also why an entry point that lies outside the original code section, or inside the last section of the file, is a classic indicator that scanners look for.

Examples of common shellcode can be found on the internet, with functions ranging from popping up a "BrokenByte" window when triggered, to downloading malware, opening reverse shells, injecting into memory, and so on.
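Here is an added example (my own code, not from the original article) that walks a PE section table the way a scanner would and classifies where AddressOfEntryPoint lands, which is the check the two paragraphs above call for. It is portable C with the PE structures declared by hand instead of including windows.h, so it compiles on any platform. The sample image it builds is constructed in memory (headers only, three sections named .text, .data and .evil, with the third one standing in for a section an infector appended) and is not a real binary; the verdict codes and function names are my own.

```c
/* PE section-table walker and entry-point check. Portable C: the structures
 * below mirror the documented PE layout (field names follow winnt.h), so no
 * <windows.h> is needed. Example code, not from the original article. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SCN_CNT_CODE     0x00000020u
#define IMAGE_SCN_MEM_EXECUTE  0x20000000u
#define IMAGE_SCN_MEM_READ     0x40000000u
#define IMAGE_SCN_MEM_WRITE    0x80000000u
#define SEC_RX  (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
#define SEC_RWX (SEC_RX | IMAGE_SCN_MEM_WRITE)

#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t pad[58]; uint32_t e_lfanew; } DosHeader; /* 64 bytes */
typedef struct {                                                                     /* 20 bytes */
    uint16_t Machine, NumberOfSections;
    uint32_t TimeDateStamp, PointerToSymbolTable, NumberOfSymbols;
    uint16_t SizeOfOptionalHeader, Characteristics;
} FileHeader;
typedef struct {                                                                     /* 40 bytes */
    uint8_t  Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;
#pragma pack(pop)

/* Verdicts for where AddressOfEntryPoint lands (my own codes, not a Windows API). */
enum { EP_OK = 0, EP_NO_SECTION, EP_NOT_EXECUTABLE, EP_IN_WRITABLE_CODE, EP_IN_LAST_SECTION, EP_BAD_IMAGE = -1 };

/* Locate the section table and AddressOfEntryPoint with bounds checks.
 * Returns the number of sections, or -1 if the headers are not a sane PE. */
static int pe_sections(const uint8_t *img, size_t len, const SectionHeader **tbl, uint32_t *entry_rva)
{
    if (len < sizeof(DosHeader)) return -1;
    const DosHeader *dos = (const DosHeader *)img;
    if (dos->e_magic != 0x5A4D) return -1;                                     /* "MZ" */
    size_t nt = dos->e_lfanew;
    if (nt + 4 + sizeof(FileHeader) > len || memcmp(img + nt, "PE\0\0", 4) != 0) return -1;
    const FileHeader *fh = (const FileHeader *)(img + nt + 4);
    size_t opt = nt + 4 + sizeof(FileHeader);                                  /* optional header */
    if (fh->SizeOfOptionalHeader < 20) return -1;                              /* must hold AddressOfEntryPoint */
    size_t tbl_off = opt + fh->SizeOfOptionalHeader;
    if (tbl_off + (size_t)fh->NumberOfSections * sizeof(SectionHeader) > len) return -1;
    memcpy(entry_rva, img + opt + 16, 4);            /* AddressOfEntryPoint: offset 16 in PE32 and PE32+ */
    *tbl = (const SectionHeader *)(img + tbl_off);
    return fh->NumberOfSections;
}

/* Classify the entry point. Outside every section, in a non-executable section,
 * in a writable+executable section, or in the last section of the file (where
 * an infector appends its own) are all suspicious. */
int check_entry_point(const uint8_t *img, size_t len, char name_out[9])
{
    const SectionHeader *s; uint32_t ep;
    int n = pe_sections(img, len, &s, &ep);
    name_out[0] = '\0';
    if (n < 0) return EP_BAD_IMAGE;
    for (int i = 0; i < n; i++) {
        uint32_t size = s[i].VirtualSize ? s[i].VirtualSize : s[i].SizeOfRawData;
        if (ep < s[i].VirtualAddress || ep >= s[i].VirtualAddress + size) continue;
        memcpy(name_out, s[i].Name, 8); name_out[8] = '\0';
        uint32_t c = s[i].Characteristics;
        if (!(c & IMAGE_SCN_MEM_EXECUTE)) return EP_NOT_EXECUTABLE;
        if (c & IMAGE_SCN_MEM_WRITE)      return EP_IN_WRITABLE_CODE;
        if (i == n - 1 && n > 1)          return EP_IN_LAST_SECTION;
        return EP_OK;
    }
    return EP_NO_SECTION;
}

/* Constructed sample: headers only, no real code. The third section plays the
 * role of a section an infector appended; its flags are a parameter. */
static void put_section(uint8_t *p, const char *name, uint32_t va, uint32_t size, uint32_t chars)
{
    SectionHeader h; memset(&h, 0, sizeof h);
    memcpy(h.Name, name, strlen(name));
    h.VirtualAddress = va; h.VirtualSize = size; h.SizeOfRawData = size; h.Characteristics = chars;
    memcpy(p, &h, sizeof h);
}

size_t build_sample(uint8_t *buf, size_t cap, uint32_t entry_rva, uint32_t last_chars)
{
    const uint32_t nt = 64; const uint16_t opt_size = 0x70, magic = 0x20B;    /* PE32+ */
    size_t need = nt + 4 + sizeof(FileHeader) + opt_size + 3 * sizeof(SectionHeader);
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z'; memcpy(buf + 60, &nt, 4);
    memcpy(buf + nt, "PE\0\0", 4);
    FileHeader fh; memset(&fh, 0, sizeof fh);
    fh.Machine = 0x8664; fh.NumberOfSections = 3; fh.SizeOfOptionalHeader = opt_size;
    memcpy(buf + nt + 4, &fh, sizeof fh);
    uint8_t *opt = buf + nt + 4 + sizeof(FileHeader);
    memcpy(opt, &magic, 2); memcpy(opt + 16, &entry_rva, 4);
    uint8_t *sec = opt + opt_size;
    put_section(sec, ".text", 0x1000, 0x1000, SEC_RX);
    put_section(sec + sizeof(SectionHeader), ".data", 0x2000, 0x1000, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE);
    put_section(sec + 2 * sizeof(SectionHeader), ".evil", 0x3000, 0x200, last_chars);
    return need;
}

int main(void)
{
    uint8_t img[512]; char name[9];
    size_t len = build_sample(img, sizeof img, 0x1100, SEC_RX);
    int v = check_entry_point(img, len, name);
    printf("clean image   : entry point in %-8s verdict %d\n", name, v);
    len = build_sample(img, sizeof img, 0x3000, SEC_RWX);
    v = check_entry_point(img, len, name);
    printf("infected image: entry point in %-8s verdict %d\n", name, v);
    return 0;
}
```

On a real file the same walk runs over the bytes read from disk; the only Windows-specific part is that the structures come from winnt.h instead of being declared here.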

If we run a program signed with a digital signature from a known and valid company (for example a Microsoft update package, or an installer from a large company) and replace the PE module mapped into the process with a malware module, can we run the malware as the trusted program? Yes, and this is the core of the famous process hollowing (RunPE) attack technique.

If we can map the malware module into memory before the executable's loader starts, and replace PEB->ImageBaseAddress (the address of the primary module) so that it points at the malware image instead of the original module, then we can hijack the normal program's execution. The process still reports the original, signed file on disk; only the image in memory has changed.

Analysis with the well-known forensic tool Process Explorer shows that after the test malware runs, a process named GoogleUpdate is created, but instead of running the GoogleUpdate binary it displays the malware's pop-up window. Process Explorer also confirms that the digital signature is undamaged and verifies correctly. The technique did not modify any static code at all: it simply replaced the main module at run time to trick the application loader. The signature check only covers the file on disk, which is exactly why it still passes; the mapped image in memory no longer matches that file, and that mismatch is what memory-based detections look for.

This technique has been used by OceanLotus (also tracked as APT32), a Vietnamese state-sponsored cyber-espionage group.

Next, let us discuss the Thread Environment Block (TEB) and the Process Environment Block (PEB), and how attackers use these structures in malicious software.

The Thread Environment Block (TEB) is a data structure created by the operating system for each thread of a process. It holds per-thread information such as the stack base and limit, the thread and process IDs, thread-local storage, the last error value, and a pointer to the PEB. (Register values are not kept here; they live in the thread's CONTEXT, saved by the kernel when the thread is switched out.)

The Process Environment Block (PEB) is a data structure created by Windows for each running process. It contains information about the process such as the base address of the main executable (ImageBaseAddress), the command line and environment variables (via ProcessParameters), the list of loaded modules (Ldr), and the BeingDebugged flag. Because it lives in the process's own user-mode memory, the process, or malware running inside it, can read and rewrite it.

A single process can have multiple threads, so there is only one PEB per process but several TEBs at the same time, one per thread.

Many red teams and attackers operating on local machines run into antivirus software, endpoint defense products or event-log monitoring, and want their attack commands to go undetected or untraced. The process hollowing (RunPE) technique above suggests an idea: if we create a child process with bogus command-line parameters, and the actual execution reads the real attack parameters that we have placed in the process afterwards, can we bypass local monitoring by antivirus?

For example, ransomware often runs vssadmin delete shadows /all /quiet to delete the user's Volume Shadow Copy backups. Antivirus software therefore strictly checks whether the command-line parameters of any vssadmin process contain that command, to block this kind of attack.

Parameter forgery (also called argument spoofing) is a common attack: the process is created with harmless-looking parameters, which is what monitoring tools record, and the real parameters are written into the process's PEB (ProcessParameters->CommandLine) before it runs, for example to open a command prompt and execute our back-end scripts. Defenders should note that telemetry which reads the command line once, at process creation, records the bogus value; comparing it with what the process actually does, or re-reading the PEB after the process has started, is what exposes the spoof.

This technique is often used to get past the application whitelists of antivirus software or corporate protection products.
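As an added example (not from the article), this is the kind of command-line check the vssadmin paragraph describes, written in portable C: normalise the recorded command line and match the shadow-copy deletion regardless of case, quoting, full path or switch order. It also matches the wmic shadowcopy delete variant, which the article does not mention. The sample command lines are constructed, and the function names are mine. The lesson for this section is that the check only sees what telemetry recorded: if the process was created with bogus parameters that were later swapped in the PEB, the recorded line is the harmless one and the check passes.

```c
/* Normalise a recorded process command line and match the vssadmin shadow-copy
 * deletion the article mentions (plus the wmic variant). Example code, not the
 * article's; sample command lines are constructed. */
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Lower-case, drop quote characters, collapse whitespace, and strip any path
 * prefix from the first token so "C:\Windows\System32\VSSADMIN.EXE" -> "vssadmin.exe". */
size_t normalise_cmdline(const char *in, char *out, size_t cap)
{
    size_t n = 0; int in_space = 1, first_token = 1;
    for (const char *p = in; *p && n + 1 < cap; p++) {
        unsigned char c = (unsigned char)*p;
        if (c == '"' || c == '\'') continue;
        if (isspace(c)) {
            if (!in_space) { out[n++] = ' '; in_space = 1; first_token = 0; }
            continue;
        }
        if (first_token && (c == '\\' || c == '/')) { n = 0; continue; }  /* restart after a path separator */
        out[n++] = (char)tolower(c); in_space = 0;
    }
    while (n && out[n - 1] == ' ') n--;
    out[n] = '\0';
    return n;
}

/* 1 if the command line deletes volume shadow copies: vssadmin ... delete ... shadows
 * (any switch order) or wmic ... shadowcopy ... delete. */
int is_shadow_deletion(const char *cmdline)
{
    char norm[1024];
    normalise_cmdline(cmdline, norm, sizeof norm);
    char *tok = strtok(norm, " ");
    if (!tok || (!strstr(tok, "vssadmin") && !strstr(tok, "wmic"))) return 0;
    int del = 0, shadows = 0;
    while ((tok = strtok(NULL, " ")) != NULL) {
        if (!strcmp(tok, "delete")) del = 1;
        if (!strcmp(tok, "shadows") || !strcmp(tok, "shadowcopy")) shadows = 1;
    }
    return del && shadows;
}

/* Constructed sample of what process-creation telemetry might record. */
static const char *SAMPLE_CMDLINES[] = {
    "vssadmin delete shadows /all /quiet",
    "\"C:\\Windows\\System32\\VSSADMIN.EXE\"   Delete   Shadows /Quiet /All",
    "wmic shadowcopy delete",
    "vssadmin list shadows",
    "C:\\Windows\\System32\\notepad.exe delete shadows",
};

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE_CMDLINES / sizeof *SAMPLE_CMDLINES; i++)
        printf("%-70s -> %s\n", SAMPLE_CMDLINES[i],
               is_shadow_deletion(SAMPLE_CMDLINES[i]) ? "ALERT" : "ok");
    return 0;
}
```

The normalisation step matters more than the pattern: a rule that only matches the literal string "vssadmin delete shadows /all /quiet" is defeated by an extra space or a quoted full path, which costs the attacker nothing.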

DLL side-loading and DLL search-order hijacking are classic hacking techniques documented in MITRE ATT&CK under Hijack Execution Flow (T1574): DLL Search Order Hijacking is sub-technique T1574.001 and DLL Side-Loading is sub-technique T1574.002 (attack.mitre.org/techniques/T1574/002/).

The core principle is to get a DLL designed by the attacker loaded in place of the DLL a process expects, so that the attacker takes control of that process's execution. By placing the right malicious DLL in the right location (a directory that is searched before the legitimate copy, or next to an application that loads the DLL by name), the attacker's code runs inside any EXE that loads it, for example a digitally signed system service process.

DLL side-loading is a technique often abused by APT groups for exploitation, bypassing antivirus software, or backdoor persistence. As long as the DLL file can be written to the filesystem in the right place, the execution flow of the process can be controlled. Bear in mind that the technique comes in many variations, and that the same search-order rules can be used defensively, for instance by auditing which DLLs a signed binary loads from directories that unprivileged users can write to.

These techniques are often used by attackers to build loaders, fileless attacks and staged payloads that escalate privileges, bypass antivirus software, or hide backdoors.

Relocation design of PE modules.

The relocation mechanism allows us to load an EXE or DLL at any memory address we want with our own application loader. A PE file is linked for a preferred ImageBase; the .reloc section lists every location in the image that holds an absolute address, and whoever loads the image somewhere else (the Windows loader, or our own) must add the difference between the preferred and the actual base address to each of those locations.

Convert any DLL module into shellcode. This classic technique (reflective DLL loading) has been widely used in the wild and in commercial attack suites such as Metasploit and Cobalt Strike: a small position-independent loader stub is prepended to the DLL and performs the mapping, relocation and import resolution itself, so the whole thing can be injected as a single blob of shellcode.

Writing shellcode by hand is too costly for complex attack actions. Modern attackers prefer to develop their malware in C/C++ and convert the resulting EXE or DLL files into shellcode. There are two main reasons: hand-written shellcode is costly and time-consuming, and it is difficult to build complex backdoor, privilege-escalation or lateral-movement features that way; and shellcode is normally only used as the code that hijacks execution in a first-stage exploit, after which a full module takes over.
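An added example (my own code, not from the article, and not the loader used by Metasploit or Cobalt Strike) of the relocation step that a custom loader, or the reflective loader stub just described, has to perform. It assumes the image has already been copied section by section to its RVAs in a buffer, and that the .reloc directory's RVA and size have been read from the optional header's data directory (entry 5, IMAGE_DIRECTORY_ENTRY_BASERELOC); the sample image and its single relocation block are constructed inline. Only the two relocation types that matter on x86 and x64 (HIGHLOW and DIR64) are handled, and anything else is treated as an error rather than silently skipped.

```c
/* Base relocation for a custom PE loader. Portable C, example code (not the
 * loader of any real tool). Operates on an image already laid out at its RVAs. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_REL_BASED_ABSOLUTE 0    /* padding entry, skip */
#define IMAGE_REL_BASED_HIGHLOW  3    /* 32-bit absolute address (PE32) */
#define IMAGE_REL_BASED_DIR64    10   /* 64-bit absolute address (PE32+) */

#pragma pack(push, 1)
typedef struct { uint32_t VirtualAddress; uint32_t SizeOfBlock; } BaseRelocation;  /* IMAGE_BASE_RELOCATION */
#pragma pack(pop)

/* Walk the .reloc directory and add (actual_base - preferred_base) to every
 * absolute address it lists. Each block covers one 4 KiB page: a header giving
 * the page RVA and block size, then 16-bit entries (type in the top 4 bits,
 * page offset in the low 12). Returns fix-ups applied, or -1 if malformed. */
long apply_relocations(uint8_t *image, size_t image_size, uint32_t reloc_rva, uint32_t reloc_size,
                       uint64_t preferred_base, uint64_t actual_base)
{
    uint64_t delta = actual_base - preferred_base;
    if (delta == 0) return 0;                                      /* loaded at preferred base */
    if ((uint64_t)reloc_rva + reloc_size > image_size) return -1;
    long applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    while (pos + sizeof(BaseRelocation) <= end) {
        BaseRelocation blk; memcpy(&blk, image + pos, sizeof blk);
        if (blk.SizeOfBlock == 0) break;                           /* zero padding ends the table */
        if (blk.SizeOfBlock < sizeof blk || pos + blk.SizeOfBlock > end) return -1;
        uint32_t nentries = (blk.SizeOfBlock - (uint32_t)sizeof blk) / 2;
        const uint8_t *ent = image + pos + sizeof blk;
        for (uint32_t i = 0; i < nentries; i++) {
            uint16_t e; memcpy(&e, ent + 2 * i, 2);
            uint32_t type = e >> 12, target = blk.VirtualAddress + (e & 0xFFF);
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type == IMAGE_REL_BASED_DIR64) {
                if ((uint64_t)target + 8 > image_size) return -1;
                uint64_t v; memcpy(&v, image + target, 8); v += delta; memcpy(image + target, &v, 8);
            } else if (type == IMAGE_REL_BASED_HIGHLOW) {
                if ((uint64_t)target + 4 > image_size) return -1;
                uint32_t v; memcpy(&v, image + target, 4); v += (uint32_t)delta; memcpy(image + target, &v, 4);
            } else {
                return -1;                                         /* type this loader does not support */
            }
            applied++;
        }
        pos += blk.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample image: three absolute pointers in a ".data" area and a
 * one-block .reloc table describing them. Returns the reloc directory size. */
#define IMG_SIZE       0x3000
#define DATA_RVA       0x1000
#define RELOC_RVA      0x2000
#define PREFERRED_BASE 0x140000000ull   /* default x64 EXE ImageBase */

uint32_t build_sample_image(uint8_t *image)
{
    memset(image, 0, IMG_SIZE);
    uint64_t p0 = PREFERRED_BASE + 0x1234, p1 = PREFERRED_BASE + 0x2000;
    uint32_t p2 = (uint32_t)(PREFERRED_BASE + 0x1500);
    memcpy(image + DATA_RVA + 0x00, &p0, 8);
    memcpy(image + DATA_RVA + 0x08, &p1, 8);
    memcpy(image + DATA_RVA + 0x10, &p2, 4);
    uint16_t entries[4] = {
        (IMAGE_REL_BASED_DIR64 << 12) | 0x000,   (IMAGE_REL_BASED_DIR64 << 12) | 0x008,
        (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010, (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000 };
    BaseRelocation blk = { DATA_RVA, (uint32_t)(sizeof(BaseRelocation) + sizeof entries) };
    memcpy(image + RELOC_RVA, &blk, sizeof blk);
    memcpy(image + RELOC_RVA + sizeof blk, entries, sizeof entries);
    return blk.SizeOfBlock;
}

uint64_t read_u64(const uint8_t *image, uint32_t rva) { uint64_t v; memcpy(&v, image + rva, 8); return v; }
uint32_t read_u32(const uint8_t *image, uint32_t rva) { uint32_t v; memcpy(&v, image + rva, 4); return v; }

int main(void)
{
    static uint8_t image[IMG_SIZE];
    uint32_t reloc_size = build_sample_image(image);
    uint64_t actual_base = PREFERRED_BASE + 0x50000;      /* pretend the OS gave us a different address */
    long n = apply_relocations(image, IMG_SIZE, RELOC_RVA, reloc_size, PREFERRED_BASE, actual_base);
    printf("applied %ld fix-ups; first pointer now 0x%llx (expected 0x%llx)\n", n,
           (unsigned long long)read_u64(image, DATA_RVA), (unsigned long long)(actual_base + 0x1234));
    return 0;
}
```

The bounds checks are not decoration: a loader that trusts SizeOfBlock or the page offsets blindly can be made to write outside the image by a crafted file, which is a real concern when the "loader" is a security tool parsing untrusted samples.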

A software packer is often used by attackers to compress executables, to avoid static antivirus signature checks, or even to hinder reverse-engineering analysis by researchers.

Different packers are designed for different tasks. In practice, they are usually divided into two categories:

  • Compression packers: often with special designs or chosen algorithms to compress the executable to a smaller size. Well-known examples are UPX and MPRESS.
  • Protective packers: in addition to compression, they also provide protection against reverse engineering, or special protection for commercial needs (licensing checks, anti-debugging, code virtualization). Examples are VMProtect, Themida and Enigma Protector.

A common saying on Chinese forums is: "When you can't beat an antivirus, use an unpopular packer to get rid of it."
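An added example (my own code, not the article's) of the simplest static check against the compression packers listed above: Shannon entropy of a section's raw bytes. Compressed or encrypted data scores close to 8 bits per byte, while plain compiled code usually sits well below 7, which is why an "unpopular packer" still stands out to this check even when no signature matches it. The two sample buffers are constructed (a repeated prologue-like byte pattern and xorshift output); on a real file the function would run over each section's SizeOfRawData bytes at PointerToRawData. The 7.0 threshold is a rule of thumb, not a constant from the page, and the log2 routine is hand-written so the block compiles without linking libm.

```c
/* Shannon entropy as a packer indicator. Portable C with no libm dependency.
 * Example code, not from the article; sample buffers are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PACKED_ENTROPY_THRESHOLD 7.0   /* bits per byte; rule of thumb, not a constant from the page */
#define MIN_SECTION_BYTES        256   /* below this the estimate is meaningless */

/* log2(x) for x > 0 without <math.h>: split off the binary exponent, then use
 * the series ln(m) = 2*(y + y^3/3 + y^5/5 + ...) with y = (m-1)/(m+1), m in [0.5,1). */
static double log2_portable(double x)
{
    int e = 0;
    while (x >= 1.0) { x *= 0.5; e++; }
    while (x < 0.5)  { x *= 2.0; e--; }
    double y = (x - 1.0) / (x + 1.0), y2 = y * y, term = y, sum = 0.0;
    for (int k = 1; k < 60; k += 2) { sum += term / k; term *= y2; }
    return 2.0 * sum / 0.6931471805599453 + e;
}

/* Entropy in bits per byte: 0 for a constant buffer, 8 for uniformly distributed bytes. */
double shannon_entropy(const uint8_t *buf, size_t len)
{
    if (len == 0) return 0.0;
    size_t hist[256] = {0};
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    double h = 0.0;
    for (int i = 0; i < 256; i++) {
        if (!hist[i]) continue;
        double p = (double)hist[i] / (double)len;
        h -= p * log2_portable(p);
    }
    return h;
}

/* Verdict for one section's raw bytes (SizeOfRawData bytes at PointerToRawData). */
int looks_packed(const uint8_t *buf, size_t len)
{
    return len >= MIN_SECTION_BYTES && shannon_entropy(buf, len) > PACKED_ENTROPY_THRESHOLD;
}

/* Constructed samples: a repeated prologue-like byte pattern standing in for plain
 * x64 code, and xorshift64 output standing in for a compressed/encrypted section. */
void fill_low_entropy(uint8_t *buf, size_t len)
{
    static const uint8_t pattern[16] = { 0x48, 0x89, 0x5C, 0x24, 0x08, 0x57, 0x48, 0x83,
                                         0xEC, 0x20, 0x8B, 0xDA, 0x48, 0x8B, 0xF9, 0xE8 };
    for (size_t i = 0; i < len; i++) buf[i] = pattern[i % sizeof pattern];
}

void fill_high_entropy(uint8_t *buf, size_t len, uint64_t seed)
{
    uint64_t x = seed ? seed : 0x9E3779B97F4A7C15ull;
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 7; x ^= x << 17;                    /* xorshift64 */
        buf[i] = (uint8_t)(x >> 56);
    }
}

void fill_uniform(uint8_t buf[256]) { for (int i = 0; i < 256; i++) buf[i] = (uint8_t)i; }

int approx_equal(double a, double b, double eps) { double d = a - b; return d < eps && -d < eps; }

int main(void)
{
    static uint8_t low[4096], high[65536];
    fill_low_entropy(low, sizeof low);
    fill_high_entropy(high, sizeof high, 1);
    printf("code-like  : %.3f bits/byte, packed=%d\n", shannon_entropy(low, sizeof low), looks_packed(low, sizeof low));
    printf("random-like: %.3f bits/byte, packed=%d\n", shannon_entropy(high, sizeof high), looks_packed(high, sizeof high));
    return 0;
}
```

Entropy is a first filter, not a verdict: legitimate installers with embedded compressed resources also score high, and a protective packer that virtualizes code rather than compressing it can score low, so the number is best combined with the other signs (an entry point in a section named after the packer, executable sections with SizeOfRawData of zero, a tiny import table).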

Digital Signatures:

Windows users install anti-virus software, update systems regularly, choose the source of downloads carefully, and double-check that applications are digitally signed by reputable technology companies. However, are these security practices really enough to keep hackers at bay?

Authenticode digital signatures

Authenticode is a code-signing technology developed by Microsoft that lets users verify who signed a program. It also ensures that the signed program has not been tampered with by attackers in transit. Additionally, the certificate used to sign must chain to a trusted certificate authority (CA), to ensure that the signed file actually comes from the named publisher.

As an example, WinVerifyTrust can be run against the GoogleUpdate.exe file shipped with Google Chrome to confirm that it carries a Google digital signature and that the signature is still valid and has not expired, the same result File Explorer shows when you right-click the file, open Properties and select the Digital Signatures tab. This confirms that WinVerifyTrust can correctly identify whether any program has an Authenticode digital signature and verify that it is still valid.

Mock signatures

Mock signatures are common these days, where malicious code is made to look as if it were signed by a trusted publisher. The Petya ransomware attack seen in the wild, as observed by Kaspersky researcher Costin Raiu, carried a signature purporting to be from Microsoft.

It is characterized by the use of major leaked nation-state exploits (such as EternalBlue and other SMB vulnerabilities, and MS Office vulnerabilities delivered by phishing) as its standard infection route, and it wreaked global havoc on large government and private-sector organizations such as airports, subways and banks.

So after downloading any program from an unknown source, it is important not only to check whether it has a digital signature, but also to check that the signature actually verifies (File Explorer's Digital Signatures tab, Get-AuthenticodeSignature in PowerShell, or signtool verify), in order to avoid running a program carrying a signature specially crafted by hackers. A signature that is present but does not verify is worth nothing.

There are ways to bypass the digital signature verification process on Windows, including attacking CryptSIPGetSignedDataMsg to make any program appear to carry a valid signature, attacking CryptSIPVerifyIndirectData to hide a backdoor in the signature structure where it is excluded from the fingerprint (hash) calculation, and attacking CryptSIPVerifyIndirectData by skipping normalization. All of these abuse the Subject Interface Package (SIP) routines that Authenticode verification dispatches through.

In my college days, while studying for my electronics and engineering degree, there were the 8086 digital processor programming labs. While studying them at the time, I wondered whether machine-level programming was really that exciting. But now, in 2023, large-scale attacks involve understanding machine-level code, the basics of C programming and of course Windows and operating systems, and with a red team hat on, the possibilities are endless.

More articles by Vishnu Bharath R:

  • Azure Network Security
  • Turning Lathe, Milling and 3D Printing - Their Technical aspects.
  • Microsoft Azure Containers - An Architect Perspective
  • Endpoint Security Review