DLL Injection Methods - Test Apps (Discussion)

Discussion in 'other software & services' started by WildByDesign, Feb 5, 2018.

  1. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    So how exactly did you do that?
     
  2. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,342
    Location:
    Italy
    The Set command will always overwrite the existing set of rules while the Add command adds to it without overwriting existing rules.

    In my case I have to set 5 ASR rules.
    One Set command + 4 Add command.

    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
    Add-MpPreference -AttackSurfaceReductionRules_Ids <rule ID> -AttackSurfaceReductionRules_Actions Enabled
    ...................

    You can also use the Set command with multiple ruleID.

    Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID>, <rule ID 2>, <rule ID 3> -AttackSurfaceReductionRules_Actions Enabled
     
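    The Set-versus-Add behaviour described in this post, as an added example that is not from the post or from Microsoft's own documentation: it applies the whole rule set with one Set-MpPreference call, adds a further rule with Add-MpPreference, and then reads the configuration back with Get-MpPreference so the result can be verified rather than assumed. The rule GUIDs are placeholders, the action-code mapping follows the documented enum, and an elevated shell with Microsoft Defender Antivirus active is assumed.

```powershell
# Added example, not from the post: apply a fixed ASR rule set and verify what Defender
# actually holds afterwards. Assumes Windows 10 with Microsoft Defender Antivirus active,
# an elevated PowerShell, and the Defender module (Set-/Add-/Get-MpPreference).
# The GUIDs are placeholders; replace them with the documented rule IDs you intend to use.

$desiredRules = @(
    '00000000-0000-0000-0000-00000000000a',   # placeholder rule ID 1
    '00000000-0000-0000-0000-00000000000b',   # placeholder rule ID 2
    '00000000-0000-0000-0000-00000000000c',   # placeholder rule ID 3
    '00000000-0000-0000-0000-00000000000d',   # placeholder rule ID 4
    '00000000-0000-0000-0000-00000000000e'    # placeholder rule ID 5
)

# Action codes as returned by Get-MpPreference (documented ASR action enum).
$actionNames = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Rule IDs and actions come back as two parallel arrays; pair them up.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $code = [int]$actions[$i]
        [pscustomobject]@{
            RuleId = $ids[$i]
            Action = $(if ($actionNames.ContainsKey($code)) { $actionNames[$code] } else { "Unknown($code)" })
        }
    }
}

# Set replaces the entire list, so one Set call with every ID (and an action per ID)
# establishes the full set in a single step instead of one Set plus four Adds.
Set-MpPreference -AttackSurfaceReductionRules_Ids $desiredRules `
                 -AttackSurfaceReductionRules_Actions @($desiredRules | ForEach-Object { 'Enabled' })

# A rule added later must go through Add; a Set here would leave only that one rule.
$extraRule = '00000000-0000-0000-0000-00000000000f'   # placeholder rule ID 6
Add-MpPreference -AttackSurfaceReductionRules_Ids $extraRule -AttackSurfaceReductionRules_Actions AuditMode

# Verify: every desired rule present and Enabled; report anything missing or in another mode.
$state   = Get-AsrRuleState
$missing = $desiredRules | Where-Object { $_ -notin $state.RuleId }
$notOn   = $state | Where-Object { $_.RuleId -in $desiredRules -and $_.Action -ne 'Enabled' }
$state | Format-Table -AutoSize
if ($missing) { Write-Warning "Missing ASR rules: $($missing -join ', ')" }
if ($notOn)   { Write-Warning "Rules not in Enabled mode: $($notOn.RuleId -join ', ')" }
if (-not $missing -and -not $notOn) { Write-Host 'All desired ASR rules are present and enabled.' }
```

    The read-back step is the part worth keeping: a Set issued by another script or a later Group Policy refresh silently replaces the list, and only Get-MpPreference shows what is really in force.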
  3. shmu26

    shmu26 Registered Member

    Joined:
    Jul 9, 2015
    Posts:
    1,549
    Got it, thanks!
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Did you check it out, how did ESET react? But now all of a sudden I passed the test, I believe it does try to read lsass.exe process memory, and conhost.exe is somehow also involved. However, I tested it via Sandboxie, so that's why it can probably not interact with lsass.exe. Not sure why it failed the test on first try.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    If my assumption that StackHacker is creating a test PPL process is correct, of course Eset HIPS won't detect it. The only way it would is if I created a specific HIPS rule for the test process as I have for lsass.exe. Again, another example of NextGen "smoke and mirrors" FUD.
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Eset HIPS does not prevent read memory access; only modification, debugging, and event interception. I also suspect that Barley is dumping Lsass.exe memory and not directly reading it.
     
  7. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I don't believe this test is that advanced, like I said it fails when running sandboxed. And Eset's HIPS seems a bit weird to me, HIPS should auto alert about certain stuff without you having to make rules. Will it also stay quiet when some app tries to perform code injection into the browser for example?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    It does for selective activity. There are pre-coded rules built into it. Problem is no one really knows for sure what they are. The rules are loaded into a .bin file and only decipherable by Eset techs.
     
  9. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    I came across an interesting DLL injector yesterday but haven't had time to compile it yet since I don't have my build environment set up in 1809 yet.

    Anyway, it's somewhat of a surprise injector which is part of a demo set from a presentation done recently (or possibly upcoming) from James Forshaw (Google's Project Zero and Chrome sandbox wizard). Although I haven't compiled it yet nor tested it, the description is super interesting to me:
    Link: https://github.com/tyranid/WindowsRuntimeSecurityDemos


    Therefore, somehow, this DLL injector from James is bypassing the mitigation options for Edge and other Store app elevated signature levels. This is quite interesting and I am hoping to set up my build environment tonight if I have time.
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    KnownDlls contains system .dlls common to every program.

    The KnownDlls are loaded at boot time from a protected registry area containing system .dll references to a corresponding table in the global root area. Thereafter when a program loads, it loads the dlls listed in KnownDlls into the program.

    I suspect the bypass is for Windows 10 Code Integrity Guard which is used by Edge and other Microsoft based Store apps. CIG only allows Microsoft code signed dlls to load into a program. I "bet my booties" that Windows does not deploy the CIG mitigation on .dlls referenced in the knowndlls table under the assumption that they are all "safe" system dlls.

    Previous Google exploits in this area are:

    https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
    https://googleprojectzero.blogspot.com/2018/08/windows-exploitation-tricks-exploiting.html

    There have also been other past bypasses pertaining to knowndlls.
     
    Last edited: Nov 19, 2018
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I believe most HIPS monitor the KnownDlls registry key, nothing new. And why on earth don't they compile these apps?
     
  12. WildByDesign

    WildByDesign Registered Member

    Joined:
    Sep 24, 2013
    Posts:
    2,587
    Location:
    Toronto, Canada
    @itman Thank you for all of those details and especially the previous exploit links. It was quite interesting and I eventually got a chance to compile his DLL injector. It was a bit "bare bones", but then again the whole thing is simply for a talk that he was giving. So I suppose it's nothing that he would continue to develop or support or anything. However, after some messing around, it did do exactly as intended. It was successful when injecting into most Store signed apps but it was too finicky to bother spending much time with.

    @Rasheed187 Correct, yeah likely all HIPS would be monitoring the KnownDlls registry key. To be honest, I'm not sure why this or other apps are quite often not compiled. But to be honest, it surprises me how much interesting stuff I find on Github (without compiled releases) that are true gems. This one did not end up being much of a gem in the end though.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    As far as monitoring the KnownDlls registry key, that is not the issue. Nor will it stop these types of attacks. That registry key has been locked down by the OS since later Win 7 days.
     
  14. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Why won't it stop these attacks, the DLL needs to be registered first, no?

    Yes, that's why I'm not impressed with GitHub, most of those apps are worthless.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    :(
    Here's an example: https://attack.mitre.org/techniques/T1038/

    Now Microsoft since Win Server 2012 has by default enabled Safe DLL search mode. However in their "infinite dis-wisdom" has published an article on how to disable it :eek:
    https://docs.microsoft.com/en-us/windows/desktop/Dlls/dynamic-link-library-search-order

    So unless your HIPS is monitoring for creation of the noted registry key and use of the noted API, you're "up the dll bypass river, without an oar."

    This leaves AppLocker as the only method to monitor/control dll use.
     
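    The two loader settings discussed in this and the earlier KnownDlls post, the SafeDllSearchMode value and the KnownDLLs registry key under Session Manager, are the things a defender can audit directly. The script below is an added example, not from the thread or from Microsoft: it reports whether safe search has been explicitly turned off, lists every KnownDLLs entry with its resolved path and Authenticode status, and diffs the entry list against a baseline file. The registry paths and value names are the documented ones; the baseline file location is a constructed placeholder, and an elevated shell on Windows 10 is assumed.

```powershell
# Added example, not from the thread: audit SafeDllSearchMode and the KnownDLLs key.
# Assumes an elevated PowerShell on Windows 10. Registry paths are the documented ones;
# the baseline file path below is a constructed placeholder for illustration.

$sessionMgr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$knownDlls  = Join-Path $sessionMgr 'KnownDLLs'

function Get-SafeDllSearchModeState {
    # The value is absent by default. Absent or 1 means safe search is on; 0 disables it,
    # which is exactly the change the linked article describes.
    $v = (Get-ItemProperty -Path $sessionMgr -Name SafeDllSearchMode -ErrorAction SilentlyContinue).SafeDllSearchMode
    if ($null -eq $v) { return 'Enabled (default, value not present)' }
    if ($v -eq 0)     { return 'DISABLED (value explicitly set to 0)' }
    return "Enabled (value = $v)"
}

function Get-KnownDllInventory {
    # Each value under KnownDLLs maps a name to a DLL file; DllDirectory* give the folder.
    $key    = Get-Item -Path $knownDlls
    $dllDir = $key.GetValue('DllDirectory')          # REG_EXPAND_SZ, expanded by GetValue
    if (-not $dllDir) { $dllDir = Join-Path $env:SystemRoot 'System32' }
    foreach ($name in $key.GetValueNames()) {
        if ($name -like 'DllDirectory*') { continue }
        $dll  = $key.GetValue($name)
        $file = Join-Path $dllDir $dll
        $sig  = if (Test-Path $file) { (Get-AuthenticodeSignature -FilePath $file).Status } else { 'MISSING' }
        [pscustomobject]@{ ValueName = $name; Dll = $dll; Path = $file; Signature = $sig }
    }
}

# Baseline: first run writes the entry list; later runs diff against it so an added,
# removed or renamed entry stands out even when the key itself is otherwise locked down.
$baselinePath = Join-Path $env:TEMP 'knowndlls-baseline.txt'   # placeholder location
$current = @(Get-KnownDllInventory)
if (-not (Test-Path $baselinePath)) {
    $current.Dll | Sort-Object | Set-Content -Path $baselinePath
    Write-Host "Baseline written to $baselinePath ($($current.Count) entries)"
} else {
    $baseline = Get-Content -Path $baselinePath
    $diff = Compare-Object -ReferenceObject $baseline -DifferenceObject ($current.Dll | Sort-Object)
    if ($diff) { Write-Warning 'KnownDLLs differs from baseline:'; $diff | Format-Table -AutoSize }
    else       { Write-Host 'KnownDLLs matches baseline.' }
}

Write-Host "SafeDllSearchMode: $(Get-SafeDllSearchModeState)"
# Anything not carrying a valid Microsoft signature in the KnownDLLs directory deserves a look.
$current | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

    Run it once on a known-good build to record the baseline, then on a schedule; the registry key is the only part of the KnownDlls mechanism visible from PowerShell without native calls, so the check covers the configuration, not the live object-manager directory.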
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I say resurrect Online Armor. I've seen nothing else that covers as much as OA except Comodo but I've always had lots of problems with Comodo. I've never had problems with OA.

    If I ever win the lottery I will hire coders to bring OA back from the dead if Emsisoft will depart with it for a reasonable price lol. In other words there is no hope since I doubt I will ever win the lottery :(

    Anyway I think Online Armor will catch all these .dll injection attacks very easily.
     
  17. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Probably not that simple. It's all the backend stuff at their end that would be tough
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands