
Andrew Cole and Rich Moulton - Making Everything Old New Again

BSides Augusta 2015 · 45:00 · Published 2015-09 · Video on YouTube
Style: Talk

About this talk: Video from BSidesAugusta 2015.

Transcript (en)

Oh, that'll work. Okay, so we're going to be playing past the mic then. Okay, all right.

identif

So how are we going to do these things? We're going to teach you the following: we're going to teach you to access code that already exists on the box, whether it's managed or native; to hide files, processes, registry entries and connections; and we're going to teach you to keep clean persistence. Before we begin we'd like to thank some people, starting of course with Chiron. It's awesome to get to do this research and then present it. We'd like to thank Microsoft, particularly Jeffrey Snover, for coming up with PowerShell in the first place; the EasyHook team, which we'll talk about a little bit later; and the PowerShell community. You know who you are. The PowerShell community is awesome. I think it's the best community in the computer hacking world, and it's just exploding and getting better by the minute. There's a lot of really smart people with great ideas who are perfectly happy to share their wisdom with everybody else.

All right, so with that I'd like to take just a moment to more properly introduce ourselves before we go on to the content. As I said, my name is Rich Moulton. I am awesome. I'm recently retired from the Air Force. I was an electronics technician, a systems administrator, an analyst and finally a developer before I joined Chiron as a subject matter expert, meaning basically security researcher.

Cole: I'm Andrew Cole; everybody just calls me Cole. I got most of my computer training in the Army. I was a journeyman-level CNO operator for the Army; did that for a few years. Before that I was pretty much a hardware guy, a solder jockey; I fixed the things when they broke. Since coming to Chiron I now get to do independent research, content development and instruction, so it's a pretty cool job.

All right, so I promise you we're going to teach you how to maximize your free movement through the network and to increase the chance of success of a penetration test. To begin with, we're going to teach you how to access native code on the box. What is native code? Native code is basically a bunch of ones and zeros, a string meaningless to you and I, instructions to the computer basically on what to do. It exists all over the box, generally in the form of EXEs or DLLs on a Windows machine, and is traditionally known as the Win32 API. There is a lot of functionality that already exists on your box that you can normally access through writing C or C++ code, compiling it, assembling it, linking it, and it's traditionally been very difficult for non-programmers to access this. Recently, with the advent of the .NET Framework, which we'll talk about momentarily, the technology known as Platform Invoke, or P/Invoke, has enabled .NET programmers to access this code on the box to gain more full control over the box. Specifically, I would point you in the direction of the Microsoft Developer Network: Google MSDN and you can find examples of how to use any of the functions that appear in the Win32 API online.

We've got an example here of accessing the Win32 API through PowerShell. This example comes to us from Lee Holmes; I think it was actually in his book, the PowerShell Cookbook. So Lee Holmes put together this example called Invoke-WindowsApi. The code is a little bit complicated; I'm not actually going to walk through the entire code, I'd rather show you the example at the bottom.

Basically what we're going to do here is use the Win32 API to create a hard link. We're going to create a file on the disk called linktarget.txt or something to that effect, and then we're going to create another file that points to the contents of the first using the Win32 API. The specific function that we're going to use, which appears on line 126, is CreateHardLink, and it appears in kernel32.dll. The PowerShell script that Lee Holmes has put together enables us to simply specify the DLL that we want to load, the Win32 API function call, and then the parameters that we want to pass to this function, and we see at the conclusion of it that what we end up with is a hard link that points to our original file.

So what we've done here, again: we've taken an existing file named test.txt, we've called the Win32 API through kernel32.dll to create a hard link that points to the original file. This is a very simple example; this may not perhaps be the most pertinent example for red teamers, but the idea here is what's important. The idea is you can access any Win32 API functionality on the box through PowerShell. I think that's... no, it did not do. Okay.

So in addition to native code and the Win32 API, we learned that you've also got access to managed code. This should be a given perhaps, since PowerShell is built on top of the .NET Framework, but we'll go over that again. Sometime a little longer than a decade ago, Microsoft came out with the idea: it would be nice if you could have an environment, perhaps a virtual machine or a common language runtime, that would go and check all the parameters that you're putting into your functions, so that you could avoid things like pointers that point to nothing or perhaps to the wrong place, perhaps variables that might overflow into other areas. And so they created this whole common language runtime that runs what we call managed code; basically it's code that checks itself for validity. This common language runtime runs in what is basically a COM server, very old Microsoft technology, called the .NET Framework. It exists in one single DLL, and what it does basically is it takes a high-level language, actually one of many high-level languages, either Visual Basic .NET, C#, PowerShell, C++ .NET, and it compiles it into an intermediate language, if you will, that is then interpreted just in time in the common language runtime. That's the .NET Framework in a nutshell, and when we're running PowerShell, basically what we're doing is we're taking another even higher-level language and accessing the code from the .NET Framework. Let's see here; I don't think I have an example of compiling code at this point, but we'll get to that later. I will show you instead a very simple example of how to call the .NET Framework: create a message box.

What we have on the screen up above is a PowerShell script that loads a DLL. It's a .NET Framework DLL, so it's intermediate code; it's basically the Microsoft.VisualBasic DLL. Then there on line five we say we're going to take Microsoft.VisualBasic.Interaction, which is an object, and we're going to call a static method called MsgBox. We're going to put the text in the first set of quotes in there; the type of box that we're going to create is going to be a yes/no/cancel box, a question box, and it's going to have the title [inaudible]. Unfortunately, because there are some hackers here today, we don't have Internet access, but if you were to go to Google and google "msdn Microsoft.VisualBasic", you could actually find the definition for this static function, and you would see what all the arguments are and the other options available to you. Right now we're going to run it, and we see that from PowerShell we called this managed code to create a dialog box. Again, this may or may not be something that you want to do in a penetration test; maybe it might be more advantageous to do a password box that says, you know, "please enter your password again" to authenticate, whatever the case may be. Go ahead and take a... all right.

So that, in a nutshell, is how to access managed code from the box. So far we've shown you how to access the Win32 API, we've showed you how to access managed code from PowerShell; next we'll begin to talk about how you can use this to hide files, processes, registry entries and connections. Let's see here; I was at a loss where to begin with this, because this information is all kind of... each module builds on the other, but it's kind of more of a spiral rather than a ladder, so I'll just start with a place to start. Let's start with looking... let's see here. When you run a process and it calls other functions, the first thing it does is create space on the stack, and then it jumps to this other function and starts doing this functionality; when the function returns, it cleans up that stack, basically like you never left. When we hook a process, what we do is we overwrite the pointer for that function call so that instead of going to the function that you intended to go to, you go somewhere else; you take a detour. We'll use that term again a little later. Traditionally in user-mode rootkits they would use this functionality: you would inject some code into a process so that when someone tries to do something like list processes or list files on the disk, what you get instead is filtered output. Perhaps they'll do the call for you, they'll take the results, filter out the results that they don't want you to see, and then present the rest to you. This works in user mode pretty well. There are a couple of functions, or processes, that you cannot inject into in modern Windows, and this basically boils down to reasons of digital rights management. Let's see, there are certain protected processes that, for the reason of enforcement of digital rights, they don't let you mess with, so if you try to inject into these processes you'll be blocked. There are also system processes, system threads created by the kernel, that will not allow you to hook them; basically those will crash if you try.

So if user-mode hooking fails, you can go to kernel-mode hooking. You can use similar techniques to trick the kernel, the core of the operating system if you will, to filter out results that we don't want the user to see. This has become more difficult recently because in 64-bit Windows they have some technology that ensures that anything you try to inject into the kernel has been signed by a proper authority. The technology that we're going to introduce in another slide or so, EasyHook, basically gets around this. So in the '90s people were doing this, user-mode hooking, kernel-mode hooking; it was all the rage, all the cool kids were doing it, and somebody figured out what was going on and they wrote a paper on it: dynamic binary modification. Basically, you take a program that's operating, it's running, you change it while it's running, and then you get to do other things, and then of course you can clean up just seconds before anybody realizes what's going on. Microsoft at some point must have read this paper, because they came out with a tool called Microsoft Detours that actually uses this technique for legitimate purposes: code patching. Basically, you find a function that is dangerous, that is doing something it isn't intended to, and then go and hook it and change it while it's running.

The great thing about Detours is it allows you, from C or C++, to go in, as I said, to any running process and change the code while it's running. Unfortunately, you couldn't do that for managed code, say from Visual Basic .NET, C#, C++ .NET or PowerShell, until recently. In 2008, Christoph Husse (I think I pronounced that right) and Justin Stenning came up with a tool called EasyHook, and it's kind of like Detours but for managed code. It allows you to hook native or managed code from managed code, so again using C#, C++ or PowerShell you can create hooks into code. It works something like this: there's an assembly-language function that you inject that rewrites function pointers; you specify exactly which function it is you want to overwrite, where you want to point instead, and then the functionality that you want to happen, and magic. Let's see here. So we're going to show you momentarily how to do this from PowerShell. In the interest of simplicity we have simply written a couple of files to disk and we execute the files on disk, though, as probably most of you are aware, it's just another step or two to be able to do this strictly from memory. So with that, let's take a look at the example program, that FileMon...

All right, what you see before you is a little bit of C# code, and I'll show you momentarily, when we get down to our modifications, how we use this in PowerShell. But basically, at the top end we've got a couple of using statements that say we're going to use this functionality, and the system is supposed to go find the DLL with that functionality. We're creating a class called the FileMonInterface, which is the actual DLL that we're going to inject into your native or managed code, and we're going to define a couple of functions. These functions are really fairly irrelevant; we use them for our specific modifications, but first make sure that the DLL injection is in place. All right, that's IsInstalled. OnCreateFile is going to watch for a process to use the CreateFile function, and when it does it goes out and writes the name of the file that was created. ReportException will let us know if there were any problems in the injection, and Ping, I guess, was supposed to be fun. So the meat of the program here is the main function on line 43. Basically, let's see here, you're going to call this program on the command line and pass it a process ID number; it'll check to make sure it exists, and when it injects it'll let you know that it injected, otherwise break and give you an exception. Go down a little bit further. Okay, it's going to create a server that the DLL will talk back to, and here on line 91 it's actually doing the injection, and if we press Return, for example, we can exit, at which point this EXE will unload the DLL from the process. So we'll see that in action; just go on to this.

This is the actual DLL that we're going to inject. We're calling the same system functionality; let's see here, we've got a class just called Main. The important parts are line 16: we create what they call a local hook, which is basically a userland hook, called CreateFile. Lines 37 through 42, basically we're specifying that the function we want to hook is CreateFileW, and it appears in kernel32.dll. Let me ask at this point: how many of you in the room currently consider yourselves developers? Not a whole lot, so I'm going to briefly say that this function, CreateFileW, refers to the Unicode version of this function. When you see functions with this W, usually there's first a version for people who use ASCII; basically, if the program was written 10 or more years ago, it's probably using the A version; if it was written in the last 10 years, it's probably using the W version of the function, Unicode. So you're specifying that the function we want to hook is CreateFileW, the Unicode version. We're going to create a delegate on line 39 called DCreateFile, and the delegate basically says when CreateFileW is called, instead of going directly to that function, redirect to this function; the function we're specifying is CreateFile_Hooked. So now we've injected our hook that says when someone calls CreateFileW, call CreateFile_Hooked, and the specific functionality is a little bit lower, on line 86. Basically, what they did was they went to a site called pinvoke.net, which tells you how to call native code from managed code, and they copied and pasted the signature of that function in there. The next section, from 98 to 110, is almost identical; the change is on line 103, where they use the extern keyword to say this function is defined outside of my program, it's defined somewhere in a DLL. And then in the final section, this is 112 through about 120, they actually copied and pasted the signature again, this time leaving out the extern keyword, because we're going to put new functionality in there. The new functionality we want is this: we're going to call back to the EXE and we are going to provide some information to it every time our function is called. So every time the injected process calls a CreateFile function, we're going to provide it with the name and print it out. Do we have a video of this? We just do the video of the modifications, okay, so we'll show you the modifications after this.

Okay, so let me talk about this before we get to them. For the purposes of this demonstration we took the example that exists in EasyHook and we modified it to hide a file. In order to hide a file, process, connection, registry key, basically what you're going to do is the same thing that the EasyHook people have already done, except that you'll need to specify a different function, whatever function it is that you want to hijack. I think for the purposes of our demonstration we chose to hide a file using the FindNextFileW function, which of course is the Unicode version. Hiding a process, connection or registry key would be similar; you just have to hijack the specific function that's being used by your target process.

To be sure that you're hiding or hijacking the appropriate function, what you can do is open up a debugger like WinDbg, turn on logging, and as you're going through the execution of the program it will show you a list of all the functions that are being called. This is the easiest way to do it. In the course of putting together this demonstration I tripped up on the function names, so be sure you know which function you're hijacking before you get into it. Let's go into the demo; actually, let's open up the code real quick. Here we go, demo.

So these are our modifications to the DLL, and basically the DLL at this point is unchanged. I want to say at line 16, line 16 I basically copied and pasted a structure that was defined at pinvoke.net, WIN32_FIND_DATA, and the reason I did this is because the function that I wanted to hook, FindNextFileW, actually uses an argument with this data type, WIN32_FIND_DATA, so I just had to go out to pinvoke.net and copy and paste. And then on lines 36 and 37 I define some local hooks. I'm going to hook string compare, just to check to see if the file name that I was interested in was part of the list, and a FindNextFile hook, because that's the function. Lines 68 to 71, I basically copied the sections from the CreateFile hook down below and repeated them for string compare, and then I did it again for FindNextFile. My string compare was in kernel32.dll; the MSDN FindNextFile was also in kernel32.dll. On 68 and 76 respectively I created delegates for these functions and I called them NameHooks and FindFileHooks, and then I define the function a line below. I should point out that line 79, and the other two lines that are similar to it, are basically just setting an access control list that says any thread in this process may call this function.

For the CreateFile information there, I basically copied and pasted information from pinvoke.net, lower down, to create the definition and the functionality for the function that I was interested in. It's a little bit lower there, so this function I want to call, my FindNextFile, uses a pointer to the find file and WIN32_FIND_DATA file data. [Music] And my functionality is a little bit lower. I think this is the important information here, line 225. Basically what I'm doing, on 224 actually, I call FindNextFile myself, I take the results and I say if the results include a file name called secret.txt, act like nothing happened. What I did on line 228 is, instead of returning the file secret.txt to the original caller, I just call FindNextFile once more and then pass those results to them, so that they never see secret.txt. String compare is similar.

So let's see, I think we've got to... we didn't want to tempt the demo gods, so we recorded this. Okay. Oh yeah, please. From the get-go here we've got our script in the ISE; we started it, it's running, you can see it's now hooked the PowerShell process. So we're creating two files, one named public.txt, one named secret.txt. The secret.txt matches our string, so it's hidden from PowerShell, because PowerShell can't see it because it uses FindNextFileW. cmd.exe still uses FindNextFileA, so it's able to find both of the files; they're still there. Once PowerShell gets back, though, it still can't see it; it's hooked. Now if I come over here and remove our hook, you should be able to now see the files. And I think the video actually jumped in a second late; was there a big PSP box up there when it first came on? Yeah, so that's a fun, interesting point: this is a fully protected box. It's running the Avast antivirus, free, the latest edition, signatures 100% up to date, and I just did this video in the last 24 hours. So it's scanning the DLLs getting loaded, it's scanning them on disk, and it doesn't seem to be noticing or caring that we're hooking the file. The only reason I picked on Avast is global market share; they have the largest market share of any antivirus product.

Okay, so then you say, fine and dandy, but how do we survive reboots? You've got your traditional persistence methods that everybody's been using since the dawn of time, right? You're either going to hide in a registry entry, right, find something like a Run key or a Load key and put your code there. A lot of red teams like to use services, right, register a custom service, but you still leave some evidence there. You can schedule a job; you know, there's a number of avenues, but they've all been used and abused by various types of malware and hackers forever and are pretty much burned. So with PowerShell they brought in some new, fun and more exciting ways to do it. Who here has actually played around with, like, PowerSploit? No one, or two. So PowerSploit, Metasploit, Nishang, all these have some form of a WMI persistence module, which registers a WMI event for persistence, and that's better than the traditional methods, but it still leaves something on disk. So the thought is, why don't we just use a more creative implementation to turn an old-school method into something a little more new school? There's nothing wrong with using the registry key for persistence; it's not going to get caught, but it's still going to run. You just need to keep people from being able to see what you have in there. So if you were to... which one is it that hooks the registry? If you were to hook RegEnumKeyExA or RegEnumKeyExW, your program would still run, but if someone opened up a command line and did a reg query, your payload won't show up; if they pop open regedit, it shouldn't show up there either. So you can still use these old methods and just hide the fact that you're using them for your persistence. The same thing, in theory, would work with scheduling a job and hiding the job, and pretty much any other method; you're only limited by your imagination.

So what can somebody do with this? There's again a number of already amazing scripts that are out there that we can combine and leverage to our advantage. A couple of them: Invoke-ReflectivePEInjection. What this will let us do is take these same DLLs, and rather than having to put them on disk like we have, we can store them in a byte array in the script and reflectively load them into the process of our choosing. By reflectively loading them, we get the added advantage that they don't register as a loaded module. Another great script, from the Veil PowerTools team, I guess now it's the Veil Empire team, is Invoke-MassTemplate. What this will do is it'll hack up a quick temporary web server and then use WMI to tell a remote box, or boxes, to call back and grab the script that's being run on the web server and run it. Anyone who has had Thunderstruck turned on at max volume on their computer in the last month since Empire came out knows exactly how powerful this can be. And the last one's a little less known, but it's still a goodie. Who here loved netcat when it was still young? Yeah, well, somebody else did too, and they completely rewrote the whole thing from top to bottom in PowerShell and called it powercat. So why does nobody use netcat anymore? It's signatured; everything sees it as malware. Do you know how hard it is to signature a PowerShell script as malware? The Invoke-MassMimikatz script, which does what it sounds like, it pulls a domain's worth of plain-text passwords at once from one box, it got signatured by Windows Defender, but it turns out if you just delete the comments out and rename the function, it still works perfectly well.

So now, combining those scripts and some EasyHook methods, you could theoretically create a remotely deployable PowerShell-based user-mode rootkit that doesn't require anything to be written to the file system. It's going to take a fair bit of coding, but you can do it. Theoretically, you would use Invoke-MassTemplate as your delivery method. You are going to have to have some domain credentials in order to make this deliver; otherwise you're not going to have the ability to force the remote box to call back and grab your scripts. But if you load a script that would first write the byte arrays that contain your EasyHook DLLs, and write them, as well as powercat and a startup script, to some random registry keys... the Poweliks virus that came out in the last year or two, that was a PowerShell virus that was residing solely in the... I'm sorry, solely in the registry and not at all in the file system; we're going to use a similar technique, you just write to the registry. And you then would write a value to the Run key to start up your startup script on boot. You would then have to manually start the script for the first time, or bounce the box; I would not recommend the latter. Starting the script manually... but when the script started up, it would use Invoke-ReflectivePEInjection to load the EasyHook byte arrays into the memory of the process that you wanted, and then use those DLLs to hide the registry keys containing your rootkit components. You could then start powercat via PowerShell to bind a port on the system, and then hook what you needed to hide the listening port from network connections. It's all theoretically possible; we haven't taken it quite that far yet, but quite frankly the fact that it's even theoretically possible is slightly scary. And again, this shouldn't get flagged by an AV product. We just did the demo with Avast; I did test it against AA and AVG as well; neither of them are flagging the EasyHook DLLs, even written to disk. I ran a manual scan on them; they don't flag them as being malicious, even though they came out in 2008. So yeah, antivirus signatures.

Okay, so theoretically, how can you protect your network? Well, you do some network traffic monitoring; it never hurts to do that. PowerShell logging: if you're doing defense and you're not logging PowerShell in your network, you probably should start. It's built into Microsoft; you just have to turn it on and define some objects, and your logging will be turned on. If you suspect you might have something bad, you can monitor the registered modules in your processes; EasyHook DLLs could be there. But mostly you're pretty much stuck with memory dumps, which, let's be honest, whoever does memory dumps unless you've already got caught? Okay, so all the code that we used today is up on GitHub; that has the file-hide code that you can run to hide particular files from a process. On that note, I kind of glossed over this, but the examples that I showed you were C#, and the code that you can get from our GitHub repo is actually a PowerShell script. It's got C# in there and dynamically compiles the C# on the fly with the compiler built into the .NET Framework. If you haven't checked out the other PowerShell toolkits and frameworks that are out there, I would strongly suggest you do; there's a lot of great stuff out there. It's also not up here, but PowerSploit is another one that I would definitely get into. And if you are looking to defend your network, if you are a blue teamer just sitting in here and you thought it might be interesting, there is PowerShellArsenal by Matt Graeber, a completely PowerShell-based reverse engineering set. That's just our general contact information. Does anyone have questions about how to increase your ability to move over the network and increase the chances of success of a penetration test using the techniques demonstrated today?

[Audience question, partly inaudible: ...using memory... memory policy and... processes.]

The short answer is no, because it's all supposedly legitimate code that exists in the API and the framework; it all looks legitimate, looks like an administrator doing this thing. And I should mention that the reason that Microsoft put together their Detours project in the beginning was because they had legitimate reasons for wanting to divert the functionality of processes.

Anything else? Are there any other questions? Guys, don't run off. If you could think of a trivia question or two for... we got a lot, we got two speakers, so we got a lot of giveaways here. So if you don't... you guys think of a question, I got one or two. So what was the name of the Microsoft set of APIs or coding standard that was developed to legitimize API hooking? Right here: Microsoft Detours, right, and we give you... for a copy of [inaudible] Unleashed. What local Augusta GRU student wrote the majority of powercat? That would be my son. [Music] powercat. Very good. All right, you guys come up with some questions here. Sure, this one's a little more of, like, a history question: what famous event in malware had its anniversary, I believe it was three days ago? First instance of something that occurred... is that the... yeah, even older. Oh, literally the first early, early malware. Yes, the name's based off a... off a relay in '70. Yeah, that just had its anniversary a couple days ago. [Applause] We'll do...

What else? Question, right. Can anyone tell me... we didn't mention it in here, but I wonder, since we're all here in PowerShell, can anyone tell me what was the original name of... Got a rubber ducky for you here. Red team man, you got another one? Who was the original writer of PowerShell, who wrote Monad, and what position did he just receive at Microsoft? It's the highest position you can get at Microsoft. CEO? No, no, not that, not that kind of position; the highest technical position you can get at Microsoft. Okay, in that case I'll settle for just the name of the person who invented PowerShell. That's close enough to Snover; we'll take it. Jeffrey Snover, yes, and he just made Technical Fellow. So, all right, congratulations, everyone. All right, and I got one more thing: we had some of the award drawings, so the network [...] licenses: Sandra Simpson, US Army, and Renew Mor of Macy's. You won licenses; you have to pick those up before 3:00. Pick these up before 3:00, so if you're here, go pick up those licenses; you've got 10 minutes. All right, thank you. Congratulations. Thank you, thank you to all you wonderful audience. If you have any other questions, our email is somewhere on these slides; please don't hesitate to get in contact with us, and check out the GitHub repo. We'll continue to update it with more examples for you. Thank you very much. [Applause]

[ feedback ]
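The two defensive checks the speakers mention near the end (watching for EasyHook DLLs among a process's loaded modules, and the fact that their demo hid secret.txt from PowerShell's FindNextFileW path while cmd.exe's ANSI path still saw it) can be scripted. The following is an added example written for this page; it is not code from the talk, from the EasyHook project or from the speakers' GitHub repo. It uses the same P/Invoke mechanism the talk opens with (Add-Type compiling a small C# shim) to call FindFirstFileA/FindNextFileA directly, compares that listing with Get-ChildItem, and then lists processes with an EasyHook* module mapped. Assumptions: the WIN32_FIND_DATAA layout is transcribed from the Win32 headers, the `Added` namespace and function names are mine, and the EasyHook* name pattern is a heuristic (an injected payload DLL can be called anything), so a hit is a lead rather than proof. Both checks only read state; nothing is injected or hooked.

```powershell
# Added example (not the talk's or EasyHook's code). Read-only checks:
#   1. Cross-view directory listing: Get-ChildItem vs. the ANSI Win32
#      FindFirstFileA/FindNextFileA entry points called via P/Invoke.
#   2. Processes that have an EasyHook* DLL loaded as a module.

$findFileApi = @"
using System;
using System.Runtime.InteropServices;
namespace Added {
  // Layout transcribed from the Win32 headers (assumption of this example).
  [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
  public struct WIN32_FIND_DATAA {
    public uint dwFileAttributes;
    public System.Runtime.InteropServices.ComTypes.FILETIME ftCreationTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME ftLastAccessTime;
    public System.Runtime.InteropServices.ComTypes.FILETIME ftLastWriteTime;
    public uint nFileSizeHigh;
    public uint nFileSizeLow;
    public uint dwReserved0;
    public uint dwReserved1;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 260)] public string cFileName;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 14)]  public string cAlternateFileName;
  }
  public static class FindFile {
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr FindFirstFileA(string lpFileName, out WIN32_FIND_DATAA lpFindFileData);
    [DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern bool FindNextFileA(IntPtr hFindFile, out WIN32_FIND_DATAA lpFindFileData);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool FindClose(IntPtr hFindFile);
  }
}
"@
Add-Type -TypeDefinition $findFileApi

function Get-AnsiDirectoryListing {
    # Enumerate a directory through the ANSI Win32 API only; returns bare names.
    param([Parameter(Mandatory)][string]$Path)
    $data  = New-Object Added.WIN32_FIND_DATAA
    $names = @()
    $h = [Added.FindFile]::FindFirstFileA((Join-Path $Path '*'), [ref]$data)
    if ($h.ToInt64() -eq -1) { return $names }   # INVALID_HANDLE_VALUE: no such directory
    try {
        do {
            if ($data.cFileName -ne '.' -and $data.cFileName -ne '..') { $names += $data.cFileName }
        } while ([Added.FindFile]::FindNextFileA($h, [ref]$data))
    } finally { [void][Added.FindFile]::FindClose($h) }
    return $names
}

function Compare-DirectoryViews {
    # Reports every name that one view returns and the other does not.
    # Empty output means the two views agree.
    param([Parameter(Mandatory)][string]$Path)
    $psView   = @(Get-ChildItem -LiteralPath $Path -Force | Select-Object -ExpandProperty Name)
    $ansiView = @(Get-AnsiDirectoryListing -Path $Path)
    foreach ($d in (Compare-Object -ReferenceObject $psView -DifferenceObject $ansiView)) {
        $where = if ($d.SideIndicator -eq '=>') { 'Win32 ANSI API only' } else { 'PowerShell only' }
        [pscustomobject]@{ Name = $d.InputObject; VisibleIn = $where }
    }
}

function Find-EasyHookModules {
    # Heuristic: EasyHook's own runtime DLLs are named EasyHook*.dll.
    foreach ($proc in Get-Process) {
        try {
            $mods = @($proc.Modules | Where-Object { $_.ModuleName -like 'EasyHook*' })
        } catch {
            continue   # protected or higher-privilege processes refuse module enumeration
        }
        foreach ($m in $mods) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
            }
        }
    }
}

# Usage (run from an elevated PowerShell to be able to inspect more processes):
#   Compare-DirectoryViews -Path 'C:\Users\Public'
#   Find-EasyHookModules
```

The cross-view check is the classic rootkit-detection idea of asking the same question through two code paths and looking for disagreement; it catches a hook on one enumeration path but not one that covers both, and the module check misses a DLL that was reflectively loaded, which is exactly the gap the speakers point out. Treat either as a trigger for the memory-dump and PowerShell-logging review they recommend rather than as a verdict on its own.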