DLL Injection (and more!) via Application Shimming (Persistence & Defence Evasion)

Captions
Hi there, I'm Andy, and in this video we'll be exploring how to attack, detect and defend against application shimming: the abuse of powerful features intended to help support backwards compatibility for software. Microsoft does a good job at maintaining compatibility across different versions of Windows, enabling software written decades ago to still run on modern machines. This isn't always easy, though, as Windows API calls sometimes need to change to support new features or fix security flaws, not to mention that some developers use dirty hacks to get their code to work, which might not function the same way across subsequent versions of Windows. These potential incompatibilities are addressed in Windows through application compatibility fixes, which involve intercepting certain API calls to emulate older OS behaviour or simply lying to an app about certain aspects of the system. In its simplest form this involves setting the compatibility mode for an app, which applies a whole suite of individual fixes to more closely replicate the behaviour of a previous version of Windows. Where a more bespoke configuration is required, complex combinations of fixes can be defined on a per-app basis. Windows comes pre-packaged with a huge database of fixes for thousands of apps, which can be viewed using the freely available Application Compatibility Administrator tool. The same tool can also be used to develop custom fixes for privately developed apps and store them in a custom SDB file, which can then be shared and installed on a system via the sdbinst tool.

There's a lot of power hidden under the hood of the application compatibility layer, with a number of the individual application fixes left open to abuse by an attacker. Consider the example of an attacker who wishes to establish a means of persistence on their target's device. Some preparation is first required to build a malicious SDB using the Application Compatibility Administrator. Here our attacker believes their victim often uses PuTTY, so has selected that as the target app. Next the InjectDll fix is applied, setting the parameters to the path of an attacker-crafted DLL to inject. The tool then confirms the exact properties which will be used to determine whether to apply this fix or not. It would default to a very specific set of criteria automatically extracted from the EXE selected earlier, but our attacker wants this hack to work even if the victim upgrades their version of PuTTY, so unticks all apart from the executable name. This fix can then be saved as an SDB file. Over on their victim's machine, the attacker must place their DLL in the path specified earlier and then run sdbinst to install the application fix onto the system. Now, any time PuTTY is launched on the target system, the shim is applied and the evil DLL is injected into the process. In this case the attacker's DLL simply launches a reverse shell back to a machine under their control, leaving the victim none the wiser that anything is wrong.

The possibilities are endless for DLL injection. For example, consider PuttyRider by Adrian Furtuna, which is specifically designed to hook into the relevant parts of PuTTY and allow an attacker to spy on the session. This same technique can also act as a method of environmental keying, a topic which I discussed in a previous video, which allows malware to alter its operation depending on the machine it's being run on. Sean Pierce included a great example of this in his DEF CON talk, whereby a malicious app's code is exclusive-ORed with a secret key, meaning it doesn't function when run on most systems; however, when an application shim is applied on a specific target's machine, a specially crafted DLL is injected which applies the secret key to decode and run the payload. And it's not just the InjectDll fix that can be abused; many others can enable all sorts of mischief by attackers. CorrectFilePaths can trick an application into using a different location for storing its config data, for example causing a web browser to store its cookie database in a location that an attacker can easily access. TerminateExe immediately terminates the process, handy to prevent security tools from running. And the Disable Defender fix does exactly what it says on the tin and excludes the process from the watchful eye of Defender antivirus. Check out the links in the video description for further details on each of these, and a paper which explores many other nefarious application shimming shenanigans in a lot more detail.

Detecting the presence of an application shim can be fairly trivial, as the sdbinst tool creates an entry in the Add/Remove Programs list, allowing it to be removed, although an attacker is of course likely to use a name which tries to blend in with the target system better than the example here. An attacker may alternatively avoid the use of sdbinst altogether and manually replicate the steps to install their application shim, simply copying the SDB file to the relevant Windows subfolder and then adding a few registry entries. This leaves no trace in the Add/Remove Programs list, although it is still easy for defenders to detect by checking the contents of the relevant folder and registry keys. This can be simplified through the use of the ShimGuard Lite script written by Sean Pierce. The output is a little cryptic, but it clearly identifies the custom SDB files active on the system. Full details about what a shim does can be determined by taking a copy of the SDB file and opening it up in the Application Compatibility Administrator tool; alternatively, install the tool locally on the affected machine and expand out the Installed Databases item. Here we can see that the target is PuTTY and that a DLL is being injected. It's also possible to uninstall a shim via this tool, even if it doesn't have an entry in the Add/Remove Programs list. A degree of proactive monitoring could be established by configuring registry and/or file auditing on the relevant locations. ShimGuard Lite actually performs this monitoring too, although the alerts it generates are just printed to a console, so it's only really useful as a proof of concept at this stage. A more manageable solution is Windows' built-in registry auditing; I've covered this in a previous video, so go check it out there if you want to know more. It's worth noting, however, that a skilled attacker might identify file and registry monitoring and disable them before installing their shim.

As with any abuse of genuine system features, eliminating this threat altogether is very challenging. The observant amongst you will have noticed that installing application shims requires administrative privileges on the local machine, so, as always, avoid granting such privileges wherever possible, and, like all hard-to-prevent attacks, double down on detection and response controls so that any potential compromises are promptly identified, investigated and remediated. The file and registry monitoring mentioned in the previous section could be extended to take immediate action to remove any newly created shims; this was clearly part of the plan for the development of ShimGuard Lite, but unfortunately it looks like the feature was never implemented.

But that about wraps up this video. If you found it useful, please do give it a like and consider subscribing if you want more of this sort of content. Drop a note in the comments if there's anything you think I've missed around attacking, detecting and defending against application shimming, or if you have a good idea of what topic I should cover next. I'll see you next time.
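The manual check described in the detection section (look in the custom shim folder and the AppCompatFlags registry keys, then compare against Add/Remove Programs) as an added example; this is not code from the video or from ShimGuard Lite. It assumes the standard Windows locations: %SystemRoot%\AppPatch\Custom for the SDB files, the InstalledSDB and Custom subkeys under HKLM\...\AppCompatFlags, and the Uninstall key that sdbinst writes to.

```powershell
# Added example, not from the video or ShimGuard Lite: hunts for custom shim databases
# in the places sdbinst.exe (or a manual install) writes to, then flags any that lack
# an Add/Remove Programs entry, which is what a hand-installed shim looks like.
# Locations are the standard Windows ones; verify them on your own build.
$flags     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# InstalledSDB: one subkey per installed database, named by the database GUID.
$installed = Get-ChildItem "$flags\InstalledSDB" -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath
    [pscustomobject]@{
        Guid        = $_.PSChildName
        Description = $p.DatabaseDescription
        Path        = $p.DatabasePath
        # sdbinst registers an uninstall entry named "<GUID>.sdb"; a manual install does not.
        InARP       = Test-Path "$uninstall\$($_.PSChildName).sdb"
    }
}

# Custom: one subkey per shimmed executable; the value names are "<GUID>.sdb".
$targets = Get-ChildItem "$flags\Custom" -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.PSChildName
    (Get-ItemProperty -Path $_.PSPath).PSObject.Properties |
        Where-Object { $_.Name -like '{*}.sdb' } |
        ForEach-Object { [pscustomobject]@{ Target = $exe; Guid = $_.Name -replace '\.sdb$', '' } }
}

# Files on disk: everything under AppPatch\Custom is third party, never Microsoft's own.
$onDisk = Get-ChildItem "$env:SystemRoot\AppPatch\Custom" -Recurse -Filter *.sdb -ErrorAction SilentlyContinue

'== Installed custom SDBs =='
$installed | Format-Table Guid, Description, InARP, Path -AutoSize
'== Executables with a custom shim applied =='
$targets | Format-Table Target, Guid -AutoSize

# Databases on disk but not registered (or registered but missing) are worth a closer look.
$regGuids = @($installed | ForEach-Object Guid)
$onDisk | Where-Object { $regGuids -notcontains $_.BaseName } |
    ForEach-Object { "WARNING: unregistered database on disk: $($_.FullName)" }
foreach ($db in $installed) {
    if (-not (Test-Path $db.Path)) { "WARNING: $($db.Guid) registered but file missing: $($db.Path)" }
    if (-not $db.InARP) {
        $hit = @($targets | Where-Object { $_.Guid -eq $db.Guid } | ForEach-Object Target) -join ', '
        "WARNING: $($db.Guid) ($($db.Description)) shims [$hit] but has no Add/Remove Programs entry"
    }
}
```

Run it from an elevated PowerShell prompt; a flagged database can then be copied off and opened in the Application Compatibility Administrator to see which fixes it applies, as the video shows.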
Info
Channel: Attack Detect Defend
Views: 4,763
Id: RQuwJUIiSEA
Length: 8min 37sec (517 seconds)
Published: Tue Apr 13 2021