UAC Turn Off Method: WinNT Simda

  • ISecurityEditor WinNT/Simda method, used to turn off UAC, works from Windows 7 up to Windows 10th1 100136

1. ucmMasqueradedAlterObjectSecurityCOM
* Purpose:
* Change object security through ISecurityEditor(SetNamedInfo).

2. ucmSimdaTurnOffUac* Purpose:
* Disable UAC using AutoElevated undocumented ISecurityEditor interface.
* Used by WinNT/Simda starting from 2010 year.


Software Exploitation in Windows Environment: Part 1

Part 1

  • ​Fuzzing and crash dump analysis
  • From crash dump to working exploit lab in WinDBG

Here  is  a  very  basic  program  to  help  us  explore  our  exploit  environment.  The
basic_vuln  program  reads  in  a  binary  file  and  displays  the  first  64  hexadecimal
bytes  from  that  file.  The  program  prints  various  meta  data  such  as  the  location  of
variables  and  functions  in  the  process  address  space.  This  meta  information  will
help  simplify  the  exploitation  process  as  we  are  learning.  

There  is  an  obvious  overflow  in  line  27  where  the  fread  call  reads  128  bytes  into  a  64  byte
Buffer.  This  leads  to  a  traditonal  stack  overflow,  among  other  possibilites. 

In  this  case  we  create  a  file  of  128  bytes  of  0xdeadbeef.  This  will  overflow  the  64  byte
buffer  in  the  hexdump_file  function,  smashing  the  stack,  and  generating  a  crash dump.


First*we*set*a*break*point*before*the*fread*call*in*hexdump_file*that*will*ul)mately*corrupt* the*stack,*so*we*can*check*out*the*stack*before*its*destroyed.*In*this*case*I*switch*to*source* mode,*open*up*the*disassembly*window,*put*my*cursor*on*the*push*ecx*before*the*call*to* fread,*then*tell*windbg*to*run*to*cursor.*Once*the*break*point*before*fread*is*hit,*I*can* inspect*the*saved*frame*pointer*and*saved*return*address*on*the*stack*with*ddebp*L2.* Everything*looks*sane*at*this*point*since*the*stack*hasn’t*been*smashed.*

IDC Script: Coloring Unusual Instructions: Anti-Analysis

#include static main() {
auto start, end, addr, mnem, count, opnd, opnd1, opnd2; 

start = SegStart( ScreenEA() ); 
nd = SegEnd( ScreenEA() ); 
addr = start; count = 0; 
while( addr < end ) { 
mnem = GetMnem( addr ); 

// Common VM detect instructions if( mnem == “sidt” || mnem == “sgdt” || mnem == “sldt” || mnem == “smsw” || mnem == “str” ) { Message( “%08x: Found %s\n”, addr, mnem );
SetColor( addr, CIC_ITEM, 0x0088ff ); // orange 

// Read Time Stamp Counter if( mnem == “rdtsc” ) { 
Message( “%08x: Found %s\n”, addr, mnem ); 
SetColor( addr, CIC_ITEM, 0xff8800 ); // blue 

// Exception Handling or other PEB/TEB access opnd = “”; 
opnd1 = GetOpnd( addr, 0 ); 
opnd2 = GetOpnd( addr, 1 ); 
if( strstr( opnd1, “fs:” ) > -1 ) { 
opnd = opnd1; 

else { 
if( strstr( opnd2, “fs:” ) > -1 ) opnd = opnd2; 
if( opnd != “” ) { 
Message( “%08x: Found %s\n”, addr, opnd ); 
SetColor( addr, CIC_ITEM, 0xff8888 ); // purple 

addr = NextHead( addr, BADADDR ); 
count = count + 1; 
Message( “Processed %d instructions from %08x to %08x\n”, count, start, end ); 

Generic Reverse Engineering Algorithm

​Source: OpenSecurityTraining

  1. Gather information
    • IAT (Import Address Table)
    • Strings
    • Dynamic analysis
  2. Identify function of interest
  3. Identify CALLs
  4. Identify algorithms and data structures
  5. Pseudo-code it!
    • If having trouble, draw the memory and CPU and map what happens at each instruction
  6. Rename function(s), argument(s), variable(s)
  7. Add comments
  8. GOTO 2

Manual Malware Unpacking

Unpacker Tail Transitions

  • often (not always) found at the end of unpacking code
  • Usually comes in one of the following forms:
  • jump immediate (jmp 0401234)
  • Jumps generally take 1 byte operand, while transitions from unpackers to application code require a larger operand (e.g. 4 bytes)
  • push / ret
  • A push followed by a return is fishy as the pushed value becomes the return address
  • The unpacker may have a constant or set a register that it jumps to
  • pusha / popa
  • Not a transition technique, but usually used for restoring registers to entry-point state
  • Hardware Breakpoint on one of the saved registers may halt debugger just before transition to OEP
  • View ESP in dump, select one of the 4 byte aligned values, and set bp (f2)

When a tail jump is unidentifiable, attempt to locate OEP by a section hop

  • Generally code resides in single section of the PE file.
  • Hops between sections are unusual and occur often in the transition from unpacker stubs to application code
  • OllyDump automates the search for such a hop and attempts to break when found

Beware of self-modifying code

  • How Software Breakpoints work
  • Debugger stores a copy of the byte at the breakpoint address
  • This byte is replaced with 0xCC
  • When the address is reached, the debugger swaps in the original byte
  • How self-modifying code works
  • A byte or block is read from memory
  • Optional transformations are applied
  • The byte is written (original location or elsewhere)
  • Self-modify reads may read wrong (0xCC) byte
  • Self-modify writes may overwrite breakpoints
  • Use Hardware breakpoints when possible (4 in 32-bit)

Breaking on common events

  • Debuggers often allow breaking on Library Load/Unload
  • Packers often end with a series of LoadLibrary / GetProcAddress calls
  • Could set a breakpoint on common start-up functions
  • GetCommandLineA, GetVersion
  • Catch is they have to be loaded and available for breakpoints

Extracting Malicious Shellcode From PDF

Source: OpenSecurityTraining

  1. PDFStreamDumper
  2. Load -> Pdf File
  3. View objects list in left-side box
    • Tools -> About Listview Colors
  4. choose object of interest (click on it to select)
    • to export as-is: Right-click object number in left-side box -> Save Raw Stream
    • to deal with JavaScript…
      1. click on object in left-side box, to select it
      2. click Javascrip_UI (in the menubar)
      3. modify JavaScript so that you remove the exploit line(s) and just have a variable that contains the shellcode
      4. add to the end of the JavaScript box (replacing VAR_NAME): tb.writeFile(“C:\\shellcode.bin”,VAR_NAME)
      5. click the Run button

Debugging C Code in Microsoft Visual Studio 2015

Source: Intro to Intel  x86, OpenSecurityTraining
1 – Fix C++/ Linker Setup Properties
* Program Database (/Zi)
* Disable Security Check
* __cdecl (/Gd) or __stdcall (/Gz)
* Linker/Enable Incremental Linking (No)
2 – Breakpoint on Main -> Go to Disassembly
3 – Windows/Memory -> Address on ESP (hexadecimal display and 4-byte integers)
4 – Windows/Registers