Ad

Monday, June 16, 2014

Check out a free Pen testing website


What you will learn?

  • SQL injections
  • Authentication issues
  • Captcha issues
  • Authorization issues
  • Mass Assignment attacks
  • Randomness Issues
  • MongoDB injections

Requirements

  • A computer with a virtualisation software
  • A basic understanding of HTTP
  • Ability to write small scripts
  • Yes, that's it!

Thursday, September 26, 2013

Getting Up to date with Botnet's

As a Security consultant you will have to interact with botnets (Especially in financial networks). I wanted to give young security folks a good list of ways to stay on top of your botnet game.

1) Use network traffic and signatures sets to detect communication to C&C's from inside your network.

2) Keep in mind C&C's will often switch and you must have a view of the big picture to understand you might have a large scale attack from underground crime syndicates rather then several different attackers. (Know your enemy)

3)Best practice is to re-image the PC and more forward. Spend your time studying the malware in a sandbox, rather then having a reactive security response team.



Wednesday, August 28, 2013

DILL injection and Hooking _ A Malware Defense Guide

Trying to drill down to a botNet source and building a control plan,
when it has entered your network its not easy. You have to isolate,plan, and deploy changes sometimes all in the same day with no errors.
Not only do you have to understand the more you wait the less likely of a proper correction to a malware issue,
 it also will put you behind for future threats. You must PLAN robust solutions
which use your resources.
As a security professional you are the mystro of the cyber police and you will continue to need to decide on production changes to correct this issue and more then one right after the next.

Being able to make quick decisions in a fast moving environment while choosing wisely and effetely is the name of the game. Security is a community of cyber police who report similar situations and you are the detective to choose and use the best technologies and methods to mediate and correct your work place.
The Art of security...

Below is a great read I found from another blogger!

Please read and check out the reference links at bottom.



Introduction
In this article we will learn about DLL Injection and then using it to perform Inline Hooking in remote process with practical step by step illustrations.
This is the part of our free "Reverse Engineering & Malware Analysis Course".
You can visit our training page here and all the presentations of previous sessions here

In windows each process has its own virtual address space in which it can load and unload any DLL at any time. But that loading and unloading of DLL is initiated by the process itself. Sometimes we may want to load a DLL into a process without the process knowledge.
There are many reasons (legitimate or otherwise) to do it. For example a malware author may want to hide the malicious activity by loading a DLL into a trusted process or may want to bypass security devices while on the other hand a person may want to extend the functionality of the original program. But for both the activities steps are same.
Here we will discuss on various way to Inject our code/DLL into remote process with practical examples. Then we will extend it to hook specific API function in the target process to perform our own tasks.
DLL Injection
If I am not mistaken then approximately 45-50% malwares these days use code injection to carry out the malicious activities. So it is very crucial to understand the concept of DLL injection for amalware analyst.

I will demonstrate the technique using assembly programming language. If your development environment is not ready then i would highly recommend reading my previous article on "Assembly programming basics – A beginner's guide" to get starting with assembly programming language.
There are couple of method by which we can inject DLL into a process. The latest versions of windows enforce session separation so some of the methods may not work on the latest version of windows like windows 7/8.
Couple of Dll Injection Methods:
Window hooks (SetWindowsHookEX)
CreateRemoteThreada
App_Init registry key
ZwCreateThread or NtCreateThreadEx ? Global method (works well on all versions of windows)
Via APC (Asynchronous procedure calls)
In this article I will use CreateRemoteThread [Reference 1] method because it is the simplest approach and explains the overall logic. CreateRemoteThread will not work from windows vista onwards due to Session Separation/Isolation [Reference 4]. In such case you can use similar but undocumented function, NtCreateThread [Reference 2]
In fact it is not the problem with the CreateRemoteThread, it is the CsrClientCallServer method from Ntdll that returns false. If we can patch CsrClientCallServer to return success then we can inject DLL into a process using CreateRemoteThread itself. You can read more about it here.
Here I will focus on CreateRemoteThread on windows XP.
DLL Injection using CreateRemoteThread
There are primarily two situations
Inject DLL into a running process
Create a process and Inject DLL into it.
#2 is more suitable for this article because in later section I will cover hooking as well. While #1 is just the part of #2.Below is the line from MSDN about the CreateRemoteThread API.
Creates a thread that runs in the virtual address space of another process.
So it means CreateRemoteThread can create a thread into another process or we can say that it can execute
 a function into another process.
Let's look into its syntax.
      HANDLE WINAPI CreateRemoteThread(
  __in   HANDLE hProcess,                                               ?-------- 1
  __in   LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in   SIZE_T dwStackSize,
  __in   LPTHREAD_START_ROUTINE lpStartAddress, ?---------2
  __in   LPVOID lpParameter,                                           ?---------3
  __in   DWORD dwCreationFlags,                                  ?---------4
  __out  LPDWORD lpThreadId                                      
);
Mentioned parameters are critical for our task
  #1 – handle to the process in which the thread is to be created.
  #2 – A pointer to function or entry point of the thread that is going to be executed
  #3 – parameters to the function
  #4 – Creation state of the thread
We all know that kernerl32.dll export LoadLibrary API to load DLL at run time and also kernel32.dll is loaded by default into every process. So we can pass LoadLibrary address to #2 and parameter to LoadLibrary in #3. When we pass arguments in this order then CreateRemoteThread will execute LoadLibrary with its parameter in another process and hence loads the DLL into external process.
The only problem here is that parameter to LoadLibrary must be in target process. For example if we use LoadLibrary (#2) with "mydll.dll"(#3) as parameter to Loadlibrary then the name "mydll.dll" must be in our target process.
Fortunately windows provide API to do that as well. We can write into any process usingWriteProcessMemory and can allocate space into another process using VirtualAllocEx API. But Before that we need handle to our process, we can get that using OpenProcess or CreateProcessAPI.
So our order will be:
Use OpenProcess or CreateProcess API to get the handle of our target process
Use VirtualAllocEx to allocate space into our target process
Use WriteProcessMemory to write our DLL name into our target process
Use CreateRemoteThread to inject our DLL into our target process
Above steps are enough to inject our DLL into a process. Although to inject into a system process we first have to set se_debug privilege to our process (means the process that will inject DLL into another process) but for simplicity I am ignoring that part.
If you remember "two situations" from the beginning of this part then we need a bit of more work for #2 i.e
Create a process and Inject DLL into it.
We first have to create a process and after that we will use above steps to inject our DLL into newly created process.
Let's look into CreateProcess syntax:
BOOL WINAPI CreateProcess(
  __in_opt     LPCTSTR lpApplicationName,
  __inout_opt  LPTSTR lpCommandLine,
  __in_opt     LPSECURITY_ATTRIBUTES lpProcessAttributes,
  __in_opt     LPSECURITY_ATTRIBUTES lpThreadAttributes,
  __in         BOOL bInheritHandles,
  __in         DWORD dwCreationFlags,               ?-------- 1
  __in_opt     LPVOID lpEnvironment,
  __in_opt     LPCTSTR lpCurrentDirectory,
  __in         LPSTARTUPINFO lpStartupInfo,
  __out        LPPROCESS_INFORMATION lpProcessInformation
);
     
Here dwCreationFlags is the important parameter.  If you look into its definition on MSDN then you will see that it is used to control the creation of a process. We can set it to "CREATE_SUSPENDED" to create a process into suspended mode.

With CREATE_SUSPENDED flag CreateProcess will create the process and stop the execution of the main thread at the entry point of the thread. To start the process we can use ResumeThread API.
So our steps will be
Create Process in suspended state
Inject DLL into the process using above steps
Resume the process
Here is the complete program which mimics above steps
;Author: Amit Malik
;http://www.SecurityXploded.com
;No error checking

.386
.model flat, stdcall
option casemap:none

include windows.inc
include msvcrt.inc
include kernel32.inc

includelib kernel32.lib
includelib msvcrt.lib

.data
greet db "enter file name: ",0
sgreet db "%s",0
dreet db "enter DLL name: ",0
dgreet db "%s",0
apiname db "LoadLibraryA",0
dllname db "kernel32.dll",0

.data?
processinfo  PROCESS_INFORMATION <>
startupinfo STARTUPINFO <>
fname db 20 dup(?)
dname db 20 dup(?)
dllLen dd ?
mAddr dd ?
vpointer dd ?
lpAddr dd ?


.code
start:

invoke crt_printf,addr greet
invoke crt_scanf,addr sgreet,addr fname
invoke crt_printf,addr dreet
invoke crt_scanf,addr dgreet,addr dname
invoke LoadLibrary, addr dllname
ov mAddr,eax
invoke GetProcAddress,mAddr,addr apiname
mov lpAddr,eax

;create process in suspended state
invoke CreateProcess,addr fname,0,0,0,0,CREATE_SUSPENDED,0,0,addr startupinfo,addr processinfo
invoke crt_strlen,addr dname
mov dllLen,eax

; Allocate the space into the newly created process
invoke VirtualAllocEx,processinfo.hProcess,NULL,dllLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov vpointer,eax

; Write DLL name into the allocated space
invoke WriteProcessMemory,processinfo.hProcess,vpointer,addr dname,dllLen,NULL

; Execute the LoadLibrary function using CreateRemoteThread into the previously created process
invoke CreateRemoteThread,processinfo.hProcess,NULL,0,lpAddr,vpointer,0,NULL
invoke Sleep,1000d

; Finally resume the process main thread.
invoke ResumeThread,processinfo.hThread
xor eax,eax
invoke ExitProcess,eax

end start
     
Select console application in WinAsm and assemble the above code.  It should create a process and inject our DLL into it.
For eg: you can create calc.exe process and can inject urlmon.dll into it, by default calc.exe doesn't load urlmon.dll.



Hooking
Here is definition of Hooking from Wikipedia
In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a "hook"
Hooking is the most powerful technique available in computer software. A person can do almost everything on a system by applying hooks on the right locations.As stated in the definition that in hooking we intercept function calls or messages or events. Because it is taking the advantage of flow of execution so we can apply hooks on multiple locations from original file to system calls.
Primarily Hooks can be divided into two parts
User mode hooks
IAT (Import Address Table) Hooking
Inline Hooking
Call Patching in binary etc..
Kernel Mode hooks
IDT Hooking
SSDT Hooking etc..
In this article I will discuss Inline hooking technique which is one of the more effective hooking techniques.
Inline Hooking
In Inline hooking we overwrite the first 5 byte of the function or API to redirect the flow of execution to our code. The 5 bytes can be JMP, PUSH RET or CALL instruction.
Visually it can be explained by the following figures
Screenshot 1: Normal Call (Without hooking)

Screenshot 2: Call after hooking

As you can see in the above picture that the MessageBox function starting bytes are overwritten by JMP to MyHandler function. In MyHandler function we do our stuff and then transfer the control back to original function i.e MessageBox.
Now let's create a DLL that will hook MessageBox API and display our custom message instead of the real message.

To make a DLL we need following things:
MessageBoxA API address i.e pointer
Our function or code address i.e pointer
We can get MessageBoxA Api address using GetProcAddress.
Here are the steps:
Get MessageBoxA address
Get custom code or function address
Overwrite bytes at #1 with JMP to #2
Modify the parameter of original call
Transfer control back to #1
Here is the complete code deomonstrating Inline Hooking MessageBox function
;Author: Amit Malik
;http://www.SecurityXploded.com
;No error checking

.386
.model flat,stdcall
option casemap:none

include windows.inc
include kernel32.inc
include msvcrt.inc
include user32.inc


includelib kernel32.lib
includelib msvcrt.lib
includelib user32.lib


.data

tszMsg  db "Hello from Hooking Function",0
userDll  db "user32.dll",0
msgapi  db "MessageBoxA",0


.data?
oByte1 dd ?
oByte2 dd ?
userAddr dd ?
msgAddr dd ?
nOldProt dd ?

.code
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
 .if reason == DLL_PROCESS_ATTACH
 invoke LoadLibrary,addr userDll
 mov userAddr,eax
   
 ; Get MessageBoxA address from user32.dll
 invoke GetProcAddress,userAddr,addr msgapi
 mov msgAddr, eax

    ; Set permission to write at the MessageBoxA address
 invoke VirtualProtect,msgAddr,20d,PAGE_EXECUTE_READWRITE,OFFSET nOldProt

    ; Store first 8 byte from the MessageBoxA address
 mov eax,msgAddr
 mov ebx, dword ptr DS:[eax]
 mov oByte1,ebx
 mov ebx, dword ptr DS:[eax+4]
 mov oByte2,ebx

 patchlmessagebox:
  ; Write JMP MyHandler (pointer) at MessageBoxA address
  mov byte ptr DS:[eax],0E9h
  ; move MyHandler address into ecx
  mov ecx,MyHandler
  add eax,5
  sub ecx,eax
  sub eax,4
  mov dword ptr ds:[eax],ecx
 
    .elseif reason == DLL_PROCESS_DETACH
    .elseif reason == DLL_THREAD_ATTACH
    .elseif reason == DLL_THREAD_DETACH
    .endif
    ret
LibMain endp


MyHandler proc
  pusha
  xor eax,eax
  mov eax,msgAddr
 
        ; change the lpText parameter to MessageBoxA with our text
  mov dword ptr ss:[esp+028h],offset tszMsg
 
        ; Restore the bytes at MessageBoxA address
  mov ebx,oByte1
  mov dword ptr ds:[eax],ebx
  mov ebx,oByte2
  mov dword ptr ds:[eax+4],ebx
 
        ; Restore all registers
  popa
 
        ;jump to MessageBoxA address (Transfer control back to MessageBoxA)
  jmp msgAddr
MyHandler endp

end LibMain
 
     
Select standard DLL under "New Project" tab in WinAsm and paste the above code into the editor area and assemble it.Now we have our DLL that will hook MessageBoxA and change the lpText parameter to our message.
We will inject this DLL into a "Hello world" program that I shown in my previous article "Assembly Programming – A beginner's guide"  with the help of our DLL inject program.
The output is shown in the below picture:

Conclusion
Both DLL injection and Hooking are powerful techniques and popularly used by malicious software as well as legitimate software from the years.
But as the saying goes if you have nuclear power then it is entirely depends on you whether you make a nuclear missile or use that power for solving problems.
References
Three ways to inject code into another process
Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7
MSR Detour Project - Hook SDK
Impact of Session 0 Isolation on Injection
Dill injection and Hooking