Didier Stevens

Monday 6 December 2010

HeapLocker

Filed under: My Software,PDF,Vulnerabilities — Didier Stevens @ 0:00

HeapLocker is a new tool I’m releasing to mitigate heap spray attacks. But be patient, don’t use this version (V0.0.0.2) yet for other reasons than experimenting! I’m still testing newer versions that I’ll release soon.

HeapLocker uses 5 mitigation techniques.

1) Like EMET, HeapLocker will pre-allocate virtual memory pages to protect the addresses often used in exploits with heap sprays. HeapLocker can go one step further than EMET: it can inject its own shellcode to warn the user in case of an attack:

2) HeapLocker can also pre-allocate memory page zero, like EMET.

3) To detect heap sprays in action, HeapLocker monitors private memory usage:

4) HeapLocker can monitor the application’s memory for NOP-sleds:

5) The last technique, monitoring the application’s memory for specific strings, proved to be very successful to detect malicious PDF documents:

I will detail these techniques in upcoming posts.

Wednesday 1 December 2010

Runasil

Filed under: My Software,Windows 7,Windows Vista — Didier Stevens @ 9:56

Because I didn’t find a program to start an application with a given integrity level from “Image File Execution Options”, I wrote runasil.

The following command launches notepad.exe with a low integrity level, instructing notepad to open test.txt:

runasil.exe notepad.exe test.txt

To automatically launch notepad via runasil.exe, using “Image File Execution Options”, create this registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe and create a value debugger equal to “runasil.exe -d” (don’t forget option -d).

You can also specify the integrity level via an option:

  • -l for low
  • -m for medium
  • -h for high
  • -s for system

By default, runasil launches the application with a low integrity level.

Don’t forget you need at least Windows Vista to use integrity levels, and that a process can’t create a new process with a higher integrity level than itself.

Download:

runasil_V0_0_0_1.zip (https)

MD5: 5B8CE64715903DD7EEF4AF3B89E6E6FD

SHA256: 15841A9D9985E626C5B70B4BC3B2BF2CD68C38102B6BB1D92BA352D19F5C8A65

Friday 19 November 2010

Quickpost: Adobe Reader X

Filed under: PDF,Quickpost — Didier Stevens @ 18:03

In case you’ve not read Adobe’s announcement: Adobe Reader X is out. Use Adobe’s FTP server if you want to avoid their download manager.

Protected Mode Adobe Reader comes with a sandbox (like Internet Explorer, Microsoft Office 2010, Google Chrome) designed to prevent malware from writing to important system components.

If you’re interested in the design details of the sandbox, I recommend Kyle Randolph’s excellent series of posts.

To benefit the most of Adobe Reader’s sandbox, you need to use a Windows version that supports integrity levels (Windows Vista or later). Windows XP will not offer you this protection.

And don’t become complacent about patching your sandboxed applications. Because if there exists a vulnerability that allows one to escape from a sandboxed application, say in IE7 Adobe Reader X, then one can use this vulnerability to escape from other sandboxes, like IE7 Adobe Reader X, based on the same low integrity level design.

Quickpost info

Monday 15 November 2010

Password Auditing With a Password Filter

Filed under: My Software — Didier Stevens @ 10:47

A TechEd Europe attendee asked Marcus Murray about password auditing. He expressed his worry about the confidentiality of audited passwords. This question reminded me about an often overlooked feature of Windows: password filters.

A password filter is generally used to implement custom password policies, but can also be used for password auditing and pentesting purposes. It is a DLL loaded by the LSA (on a stand-alone machine or a domain controller) and called each time a new password is set. The DLL is designed to check the new password according to custom password policies, and reply back to the LSA if it accepts the new password or rejects it.

But you could also write a password filter that accepts all passwords, while building statistics about the new passwords or while (secretly) logging them.

I wrote a simple password filter to report on password length. By using this password filter, the passwords never leave the LSA. The main advantage of this password auditing technique is that it will not reveal actual passwords. The disadvantage is that it does not report on existing passwords, but only on new passwords (changing a password or setting an initial password). So it will take some time to report on all passwords, depending on your password expiration policy (assuming you have one).

My password filter builds a histogram of the length of all new passwords, limited to a password length of 14 characters (this is an arbitrary limit and can be changed in the code). This report is written to file C:\NewPasswordStats.txt and looks like this:

0: 1
1: 0
2: 1
3: 0
4: 0
5: 0
6: 0
7: 0
8: 4
9: 0
10: 0
11: 0
12: 0
13: 0
14: 0
>=15: 2

As you can see, my test system has one password of 0 characters long, one of 2 characters long, 4 of 8 characters long, and 2 of 15 or more characters long.

I recommend you change the ACLs of the report so that only admins can read it (or change the code to store the report in an ACLed directory). When the machine is rebooted, the statistics are reset to zero and the last report is renamed to C:\NewPasswordStats.bak. To prevent the loss of your statistics, you need to save this backup before the next reboot.

If you plan to expand my code to build more sophisticated statistics, please keep the integrity of the LSA and the confidentiality of its data in mind. If you pass the passwords around to functions in your code, be sure to erase all confidential data securely after use with SecureZeroMemory. If you plan to provide input to your password filter (for example the previous password statistics after a reboot), be sure to validate your input as to not introduce vulnerabilities in the LSA. And don’t make your statistics so specific that they can be used as a guide to quickly crack your passwords. Think about performance too: the password filters runs inside a critical process, you don’t want it to take too much time to audit/validate a password.

Here’s how to install a password filter. I tested this password filter on Windows XP SP3 and Windows 2003 (domain controller), but not on a production machine, so please use this in a test environment first should you consider using this password filter.

Download:

NewPasswordStats_V0_0_0_1.zip (https)

MD5: FAF362F49C7B3FA8CCE7AF600B6D91A8

SHA256: 3D9BBD195F55FBB8F6CE523B3E7BE95A531725570336C55911EE0F312FE95A4D

Monday 8 November 2010

EnforcePermanentDEP

Filed under: My Software,Windows 7,Windows Vista — Didier Stevens @ 0:45

Like its name reveals, EnforcePermanentDEP is a DLL to switch on permanent DEP in the loading process.

When loaded inside a process, this DLL will call SetProcessDEPPolicy with argument PROCESS_DEP_ENABLE, hereby enabling DEP permanently on the loading process. After this, DEP can’t be disabled anymore for this process.

Once DEP is set, this DLL unloads itself. There is no need for this DLL to remain loaded once it has enabled DEP. This is done via the entry point DllMain function which returns FALSE for DLL_PROCESS_ATTACH, hereby making that the DLL doesn’t remain loaded inside the process.

To load this DLL inside a process, you can add it to the import table of the target process (EnforcePermanentDEP.dll exports function Dummy), use LoadDLLViaAppInit or use your own preferred injection method.

Download:

EnforcePermanentDEP_V0_0_0_1.zip (https)

MD5: B0A89B0CE8DC5BA2472B3D744D40E4A3

SHA256: 525BA6EF82BD2B0ABD30DAD0D676CE085A9FA6E0DE3E3A8A0ADD6DF050F5A635

Sunday 31 October 2010

Quickpost: Adding Certificates to the Certificate Store

Filed under: Encryption,Quickpost — Didier Stevens @ 13:31

A couple of people asked me how to get self-signed certificates recognized by Windows.

For example, when you check the digital signature of one of my programs (like ariad.exe), you’ll see this:

The digital signature is valid, but the root certificate used in the signature is not trusted. This is because this root certificate is not installed in the repository of trusted root certificates. I’ll show you how to achieve this, but understand that by installing a new root certificate, you automatically trust all signatures and subordinate certificates issued by this root certificate authority.

The first 2 methods I’ll present add the new root certificate to your own certificate repository (i.e. the one associated with your account). This means that under other user accounts, the new root certificate will not be trusted. The third method explains how to add the new root certificate to the computer’s repository, so that it is trusted by all users.

Say you’ve a root certificate, like one created using this method. Here’s how to install it in your account’s “Trusted Root Certificate Authorities” certificate store:

And from now on, all executables signed by this root certificate authority (or it’s subordinate authorities) are trusted:

As the root certificate we used in this example is good for all purposes, and because your certificate store also integrates with Internet Explorer, SSL certificates issued by this certificate authority will also be trusted by Internet Explorer.

If you don’t have the root certificate to install, you can also get it installed from the AuthentiCode signature like this:

And from here on, you follow the same steps as in the first method;

If you want to install certificates for all users, you’ll need to follow another method. But because this other method requires a certificate file, I’ll show you how to extract a certificate file from an AuthentiCode signature:

Follow the second method to view the root certificate, but instead of installing the certificate, look at the Details tab and export the certificate:

To install a root certificate for all users, you’ll need to start the Microsoft Management Console (mmc.exe) as an administrator:

And now you can import the root certificate following the same steps as in the first method:

Tuesday 26 October 2010

Update: LoadDLLViaAppInit

Filed under: My Software,Update — Didier Stevens @ 9:04

This new version of LoadDLLViaAppInit allows you to load more than one DLL inside a process. You separate the DLL names with a semi-colon (;).

For example, to load DLLs hook-createprocess.dll and EnforcePermanentDEP.dll inside process acrord32.exe, you configure this:

acrord32.exe    hook-createprocess.dll;EnforcePermanentDEP.dll

Download:

LoadDLLViaAppInit_V0_0_0_2.zip (https)

MD5: F458DAEAB1A3E68870EE0608E2A1FFFC

SHA256: 9C8BA52A68893F33E0019CC64264C24A7EEC09C5D0DAE6F43C110ACFD45E621F

Sunday 17 October 2010

setdllcharacteristics

Filed under: My Software,Windows 7,Windows Vista — Didier Stevens @ 20:39

The PE-file format specifies flags to enable DEP and ASLR. You can set these flags with a hex-editor or a PE-file editor.

Because I need to set DEP and ASLR flags in a script, I wrote a C-program to read, set or clear these flags (together with another flag to check AuthentiCode signatures, more about this later).

It’s a standard C program, you can compile it under *nix too.

The option handling is simple, you can’t combine flags into one option string. For example, to set DEP and ASLR, you issue the following command:

setdllcharacteristics +n +d program.exe

This will not work:

setdllcharacteristics +nd program.exe

Don’t forget that by changing these flags on signed executables, the signature is not valid anymore. But that shouldn’t be a problem to run the program.

Later, I’ll post tools to force DEP (and maybe ASLR) without changing the PE file.

And I also updated the PE-file format template for the 010 editor to support these 3 flags.

Download:

setdllcharacteristics_v0_0_0_1.zip (https)

MD5: F96358BF90AA4D8C6B32968B2068BFCB

SHA256: 5A9D3815F317C7C0FF7737F271CE0C60BE2CB0F4168C5EA5AD8CEF84AD718577

Monday 11 October 2010

PDF, DEP, ASLR and Integrity Levels

Filed under: PDF,Vulnerabilities,Windows 7,Windows Vista — Didier Stevens @ 8:41

Frequently targeted document handling applications should be coded defensively and protect themselves with Windows security features like DEP, ASLR and Integrity Levels, just to name a few.

I tested a couple of PDF rendering applications: Adobe Reader, Foxit Reader and Sumatra PDF. If the application did not use DEP, ASLR or Integrity Levels, I changed some settings to make the application use these features. Setting DEP and ASLR is just setting a flag in the DllCharacteristics member of the Image Optional Header structure. You can do this with a hex editor, a PE-file editor, or a new tool (setdllcharacteristics) I’ll release soon. Using a Low Integrity Level is done by setting the appropriate ACE in the DACL of the application executable, see my post Integrity Levels and DLL Injection for details.

Adobe Reader 9 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring acrord32.exe to run with a Low Integrity Level fails, the application doesn’t run. It is said that the upcoming Adobe Reader 10 with sandboxing technology will run at a Low Integrity Level.

Sumatra PDF 1.1 uses DEP and ASLR. It does not run with a Low Integrity Level by default. Configuring SumatraPDF.exe to run with a Low Integrity Level succeeds, the application runs fine. Some preferences might get lost, but they are not important to me.

With version 4.2 of Foxit Reader released about a week ago, Foxit Software added support for DEP and ASLR. Setting Foxit Reader to use a Low Integrity Level results in a malformed opening dialog box:

Apart from this, Foxit Reader appears to work fine at Low Integrity Level, but don’t be fooled. At Low Integrity Level, Foxit Reader can’t read or set its preferences. For example, you won’t be able to disable JavaScript. Even if you disabled JavaScript with Foxit Reader running at Medium Integrity Level (the default), Foxit Reader running at Low Integrity Level will enable JavaScript. So you’re better off not using a Low Integrity Level for this version. I’ve talked to Foxit Software and they’ll fix this.

If your favorite application isn’t discussed here, you can easily check how it performs with Sysinternals’ Process Explorer. Just add columns DEP, ASLR and Integrity to Process Explorer’s main view and run your application.

Integrity Levels and DLL Injection

Monday 4 October 2010

LowerMyRights

Filed under: Malware,My Software,Vulnerabilities — Didier Stevens @ 0:30

Last year I posted about some techniques and tools to restrict the rights of applications on Windows XP when you run with admin rights. I mentioned a new tool, LowerMyRights, which I forgot to publish. So here it is.

You would use LowerMyRights.dll only if the other tools and techniques are not appropriate for your specific case. LowerMyRights is useful when you can’t create a new process with restricted rights, but when you’ve to restrict the rights of an existing process.

When this DLL is loaded inside an existing process, it will check a whitelist and a blacklist to decide if it has to restrict the process’ rights (it also checks if it’s running on Windows XP). If the application’s name if found in the blacklist and not in the whitelist, LowerMyRights will do its job.

First, it will remove all the privileges of the primary token, except the SEChangeNotifyPrivilege.

Second, it will create a restricted token (with ACLs denying Administrator and Power Users rights) and use this token for impersonation (it uses impersonation because Windows doesn’t allow modifications to the ACLs of a primary token).

This impersonation is also a weak point of LowerMyRights compared with the other tools: exploit code can switch back to the unrestricted primary token by calling RevertToSelf.

You can load LowerMyRights inside all processes by adding it to the AppInit_DLL registry key, but be careful, this might cripple your system as it is loaded inside every process (even at boot time), so please test first.
Or else you use LoadDLLViaAppInit, or add it to the import table like explained here.

The whitelist (lowermyrights.wl.txt) is just a text file with a list of applications to whitelist (i.e. not lower the rights). You must use full pathnames in the whitelist.
The blacklist (lowermyrights.bl.txt) is just a text file with a list of applications to blacklist (i.e. to lower the rights). You must not use full pathnames in the whitelist, but just the application’s name.
The idea I had with this different operation of the whitelist and blacklist, is that you would be able to whitelist specific applications while blacklisting copies/fakes of these applications.
An example with notepad will make this clear: by adding c:\windows\system32\notepad.exe to the whitelist and notepad.exe to the blacklist, you would be able to use the original notepad.exe with full rights, while copies of notepad (located at other locations) or other programs with the name notepad.exe would be restricted. With hindsight, I don’t think this dual list feature is useful, but I left it in anyways (the program is a year old, I used it for a year and I haven’t modified it).

Download:

LowerMyRights_V0_0_0_3.zip (https)

MD5: FF937173AB1CD2C7A9DF050D7ADF0696

SHA256: 9AA83F24031029F60862CAAE477B02DF0C0887BD6E9078A1E186FEF6DF873253

« Previous PageNext Page »

Blog at WordPress.com.