Ero Carrera’s latest version of pefile has extra methods to handle the checksum of the PE header. My new disitool version uses these methods to correct the checksum when the signature is changed by disitool.
Tuesday 15 April 2008
Wednesday 19 March 2008
bpmtk: Spying on IE
I was asked if it’s possible to intercept IE’s HTTPS requests. It is, it’s not difficult, and you don’t need admin rights to do it on your own processes. In other words, a malware doesn’t even need admin rights to spy on your IE process, if said malware is also running under your user account.
We need to hook the API calls to WinINet functions, like HTTPOpenRequest. We can do this by patching the Delayed Import Address Table of executables calling WinINet functions. In our case, to spy on IE, we need to patch the DIAT of urlmon.dll. One simple way to hook these API calls, is to develop a DLL that will patch the DIAT, diverting the calls to our own functions. Our functions will just call the original functions while intercepting the data.
Here is an example for HTTPOpenRequest:
HookHTTPOpenRequestA is our hook function for HTTPOpenRequest. It will just output the flags, verb and objectname parameters to the debugger, and then call the original HTTPOpenRequest function with unmodified arguments (which we saved in variable OriginalHTTPOpenRequestA). BTW, if the declaration and use of OriginalHTTPOpenRequestA looks confusing to you, read the explanation of function pointers in C.
Patching the DIAT is easy, use the PatchDIAT function that I provide with my Basic Process Manipulation Tool Kit (it’s in iat.c).
PatchDIAT needs the name of the executable we want to patch (urlmon.dll), the name of the API to patch (wininet.dll), the name of the function to patch (HttpOpenRequestA), the address of our hooking function (HookHttpOpenRequestA) and a variable to store the address of the original function (OriginalHttpOpenRequestA). PatchDIAT returns S_OK when patching was successful.
We package everything in a DLL, while hooking some other functions, like InternetReadFile (to intercept actual data), and then inject this DLL in IE with my toolkit:
I’ve stored a test file on my server: https://DidierStevens.com/files/temp/test.txt. When you browse to this test file with the patched IE, you’ll see this in Sysinternal’s DebugView:
Lines 0 to 4 indicate the patching IE was successful.
Line 5 shows IE opening a connection to didierstevens.com on port 443 (that’s 1BB in hexadecimal).
Line 6 shows the preparation of an HTTPS GET request to file /files/temp/test.txt. Flags 00C00000 indicate HTTPS and keep-alive.
Line 7 shows that the call to InternetReadFile was successful and read 25 bytes (0x19).
Line 8 shows the actual data retrieved by IE: This is just a text file.
The next lines indicate we unloaded our DLL with success (thus undoing the patch).
As you can see, we can intercept data before it is encrypted by the HTTPS connection (/files/temp/test.txt) and after it is decrypted (This is just a text file.). This works because we patch the executable before it calls API functions that handle the encryption/decryption, so we get access to the unencrypted data.
I kept my demo DLL very simple to show you the basic principles. A complete spying program would have to hook more functions and tie all the data together to present it in a user friendly way.
It’s also simple to adapt my IE spying DLL to tamper with the data. For example, it could redirect IE to another web site by changing the lpszServerName argument before it calls the original InternetConnect function.
Wednesday 12 March 2008
bpmtk: DisableAMD
Remember my DisableAMD post? In stead of patching the EXE file, you can also use my Basic Process Manipulation Tool Kit to patch the running process.
There is a small difficulty, however. The check for the DisableCMD key is done when CMD.EXE is started, so to be successful, we have to start the program and change the DisableCMD string in memory before the check is made. Sounds impossible? Not really, the CreateProcess function allows you to create a new process with its main thread in a suspended state (this means that the program is not running). This gives you the opportunity to change the string in memory before it is used.
Use the start statement to start a new process in suspended state:
start cmd.exe
Change the string in memory:
search-and-write module:. unicode:DisableCMD unicode:DisableAMD
The main thread will be resumed after the last statement was executed (search-and-write in our example):
The cmd.exe window in the background was launched from the start menu (showing you that cmd.exe is disabled), while the cmd.exe window in the foreground was launched with the bpmtk (showing you the bypass of the GPO).
And did you notice that this screenshot is taken on a Windows 2008 server?
Next time, I’ll show some tricks to use the bpmtk in a restricted environment, like a Terminal Server.
Thursday 6 March 2008
bpmtk: Replacing Gpdisable
Gpdisable is a tool to bypass group policy as a limited user, posted by Marc Russinovich on his blog when he was still the owner of Sysinternals. But now that Sysinternals is owned by Microsoft, the tool is not available anymore.
My Basic Process Manipulation Tool Kit can replace Gpdisable, I’ll show how and give you one more trick.
LikeMarc did, you can inject a DLL that will patch the IAT to subvert NtQueryValueKey, but I’ll leave this technique for an upcoming post.
My example doesn’t require you to program a DLL to inject: since we want to hide the TransparentEnabled registry key, we will just rename the key in the process memory of the programs that impose Software Restriction Policies on us (like explorer.exe). Here is the bpmtk config file to achieve this goal:
dll-name advapi32.dll #rename TransparentEnabled to AransparentEnabled search-and-write module:. unicode:TransparentEnabled ascii:A
This will patch each process you’ve rights to and who has loaded advapi32.dll (this DLL enforces SRP).
But as Mark writes in his blog, this will not work for running processes because they have already cached the value of TransparentEnabled and are thus not querying the registry anymore. This is why many people reported that Gpdisable didn’t work for them. Gpupdate /force will force a refresh of the policies, and invalidate the cache.
But if you’re in a restricted environment, there’s a chance you’re prevented from doing a gpupdate. Here’s another way: set the variable _g_bInitializedFirstTime to 0, this will also invalidate the cache. For advapi32.dll version 5.1.2600.2180, this variable is at address 77E463C8. Our script becomes:
dll-name advapi32.dll #rename TransparentEnabled to AransparentEnabled search-and-write module:. unicode:TransparentEnabled ascii:A write version:5.1.2600.2180 hex:77E463C8 hex:00
Thursday 28 February 2008
Introducing the Basic Process Manipulation Tool Kit
For about a month or two now, I’ve been working on a toolkit to manipulate processes (running programs) on Windows. I’ve been using it mainly to research security mechanisms implemented in user processes, like Microsoft .NET Code Access Security.
Here are some of the design goals of the toolkit:
- the toolkit must support limited accounts (accounts that are not local administrators) as much as possible
- flexibility: provide a set of commands that can be assembled in a configuration file to execute a given task
- the toolkit must be able to operate as a single EXE, without requiring the installation of supporting environments like Python
- it must be a command-line tool
The toolkit has commands to search and replace data inside the memory of processes, dump memory or strings, inject DLLs, patch import address tables, … I’ll be posting examples in the coming weeks, illustrating how these commands can be used.
I’m releasing a beta version of the toolkit now, you can download it here.
This is an example of a configuration file (disable-cas.txt) to disable CAS for a given program (exactly like CASToggle does):
process-name CASToggleDemoTargetApp.exe write version:2.0.50727.42 hex:7A3822B0 hex:01000000 write version:2.0.50727.832 hex:7A38716C hex:01000000 write version:2.0.50727.1433 hex:7A3AD438 hex:01000000
It looks for processes with the name CASToggleDemoTargetApp.exe, and will then write to the memory of these processes to set a variable to 1 (hex:01000000). The address to write to depends upon the version of the DLL containing the variable. If the DLL has version 2.0.50727.42, we will write to address 7A3822B0. For version 2.0.50727.832, we will write to 7A38716C, … So in this configuration file, at most one write command will be successful and write to memory.
Launch the toolkit with the configuration file like this:
bpmtk disable-cas.txt
You can also use the toolkit to audit programs, for example to check if they protect secrets correctly. Let’s investigate how Firefox keeps passwords (I tested this with Firefox 2.0.0.12 English on Windows XP SP2):
I created a new Firefox profile, defined a master password and stored two passwords: one for Google (BigSecretGoogle) and one for WordPress (BigSecretWordpress).
This is the config file:
process-name firefox.exe strings address:on memory:writable regex:BigSecret
This config file will search inside the memory (only the writable virtual memory) of Firefox for strings containing the string BigSecret, and dump them to the screen, together with the address where they were found.
Let’s start Firefox and search inside the memory (bpmtk demo-firefox-passwords.txt):
No BigSecrets here. Now let’s navigate to Google mail. We are prompted for the master password, so that Firefox can complete our credentials on the login screen:
Let’s take another peek inside the memory of the Firefox process:
It should be no surprise that we find our Google password in memory (at 2 different addresses, the U indicates that we found a Unicode string).
Now let’s go to Firefox’s options and display the passwords:
The password manager displays the stored URLs and the usernames, but not the passwords. Let’s take another peek inside the memory of the Firefox process:
This time, Firefox has also decrypted our WordPress password (BigSecretWordpress), although it’s not displayed. It’s only displayed if we provide the master password a second time:
So although Firefox prompts you a second time for the master password to display all the passwords, the passwords have already been decrypted in memory before you provided the master password a second time.
Now I don’t have issues with this behavior of the password manager of Firefox, I don’t think it’s a security issue (I’ve an idea why it was programmed like this). But if Firefox was a perfect program, all passwords would only be decrypted when a user explicitly asks to display all passwords.
Do you make online payments with your credit card? Now that I’ve showed you how you can look for specific strings inside a running program with my toolkit, you should know how to use it to check how long your browser keeps your credit card number inside its memory. And can you find out how to use bpmtk to erase that number from your browser’s memory?
Let me finish with an appetizer: I’ve also developed a DLL that, once injected inside a process, will instantiate a scripting engine inside said process, and start executing a script inside the process. This allows you to inject a script inside a process, which can be handy for rapid prototyping or when you’re operating in a limited environment where you don’t have a C compiler to develop a custom DLL to inject. Of course, a script is not as powerful as a compiled C program, but I’m adding some objects to provide some missing functionality.
This script injector will be released with an upcoming version of the bpmtk.
Monday 28 January 2008
Update: A Windows Live CD plugin for my UserAssist utility
I noticed that I forget to update the Windows Live CD plugin for UserAssist.
From now on, I’ll update it each time I release a new version of my UserAssist utility.
You can download the plugin for the latest version here (https).
Wednesday 16 January 2008
XORSearch V1.3.0
Maarten Van Horenbeecks’s post gave me the idea for a new feature for my XORSearch tool: searching for a list of strings. This is achieved with the -f option, like this:
XORSearch -f urls malware.exe
urls is a text file containing a list of URLs to search for.
You’ll still have to use a script if you want to search in more than one file.
And there is something new about the XORSearch.exe in the ZIP file. First one to post a comment with the correct answer gets an honorable mention 😉
Tuesday 8 January 2008
Quickpost: Windows Server 2008 UserAssist Keys
My first post for 2008 has to be about Windows Server 2008.
It looks like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista, my UserAssist tool can also extract the data from Windows Server 2008:
Like Vista, the Windows Server 2008 browserui.dll file (version 6.0.6001.17051) contains only 5 UEME strings:
UEME_RUNPATH
UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_RUNPIDL
UEME_RUN
Monday 3 December 2007
Looking for N800 Beta Testers, No Voyeurs Please ;-)
I’ve developed a new application for my N800, psurveil (Photo Surveillance). It automatically takes pictures with the N800’s build-in camera at regular intervals and stores them as jpeg files.
You can find the installation package here (unzip and copy the deb package to your N800) and the source code here. And be careful, it’s beta. On my N800, it takes about 30 seconds to start, and it doesn’t run as root.
So if you’ve got a baby and are looking for an excuse to get an N800, this turns your N800 in a baby monitor, kinda.
From the source code:
psurveil (Photo Surveillance) is a program for the Nokia N800.
It automatically takes pictures with the N800’s build-in camera at regular intervals
and stores them as jpeg files.
usage:
– Pop out the camera, and close all programs using the camera.
– Start psurveil. On my N800, it takes very long to start, sometimes a half minute.
– Use the menu to review the settings.
– Interval is the number of minutes between pictures.
– Repeats is the number of pictures to take, minus 1.
– Folder is the directory to store the pictures. The directory must exist.
Settings are stored with GConf, and there is no input validation.
– Click on the “Start surveillance” buttons to start the surveillance. A first picture
is immediately saved, and another picture every Interval minutes, and this Repeats times.
The filename of the jpeg is composed with the date & time when the picture was taken.
There is no monitoring of free diskspace.
Example:
The settings for this example are:
– Interval=1
– Repeats=3
– folder=/home/user/MyDocs/.images
These settings will take 4 pictures over a period of 4 minutes, starting when the button is clicked.
Pictures are stored in the Images folder:
20071127-194647.jpeg
20071127-194747.jpeg
20071127-194847.jpeg
20071127-194947.jpeg
I developed this program by merging the example_camera.c and example_alarm.c Maemo example programs.
There are some quirks in the real-time video display, they originate from the example_camera.c program.
If you know how to fix this, let me know.
I’m not an experienced Maemo developer (neither GTK developer), this is my first program for the N800,
so use this program at your own risk, and respect the privacy of others.
I put my code for this program in the Public Domain. For the code copy-pasted from the examples,
read the copyright below.
Todo (no guarantee that these ever get done):
– Input validation
– Folder creation
– Toggle to flip the picture
–
History:
22/11/2007 example_camera and example_alarm merged
23/11/2007 jpeg filename is current date & time
25/11/2007 0.1.3 added menu & menu functions
26/11/2007 coded settings dialog
27/11/2007 0.2.0 code review
28/11/2007 0.2.1 input validation for numbers in settings dialog
Monday 26 November 2007
Update: UserAssist V2.4.2
Just a small change in this new version: now you can disable the automatic loading of the local registry data when the UserAssist tool is launched. Use the “Load at Startup” menu command.
The setting is saved in Isolated Storage, in a file called UserAssist.config.
Didier Stevens 