Wednesday 18 May 2016

Some details about Windows Shellcode part of GSoC project

Completed my final exams and now it's time to focus on the GSoC project :).


In my last blog post I posted the timeline from my proposal; in this post I will add details about the shellcode part of the project, which I will be completing before the mid-term evaluation if everything goes as planned.

Shellcode for Windows

For Windows there is no direct kernel interface like int 0x80 on Linux. Windows provides kernel32.dll, but its functions are not loaded at the same address across different versions of Windows, so hardcoded addresses are a fragile way to write shellcode. Skape's paper on Windows shellcode describes how to find the address of a function using the PEB. I am not going to repeat the details of the paper here; in summary it works like this:

1. Find the kernel32.dll base address using the Process Environment Block (PEB)
2. Parse its export table to locate GetProcAddress
3. Use GetProcAddress to locate LoadLibrary
4. Use LoadLibrary to load other DLLs into the current address space
5. Use GetProcAddress again to locate the remaining functions the shellcode needs
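As an added illustration of steps 1 and 2 (this is not code from the original post or from OWASP-ZSC): the export-table walk that a PEB-based resolver performs inside kernel32, run here over a constructed toy image so that it works offline. The export directory layout is the real IMAGE_EXPORT_DIRECTORY from winnt.h; the export names, their RVAs and the two load bases are made up for the example. Resolving the same name under two different load bases is the point: the RVA is stable and only the base moves, which is exactly why an absolute address hardcoded from one machine breaks on another Windows version or after a relocation.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (winnt.h): Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, Name, Base, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals. Little-endian, 40 bytes in total.
EXPORT_DIR_FMT = "<IIHHIIIIIII"


def read_cstring(image, rva):
    """Read a NUL-terminated ASCII string at an RVA of a mapped image."""
    end = image.index(b"\x00", rva)
    return image[rva:end].decode("ascii")


def find_export_rva(image, export_dir_rva, wanted):
    """Return the RVA of the export named `wanted`, or None if it is absent.

    `image` is the module as mapped in memory, so RVAs index straight into it,
    which is the same layout a PEB-based resolver walks inside kernel32.
    """
    (_chars, _stamp, _major, _minor, _name_rva, _base, num_funcs, num_names,
     funcs_rva, names_rva, ords_rva) = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    for i in range(num_names):
        name_rva, = struct.unpack_from("<I", image, names_rva + 4 * i)
        if read_cstring(image, name_rva) != wanted:
            continue
        # AddressOfNameOrdinals is parallel to AddressOfNames and holds the
        # index into AddressOfFunctions (no Base bias applied to it).
        index, = struct.unpack_from("<H", image, ords_rva + 2 * i)
        if index >= num_funcs:
            raise ValueError("export table is corrupt: ordinal %d out of range" % index)
        func_rva, = struct.unpack_from("<I", image, funcs_rva + 4 * index)
        return func_rva
    return None


def resolve(image_base, image, export_dir_rva, wanted):
    """Virtual address = load base + RVA. Only the base differs between
    Windows versions and ASLR relocations; the RVA lookup is unchanged."""
    rva = find_export_rva(image, export_dir_rva, wanted)
    return None if rva is None else image_base + rva


def build_sample_image():
    """Construct a toy 'mapped module' with three exports (constructed data,
    not real kernel32 contents). The name table is sorted, as linkers emit
    it, while the function table is in a different order so the ordinal
    indirection actually matters."""
    buf = bytearray(0x400)
    export_dir_rva, strings_rva = 0x100, 0x200
    funcs_rva, names_rva, ords_rva = 0x300, 0x320, 0x340
    func_rvas = [0x3000, 0x1000, 0x2000]          # LoadLibraryA, ExitProcess, GetProcAddress
    names = [b"ExitProcess", b"GetProcAddress", b"LoadLibraryA"]
    name_to_index = [1, 2, 0]                     # parallel to `names`
    cursor = strings_rva
    name_rvas = []
    for n in names:
        name_rvas.append(cursor)
        buf[cursor:cursor + len(n) + 1] = n + b"\x00"
        cursor += len(n) + 1
    dll_name_rva = cursor
    buf[cursor:cursor + 13] = b"KERNEL32.dll\x00"
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", buf, funcs_rva + 4 * i, rva)
    for i, rva in enumerate(name_rvas):
        struct.pack_into("<I", buf, names_rva + 4 * i, rva)
    for i, idx in enumerate(name_to_index):
        struct.pack_into("<H", buf, ords_rva + 2 * i, idx)
    struct.pack_into(EXPORT_DIR_FMT, buf, export_dir_rva,
                     0, 0, 0, 0, dll_name_rva, 1, len(func_rvas), len(names),
                     funcs_rva, names_rva, ords_rva)
    return bytes(buf), export_dir_rva


if __name__ == "__main__":
    image, edir = build_sample_image()
    for base in (0x77000000, 0x7ff00000):      # two made-up load bases
        print(hex(base), hex(resolve(base, image, edir, "GetProcAddress")))
```

The same walk is what a PE analysis tool does when it lists a DLL's exports from a file on disk, the only difference being that on disk RVAs have to be translated through the section table first.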


There is another way to do this: hardcode the addresses in the shellcode, but find the addresses of the functions dynamically beforehand using Python ctypes. Something like this gets the address of a function in a module:

import ctypes

dll = u'kernel32.dll'
function = b'WinExec'          # GetProcAddress takes an ANSI name, so pass bytes
kernel32 = ctypes.windll.kernel32
# Declare pointer-sized return values so nothing is truncated on 64-bit Python
kernel32.LoadLibraryW.restype = ctypes.c_void_p
kernel32.GetProcAddress.restype = ctypes.c_void_p
kernel32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
handle = kernel32.LoadLibraryW(dll)
address = kernel32.GetProcAddress(handle, function)
print(hex(address))

Here is a script that I wrote some time back to generate asm code that executes cmd.exe using the functions WinExec and ExitProcess - https://gist.github.com/Pratik151/58fd921116ce314d796b

Here is a rough timeline of what I am planning to do:

Week 1 and Week 2 (May 23 - June 5)
Add an opcoder for Windows like this one for Linux - https://github.com/Ali-Razmjoo/OWASP-ZSC/blob/master/lib/opcoder/linux_x86.py
Add the Execute shellcode - it requires the two functions WinExec and ExitProcess
Start the Write-to-file shellcode - it requires fopen, fclose and ExitProcess

If I am able to add the addresses of the functions dynamically using ctypes and that works, then I think the shellcode can be developed ahead of time. But if that does not work, then I have to use the PEB method to get the addresses of the required functions.

Week 3 (June 6 - June 12)
Complete the Write-to-file shellcode if it is not completed yet.
Add the Create-directory shellcode. If I complete it ahead of time, I can start next week's work, or if more time is left I can start another new shellcode.

Week 4 & Week 5 (June 13 - June 26)
Add the Download-and-execute-a-file shellcode - this requires the URLDownloadToFile function, which lives in Urlmon.dll. Urlmon.dll is not loaded into a process when it starts, so we first have to load the DLL into the process before URLDownloadToFile can be used. We can find the address of LoadLibrary dynamically using ctypes, load Urlmon.dll with it, and then call URLDownloadToFile. The DLL can be loaded something like this:

GetUrlmonLibrary:
call LoadUrlmon
db 'Urlmon.dllN' ; N is a placeholder; it is overwritten with a NUL byte below
LoadUrlmon:
pop ecx ; ecx = address of the 'Urlmon.dllN' string (pushed by the call)
xor edx, edx ; dl must be zero for the store below (the original relied on edx already being zero)
mov [ecx + 10], dl ; write the terminating NUL over the 'N' at offset 10
mov ebx, 0x7639a820 ; address of LoadLibraryA as obtained beforehand from ctypes; the string is ANSI, so it must go to the A variant, not LoadLibraryW
push ecx ; lpLibFileName
call ebx ; LoadLibraryA("Urlmon.dll")

Add shellcode for creating a user and adding the user to the admin group - we can use WinExec to run cmd.exe with the commands "net user USERNAME PASSWORD /ADD" and "net localgroup administrators USERNAME /ADD"; the other way is to use NetUserAdd and NetLocalGroupAddMembers from Netapi32.dll.
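Because the account-creation shellcode above goes through cmd.exe and net.exe, on the defensive side those same two commands are what shows up in process-creation telemetry. The following is an added example, not code from the original post or from OWASP-ZSC: a small detection rule run over constructed sample events. The `parent|image|command line` format is a simplification of what Sysmon Event ID 1 or an EDR records, and the account names and passwords in the sample are made up.

```python
# Constructed sample process-creation events: parent image | image | command line.
SAMPLE_EVENTS = [
    "explorer.exe|C:\\Windows\\System32\\cmd.exe|cmd.exe /c dir",
    "cmd.exe|C:\\Windows\\System32\\net.exe|net user newacct P@ssw0rd /ADD",
    "cmd.exe|C:\\Windows\\System32\\net.exe|net localgroup administrators newacct /add",
    "svchost.exe|C:\\Windows\\System32\\net.exe|net use Z: \\\\fileserver\\share",
    # net.exe hands 'user' commands to net1.exe, so the child is worth matching too
    "net.exe|C:\\Windows\\System32\\net1.exe|net1 user svc_temp Summer2016 /add",
    "cmd.exe|C:\\Windows\\System32\\net.exe|net user newacct",   # query only, no /add
]

NET_IMAGES = {"net", "net.exe", "net1", "net1.exe"}


def parse_event(line):
    """Split one sample event into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return (category, account) when a net.exe command line creates a local
    user or adds one to Administrators, otherwise None."""
    tokens = cmdline.split()
    if len(tokens) < 3 or tokens[0].lower() not in NET_IMAGES:
        return None
    verb = tokens[1].lower()
    # net.exe switches are case-insensitive, so compare them lowercased
    switches = {t.lower() for t in tokens[2:]}
    if "/add" not in switches:
        return None
    if verb == "user":
        return ("local_user_created", tokens[2])
    if verb == "localgroup" and len(tokens) >= 4 and tokens[2].lower() == "administrators":
        return ("added_to_administrators", tokens[3])
    return None


def scan(events):
    """Run the rule over an iterable of event lines; return a list of
    (line number, category, account, parent image) findings."""
    findings = []
    for lineno, line in enumerate(events, 1):
        if not line.strip():
            continue
        ev = parse_event(line)
        hit = classify(ev["cmdline"])
        if hit:
            findings.append((lineno, hit[0], hit[1], ev["parent"]))
    return findings


if __name__ == "__main__":
    for lineno, category, account, parent in scan(SAMPLE_EVENTS):
        print("event %d: %s account=%s parent=%s" % (lineno, category, account, parent))
```

The parent image is kept in each finding because a user creation spawned by cmd.exe from an unexpected parent is a much stronger signal than the same command run from an administrator's console; the Netapi32 variant the paragraph mentions never touches net.exe, so a command-line rule alone does not cover it and needs account-management audit events alongside.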


This schedule runs until the mid-term, and after that I will spend one more week adding one or two of the shellcodes from the proposal. I will post the timeline for the code obfuscation modules part during the project when I have time in between.


Thanks for reading this long post, have a good day :)
