Defeating UAC Using Sysprep and Tilon/Pitou

  • 1 – Leo Davidson sysprep method, this will work only on Windows 7 and Windows 8, used in multiple malware;
  • 2 – Tweaked Leo Davidson sysprep method, this will work only on Windows 8.1.9600;
  • 3 – Leo Davidson method tweaked by WinNT/Pitou developers, works from Windows 7 up to 10th2 10532;


* Leo Davidson AutoElevation method with derivatives.
*
* UacMethodSysprep1   – Original Leo Davidson concept.
* UacMethodSysprep2   – Windows 8.1 adapted UacMethodSysprep1 (bypassing sysprep embedded manifest dlls redirection).
* UacMethodTilon      – Leo Davidson concept with different target dll, used by Win32/Tilon.
* UacMethodSysprep3   – Windows 10 TH1 adapted UacMethodSysprep1.
* UacMethodOobe       – WinNT/Pitou derivative from Leo Davidson concept

Typical malware UAC bypass:

  1. Creates a DLL in %temp%;
  2. Inserts code into the running explorer.exe, and explorer.exe moves dll from %temp% to C:\Windows\System32\sysprep\cryptbase.dll;
  3. C:\Windows\System32\sysprep\sysprep.exe is executed and sysprep.exe loads ;C:\Windows\System32\sysprep\cryptbase.dll with administrative privileges; and,
  4. C:\Windows\System32\sysprep\cryptbase.dll executes malware with administrative privileges
Picture

1.
/* ucmMasqueradedRenameElementCOM
*
* Purpose:
*
* Rename file/directory autoelevated.
*/
2.
/*
* ucmMasqueradedCreateSubDirectoryCOM
*
* Purpose:
*
* Create directory autoelevated.
*
*/
3.
/*
* ucmMasqueradedMoveFileCOM
*
* Purpose:
*
* Move file autoelevated.
*
*/
4.
/*
* ucmStandardAutoElevation2
*
* Purpose:
*
* Bypass UAC by abusing appinfo g_lpAutoApproveEXEList
*
* UAC contain whitelist of trusted fusion processes with only names and no other special restrictions
* Most of them are unknown, and list does not properly handled by system itself, use this fact.
*
*/
5. /* ucmStandardAutoElevation */

switch (Method) {

    case UacMethodSysprep1:

        //%temp%\cryptbase.dll
        _strcat(szSourceDll, CRYPTBASE_DLL);

        //%systemroot%\system32\sysprep      
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe    
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep2:

        //%temp\\shcore.dll
        _strcat(szSourceDll, SHCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodSysprep3:

        //%temp%\dbgcore.dll
        _strcat(szSourceDll, DBGCORE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

    case UacMethodOobe:

        //%temp%\wdscore.dll
        _strcat(szSourceDll, WDSCORE_DLL);

        //%systemroot%\system32\oobe\”
        _strcat(szTargetDir, L”oobe\\”);

        //%systemroot%\system32\oobe\setupsqm.exe
        _strcat(szTargetProcess, SETUPSQM_EXE);

        break;

    case UacMethodTilon:

        //%temp%\ActionQueue.dll
        _strcat(szSourceDll, ACTIONQUEUE_DLL);

        //%systemroot%\system32\sysprep
        _strcat(szTargetDir, SYSPREP_DIR);

        //%systemroot%\system32\sysprep\sysprep.exe
        _strcat(szTargetProcess, SYSPREP_DIR);
        _strcat(szTargetProcess, SYSPREP_EXE);

        break;

Picture


IDC Script: Coloring Unusual Instructions: Anti-Analysis

#include static main() {
auto start, end, addr, mnem, count, opnd, opnd1, opnd2; 

start = SegStart( ScreenEA() ); 
nd = SegEnd( ScreenEA() ); 
addr = start; count = 0; 
while( addr < end ) { 
mnem = GetMnem( addr ); 

// Common VM detect instructions if( mnem == “sidt” || mnem == “sgdt” || mnem == “sldt” || mnem == “smsw” || mnem == “str” ) { Message( “%08x: Found %s\n”, addr, mnem );
SetColor( addr, CIC_ITEM, 0x0088ff ); // orange 

// Read Time Stamp Counter if( mnem == “rdtsc” ) { 
Message( “%08x: Found %s\n”, addr, mnem ); 
SetColor( addr, CIC_ITEM, 0xff8800 ); // blue 

// Exception Handling or other PEB/TEB access opnd = “”; 
opnd1 = GetOpnd( addr, 0 ); 
opnd2 = GetOpnd( addr, 1 ); 
if( strstr( opnd1, “fs:” ) > -1 ) { 
opnd = opnd1; 

else { 
if( strstr( opnd2, “fs:” ) > -1 ) opnd = opnd2; 
}
if( opnd != “” ) { 
Message( “%08x: Found %s\n”, addr, opnd ); 
SetColor( addr, CIC_ITEM, 0xff8888 ); // purple 

addr = NextHead( addr, BADADDR ); 
count = count + 1; 
}
Message( “Processed %d instructions from %08x to %08x\n”, count, start, end ); 
}

Generic Reverse Engineering Algorithm

​Source: OpenSecurityTraining

  1. Gather information
    • IAT (Import Address Table)
    • Strings
    • Dynamic analysis
  2. Identify function of interest
  3. Identify CALLs
  4. Identify algorithms and data structures
  5. Pseudo-code it!
    • If having trouble, draw the memory and CPU and map what happens at each instruction
  6. Rename function(s), argument(s), variable(s)
  7. Add comments
  8. GOTO 2

Manual Malware Unpacking

Unpacker Tail Transitions

  • often (not always) found at the end of unpacking code
  • Usually comes in one of the following forms:
  • jump immediate (jmp 0401234)
  • Jumps generally take 1 byte operand, while transitions from unpackers to application code require a larger operand (e.g. 4 bytes)
  • push / ret
  • A push followed by a return is fishy as the pushed value becomes the return address
  • The unpacker may have a constant or set a register that it jumps to
  • pusha / popa
  • Not a transition technique, but usually used for restoring registers to entry-point state
  • Hardware Breakpoint on one of the saved registers may halt debugger just before transition to OEP
  • View ESP in dump, select one of the 4 byte aligned values, and set bp (f2)


When a tail jump is unidentifiable, attempt to locate OEP by a section hop

  • Generally code resides in single section of the PE file.
  • Hops between sections are unusual and occur often in the transition from unpacker stubs to application code
  • OllyDump automates the search for such a hop and attempts to break when found


Beware of self-modifying code

  • How Software Breakpoints work
  • Debugger stores a copy of the byte at the breakpoint address
  • This byte is replaced with 0xCC
  • When the address is reached, the debugger swaps in the original byte
  • How self-modifying code works
  • A byte or block is read from memory
  • Optional transformations are applied
  • The byte is written (original location or elsewhere)
  • Self-modify reads may read wrong (0xCC) byte
  • Self-modify writes may overwrite breakpoints
  • Use Hardware breakpoints when possible (4 in 32-bit)


Breaking on common events

  • Debuggers often allow breaking on Library Load/Unload
  • Packers often end with a series of LoadLibrary / GetProcAddress calls
  • Could set a breakpoint on common start-up functions
  • GetCommandLineA, GetVersion
  • Catch is they have to be loaded and available for breakpoints

Extracting Malicious Shellcode From PDF

Source: OpenSecurityTraining

  1. PDFStreamDumper
  2. Load -> Pdf File
  3. View objects list in left-side box
    • Tools -> About Listview Colors
  4. choose object of interest (click on it to select)
    • to export as-is: Right-click object number in left-side box -> Save Raw Stream
    • to deal with JavaScript…
      1. click on object in left-side box, to select it
      2. click Javascrip_UI (in the menubar)
      3. modify JavaScript so that you remove the exploit line(s) and just have a variable that contains the shellcode
      4. add to the end of the JavaScript box (replacing VAR_NAME): tb.writeFile(“C:\\shellcode.bin”,VAR_NAME)
      5. click the Run button