SlideShare une entreprise Scribd logo

Binary Planting Techniques and Persistence

Source Conference
Source Conference

SOURCE Barcelona 2011 - Mitja Kolsex

TechnologieActualités & Politique
1  sur  36
Télécharger pour lire hors ligne
ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
ACROS PUBLIC Page 8 SOURCE Barcelona 2011
ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
ACROS PUBLIC Page 13 SOURCE Barcelona 2011
ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
ACROS PUBLIC Page 15 SOURCE Barcelona 2011
ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
ACROS PUBLIC Page 17 SOURCE Barcelona 2011
ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
ACROS PUBLIC Page 19 SOURCE Barcelona 2011
ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
ACROS PUBLIC Page 23 SOURCE Barcelona 2011
ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
ACROS PUBLIC Page 27 SOURCE Barcelona 2011
ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
ACROS PUBLIC Page 29 SOURCE Barcelona 2011
ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
ACROS PUBLIC Page 31 SOURCE Barcelona 2011
ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity

Recommandé

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 

Recommandé

Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...
Andrew Hay - Chris Nickerson - Building Bridges - Forcing Hackers and Busine...Source Conference
 
Don Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesDon Bailey - A Million Little Tracking Devices
Don Bailey - A Million Little Tracking DevicesSource Conference
 
Legal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudLegal/technical strategies addressing data risks as perimeter shifts to Cloud
Legal/technical strategies addressing data risks as perimeter shifts to CloudSource Conference
 
From DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsFrom DNA Sequence Variation to .NET Bits and Bobs
From DNA Sequence Variation to .NET Bits and BobsSource Conference
 
Wendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramWendy Nather - Building a Rube Goldberg Application Security Program
Wendy Nather - Building a Rube Goldberg Application Security ProgramSource Conference
 
Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Dan Guido SOURCE Boston 2011
Dan Guido SOURCE Boston 2011Source Conference
 
Android sandbox
Android sandboxAndroid sandbox
Android sandboxAnusha Chavan
 
Finfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtFinfisher- Nguyễn Chấn Việt
Finfisher- Nguyễn Chấn ViệtSecurity Bootcamp
 
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsWardell Motley, NSA IAM\IEM
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010Stephan Chenette
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsDamir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10ErnestoFernndezProve
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysisn|u - The Open Security Community
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple FeaturesMuhammad Najmi Ahmad Zabidi
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and EcosystemPatrick Chanezon
 
Android..!!
Android..!!Android..!!
Android..!!Parthik Poshiya
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016Patrick Chanezon
 
Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser BotnetSource Conference
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 

Contenu connexe

Similaire à Binary Planting Techniques and Persistence

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsFelipe Prado
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019Alexandre Borges
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsWardell Motley, NSA IAM\IEM
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008Stephan Chenette
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsDamir Dobric
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019Alexandre Borges
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisChetan Ganatra
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)DynamicInfraDays
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmedRashid Khatmey
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and EcosystemPatrick Chanezon
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malwareYury Chemerkin
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Oleksandr Tryshchenko
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016Robert Lemke
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedMazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016Patrick Chanezon
 

Similaire à Binary Planting Techniques and Persistence (20)

DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threatsDEFCON 27 - ALEXANDRE BORGES - dot net malware threats
DEFCON 27 - ALEXANDRE BORGES - dot net malware threats
 
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019.NET MALWARE THREATS -- BHACK CONFERENCE 2019
.NET MALWARE THREATS -- BHACK CONFERENCE 2019
 
Exploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface ApplicationsExploiting and analyzing Microsoft Surface Applications
Exploiting and analyzing Microsoft Surface Applications
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 
The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008The Ultimate Deobfuscator - ToorCON San Diego 2008
The Ultimate Deobfuscator - ToorCON San Diego 2008
 
Key Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core ApplicationsKey Steps in Developing .NET Core Applications
Key Steps in Developing .NET Core Applications
 
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
.NET MALWARE THREAT: INTERNALS AND REVERSING DEF CON USA 2019
 
HoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware AnalysisHoneyNet SOTM 32 - Windows Malware Analysis
HoneyNet SOTM 32 - Windows Malware Analysis
 
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
ContainerDays Boston 2016: "Docker For the Developer" (Borja Burgos)
 
Testing UAC on Windows 10
Testing UAC on Windows 10Testing UAC on Windows 10
Testing UAC on Windows 10
 
Andriod Pentesting and Malware Analysis
Andriod Pentesting and Malware AnalysisAndriod Pentesting and Malware Analysis
Andriod Pentesting and Malware Analysis
 
Malware Detection With Multiple Features
Malware Detection With Multiple FeaturesMalware Detection With Multiple Features
Malware Detection With Multiple Features
 
3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed3. backup file artifacts - mazin ahmed
3. backup file artifacts - mazin ahmed
 
Docker Platform and Ecosystem
Docker Platform and EcosystemDocker Platform and Ecosystem
Docker Platform and Ecosystem
 
Android..!!
Android..!!Android..!!
Android..!!
 
Crisis. advanced malware
Crisis. advanced malwareCrisis. advanced malware
Crisis. advanced malware
 
Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3Mobile Applications with Angular 4 and Ionic 3
Mobile Applications with Angular 4 and Ionic 3
 
Docker in Production - IPC 2016
Docker in Production - IPC 2016Docker in Production - IPC 2016
Docker in Production - IPC 2016
 
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin AhmedBackup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
Backup-File Artifacts - OWASP Khartoum InfoSec Sessions 2016 - Mazin Ahmed
 
Docker SF Meetup January 2016
Docker SF Meetup January 2016Docker SF Meetup January 2016
Docker SF Meetup January 2016
 

Plus de Source Conference

iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on AndroidSource Conference
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICSource Conference
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesSource Conference
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network SecuritySource Conference
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration TestersSource Conference
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSource Conference
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSource Conference
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserSource Conference
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItSource Conference
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of AnonymousSource Conference
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Source Conference
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?Source Conference
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawSource Conference
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendSource Conference
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationSource Conference
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsSource Conference
 

Plus de Source Conference (20)

Million Browser Botnet
Million Browser BotnetMillion Browser Botnet
Million Browser Botnet
 
iBanking - a botnet on Android
iBanking - a botnet on AndroidiBanking - a botnet on Android
iBanking - a botnet on Android
 
I want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUICI want the next generation web here SPDY QUIC
I want the next generation web here SPDY QUIC
 
Extracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus DerivativesExtracting Forensic Information From Zeus Derivatives
Extracting Forensic Information From Zeus Derivatives
 
How to Like Social Media Network Security
How to Like Social Media Network SecurityHow to Like Social Media Network Security
How to Like Social Media Network Security
 
Wfuzz para Penetration Testers
Wfuzz para Penetration TestersWfuzz para Penetration Testers
Wfuzz para Penetration Testers
 
Security Goodness with Ruby on Rails
Security Goodness with Ruby on RailsSecurity Goodness with Ruby on Rails
Security Goodness with Ruby on Rails
 
Securty Testing For RESTful Applications
Securty Testing For RESTful ApplicationsSecurty Testing For RESTful Applications
Securty Testing For RESTful Applications
 
Esteganografia
EsteganografiaEsteganografia
Esteganografia
 
Men in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the BrowserMen in the Server Meet the Man in the Browser
Men in the Server Meet the Man in the Browser
 
Advanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done ItAdvanced Data Exfiltration The Way Q Would Have Done It
Advanced Data Exfiltration The Way Q Would Have Done It
 
Adapting To The Age Of Anonymous
Adapting To The Age Of AnonymousAdapting To The Age Of Anonymous
Adapting To The Age Of Anonymous
 
Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?Are Agile And Secure Development Mutually Exclusive?
Are Agile And Secure Development Mutually Exclusive?
 
Who should the security team hire next?
Who should the security team hire next?Who should the security team hire next?
Who should the security team hire next?
 
The Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime LawThe Latest Developments in Computer Crime Law
The Latest Developments in Computer Crime Law
 
JSF Security
JSF SecurityJSF Security
JSF Security
 
How To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security SpendHow To: Find The Right Amount Of Security Spend
How To: Find The Right Amount Of Security Spend
 
Everything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitationEverything you should already know about MS-SQL post-exploitation
Everything you should already know about MS-SQL post-exploitation
 
Keynote
KeynoteKeynote
Keynote
 
Reputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet BlacklistsReputation Digital Vaccine: Reinventing Internet Blacklists
Reputation Digital Vaccine: Reinventing Internet Blacklists
 

Dernier

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 

Dernier (20)

08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 

Binary Planting Techniques and Persistence

  • 1. ACROS PUBLIC © ACROS Advanced (Persistent) Binary Planting SOURCE Barcelona 2011 Mitja Kolsek ACROS d.o.o. mitja.kolsek@acrossecurity.com www.acrossecurity.com
  • 2. ACROS PUBLIC Page 2 SOURCE Barcelona 2011 BINARY PLANTING QUICK SUMMARY (DLL hijacking, DLL preloading, Unsafe library loading...)
  • 3. ACROS PUBLIC Page 3 SOURCE Barcelona 2011 DLL, EXE you bad guy
  • 4. ACROS PUBLIC Page 4 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 5. ACROS PUBLIC Page 5 SOURCE Barcelona 2011 EXE Search Order CreateProcess(“SomeApp.exe”) 1. The directory from which the application loaded 2. Current Working Directory (CWD) 3. C:WindowsSystem32 4. C:WindowsSystem 5. C:Windows 6. PATH
  • 6. ACROS PUBLIC Page 6 SOURCE Barcelona 2011 EXE Search Order ShellExecute(“SomeApp.exe”) 1. Current Working Directory (CWD) 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. PATH
  • 7. ACROS PUBLIC Page 7 SOURCE Barcelona 2011 Our Past Research • Extended scope: Launching EXEs • Improved attack vector: WebDAV • We looked at 200+ leading Windows apps • Found 500+ binary planting bugs (120+ EXE, 400+ DLL) • Guidelines for developers http://www.binaryplanting.com/guidelinesDevelopers.htm • Guidelines for administrators http://www.binaryplanting.com/guidelinesAdministrators.htm • Free Online Binary Planting Exposure Test http://www.binaryplanting.com/test.htm • Advanced binary planting (COM-Servers) • Executing code through IE8 on Windows XP – two clicks only • Executing code through IE9 on Windows 7 – right click, add to archive
  • 8. ACROS PUBLIC Page 8 SOURCE Barcelona 2011
  • 9. ACROS PUBLIC Page 9 SOURCE Barcelona 2011 PERSISTENCE #1 - PERSISTENCE IN SOFTWARE #2 – PERSISTENCE ON COMPUTER
  • 10. ACROS PUBLIC Page 10 SOURCE Barcelona 2011 #1 - PERSISTENCE IN SOFTWARE (Everywhere You Look)
  • 11. ACROS PUBLIC Page 11 SOURCE Barcelona 2011 Microsoft (Sysinternals) Process Monitor 1. Filter: Path Contains <our-path> 2. Launch Application 3. Exclude irrelevant entries 4. Look for DLL and EXE accesses 5. Plant DLL/EXE 6. Re-launch Application 7. If successful, see call stack
  • 12. ACROS PUBLIC Page 12 SOURCE Barcelona 2011 Example: Real Player I used to load rio500.dll from CWD. Wait... I still do. Publicly reported in February 2010 by Taeho Kwon and Zhendong Su http://www.cs.ucdavis.edu/research/tech-reports/2010/CSE-2010-2.pdf
  • 13. ACROS PUBLIC Page 13 SOURCE Barcelona 2011
  • 14. ACROS PUBLIC Page 14 SOURCE Barcelona 2011 False Positives
  • 15. ACROS PUBLIC Page 15 SOURCE Barcelona 2011
  • 16. ACROS PUBLIC Page 16 SOURCE Barcelona 2011 Hidden & Remote
  • 17. ACROS PUBLIC Page 17 SOURCE Barcelona 2011
  • 18. ACROS PUBLIC Page 18 SOURCE Barcelona 2011 Cleaning The Table
  • 19. ACROS PUBLIC Page 19 SOURCE Barcelona 2011
  • 20. ACROS PUBLIC Page 20 SOURCE Barcelona 2011 Real Player on Windows XP (mpeg)
  • 21. ACROS PUBLIC Page 21 SOURCE Barcelona 2011 Real Player on Windows XP (avi)
  • 22. ACROS PUBLIC Page 22 SOURCE Barcelona 2011 Example: Opera I fixed a DLL hijacking bug but what the heck is this “EXE planting”? Windows XP: dwmapi.dll (fixed in 10.62)
  • 23. ACROS PUBLIC Page 23 SOURCE Barcelona 2011
  • 24. ACROS PUBLIC Page 24 SOURCE Barcelona 2011 Binary Planting Issues Found Real Player • WinXP: RealPlay.exe loading planted rapi.dll upon startup • Win7: RealPlay.exe loading planted SHDOCLC.DLL upon startup • RealPlay.exe loading planted rio500.dll upon exit • RealPlay.exe loading planted rio300.dll upon exit • RealShare.exe loading planted pnrs3260.dll upon startup Opera • WinXP: Opera.exe loading planted rundll32.exe upon opening a downloaded ZIP
  • 25. ACROS PUBLIC Page 25 SOURCE Barcelona 2011 #2 - PERSISTENCE ON COMPUTER (Turning Downloads Folder Into a Minefield)
  • 26. ACROS PUBLIC Page 26 SOURCE Barcelona 2011 DLL Search Order LoadLibrary(“SomeLib.dll”) 1. The directory from which the application loaded 2. C:WindowsSystem32 3. C:WindowsSystem 4. C:Windows 5. Current Working Directory (CWD) 6. PATH
  • 27. ACROS PUBLIC Page 27 SOURCE Barcelona 2011
  • 28. ACROS PUBLIC Page 28 SOURCE Barcelona 2011 Planting a “Persistent Mine” (cryptbase.dll)
  • 29. ACROS PUBLIC Page 29 SOURCE Barcelona 2011
  • 30. ACROS PUBLIC Page 30 SOURCE Barcelona 2011 Planting a “Persistent Mine” (msiexec.exe)
  • 31. ACROS PUBLIC Page 31 SOURCE Barcelona 2011
  • 32. ACROS PUBLIC Page 32 SOURCE Barcelona 2011 Downloads folder “mine field” problem Why is it cool? Persistent – “download today, exploit months later” Installers usually get elevated privileges Whose fault is it? Installers loading DLLs from their neighborhood is expected behavior Browsers keep downloads on disk until manually deleted Chrome download dialog is clickjackable Chrome trusts EXE files from already visited sites InstallShield calls “msiexec.exe” without full path How could it be fixed? All downloaded executables should have modified names: Cryptbase(0).dll, msiexec(0).exe
  • 33. ACROS PUBLIC Page 33 SOURCE Barcelona 2011 Binary Planting: Guidelines For Researchers Stay current Make sure you’re working with the latest version of the product Make sure your O/S is up to date Try different O/S versions Different DLLs, different drivers, codecs etc. Try different data files Different formats (file extensions), different content Try it from remote ShellExecute will issue a security warning when launching from a share Locate the culprit Check the call stack to find which module is responsible for the bug, then check the module’s details to find the author
  • 34. ACROS PUBLIC Page 34 SOURCE Barcelona 2011 Binary Planting: Guidelines For Developers Use only absolute paths LoadLibrary(“relative.dll”) - FAIL CreateProcess(“notepad.exe”) – FAIL ShellExecute(“cmd.exe”) - FAIL CWD use Set CWD to a safe location, quickly Call SetDllDirectory(“”) Observe file system operations on all supported O/S versions Different DLLs, different drivers, codecs etc. Maximize code coverage Different formats (file extensions), different content
  • 35. ACROS PUBLIC Page 35 SOURCE Barcelona 2011 Resources Tools Process Monitor: http://technet.microsoft.com/en us/sysinternals/bb896645 Symbols: http://msdn.microsoft.com/en-us/windows/hardware/gg463028 Files “Malicious” DLL www.binaryplanting.com/demo/windows_address_book/wab32res.dll www.binaryplanting.com/demo/windows_address_book_64/wab32res.dll “Malicious” EXE: C:WindowsSystem32calc.exe (what else?) Knowledge www.binaryplanting.com blog.acrossecurity.com
  • 36. ACROS PUBLIC Page 36 SOURCE Barcelona 2011 Pregunt(e|a)s Mitja Kolsek ACROS d.o.o. www.acrossecurity.com mitja.kolsek@acrossecurity.com Twitter: @acrossecurity