SlideShare una empresa de Scribd logo

Binary Planting Techniques and Persistence

Source Conference
Source Conference

SOURCE Barcelona 2011 - Mitja Kolsex

TecnologíaNoticias y política
1 de 36
Descargar para leer sin conexión
ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
ACROS PUBLIC Page 8 SOURCE Barcelona 2011
ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
ACROS PUBLIC Page 13 SOURCE Barcelona 2011
ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
ACROS PUBLIC Page 15 SOURCE Barcelona 2011
ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
ACROS PUBLIC Page 17 SOURCE Barcelona 2011
ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
ACROS PUBLIC Page 19 SOURCE Barcelona 2011
ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
ACROS PUBLIC Page 23 SOURCE Barcelona 2011
ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 27 SOURCE Barcelona 2011
ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
ACROS PUBLIC Page 29 SOURCE Barcelona 2011
ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
ACROS PUBLIC Page 31 SOURCE Barcelona 2011
ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity

Recomendados

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 

Recomendados

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsWardell Motley, NSA IAM\IEM
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsDamir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10ErnestoFernndezProve
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysisn|u - The Open Security Community
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and EcosystemPatrick Chanezon
 
Android..!!
Android..!!Android..!!
Android..!!Parthik Poshiya
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016Patrick Chanezon
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetSource Conference
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 

Más contenido relacionado

Similar a Binary Planting Techniques and Persistence

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsWardell Motley, NSA IAM\IEM
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsDamir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and EcosystemPatrick Chanezon
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016Patrick Chanezon
 

Similar a Binary Planting Techniques and Persistence (20)

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core Applications
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
 
Android..!!
Android..!!Android..!!
Android..!!
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016
 

Más de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsSource Conference
 

Más de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
 

Último

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 

Último (20)

Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 

Binary Planting Techniques and Persistence

  • 1. ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
  • 2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
  • 3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
  • 4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
  • 6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
  • 7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
  • 8. ACROS PUBLIC Page 8 SOURCE Barcelona 2011
  • 9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
  • 10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
  • 11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
  • 12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  • 13. ACROS PUBLIC Page 13 SOURCE Barcelona 2011
  • 14. ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
  • 15. ACROS PUBLIC Page 15 SOURCE Barcelona 2011
  • 16. ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
  • 17. ACROS PUBLIC Page 17 SOURCE Barcelona 2011
  • 18. ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
  • 19. ACROS PUBLIC Page 19 SOURCE Barcelona 2011
  • 20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
  • 21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
  • 22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
  • 23. ACROS PUBLIC Page 23 SOURCE Barcelona 2011
  • 24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
  • 25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
  • 26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 27. ACROS PUBLIC Page 27 SOURCE Barcelona 2011
  • 28. ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
  • 29. ACROS PUBLIC Page 29 SOURCE Barcelona 2011
  • 30. ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
  • 31. ACROS PUBLIC Page 31 SOURCE Barcelona 2011
  • 32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
  • 33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
  • 34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
  • 35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
  • 36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity