Abusing Native Shims for Post Exploitation
Formal Metadata
Title: Abusing Native Shims for Post Exploitation
Number of Parts: 109
Author: Sean Pierce
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers: 10.5446/36314 (DOI)
Transcript: English (auto-generated)
00:00
My name is Sean Pierce and this is Abusing Native Shims for Post Exploitation. That's what it says. Track 101. Good morning. There are more people here than I thought there would be. I'm going to assume everyone is hungover. So let's just get this
00:22
show on the road. About me. My name is Sean Pierce. I have a CISSP and a few other certs. That's my Twitter handle. If you want to email me about any of this stuff, sdb@securesean.com. GitHub and sdb.tools are sites that I can control. Or that GitHub directory. There we go.
00:41
Just as a disclaimer, I'm not a pen tester. I'm not a developer. And I'm not an iSIGHT representative. They are my employer. And then you might think, oh, why are you using their slides? It's because they look really nice. And to that point, I just want to say that I love who I work
01:04
for and there's just a bunch of great people there and really smart and they're just fantastic and I just cannot say enough good things about them and they do threat intelligence. And if you want to know more about them, that's their website. So why am I here? Well, when I was 21, my dad
01:22
took me to Las Vegas and we were sitting down at the Rio buffet and he's like, what do you want to do today? And I saw someone walk by with a Black Hat bag. I was like, no way. And so I tracked him down and I was like, oh, is this going on right now? And he's like, no, but DEF CON is. So I found it in the Riviera. I snuck in and bought a T-shirt. And I had a
01:45
great time. That's some really cool people and it really encouraged me to get into this field a lot more. And my dad passed away a few years ago and I think he'd be really proud that I was giving this talk here today with you all. And
02:01
he really is the reason why I'm here. So getting on to the talk. So a bit of history behind application compatibility. It's kind of funny and it's the reason why I think Microsoft has such a dominant place in the market because they go to so much effort to keep with application compatibility.
02:22
Like an enormous amount of effort that you cannot even really imagine. And like just as a simple case study, the original Sim City that ran on Windows 3.1 or DOS 3.1, whatever, had a free after use vulnerability. It's a free after use bug. So it would free some memory, call the free
02:44
function, say I'm done with this memory and still continue to use it. And that's terrible. But lucky for it, the old operating system didn't really use a whole lot of memory. It didn't really have a whole lot of concurrent processes running and it didn't really take it back all that much. And
03:03
then in the new operating system, Windows 95, the memory manager was way more efficient and had processes that would actually want memory all the time. So this program would crash quite frequently. And of course if you're a user and you install your old favorite game on a new operating system with a
03:21
nice new computer and it keeps crashing all the time, you're going to blame the operating system. And Microsoft really couldn't have this. And even like one of the heads of the Windows dev team, he drove down with his pickup truck to a local Egghead store, when there were still Egghead stores, and he filled up his pickup truck with every game he could buy off the shelf from the store and drove it back
03:42
to Redmond and said to his developers, everyone take at least three games and it has to work on Windows 95. It just has to. And so they would hard code things into the operating system to watch for certain crappy code that was written by random people all over the world. And they would account
04:03
for that in the operating system. Which is kind of terrible, but it was what they needed to do to maintain such application compatibility. And there are other case stories and I encourage you to read The Old New Thing. One of the Windows developers and testers, he had this blog called The Old
04:21
New Thing and he put it into a book and some of the stories are pretty funny. Like he had one where the graphics card manufacturer wrote this driver and in the driver specifications you have to implement this function that basically takes in one parameter and says, do you support this? It returns a Boolean, true or false. And this
04:41
graphics card manufacturer simply returned true for everything. Which is terrible because that's how the operating system determined if it should do something in hardware or software. And so Microsoft called them up and was just like, hey, WTF. And they were just like, we don't care. Honestly,
05:01
we don't care. And even if we did, we'd have no way of pushing out a patch and even if we wanted to do that, that card is old and we don't even support that anymore and we don't even have the source code for it anymore. Which is apparently a really common problem. And so Microsoft built their own database of what graphics card supported what and
05:22
they hooked that function and then they just did it all themselves. So Microsoft goes to great lengths to make sure that this stuff still works. And it's not just for third party bad code or, you know, just dumb programmers. It's also for OS bugs because certain programmers leaned on certain
05:42
features or lack thereof in the operating system such as this case study of a synchronous buffer commit. Basically when you call a write function and you think you're writing some data to the disk, you're actually just putting it into the buffer and the operating system will write things efficiently to the hard drive and batches or whatever else.
06:04
But if you have like a database program, that's not so good because you need to guarantee that your file, that your database is in a certain state. Now, Windows had this function where it would basically say write everything to disk. Flush the buffer. Synchronous buffer commit to
06:21
the disk. Great. So you can guarantee that it worked. And developers love this because it was really efficient. They saw that there was almost no performance impact. And then they moved to like a newer version of the operating system, Windows 95, and they noticed their database program was going really, really slow. And it turned out Microsoft never
06:41
actually implemented that function. It was a NOP. It didn't actually do anything. So when they thought they were flushing something to disk, it wasn't at all. Which is terrible. So what was Microsoft to do with these programs that are now running super slow? They'd NOP out the function again. Which is hilarious. This lying, where the
07:07
operating system pretends or lies about something, frequently happens between versions of Windows. Like Windows 7. Like that's the major version, 7. But there were so many
07:20
programs that had bugs and how it determined what version something was. They just called it Windows 6.1. Like that's the function call. That's what it returns is Windows 6.1 instead of 7. Because so many applications would run on Windows 7. So they do crazy things like that. And they also
07:43
do a lot of lying when it comes to 64-bit or 32-bit apps running on 64-bit machines. I'll have some examples here in a bit. So a while ago Microsoft tried to stop hardcoding values into the operating system. And they
08:00
started to bundle a bunch of stuff together. So there's a mode and there's a shim. So a fix is one of these little things. This is just if you right click on a program and then go to properties and go to the compatibility tab. Here you can say run as administrator or have certain
08:25
display setting like that. And that's a fix. It's a single thing that does one little thing. A mode is a bunch of fixes bundled together. So if you say compatibility mode right here, then you say I want Windows XP, SP3 or this or that
08:43
and you get a whole bunch of fixes that are already put together. And these configurations are bundled together in what they call a shim database file or an SDB file. So what actually happens when a process is being shimmed? Well some parent process will call a function like create
09:02
process or shell execute or something like that. And when it gets down to the lower level API calls, the operating system NTDLL checks the registry to see if this child process should be shimmed. And then it sets an undocumented environment variable called appcompat or underscore
09:21
underscore appcompat. I do believe maybe one underscore. And it will specify what it needs to do. And then the child process does a similar kind of checking to make sure it should be shimmed as well. So it typically works in that a
09:40
table, a data structure in memory called the import address table holds all the addresses for the operating system function calls that that program is going to use. And this is cool because most hooking, including this root compatibility framework, will use that table to hook in
10:04
whatever it wants to manipulate. So when I say shim, I'm usually talking about the code that sits in between the import address table and the rest of the Windows API. And they made some great hooking libraries and they told no one about it. Like if you try to dynamically load something like with load
10:21
library, it hooks that too. If you try to get the export address table for one of the DLLs, it will get that too. So they do this stuff pretty well. So the official uses for shims are not just for third parties, but a good use example is a Fix it patch. So if you are seeing an exploit against your
10:46
enterprise and it's a zero day and you tell Microsoft and they're like okay, okay, we'll patch it come Tuesday, Patch Tuesday in a month, and you're just like I can't wait for that, they'll give you a Fix it patch. And if you crack that open, you'll see that's actually just a shim database
11:01
file, an SDB file with certain configurations and usually that has some kind of patching information. And a lot of times it's not like a super elegant fix, but worst comes to worst, it will cause a memory leak or it will crash the process before it gets exploited. So it's a better solution than getting exploited. EMET, the
11:23
Enhanced Mitigation Experience Toolkit, uses shimming as well to get a process and either up its security by saying you must enforce ASLR, you must enforce DEP and other stuff like that. And it's really quite effective. So I
11:43
want to introduce to you the tool that Microsoft released that lets us make our own shims. And it's called the Application Compatibility Administrator. And I want to show you a cool undocumented trick. And the text like I said
12:05
is a little small. You need to be administrator to run this. Well, you need to be administrator to install the shim and I'll tell you why in a minute. So here I created
12:25
a fix. I specified putty.exe is the program that I wanted to shim. And I said here's the file on disk. I'll tell you why in a minute it wanted the file so badly. Now you'll see here
12:41
that there's a bunch of fixes that Microsoft has already made. Or I'm sorry, modes. And they provide all this internally and that's really cool of them. But they provide like 300 some odd fixes. Some of them like API tracer, API logger, read BIOS, reroute registry keys, file
13:04
paths. Fun stuff. Now if you go to where that program is and you open up a command line and then you run the Application
13:21
Compatibility Administrator from the command line with the /x option, everything will look normal and you go through the same sort of thing. I'll specify that putty should be the program, my target program. Now you'll notice that
13:44
instead of the 300 and some odd fixes we had, we now have 808. A lot of them are very special. They're very specific to a program. So you see like Adobe Acrobat 5 or Norton Antivirus or something like that. And that's fun. It's
14:02
cool to see how Microsoft was manipulating those particular processes. Now I just specified one of my favorite fixes called InjectDll. As you can imagine, it allows us to inject any arbitrary DLL, even over a UNC path, into any process we
14:21
choose. And it runs with that process's rights. So here I'm just specifying a DLL that I stored in the root directory. Now earlier I chose putty. I had to browse to putty and say I want this executable. And this is the reason why
14:41
because it went and analyzed that file and said here's a check sum, here's a bunch of stuff I can trigger off of, compile time and all that. And I can use that to trigger and execute my shim. I removed all of those and said I just wanted to trigger off the name putty.exe. I'll let this video
15:03
run. So I have to save a shim database file beforehand. I just specified the file name and I'm saving it to disk. I'm going to use a program called sdbinst, an installer for SDB files that's found on every Windows computer out there.
15:23
Installing it on the command line here. You should pay attention to this tool because we'll talk about it later. And I'll say installed successfully. And then it's
15:49
installed. So now every time I execute putty, there's my DLL.
16:07
Jesus, I've never met a more grabby speaker in my life. No, it's just I always run out of time in all my practice talks. I'm sorry. Then we'll get this over quickly. We also have Mike on stage. Mike is a new attendee. He's
16:21
representing all you new attendees. So how's he doing? Question for the crowd. What the fuck are you doing here at 10 a.m. on Sunday? You must be some kind of god or something. Anyway, there you go. First time attendee. DEF CON. Thank you for coming. Let's talk about putty now.
16:58
Also, I really like more of a conversation. So if someone has
17:02
more of a question, feel free to yell out. But I do have to roll pretty fast on this. Okay. Everyone good on that? Just made a shim and installed it with Microsoft's tool. Now this is the public version of the tool. They have a private version which shows them more information and gives them a bit
17:20
more capability on a lot of things. And I'll show you some of those things in a minute. But one of them, one of the major ones is hot patching. This public tool has no awareness of hot patching. But in shim database files you can specify that something be hot patched. And that is crazy powerful. So I said you need to be administrator and you
17:48
install a shim and that's all sdbinst did. So basically it copied my SDB file that was on the desktop and then dropped it into a Windows folder so it can't be messed with and made
18:01
two registry entries. The first one specifies that there is a program putty.exe that doesn't need to be shimmed. And then the second one right under it, InstalledSDB. This is a GUID that points to this one. And it specifies exactly the path on disk of my shim database file, the SDB file. And
18:23
I've played with this and it's funny because you can actually go in there and change that to a UNC path so you can actually have your shim database loaded over the network instead. Which is hilarious. So those are the registry keys that I was referring to. So they're under HKEY_LOCAL_MACHINE.
18:44
That's why you need admin privileges. But if you include it from a live disk and you're able to edit the registry, you don't need to be admin. And those are the default file locations it will drop the copied SDB file into. Now if you use sdbinst, the standard installer that's found
19:00
on all the Windows machines, and you install something, it will add that fix to the Add/Remove Programs. It will add that shim to the Add/Remove Programs menu. And you can just click it and say uninstall and it will pop it out. Bad guys I've seen have used this. They will use sdbinst and install it. Install their shim, do their thing and then immediately
19:21
uninstall it because they don't want it showing up here. And that's really weird to me because all it does is add those registry keys. That's all you need. So if they just added those registry keys, they wouldn't have this show up. But I've never seen a bad guy manually install something to the registry or manually install a shim. So
19:42
there's a simple YARA rule that I put up there and it keys off the magic value. So what can we do with this, more maliciously? We can do targeted persistence. Obviously if putty is run every single time, there is some stuff I can
20:01
grab from it or whatever. I'll show a demo in a second. But we already kind of had that. There is this registry key that malware has used. It's been around for a while. And if you have a program name in it and then you have the string debugger, then it will execute your debugger instead of this
20:20
program. So we have a similar type of persistence mechanism. But shims are way more powerful. We can do some API logging. We can terminate any application we want. There's a TerminateExe fix. I don't know why that's a fix. But there's just crazy things you can do with it. Since you're already in the process space, you can capture all the
20:41
credentials that are going through. You can redirect application logs. You can snoop slash redirect network traffic. You can trojanize any application like we saw with putty.exe. And cyber espionage groups have used this before. Like there was one group that was very interested in SCADA systems. So when they compromised a machine, they dropped a shim database file which would just
21:02
key off that SCADA software running. So if the software never ran, they wouldn't care and they wouldn't get a callback. But if it did run, it would grab this information and execute their malicious code and send back some config stuff. So we can also force vulnerable DLL loading. So I can specify
21:21
that an old DLL should be loaded instead of the nice new one. So I can reintroduce a 10-year-old vulnerability into a system if I ever get kicked out. I can subvert system integrity. I'm going to show an example of that. I can do what I could have done in the past, UAC bypassing, but Microsoft just patched that. I was just like, ah, just right
21:45
before my talk. So and since I'm a malware guy, I'm really into malware obfuscation. I'll let you read that for a second. So in Windows Vista, if you all will remember, there
22:03
was a UAC prompt popping up left and right all over the time because processes needed to elevate their privileges to do something. Legitimate things like direct access to the hard drive or write to the registry or even sound volume is the one that's usually targeted. And people didn't like that. So
22:22
Microsoft quietly added this little feature and didn't document it anywhere. In the manifest file, the manifest part of the binary, called autoElevate, and it would set that equal to true. And if that was correct, then that program when it launched would automatically elevate to system
22:40
level authority. Which is hilarious. They didn't think it was that big a deal because you have to be signed by Microsoft in order for this property to work. But with shims, there's a cool little fix called RedirectEXE that says, oh, you see that program running? No, run this one instead. You know, just because. And run it with the
23:01
same privileges. So the common tactic would be to install a shim and you have your malware on disk. And you say, okay, I want to run sound volume. But wait a second, RedirectEXE, run this thing instead and my malware now has the system
23:21
level privileges that sound volume did. So that's fun. And here's a little sample of the Dridex malware using it. It would run sdbinst, again, making this, you know, Add/Remove Programs entry and, you know, whatever else. And it would just use this RedirectEXE fix for its malware because it
23:43
wanted to install as hyper-religious. A number of malware families have used this. Much more recently in the past year, it's become more widely used. I think after the Microsoft fix, it won't be used as much. However, the
24:00
Microsoft patch was an optional patch and didn't install by default, just FYI, depending on your policy settings. So BlackEnergy, Gootkit, Roaming Tiger, Search Protect, I actually got infected with it when I began doing my research. It's just a potentially unwanted program. It's not that
24:20
big a deal. Uftar, update, spelled weird, Dridex and there's the big ones. So BlackEnergy, particularly the second variation, is an interesting piece of malware because it's been around for a while. Originally used for cyber crime and then picked up for use by cyber espionage and got way more
24:43
sophisticated with 64-bit plug-ins, rootkits and all this other fun stuff. And it used shimming for a UAC bypass. It was the first malware family to do so, at least that I know of. And they also did something else slightly interesting. They used another fix called DisableNXShowUI, which disables the NX bit so you can execute stuff
25:05
on the stack. So that was funny. The second espionage group to do something interesting with it was called Roaming Tiger. It was outed by ESET's Anton, I don't want to butcher his last name. This group was outed last year as well by iSIGHT, by my company. They called it Sandworm.
25:24
They attributed it to the Sandworm team. This group was outed by ESET at ZeroNights last year as well. And here we can see, well, it may not be very easy to see, but we're using John Erickson's SDB Explorer to analyze this SDB
25:44
file that they would drop. And they would basically say I don't want any of the Microsoft predefined fixes, although there are plenty. I want my own fix, which you can do. And they said their fix applies to explorer.exe. And all
26:02
you need to do to make a custom fix is to make a DLL that exports two functions and then you need a shim that says use this DLL. That's where the fix is. Pretty simple to do. So I'd like to show some examples of how a pen tester might use this stuff or how malware might use this in the future. There's anti-analysis examples I'll get to in a bit.
26:25
But I really like the idea of old to new, where you take a crappy old piece of malware with some hard coded IP address or registry key value or path name or whatever and when it runs on a system that you've compromised, you can specify, hey, change this at run time. This IP address is
26:43
actually this IP address. This registry value is this. This is actually exfiling to this location. So if an incident responder ever came across it on a computer, which eventually he probably would, and finds that this malware is running, and you can make it some simple thing, and he dumps it or he gets it off a disk and he runs it in a sandbox and he says, oh, it's
27:01
just doing something really simple. It's peeking out to this IP address. It's doing this. And the IP address has been dead. I'll search my enterprise for that IP address or domain name or whatever. I don't see it. Okay. We're good. That was hard-coded. No way to change it. Little does he know that it was changing dynamically at runtime. And incident responders, for y'all out there, should be aware that
27:23
SDB files can modify things like that at runtime. putty.exe, I showed earlier with the InjectDll fix, we can, where's my mouse? There it is. We can inject an arbitrary DLL and
27:45
there's a cool little program out there called PuttyRider by a guy named Adrian Furtuna. I'm sorry, Adrian, if I just butchered that. But it's cool in that it's a DLL that, when injected into PuTTY, will hook basically the input
28:03
and output networking and will use a connect-back to send you that information. So all you have to do, I just ran PuTTY on the left to show you that it is PuTTY. On the right, I've set up a Linux machine. I've started a netcat
28:21
listener. And here I'll go through the same sort of deal where I, you know, make a fix and apply it to PuTTY for InjectDll and I specify PuttyRider. And PuttyRider will be injected from then on, no matter where you execute PuTTY from, as long as you're executing it on this machine,
28:40
it will inject PuttyRider. It will connect back to my shell and show me everything that that user is doing, which is awesome. And you can also configure PuttyRider to execute a command upon connection. So, you know, if I were doing malicious things, I would just specify the
29:00
command of, you know, put this key into your authorized_keys file under the .ssh folder so I can now get in, or drop some connect-back thing. There I'm specifying I don't want any of those things in case PuTTY came out with a new version. Although I guess they could change those send
29:23
and receive function locations. So I'm going to fast-forward it a bit because I don't have a whole lot of time. So
29:41
there I am installing the shim from the command line, then deleting the file. Now here I'm running PuTTY, and PuttyRider was automatically injected and made a connect-back to my netcat listener on the right. And here you can see I am legitimately just using PuTTY to log in, and I can see all
30:04
the keystrokes that are coming across, including the username and password, which will happen in just like two seconds because the SSH service was being super slow. And there you have it. So I can watch everything they are doing. I can inject a command in there. Fun stuff. The
30:31
second example I'm going to show you here is where I'm going to use the CorrectFilePaths fix to redirect a path. Now over on
30:43
the right there's a network share that I've opened up. A machine called controller, slash catch is the share name. So here I'm making a shim specifying Firefox. I highly encourage all of you to check this out and look at every
31:00
single one of these fixes, documented and otherwise, because there is a lot of fun to be had with these things. So normally the CorrectFilePaths fix would fix some program that was
31:23
hard-coded to C:\Documents and Settings to C:\Users. And that was from Windows XP to Windows 7. A lot of programs apparently made that mistake. And that's terrible. But they did that. They had lots and lots of path
31:40
redirects for that kind of thing. And with that /B or -B parameter, I'm saying don't do that. Don't do anything except for what I'm specifying right here, right now. And I do that right here. I found the Firefox profile and then I give it a semicolon and give it the new path, \\controller\catch. I remove all those parameters, all
32:05
the filters that it could trigger off of. I'm going to fast-forward this a little bit. I'm saving the file and installing it. Deleting that, the original SDB file. And then I'm executing Firefox, and here over on the right it's
32:22
redirecting all of its stuff over across to my network share, which is awesome. There's the keys, key3.db, which is where Firefox stores its passwords for that user. And there was no prompting from Mozilla, from Firefox, that the profile was changed or corrupted or anything, because it
32:41
is being lied to by the operating system, which is hilarious. Another example. I mentioned subverting system integrity. That's kind of a big thing for me at least because I really prefer stealth and misdirection when it comes to war games, red teaming, all that fun stuff. And here I'm demonstrating Autoruns. Awesome, fantastic tool by Mark
33:06
Russinovich, Sysinternals, where it will show you tons and tons of places where malware will really enjoy planting some code, because that's how it can get automatically executed when either a user logs in or when the machine boots up. I
33:20
have several versions. Sorry, I'm going to rewind this a little bit. I have compiled Dexter, which is POS malware, and it's right there on the desktop, POS.exe. And I executed it and it deleted itself. And I'm showing in
33:41
this little video that I'll post on YouTube. I'll post all my stuff online eventually. And we can see with Autoruns it's detecting that registry key has something really suspicious in it. And you can even right-click and go "jump to value" and it will pull up Regedit and show the exact
34:03
registry key that it found that was so weird. So here I've made a shim, which is awesome if I don't say so myself. And here I'm redirecting the file paths, the registry keys, so that when it looks for that particular
34:22
registry key, which is a particularly common one, which is the CurrentVersion, Microsoft Windows NT, Run registry key, it redirects it to an empty registry key. So Autoruns, all these versions, will not detect my malware anymore. Furthermore, I chose some other tools in there like
34:40
Process Explorer, ProcDump, and I just added the TerminateExe fix. So as soon as someone tries to execute any of those, they'll just fail. No way around that. Well, I say that; you can easily just change the name of the process or change the name of the file and it won't be shimmed anymore. So that's hilarious. I can shim Autoruns and, even better, I've
35:06
also added a shim for Regedit. So the registry editor built into Microsoft will not detect my malware anymore. It will not see that malware key. Now, the
35:21
latest version of Autoruns does something a little different, and so my default registry redirect shim doesn't really work on it. So it will show up for the latest version but none of the prior versions. So here, let me back up just a little bit. So for here, it showed up in the
35:44
latest version, 13.4, and I said go to this registry key and it's not there in Regedit, which is hilarious. Okay. So
36:00
moving on to the malware, which is my favorite thing because I really like malware. I broke it down to three categories. Benign executables, which we saw like PuTTY, where you can use a lot of fixes to make them malicious, like InjectDll or LoadLibraryRedirect, which is an awesome fix as well. And we can also do hot patching, where we could just hot patch
36:22
in, just overwrite the OEP, the original entry point for the executable, for those of you who don't know. Or we could make our own ROP chain and use native code there to build out some malicious stuff. That's a little tedious. So the next category is, I would say,
36:41
dependently malicious software, dependently malicious executables. And there can be some kind of kill switch in your program, in your malware, that without a shim installed on the system it wouldn't be able to get around. Like, we can hot patch all the jump instructions of the program and
37:01
redirect the program flow at runtime to actually do your malicious deeds. Tons and tons of ways to do this. There is just an infinite number of ways you can make something bad, or from bad to worse. And the last category was an obfuscated executable, where it is clearly malicious but it will just fail to do anything without the shim. So an example
37:23
of the dependently malicious software would be something like this, where I have some shellcode up there that I want to execute, and I just use msfvenom to pull it out, and I'm sorry for those of you who can't see. I just got some Metasploit shellcode, and here I have some assembly that
37:44
was label: jmp label. And that produces the EB FE instruction, which is an infinite loop. It just jumps to itself over and over again. So if you execute this program, it will just stop right there. It will just jump to itself over and over and over again. No way around that. So there
38:02
is a shim here that I made with SDB Explorer that will create a patch that just NOPs out that EB FE instruction. So when this malware is running on the intended victim system, it will be malicious. It will actually call the shellcode. If not, the IR guy who dropped it in a sandbox will think that
38:24
nothing is happening. And this is how I make and install that SDB file. So I use Jon Erickson's sdb-explorer.exe /C and have that config file. And then that's the output of the program. Specify output.sdb, and then I install
38:45
it with sdbinst. You can also use Jon Erickson's SDB Explorer to install an SDB file stealthily by just adding the registry keys and not using sdbinst. So, just FYI. Here's
39:02
something more obfuscated. I have some, this is, don't try to actually mess with this code because I just shortened it to make it easier to read. I have some shellcode up there, malicious shellcode. And then right below it I have the shellcode key. I made it the same length. And then I do some
39:21
simple XOR obfuscation where, byte for byte, key to shellcode, it does an XOR and then tries to execute the result. And you might be thinking, okay, why not use a single-byte key or multi-byte key or something like that? Well, this is because I can make a shim that patches over this key with a value that I choose. So I can decrypt this
39:43
to literally anything I want. So by default I can make it benign, and then, maliciously, with the right patch I can say I want these bytes now to be some Metasploit code, or I now want these bytes to be something else. So I can do that quite easily. And I think that's quite exciting
40:02
because when you have this kind of packer-type stub in the shim, it will only be produced dynamically on the target system
40:23
if you so choose. So for those of you who just want straight-up persistence, here is the config for patching explorer.exe for Windows 7 64-bit, Windows 7 x86 and Windows 8. So sorry, I'm going to have to run through this
40:42
real fast. Current prevention for this: I don't like just releasing malicious tools, I made a number of good tools, but what can defenders do? Well, you can disable shimming through Group Policy, but that's not recommended because Windows uses this stuff internally, like, I believe, IE, when you go into compatibility mode, it's actually using a
41:00
shim. If there's a program named install.exe, it's automatically elevated through shimming. This is kind of important. If you have install.exe, it's automatically elevated in Windows. You can remove the shim engine, the thing that's actually doing the patching. That's not
41:20
recommended either because, like I said, lots of other things use it, like EMET. You can remove the SDB installer. That's a good start, unless you are applying Fix it patches to things. But you can just, bad guys can just use the manual entry method, the manual install method. And you can
41:41
always just allow no administrative access to that box. You know, but that's probably never going to happen. So the current tools out there, I've already talked about most of them: the public Application Compatibility Toolkit and the manager, and the installer, sdbinst, on every Windows computer. SDB Explorer will make shims and explore
42:02
them, show you the database values and all the cool undocumented pictures in there. Shims.exe was made by a guy, I think his name is like David Tometz or something like that. And I told him I was giving this talk and I was just, he's like, oh, that's cool, that's awesome. I was just like, hey, can I demo your tool? He's just like, yeah,
42:21
sure, go for it. I was like, yeah, can you send me like a trial version? He's like, no, you have to pay for it. I was just like, yeah, or you can just let me demo it, you know, or screenshots. He's like, no, you're going to have to pay for that. Whatever. There's a browser made by Mandiant. Since shims are checked all the time,
42:43
because processes begin execution all the time, this is a great, you know, they had to cache that information, and that's a great place for forensic value that a program was executed. So that explores some of that. But none of these programs and nothing out there helps defend against or prevent
43:01
malicious shims. So I made a number of tools and I broke them into three categories. One is for detection, where you can scan a file for, you can scan something so you can determine if it will be shimmed or not. It will just tell you, yes, this would have been shimmed, and it will tell you the thing that would have been applied to it, the
43:21
fixes that would have been applied to it. There's a shim process scanner which will scan every process in the OS. I've tried it for Windows 7 64-bit, but it seems to work. It does that through checking the DLLs loaded into the process to see if any of those are the shimming DLLs or AppHelp
43:42
DLLs. It checks the registry and it checks the PEB flags, because there are undocumented flags in the Process Environment Block structure that say whether something is being shimmed. Then I made just a really basic script to check for, to see if the DLLs are in any of the process spaces.
44:05
And Shim Guard, I originally made this for the purpose of preventing shims from being installed, but that was actually pretty hard to do because I would have to, like, mess with the permissions, and then when something tried to install to it and failed, it would notify me, and that got a little too complicated. Then I just made
44:23
a PowerShell script to alert as well. Then I made two plug-ins for the response side of things, one for Volatility and one for Autopsy. Autopsy is an open-source graphical forensic front end and it's really cool. You can load a disk image or whatever else and you can search for things
44:41
on it, and I search for SDB files, and in the future I'll, like, start doing more stuff with it, and I, like, whitelisted a bunch of hashes for known-good SDB files. And Volatility is an open-source memory, live memory framework, and I made a plug-in
45:00
for that, and it searches for SDB files. So just to wrap it up, I'd like to have these quotes from Microsoft. I give them a lot of crap, but they've done an enormous amount of work and I appreciate them a lot, but I love how the quotes say no shim is available to bypass the Windows 7 User Account Control, except for the RedirectEXE or the LoadLibraryRedirect. It says no
45:23
harmful code can be injected into the process, except for the InjectDll fix or custom fixes. You're not opening any additional security vulnerabilities. You cannot use shims to bypass security mechanisms in Windows, except for the Disable Advanced RPC Client Hardening fix or the Disable
45:41
Windows Defender fix or the Disable ASLR fix or the Disable SEH fix or the Disable NX bit fix. There's a few others out there that are pretty hilarious. I just want to note some prior work. I'm sorry for the guy that was trying to take a picture of that. I'll post it online. I promise.
46:02
Alex is a great reverse engineer. He started a blog series called Secrets of the Application Compatibility Database but didn't finish it. He stopped halfway through. It was a shame, because he never got to the really good stuff. And then I found these guys, they blogged about something a while back. I wish I had found their blog a lot sooner, but I didn't. Mark Baggett was one of the first ones I
46:23
think to talk about this in a security context at DerbyCon, and Jon Erickson talked about this last year at Black Hat Asia, particularly about the hot patching, the shim engine stuff. Special thanks to my peeps, John, Greg, Wyatt and Patrick. John for encouraging me. Greg for yelling at me.
46:42
Wyatt for helping me with the Volatility plug-in, because the documentation is terrible. And Patrick, because I made a lot of my own functions, and to prevent hooking I made a lot of my own string-handling functions, and he said it made him want to stab out his eyes. And that was good insight for me. Other resources about this stuff, I suggest checking out Raymond
47:02
Chen's blog. I just wanted to say I apologize. I am sorry. The application compatibility, I'm adding more load to this crap because I know so many people hate it and it's a pain to so many people. I don't think we have time for questions at all. Out in the hall I can. So I'll talk to
47:25
you. I'm a little hungry, so I might, like, try to get some food while people are talking to me, but there's my GitHub and there's my Twitter in case you realize I was cool, and there's my email you can email me at. That's it.