You are browsing the archive for Living off the land.

ShimBad the Sailor

March 18, 2020 in Anti-Forensics, Autostart (Persistence), Code Injection, Living off the land, LOLBins

Application Shims have been extensively covered by security researchers – a very comprehensive overview of the available techniques was presented at BH2015 (PDF warning) by Sean Pierce (@secure_sean who also happens to host a page dedicated to the subject at https://sdb.tools/).

I wondered if we could look at shims from a slightly different perspective, and this post is about it.

What if…

…we didn’t change anything, didn’t add any new entries, no custom databases etc.

What if…

We analyzed the existing shims and identified some that could do some interesting things for us? We would then need to fulfill the conditions required for shim to be triggered, and voila… we could now do things via a covert channel – that is, shim engine could be doing the dirty deed and a casual observer would be none the wiser.

Demo time.

On Windows 7, AOL Instant Messenger can be loaded via aim.exe with following versioninfo properties:

  • CompanyName = America Online, Inc.
  • ProductName = AOL Instant Messenger

When system detects such program it applies a SHIM:

The shim loads a library rtvideo.dll.

I took a basic example from masm32 package and changed the properties of the file accordingly:

and then compiled, renamed to aim.exe and the phantom DLL was added to the program by the shim engine.

This is just a basic example of what is possible/available.

Some of the shims create files, rename them, modify stack, fake reading files, etc. etc. . This offers a gamut of possibilities that are worth considering from various perspectives:

  • anti-sandbox, anti-analysis tricks
  • capture the flag tricks
  • after building a repo of shim gadgets one could potentially deliver a lot of functionality by using dummy, non-malicious files ran in a proper sequence
    • copy files
    • patch bytes (<win10)
    • load DLLs
    • run executables
  • the example with aim.exe is truly fascinating as it represents a possibly novelty type of code injection: phantom sideloading
    • we sideload that DLL with a predetermined name w/o calling any obvious function inside the .exe
    • in the example I am using a custom aim.exe that is just quick & dirty piece of test code; one could potentially find that legitimate, original aim.exe and play with that
    • the latter could be potentially signed
    • and even better, could be not even directly referring to rtvideo.dll
    • as such, it could be a signed .exe phantom sideloading a DLL with a predetermined name — and in some cases becoming a potential phantom lolbin as well
  • persistence is there too to consider

Now, this might have sounded a bit rosy, but reality is that analysing shims is a bit of a pain & options they offer are still pretty limited. Yes, the number of really useful shims is pretty low, let alone these that could be meeting all the cool requirements I listed above… As such, defenders shouldn’t worry about this trick too much… Until this topic is explored a bit more 🙂

Run DLL – Walk this way

February 14, 2020 in Anti-Forensics, Living off the land, LOLBins

The role of Rundll32 is to load DLLs.

On a 32-bit OS it is a very straightforward task, but when you mix architectures interesting things happen. One of a side-effects of having more than one architecture on the same box is that Windows On Windows (WOW) layer gets involved so that we can run 32- and 64- bit code at the same time.

This makes life of rundll32 developer harder. There are two version of rundll32 on a 64-bit Windows system: one inside system32 directory, and another one – in SysWOW64. But rundll32 users don’t want to known about these versions, couldn’t care less about multiple architectures, and when they run a command they simply expect their library to be loaded, and its function called.

When 32-bit rundll32.exe is called to load a 64-bit DLL, 32-bit rundll32.exe will spawn 64-bit version of rundll32.exe and that 64-bit DLL will be loaded there.

The very same happens when a 64-bit rundll32.exe is used to load a 32-bit library.

It’s like that… and that’s the way it is.

This is a well-known stuff and you are probably wondering where I am going with it.

Today most of applications are 64-bit, so one could exploit the rundll32.exe behavior I described in various ways:

Scenario 1

Set up a persistence Run key (or use any other common startup method) to point to rundll32.exe <name of a 32-bit library>

This will keep the persistence entry clean (points to a signed 64-bit rundl32.exe, even if full path is not explicitly set in a startup entry to point to c:\windows\system32\rundll32.exe), and will ensure cascading execution of a 32-bit rundll32.exe that will load the given 32-bit DLL (possibly malicious).

Scenario 2

Same as before, set up a persistence in any way you like, just pointing it to a rundll32.exe and using a file name of an existing, clean 32-bit DLL, and then place a malicious rundll32.exe under c:\windows\SysWOW64.

This will launch the malicious 32-bit rundll32.exe.