Here, I propose to take it to a possible next, or at least parallel level.<\/p>\n
If you are familiar with the ROP gadgets you know that it relies on re-using pieces of code belonging to loaded libraries already present in memory. These are used to chain together code blocks that may execute code of attackers’ choice. By its sole nature ROP is a complex beast and while it can be, and is now fully automated, it most of the time relies on the fact that the final piece of code is just a regular payload that the ROP chain transfer the control to…<\/p>\n
I was wondering if it would be possible to re-use the ROP idea on a file-system level and build a library of high-level gadget-like signed executables and DLLs that could deliver the payload-like functionality, or at least its core building blocks. That would not only reduce the need to write the actual payload code – it would basically transfer the responsibility for the core functionality required by the attackers to signed libraries!<\/p>\n
If it sounds weird, or complicated, let’s think for a second about existing installers. They implement and provide functionality that every single piece of malware needs: spawn processes, read file, write files, copying, downloading, uploading, same with the Registry operations, and more.<\/p>\n
The installers have been abused by malware for a very long time, so it’s just a trivial example. I was thinking of something a little bit more refined and stealthy. Consider an example like this: a malicious document executes a macro; the macro drops a clean, signed executable produced by a well-known company – a file that not a single security solution can detect as malicious. It then instruments that signed executable to do all the dirty work. The chances are high that it would possibly bypass antivirus solutions, EDR, sandboxes and who knows, maybe even the Holy Grail – the whitelisting solutions.<\/p>\n
Now that I formulated the idea in my head it was time to do some legwork…<\/p>\n
I kicked off a number of searches within my files repository. After some poking around, eyeballing some code, a number of failed attempts I finally got lucky and hit the jackpot. To my surprise, I found a number of really interesting potentials!<\/p>\n
The first interesting reusigned binary I came across is described below.<\/p>\n
The nvuhda.exe and nvuhda6.exe are NVIDIA Uninstallers for 32- and 64-bit. When you execute them from a command line you will see the following screen:<\/p>\n
Hmm some of them look really interesting.<\/p>\n Using the ‘Help’ command we can retrieve more information about the commands:<\/p>\n <\/p>\n We can run a few tests:<\/p>\n It’s pretty much a Swiss-Army tool for doing a lot of legitimate operations on the system, but it could be certainly abused. The only issue is the UAC, because the file required Admin privileges in its manifest.<\/p>\n And… last, but not least – here’s the full list of commands:<\/p>\n Lots of research that concentrates on living off the land techniques focuses on finding legitimate OS binaries (both EXE and DLLs) that allow to: load unsigned DLLs by the signed EXE files, load code in an unexpected, unconventional way using … Continue reading ![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2017\/11\/nvuhda2.png\")
<\/a>The list of commands is shown below:<\/p>\n\n
<\/a><\/p>\n\n
nvuhda6.exe System calc.exe<\/pre>\n
\n
nvuhda6.exe Copy test.txt,test-2.txt<\/pre>\n
\n
nvuhda6.exe SetReg HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\malware=malware.exe<\/pre>\n
\n
nvuhda6.exe CreateShortcut test.lnk,\"Test\",\"c:\\windows\\system32\\calc.exe\",\"\",\"c:\\windows\\system32\"<\/pre>\n
\n
nvuhda6.exe KillApp calculator.exe<\/pre>\n
\n
nvuhda6.exe Run foo<\/pre>\n
\n
\n
\nCommand Name
\nIf <Command Name> is provided displayes syntax and description of that command otherwise displays all the avilable commands<\/li>\n
\nCommand
\nExecutes the given system command (returns immidiately)<\/li>\n
\nExact path to App + arguments
\ncall and wait untill app is done.<\/li>\n
\nName[=Value]
\nDefines the variable if not defined and Sets the its value to the given value.<\/li>\n
\nSection Name
\nruns all the commands in that section and returnd and continues executing commands after that line<\/li>\n
\nPath to an NVU File
\nExecutes all the commands in that file and returns<\/li>\n
\nPath to an NVU File
\nRun all the commands in this file and delete the file<\/li>\n
\nDirPath,Command
\nA dir will be applied to the given path and for each file found it sets variable {current file} to that file and calls the given command.<\/li>\n
\n[!]Exp1}[=%]{Exp2} then {Command}
\nExecutes command if Exp1 is the same as Exp2 for = or Exp1 has Exp2 for % if ! is added to the beging of Exp1 it will negate the result<\/li>\n
\nCommand
\nreEvaluates the given command and executes it<\/li>\n
\nFilename
\nOpens the given log files ad Logs all the commands in the given file<\/li>\n
\nN\/A
\nStops logging close the file<\/li>\n
\nmilisconds
\nWaits for a number of miliseconds passed before executing the next command<\/li>\n
\n{milisconds}, {BitmapPath}
\nShows the given bitmap for the given time number on the screen<\/li>\n
\n{Key,Value,LoopDelay,MaxLoopCount,TimeoutCommand}
\nAllows waiting for a specific registry key or value to be deleted<\/li>\n
\n{Variable} , INF name
\nLooks under the windows INF directory for additional NVIDIA display driver infs (oem*.inf). Returns TRUE if found.<\/li>\n
\n{Variable} = Local Path
\nReturns TRUE if path exists.<\/li>\n
\n{NVU File}, {Uninstall Reg key}
\nRuns the given file and deletes it. It also removes the given key from Add\/Remove Program list<\/li>\n
\nUninstall Display Reg key
\nUninstalls the given product from add remove programs. If it detects uninstall as its nvu it uses internal uninstall command otherwise calls the appropriate uninstall command.<\/li>\n
\n{Uninstall File} , {Display Name}
\nAdds Display name as the title to in Add\/Remove programs list and copies uninstall binary and script file to windows system directory<\/li>\n
\nPath to files to be deleted on reboot
\nPut the given file for delete in the next reboot. If the file exists it will ask user for the reboot when program ends.<\/li>\n
\nPath to file to be deleted
\nDeletes the given file if it exists, It also deletes a directory if it is empty. If the file is locked it will set the system to delete the file upon reboot<\/li>\n
\nPath to files to be deleted on reboot without reboot request
\nPut the given file for delete in the next reboot. If the file exists it will ask user for the reboot when program ends.<\/li>\n
\nSrcfile,DstFile
\nCopies a file from the given source to given dest<\/li>\n
\nSrcfile,DstFile
\nCopies a file from the given source to given dest only if source is a higher version.<\/li>\n
\nRegistry pattern matching string
\nDeletes regkey(s) matching the given registry key<\/li>\n
\nRegistry pattern matching string
\nOnly deletes regkey(s) matching the given registry key if they have no subkeys or values<\/li>\n
\nRegistry pattern matching string\\ame[=value]
\nFor all the matching registry paths, sets values if [=value] is present, creates subkeys otherwise<\/li>\n
\n{Variable} = {regkeypath\\name}
\nIf it finds name under regkeypath copies its value to the given variable, othewise does nothing.<\/li>\n
\nService Name
\nuninstalls the given service name<\/li>\n
\n{Enum Type} , {Hardware ID}, {Device type}
\nRemove any device matched with the given description from the system using setupdi calls.
\nEnum can be (PCI, EISA, etc), HWID usually is VEN_10DE and device type can be DISPLAY,HDC,MEDIA,NET,SYSTEM<\/li>\n
\n{Hardware ID}, {InfFullPath}
\nInstalls the given driver for any device matched with the given device ID from the system using setupdi calls.<\/li>\n
\n{Hardware ID}, {InfFullPath}
\nInstalls the given driver for any device matched using UpdateDriverForPlugAndPlayDevices for Win200 and above and InstallDriverEx for Win95 and Win98<\/li>\n
\n{Hardware ID}, {InfFullPath}
\nThis function first creates a device Installs the driver for this device using given inf. This function should work for all versions of Windows<\/li>\n
\nVariable Name = Full Path to Inf
\nSets the given variable to a string representing the inf’s GUID<\/li>\n
\n{WildCard} , {Section} , {Name} , {Value} , {[…]
\nit searches in all inf files under sysdir\\\\inf\\\\[Wildcard and OEM*.inf] and if it finds a match with given parameters it deletes it on reboot<\/li>\n
\nInffile} , {Section} , {Name} , {Value} , {[,…]
\nit searches in all inf files under sysdir\\\\inf\\\\OEM*.inf and if it finds a match with given parameters it deletes it on reboot<\/li>\n
\nGUID,{StrPattern1};{StrPattern2};….
\nPass in the GUID of the inf and the string patterns of the reg names to be deleted. It will remove all the reg names corresponding to the str pattern under the GUID 0001….. except in Properties)<\/li>\n
\nRegPathToEnumatrate} , {Command
\nEnumerates all keys matching the given regpath and when matched enumarates all names under that key then calls the given command {Current Reg name} and {Current Reg value} are set when the given command is executed<\/li>\n
\n{RegPathToEnumatrate} , {Command}
\nEnumerates all keys matching the given regpath and when matched calls the given command {Current Reg Key} is set then the given command is executed<\/li>\n
\nN\/A
\nThis is a legacy command to maintain backward compatibility.<\/li>\n
\nName=Value
\nAdds the given name to environment variables and sets its value<\/li>\n
\nWindowName
\nDisplays the GUI to uninstall whatever user chooses<\/li>\n
\nAppName
\nGiven an appname enumerates all the running app and kills its process if it is running<\/li>\n
\n{AppName}, {Message}
\nGiven an appname, sends its window a message<\/li>\n
\nLnkFile,Title,ProgFile,ProgArgs,ProgWorkingDir
\nCreates a shell link (shortcut)<\/li>\n
\n{Variable} = {path}
\nIt uses the first char of the path as drive letter and assigns the port number of that to the given variable name.<\/li>\n
\n{DeviceId},{Class},{Cmd}
\nIt enumerats all the devices present on the system if any device has {DeviceID} and is from the given {Class} then variable {Current Device} is set to that device ID and the given command gets executed.<\/li>\n
\nVariable Name = FolderCode
\nSets the given variable to the path of a special folder, identified by its CSIDL (check MSDN SHGetSpecialFolderPath Function)<\/li>\n
\nN\/A
\nReturns TRUE if RAID exists.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"