Good morning,
this is my first tutorial and I hope it will serve its purpose. This is a practical one because, while it's really nice to read about all that Calc and Notepad spawning (of course these articles have a really great educational value; it's not my intention to belittle the content or the writers), I think it's not so useful in "everyday" work. Please forgive me if saying that has offended someone; again, it's not my intention, but I think that in Infosec in general there is a lack of real examples, even though the PoC is fundamental to understanding the matter. Anyway, let's get our hands dirty.
Last week a client of mine, during a PT, wanted to test the efficiency of his AV (Kaspersky AV 8.0 for Windows Server EE SP2) by just running an evil exe on his application server (Windows Server 2012 64-bit). I thought, oh that's really great, so this time no SE stuff, no need to fool the secretary into injecting my evil exe. Great, an easy job finally. We had already developed a C# bind shell that was very useful on a previous job; I could give it a try. This time no luck: the local Windows firewall (I did not expect that) blocked the TCP port. No panic, I already knew about this great ICMP reverse shell developed by Nico Leidecker. On GitHub there is an exe already packed. I know that is not really the "hacker way", but I lost that way a long time ago, so I decided to try it as it is. Checking the exe with pscan I got 3 detections out of 35. For Kaspersky and Avira (my personal AV) it was clean. Anyway, when I executed the exe on my Windows box, Avira immediately detected the process and moved the exe to quarantine. Kaspersky did the same, of course. So I downloaded the C source code to apply some code obfuscation (this was actually my original idea for writing a tutorial on this topic) and to recompile it using Visual Studio 2015.
I made some basic modifications to fit my needs; essentially I removed the argument passed to main and hard-coded the attacker IP, then I changed some calls and added some instructions to avoid compilation errors in VS. Then I compiled it and executed it on my machine. Avira remained quiet. I tried on a lab machine with Kaspersky installed and it wasn't detected. Submitting the file to pscan I got 0 detections (checked again right now):
So I guess that the Visual C++ compiler did a great job of obfuscating the executable. I tried to compare the assembly code of the original exe with the one generated by VS by attaching to the process in Immunity Debugger, but truth be told I was not able to understand the flow; in particular, searching for the intermodular calls gives only repeated CALL ntdll.RtlAllocateMemoryBlockLookaside. So I think the exe has been compressed in some way. If someone can help me with that it will be very much appreciated. Indeed, here you can read the disassembled section of the CreateProcess call for the cmd command of the exe generated with Visual C++:
if (!CreateProcess(NULL, cmd, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, (LPSTARTUPINFO)&si, pi)) {
00372494 mov esi,esp
00372496 mov eax,dword ptr [pi]
00372499 push eax
0037249A lea ecx,[si]
0037249D push ecx
0037249E push 0
003724A0 push 0
003724A2 push 8000000h
003724A7 push 1
003724A9 push 0
003724AB push 0
003724AD lea edx,[cmd]
003724B3 push edx
003724B4 push 0
003724B6 call dword ptr [__imp__CreateProcessW@40 (037B024h)]
003724BC cmp esi,esp
003724BE call __RTC_CheckEsp (0371136h)
003724C3 test eax,eax
003724C5 jne spawn_shell+1AEh (03724CEh)
return STATUS_PROCESS_NOT_CREATED;
…
Just for fun you can see how the stack is loaded with the call arguments in reverse, e.g. eax points to pi, and 8000000h is the CREATE_NO_WINDOW value. This is a common call sequence for the cmd process, so it should be easily detected by AV in my opinion, so in the end I don't know how it can work.
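The reverse argument order above is just the x86 __stdcall convention: parameters are pushed right to left, so the last push before the call is the first parameter, and the "@40" suffix on the decorated import name gives the total argument size in bytes (40 / 4 = ten dword parameters). The mov esi,esp / cmp esi,esp / call __RTC_CheckEsp pair around the call is the MSVC /RTC stack-pointer check, which only exists in Debug builds. The following script is an added example (not code from the original post or from the icmpsh project) that parses the listing shown above, resolves the registers back to what the preceding lea/mov loaded into them, pairs each push with the corresponding CreateProcessW parameter, and decodes the dwCreationFlags immediate. The parameter names and flag values come from the Win32 API headers; the parsing regexes are simple assumptions that fit the Visual Studio disassembly format shown in the post.

```python
"""Map the pushes of an x86 __stdcall call site (the CreateProcessW call
from the post) back to named parameters.  Added example, not the post's code."""
import re

# Parameter names of CreateProcessW in declaration order (Win32 API).
CREATEPROCESSW_PARAMS = [
    "lpApplicationName", "lpCommandLine", "lpProcessAttributes",
    "lpThreadAttributes", "bInheritHandles", "dwCreationFlags",
    "lpEnvironment", "lpCurrentDirectory", "lpStartupInfo",
    "lpProcessInformation",
]

# Subset of process-creation flag values from the Win32 headers.
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000008: "DETACHED_PROCESS",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000200: "CREATE_NEW_PROCESS_GROUP",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x08000000: "CREATE_NO_WINDOW",
}

# The listing from the post, trimmed to the argument setup and the call.
LISTING = """\
00372494 mov esi,esp
00372496 mov eax,dword ptr [pi]
00372499 push eax
0037249A lea ecx,[si]
0037249D push ecx
0037249E push 0
003724A0 push 0
003724A2 push 8000000h
003724A7 push 1
003724A9 push 0
003724AB push 0
003724AD lea edx,[cmd]
003724B3 push edx
003724B4 push 0
003724B6 call dword ptr [__imp__CreateProcessW@40 (037B024h)]
"""

# "<8 hex digit address> <mnemonic> <operands>" as Visual Studio prints it.
INSN_RE = re.compile(r"^[0-9A-Fa-f]{8}\s+(\w+)\s*(.*)$")


def parse_listing(text):
    """Return a list of (mnemonic, operand string) tuples from the listing."""
    insns = []
    for line in text.splitlines():
        m = INSN_RE.match(line.strip())
        if m:
            insns.append((m.group(1).lower(), m.group(2).strip()))
    return insns


def stdcall_arg_count(decorated_name):
    """The @NN suffix of a __stdcall name is the argument size in bytes."""
    m = re.search(r"@(\d+)", decorated_name)
    if not m:
        raise ValueError("no __stdcall size suffix in %r" % decorated_name)
    return int(m.group(1)) // 4


def resolve_operand(operand, regs):
    """MASM-style immediates ('8000000h', '0') become ints; registers resolve
    to whatever the last mov/lea loaded into them."""
    if re.fullmatch(r"[0-9A-Fa-f]+h?", operand):
        return int(operand.rstrip("hH"), 16)
    return regs.get(operand, operand)


def map_stdcall_args(insns, params):
    """Pair pushes with parameters: __stdcall pushes right to left, so the
    push closest to the call is the first parameter.  The /RTC esp check
    (mov esi,esp ... cmp esi,esp) is harmless here: esi is never pushed."""
    regs, pushes = {}, []
    for mnem, ops in insns:
        if mnem in ("mov", "lea"):
            dst, src = [p.strip() for p in ops.split(",", 1)]
            regs[dst] = src
        elif mnem == "push":
            pushes.append(resolve_operand(ops, regs))
        elif mnem == "call":
            expected = stdcall_arg_count(ops)
            if len(pushes) != expected or expected != len(params):
                raise ValueError("push count %d does not match callee"
                                 % len(pushes))
            break
    return dict(zip(params, reversed(pushes)))


def describe_flags(value):
    """Names of the known creation flags set in a dwCreationFlags value."""
    return [name for bit, name in CREATION_FLAGS.items() if value & bit]


def analyse_post_listing():
    return map_stdcall_args(parse_listing(LISTING), CREATEPROCESSW_PARAMS)


if __name__ == "__main__":
    for name, value in analyse_post_listing().items():
        extra = ""
        if name == "dwCreationFlags":
            extra = "  # " + " | ".join(describe_flags(value))
        print("%-22s = %s%s" % (name, hex(value) if isinstance(value, int) else value, extra))
```

Running it reproduces the source line above the listing: lpApplicationName = 0 (NULL), lpCommandLine = [cmd], bInheritHandles = 1 (TRUE), dwCreationFlags = 0x8000000 (CREATE_NO_WINDOW), lpStartupInfo = [si] and lpProcessInformation = dword ptr [pi]. The same pairing works for any __stdcall import whose decorated name carries the @NN suffix, which is a quick sanity check when reading a call site in a debugger.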
Here you can find the source code of the project: the modified C slave (you can read in the file comments how to set up the VS project properly) and the Python master (I only made the usage message clearer). As usual, please don't spread the code around, since at the moment it's FUD.
Thanks for reading. All comments, especially negative ones, are welcome.