Category Archives: LOLBins

Reusigned Binaries – Living off the signed land, Part 3

Posted on by

When I wrote two first parts of this series I used the title ‘reusigned binaries’. The title is of course very cheesy because it’s a portmanteau of ‘reuse’ and ‘signed’. How predictable…

Now… while in the meantime there was a lot going on in this space f.ex. the LOLBIN/LOLBAS ‘movement’ took off culminating in many cool Twitter posts and an excellent repo of LOLBin ideas and recipes collected by @Oddvarmoe, there is always… more.

Seasoned pentesters use reusigned binaries for a long time so it’s not a new concept.

The most obvious case scenarios are:

  • use native OS programs, and scripts that are signed and make them do something they are not supposed to (–> ‘traditional’ LOLBins helping to break detection rules focusing on process trees, offering various ways of side-loading, persistence, bypassing filters, etc.)
  • use popular, legitimate (and often signed) dual purpose tools and abuse them (e.g. nmap, netcat, psexec, etc.)
  • use common, legitimate non-OS software components (that are NOT dual purpose, and are very often signed) to do something they are not supposed to (–>LOLBins/Other sections e.g. NVidia’s nvuhda6.exe, PlugX abusing lots of legitimate apps for sideloading purposes; vulnerable /unpatched/ drivers that are signed, load beautifully and can be exploited, etc.)

The last item is very interesting. I believe this is potentially a part of the arsenal (and should be a subject of some serious research) of any futuristic offensive security team.

Let me give you an example…

While looking at a large corpora of driver installers (note: not drivers in a sense of kernel mode drivers, but more like drivers for peripherals like printer, scanner, etc.) I noticed the following

  • many of them reuse the same libraries/executables across many products of the same vendor
  • some of them do like using many modules that are often split across many files/libraries (atomic operations/library)
  • there are often no security checks in place – programmers write the modules in a context of their projects w/o thinking too much about security implications (why should they…, right?)
  • code is often ‘funny’ and includes debugging/verbose flags, test code, offensive, or anti-tampering code, etc. (if you need specific examples, just google ‘Conexant Keylogger’, ‘Sony rootkit’, ‘Denuvo protection’, etc.)
  • the code is SIGNED – let me repeat that!!!

So… when I first started thinking of this I did some poking around, combing through libraries and lots of code and I quickly found a number of signed DLL libraries that can be very easily abused to intercept keystrokes (i.e. build a foundation of a proper Keylogger!). Typically, one has to create a shared memory section named in a specific way, create a window receiving messages, sometimes create an event/mutex, sometimes prepare some structure in memory, call the API named something along the lines of ‘InstallHook’  and… a keylogger is born.

You know where it is heading…

I believe that further analysis of ‘clean’ software – no matter how popular as long as signed – will result in toolkits being developed that reduce the amount of ‘own’ offensive code and leveraging existing signed binaries to deliver the ‘bad’ part of the offensive work – one that modern blue teams try to find so much. Using signed binaries to do that is a really step forward as it may potentially fool many security products that so heavily rely on signing, reputation, whitelisting, and virustotaling. There is obviously a need to develop a binder code that makes it all work, but I guess this can be achieved either via VBS, VBA, mshta, msbuilder, powershell, c# snippets, or even instrumented execution of code that can be driven using signed binaries relying on scripts (e.g. windbg script, debugging via powershell, etc.). And of course, the opportunities of using unsigned plug-ins, documented and undocumented command line switches, etc.

It’s perhaps not a very practical post – I’ve been actually thinking a lot whether I should post a PoC of a keylogger based on one of the legitimate signed DLLs I found – but in the end I decided not to enter a dubious legal area I don’t have much experience with (I don’t’ want vendors to come after me, basically); still, I hope the post provides enough food for thought to carry on with your own experiments. All you need is a lot of clean signed samples (drivers, software), and some creative research ideas…

Beyond good ol’ Run key, Part 79

Posted on by

This persistence post targets users of Total Commander (TC).

I love TC and have been using it for many years. Quite frankly… I really can’t imagine working on Windows w/o using this tool, and I really pity anyone who is using Windows Explorer either by choice or by force. The other good alternative to TC is FAR, but its far (unintended pun) less popular, and definitely not present in the corporate environment as much as TC…

Anyway…

Being so popular makes TC an obvious target and since it has such a rich functionality it’s very easy to abuse these features to stay on the system persistently.

There are many ways to do it… I doubt I can cover all of them, but let’s jot down some notes:

  • The system of plug-ins is an easy target, so I will skip its description as it’s boring (okay, you just drop a DLL into TC’s plug-in directory and ensure it’s registered to handle some filetypes, of viewer, etc.). These are officially supported plug-in types:
    • Packer Plug-ins
    • File-system Plug-ins
    • Lister Plug-ins
    • Content Plug-ins
    • (note that existing plugins can be swapped, or be a subject to side-loading issues, etc.)
  • Not many people know about it, but the TC accepts command line arguments, including:
    • /i=name.ini – a different location of wincmd.ini file; a changed .ini file may include some extras
    • /INSTALLDRIVERQ- installs ‘cglptnt’ service pointing to C:\WINDOWS\system32\DRIVERS\cglptnt.sys that is copied there by TC – this file could be swapped
  • The next one is one that I kinda like as an idea as it’s quite subtle
    • TC offers a really cool functionality that allows you to quickly ‘jump to the directory’ from the menu
    • The function is activated by the CTRL+D keyboard shortcut
    • The actual ‘jump’ is implemented via a ‘cd’ command, so every new directory added to the menu will have a Command set to ‘cd <directory’:
    • You can change this ‘cd’ command to e.g. c:\windows\system32\calc.exe
    • Next time someone attempts to change the directory to Windows, the calculator will be spawn:
    • The caveat is that the directory itself is not changed in such case – I guess malware could send that sequence of keys to TC to force the directory change or simply modify the entry back to its original content and user would be none the wiser – the command would work the second time they try; since it’s not a typical persistence (it only works when the menu is used), it could be used as a ‘backup’
  • The TC can handle some UAC kinda graciously
    • For example, if you want to enter c:\Windows\CSC directory, you will get this message box:
    • Hitting ‘As Administrator’ will engage Tcmadmin.exe program that is located in the TC program directory; swapping this program with your own will make TC launch your own program anytime it handles UAC business

There are probably many other ways… and as a side note, since TC includes a native client for (S)FTP, it can be used to download/upload stuff as well…

So, in a way, TC is an ultimate… LOLBIN.

There you have it… but want to emphasize one thing – this post is not to scaremonger  you – TC is awesome and consider purchasing it, and… keeping an eye on its config files…