Tuesday 9 October 2012
Friday 27 July 2012
Congratulations to the winners of the BlueHat Prize contest.
My entry was CounterHeapSpray:
CounterHeapSpray monitors the private memory usage of an application to guard against heap sprays. When the private memory usage of the application exceeds a predefined threshold, CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages and populate these pages with its own shellcode. When the heap spray terminates and the exploit executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will suspend all threads and display a warning message for the user. When the user clicks OK, CounterHeapSpray’s shellcode terminates the application.
By planting its own shellcode before the heap spray can fill the heap with malicious shellcode, CounterHeapSpray not only prevents execution of this malicious shellcode but is able to suspend the process and to inform the user of the attack.
Monday 14 May 2012
I wrote shellcode that calls ExitProcess for my TaskManager.xls spreadsheet.
Now I’ve added the asm files (sc-ep.asm for 32-bit and sc-64-ep.asm for 64-bit) for this shellcode to my library.
Remark that the 32-bit version assembler code, that was generated with my simple shellcode generator, has a ret instruction after the call to ExitProcess. This instruction will never be executed, as a call to ExitProcess does not return.
You can find this shellcode on my shellcode page.
Tuesday 1 May 2012
My TaskManager spreadsheet provides you with a couple of commands to terminate (malicious) programs. But sometimes these commands can’t terminate a process (for various reasons).
Today I’m adding a new command to our toolkit: injecting and executing shellcode in the target process. I’m providing 32-bit and 64-bit shellcode that calls ExitProcess. When this shellcode is injected and executed inside a process, the process will terminate itself.
Here I’m using the command “e ep64″: this command injects and executes the shellcode found in sheet ep64 (as hex strings) in process notepad:
The result is that notepad will terminate itself.
When using TaskManager on a 64-bit system, you’ll have to pay attention to the following: to terminate a 32-bit process, you inject 32-bit shellcode (ep32) and for a 64-bit process, you use 64-bit shellcode (ep64). And a 32-bit process can’t access a 64-bit process’ memory through the Windows API, so if you are using 32-bit Excel on a 64-bit machine, you won’t be able to inject shellcode into 64-bit processes.
FYI: If you want to know more about 32-bit and 64-bit processes on x64 Windows, I’ll bedoing a workshop at Brucon this year: “Windows x64: The Essentials”.
Friday 17 February 2012
The latest (IN)SECURE Magazine issue includes my article on White Hat Shellcode.
Thursday 2 February 2012
Last year I found great x64 shellcode for Windows on McDermott’s site. Not only is it dynamic (lookup API addresses), but it even handles forwarded functions.
And I modularized it so you can use it like my 32-bit shellcode.
Here’s the classic MessageBox example:
; x64 shellcode to display a "Hello from injected shell code!" MessageBox, then return to caller ; Written for NASM assembler (http://www.nasm.us) by Didier Stevens ; Source code put in public domain by Didier Stevens, no Copyright ; https://DidierStevens.com ; Use at your own risk ; ; History: ; 2011/12/27: Refactored functions to include file sc-x64-api-functions.asm %include "sc-x64-macros.asm" INDEX_KERNEL32_LOADLIBRARYA equ 0 * POINTERSIZE + STACKSPACE INDEX_MESSAGEBOXA equ 1 * POINTERSIZE + STACKSPACE APIFUNCTIONCOUNT equ 2 segment .text ; Setup environment sub rsp, STACKSPACE + ROUND_EVEN(APIFUNCTIONCOUNT) * POINTERSIZE ;reserve stack space for called functions and for API addresses LOOKUP_API KERNEL32DLL, KERNEL32_LOADLIBRARYA, INDEX_KERNEL32_LOADLIBRARYA lea rcx, [rel USER32DLL] call [rsp + INDEX_KERNEL32_LOADLIBRARYA] LOOKUP_API USER32DLL, USER32_MESSAGEBOXA, INDEX_MESSAGEBOXA, INDEX_KERNEL32_LOADLIBRARYA ; Display MessageBox xor r9, r9 lea r8, [rel TITLE] lea rdx, [rel HELLO] xor rcx, rcx call [rsp + INDEX_MESSAGEBOXA] add rsp, STACKSPACE + ROUND_EVEN(APIFUNCTIONCOUNT) * POINTERSIZE ret %include "sc-x64-api-functions.asm" KERNEL32DLL db "KERNEL32.DLL", 0 KERNEL32_LOADLIBRARYA db "LoadLibraryA", 0 USER32DLL db "USER32.DLL", 0 USER32_MESSAGEBOXA db "MessageBoxA", 0 HELLO db "Hello from injected shell code!", 0 TITLE db "Message", 0
Here’s what I changed exactly from the original MASM code:
1) non-volatile registers are preserved (by storing them on the stack)
2) building the DLL name for forwarded functions is done with a variable on the stack frame of lookup_api, and not of the caller
3) the address of LoadLibraryA is passed via r9, and no longer r15
4) lookup_api not only returns the function address in rax, but also stores it in memory at an address provided in r8
5) fixed the error handling bug (stack restoration)
6) added some EQUs to make it easier to use this code as a “library” (include)
You can get the code from my shellcode page. Look for filenames starting with sc-x64 in the zip file.
Tuesday 8 November 2011
Here’s a video of an exercise in my White Hat Shellcode Workshop I gave at Brucon in September.
Tuesday 4 May 2010
I wrote an article in Hakin9 magazine how to write shellcode with a C-compiler.
People before me have worked out methods to do this; the advantage of my method is that you can debug your shellcode inside the Visual Studio IDE.
The template can be found here.
Tuesday 13 April 2010
As it is easy to instantiate the CLR in a process and load an assembly from C-code, I developed shellcode to load a .NET assembly in the injected process.
This allows you to leverage the extended Framework Class Library in your penetration tests.