OwOwning with the Windows API: Dijit (@secfurry)

This document discusses techniques for executing code on Windows systems using undocumented Windows API functions. It begins with an introduction to the author and an overview of the topics that will be covered, including parent process spoofing and shellcode injection. The overview explains why Golang was chosen and provides background on the Windows API. It then dives into the technique of parent process spoofing, describing how a process's parent relationship can normally be spoofed with some difficulty, but that there is a less detectable method that takes advantage of an undocumented Windows API function related to User Access Control. Code examples and demonstrations will be provided.


OwOwning with the Windows API
Dijit (@secfurry)

OwOwning with the Windows API | @secfurry 2020 | secfurry.com 1
$(whoami)
• I’m Dijit!
  • @secfurry
• Loves
  • Purple
  • Programming
  • Video Games
  • Hacking
• Offensive Security Engineer
  • Specializes in Windows security



OvOerview
OvOerview: What’s this about?
• Windows API Techniques
  • Parent Process Spoofing
  • Shellcode Injection
  • Using undocumented functions
• Methodologies
  • Code
  • Execution
  • Detection / Prevention
• Final Thoughts / Lessons Learned


OvOerview: Why?
• “Hack it Forward”
  • Expand the Windows API knowledge
  • Document “undocumented” or obscure functions
  • Introduce new methods to execute code
• Security Engineer / Red Teamer
  • Evade Detection
• Hunter / Blue Teamer
  • Examples of Red Team methodologies


OvOerview: What to Expect
• Golang!
• Learning!
  • Windows API details
  • Small snippets of Golang
• Code Examples / Source
  • Shortlink: dij.sh/owo
  • GitHub: github.com/secfurry/OwOwningTheWinAPI
• Demos
• Fun?


OvOerview: Why use Golang?
• Simple
  • Easy to read and learn
  • Nicely formatted code
  • Defined style guidelines
• Write once, compile everywhere!
• No dependencies needed!
  • Native Syscall/WinAPI
  • Go standard libraries are written in Go!
• Adorable mascot!

[1] Renee French, @tenntenn


OvOerview: What is the WinAPI?
• Huge collection of common “utility” functions
  • Called by many higher-level languages
  • Used for interacting with the Operating System
• Powerful
  • Multiple low-level functions
    • Memory management and allocation
    • Privilege and permission management
• Contains “hidden” and “undocumented” functions!
  • May be prefixed with “Nt”, “Kw” or “Zw”
  • Low-level or Kernel functions [1]


OvOerview: Using the WinAPI with Go
• 3 Step process
  • Load DLL
  • Get function address from DLL
  • Execute!
• Go provides the “windows” package
  • Contains helper functions
  • “Go-ified” struct companions
• Can use local pointers through the “unsafe” package


OvOerview: Using the WinAPI with Go (cont.)
(code screenshot)


Parent Process Spoofing
Parent Process Spoofing: Background
• Standard processes have a parent – child relationship
  • Tracked internally by the OS
  • Requires external tools or PowerShell to view
  • Child processes inherit parent access rights and privileges
• Process relationships can be used for monitoring
  • “Natural” execution
  • Heuristic detection
  • Analytics


Parent Process Spoofing: Background (cont.)
• Spoofing process relationships is difficult
  • Most methods are easily detectable
    • Require modification after execution
• PEB (Process Environment Block) writing [2]
  • Requires process suspension
  • Can be seen with EDR tools
  • Process is NOT started with spoofed values
• Better (non-PEB) method
  • Not as difficult
  • Less detectable (if at all)


Parent Process Spoofing: How?
• Using a documented function parameter
  • Not widely understood
  • Contains many “gotcha” issues
• Introduced with Windows Vista
  • Implemented for User Account Control (UAC)
    • Respects process relationships
    • Enforces privilege separation


Parent Process Spoofing: How? (cont.)
1. Launch Executable (installer.exe)
2. Requires Admin Rights, UAC Prompt Started (consent.exe)
3. UAC Passed. UAC (consent.exe) Launches Executable
4. Executable Launched with Admin Rights (installer.exe)

Process Tree (Without Spoofing):
  explorer.exe
    installer.exe
    consent.exe
    installer.exe


Parent Process Spoofing: In-Depth
• Using a separate startup struct
  • STARTUPINFOEX [3]
  • Initialized using the following WinAPI functions
    • InitializeProcThreadAttributeList
    • UpdateProcThreadAttribute
  • Updated with a Handle to the target process
• Pass this struct to “CreateProcess”

    typedef struct _STARTUPINFOEXA {
      STARTUPINFOA StartupInfo;
      LPPROC_THREAD_ATTRIBUTE_LIST lpAttributeList;
    } STARTUPINFOEXA, *LPSTARTUPINFOEXA;

lpAttributeList is an “opaque structure”


Parent Process Spoofing: Flow
1. Launch Executable (malware.exe, targeting target.exe)
2. Obtain Handle to Target Process (OpenProcess)
3. Create New STARTUPINFOEX Struct
4. Call Function InitializeProcThreadAttributeList
5. Update the AttributeList with a Pointer to the Target Process Handle using UpdateProcThreadAttribute
6. Use the STARTUPINFOEX struct in the CreateProcess Function with the EXTENDED_STARTUPINFO_PRESENT Flag
7. New Process Created! (cmd.exe, Child Of target.exe)

Process Tree:
  explorer.exe
    malware.exe
    target.exe
      cmd.exe
Parent Process Spoofing: Code
(code screenshots, slides 28-32)


DEMO: Parent Process Spoofing Execution
Elevated Parent Process Spoofing
Let’s go deeper (UwU)
Parent Process Spoofing: Elevated
• Processes created while spoofed gain “parent” privileges
  • Integrity level
  • Privilege flags
• Only works on processes you “own”
  • Executed by the same user
  • Cannot have a higher Integrity Level
  • Cannot be anything that runs under SYSTEM
    • UAC elevated processes cannot touch SYSTEM processes
    • With one exception!


Parent Process Spoofing: Elevated (cont.)
• Using the “SeDebugPrivilege” flag can allow more access
  • Even open SYSTEM processes!
  • This flag requires Admin / Elevated rights
• New spoofed processes can run as SYSTEM!
  • When run under a SYSTEM process
• Uses 3 WinAPI functions
  • OpenProcessToken
  • LookupPrivilegeValue
  • AdjustTokenPrivileges
  • Well documented


Parent Process Spoofing: Elevated Flow
1. Launch Executable (malware.exe, targeting winlogon.exe)
  1A. Open Handle to Self Using OpenProcessToken
  1B. Lookup SID for SeDebugPrivilege using LookupPrivilegeValue
  1C. Assign the New Privilege using AdjustTokenPrivileges
2. Obtain Handle to Target Process (OpenProcess)
3. Create New STARTUPINFOEX Struct
4. Call Function InitializeProcThreadAttributeList
5. Update the AttributeList with a Pointer to the Target Process Handle using UpdateProcThreadAttribute
6. Use the STARTUPINFOEX struct in the CreateProcess Function with the EXTENDED_STARTUPINFO_PRESENT Flag
7. New Process Created! (cmd.exe, Child Of winlogon.exe, User: NT AUTHORITY\SYSTEM)

Process Tree:
  explorer.exe
    malware.exe
  winlogon.exe
    cmd.exe
Parent Process Spoofing: Elevated Code
(code screenshots, slides 41-44)


DEMO: Parent Process Spoofing Elevated Access Execution
Parent Process Spoofing: Detection
• Not much…
  • Not considered “malicious”
    • By design
    • Generates false positives
• Potential detection through parsing ETW events [4]
• Security tools report the spoofed relationship
  • Running “cmd.exe” under “Skype.exe”

What Splunk/Sysmon Sees:
    Image : "C:\\Windows\\System32\\cmd.exe",
    ParentImage: "C:\\Program Files\\WindowsApps\\Microsoft.SkypeApp_15.61.100.0_x86__kzf8qxf38zg5c\\Skype\\Skype.exe"

[2] @SmolSammichOwO
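The ETW-based detection the slide points at in [4] rests on one observation: the parent PID recorded for the new process (which is what Sysmon Event ID 1 shows as ParentProcessId / ParentImage) can be chosen by the caller, but the PID of the process that actually issued the create call, visible in the ETW event header of the kernel process provider, cannot. Comparing the two exposes the spoof. The Go program below is an added example, not code from the talk or its GitHub repo: it runs two checks over constructed process-start records (the struct and its field names are this example's own, not the Sysmon or ETW schema), the creator/parent PID mismatch, and the slide's own cmd.exe-under-Skype.exe case, flagged because a packaged app under \WindowsApps\ should not normally be spawning shells.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// ProcessStart is a constructed, simplified process-creation record. It merges
// what Sysmon Event ID 1 reports (Image, ParentImage, ParentProcessId) with the
// PID of the process that actually issued the create call, which the ETW
// Microsoft-Windows-Kernel-Process provider carries in the event header.
// Field names are this example's own, not the providers' schema.
type ProcessStart struct {
	ProcessId        int
	Image            string
	ParentProcessId  int // parent as recorded for the new process (spoofable via STARTUPINFOEX)
	ParentImage      string
	CreatorProcessId int // process that called CreateProcess; 0 if not available
}

// Finding is one alert produced by Analyze.
type Finding struct {
	ProcessId int
	Reason    string
}

// shells lists child images for which an unusual parent is worth alerting on.
var shells = map[string]bool{"cmd.exe": true, "powershell.exe": true}

// baseName lower-cases the file name of a Windows path, regardless of host OS.
func baseName(p string) string {
	return strings.ToLower(path.Base(strings.ReplaceAll(p, `\`, "/")))
}

// Analyze applies two checks to each record:
//  1. the recorded parent PID differs from the PID that made the create call,
//     the direct symptom of PPID spoofing described in [4];
//  2. a shell is spawned by an executable under \WindowsApps\, i.e. a packaged
//     (AppContainer) app that should normally not be launching shells at all.
func Analyze(events []ProcessStart) []Finding {
	var out []Finding
	for _, e := range events {
		if e.CreatorProcessId != 0 && e.CreatorProcessId != e.ParentProcessId {
			out = append(out, Finding{e.ProcessId, fmt.Sprintf(
				"parent PID %d differs from creator PID %d: possible PPID spoofing",
				e.ParentProcessId, e.CreatorProcessId)})
		}
		if shells[baseName(e.Image)] && strings.Contains(strings.ToLower(e.ParentImage), `\windowsapps\`) {
			out = append(out, Finding{e.ProcessId,
				"shell spawned by packaged app " + baseName(e.ParentImage)})
		}
	}
	return out
}

// SampleEvents returns constructed records (not real telemetry). The second one
// mirrors the slide's cmd.exe-under-Skype.exe case, with hypothetical PIDs
// where the creator does not match the recorded parent.
func SampleEvents() []ProcessStart {
	skype := `C:\Program Files\WindowsApps\Microsoft.SkypeApp_15.61.100.0_x86__kzf8qxf38zg5c\Skype\Skype.exe`
	return []ProcessStart{
		{ProcessId: 4100, Image: `C:\Windows\System32\cmd.exe`, ParentProcessId: 3200,
			ParentImage: `C:\Windows\explorer.exe`, CreatorProcessId: 3200},
		{ProcessId: 5120, Image: `C:\Windows\System32\cmd.exe`, ParentProcessId: 2480,
			ParentImage: skype, CreatorProcessId: 6004},
		{ProcessId: 5300, Image: `C:\Windows\System32\notepad.exe`, ParentProcessId: 3200,
			ParentImage: `C:\Windows\explorer.exe`, CreatorProcessId: 3200},
	}
}

func main() {
	for _, f := range Analyze(SampleEvents()) {
		fmt.Printf("PID %d: %s\n", f.ProcessId, f.Reason)
	}
}
```

Only the Skype record produces findings (one for each check); the explorer.exe-spawned cmd.exe and notepad.exe pass. The first check is the one that actually catches the STARTUPINFOEX technique, since the spoofed parent looks perfectly normal on its own; the second is a cheap heuristic that only fires when the chosen parent is itself implausible, which is exactly why the slide calls detection "slim".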


Parent Process Spoofing: Prevention?
• Process flag to prevent spawning children
  • PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY [5]
  • Used with UpdateProcThreadAttribute
  • Enables/Disables child process creation
    • Enable – PROCESS_CREATION_CHILD_PROCESS_RESTRICTED (0x01)
    • Disable – PROCESS_CREATION_CHILD_PROCESS_OVERRIDE (0x02)
• Only works when combined with sandboxed processes
  • AppContainers


Code Injection
Code Injection: What and Why?
• Creating a separate thread in a process
  • Can be local or remote
• Allows for attributing execution
  • “File-less” or memory only
  • Harder to detect “malicious” code
• Methods are easily detectable (mostly)
• Can be used to “hot-patch” executables
  • Overwrite real-time virtual memory


Code Injection: How?
• Allocate – NtAllocateVirtualMemory
  • Segment a section of memory for writing
  • Change permissions to allow execution
• Write – NtWriteVirtualMemory
  • Copy data into the allocated space
• Execute – NtCreateThreadEx
  • Run it!


Code Injection: Flow
1. Launch Executable (malware.exe, targeting target.exe)
2. Obtain Handle to Target Process (OpenProcess)
3. Allocate a section of memory for writing with NtAllocateVirtualMemory
4. Write the payload to the new allocated space using NtWriteVirtualMemory
5. Trigger execution of the payload using NtCreateThreadEx

Target.exe Memory Map (as the steps progress):
  Random Data for Execution
  Allocated Memory :D (empty) → (full of fun stuff) → Executed Payload


Code Injection: Code
(code screenshots, slides 57-61)


DEMO: Code Injection Execution

DEMO: Code Injection Elevated Execution
Code Injection: Detection
• Detection rate decreases with less common functions
  • WinAPI function usage
    • CreateRemoteThread is common
    • NtCreateThreadEx is less common
• Detected with
  • Antivirus
  • Endpoint Detection and Response (EDRs)
    • Popular EDRs for detection
      • Carbon Black
      • HX

[3] @poofsuits
Final Thoughts
Final Thoughts: Parent Process Spoofing
• Excellent way to attribute execution
• Prevention is hard
  • Push for using more application containment?
• Detection is slim
  • Not many setups include it (or look for it)
• Drawbacks
  • Must have filesystem write access
  • Executables must be on-disk


Final Thoughts: Parent Process Spoofing (cont.)
• Implementation is difficult
  • Many “gotcha” sections
    • Internal Windows weirdness
      • InitializeProcThreadAttributeList returns an error on success
        • MS: “tHiS iS eXpEcTeD bEhAvIoR”
      • “CREATE_NEW_CONSOLE” when supplying the console!
• Great way to learn the Windows API
• Interesting Golang weirdness
  • Struct memory allocation


Final Thoughts: Code Injection
• Offensive
  • Great for deployment
  • Mask execution
• Defense
  • More detectable
    • Signatures can detect shellcode
  • Built in prevention methods
    • Core Isolation
      • Memory Integrity
• Drawbacks
  • Race for detection
  • Shellcode must be obfuscated


References and Links
• 1: docs.microsoft.com/en-us/windows-hardware/drivers/kernel/what-does-the-zw-prefix-mean-
• 2: blog.xpnsec.com/how-to-argue-like-cobalt-strike/
• 3: docs.microsoft.com/en-us/windows/win32/api/winbase/ns-winbase-startupinfoexa
• 4: blog.f-secure.com/detecting-parent-pid-spoofing/
• 5: docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-updateprocthreadattribute#remarks
• Another writeup: blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
• Full references list will be in the GitHub repo
• Code Examples
  • Shortlink: dij.sh/owo
  • GitHub: github.com/secfurry/OwOwningTheWinAPI


Artist Credits
• 1: Renee French and @tenntenn
  • Renee French (reneefrench.blogspot.com)
  • @tenntenn (twitter.com/tenntenn)
• 2: @SmolSammichOwO (twitter.com/SmolSammichOwO)
• 3: @Poofsuits (twitter.com/poofsuits)
• 4: @PrinceMaiArt (twitter.com/princemaiart)


@secfurry
secfurry.com

Questions?

[4] @PrinceMaiArt