; Exported entry 561. AmbushExW

 

; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

 

 

; HMODULE __stdcall AmbushExW(LPCWSTR lpLibFileName,HANDLE hFile,DWORD dwFlags)

public AmbushExW

AmbushExW proc near ; CODE XREF: sub_77E699B4+46p

; LoadLibraryW+8p ...

 

lpLibFileName = dword ptr 4

hFile = dword ptr 8

dwFlags = dword ptr 0Ch

ambush

scriptjunkie

; FUNCTION CHUNK AT .text:77E6C709 SIZE 0000000B BYTES

; FUNCTION CHUNK AT .text:77E70E09 SIZE 00000031 BYTES

; FUNCTION CHUNK AT .text:77E7293D SIZE 00000032 BYTES

; FUNCTION CHUNK AT .text:77E990BD SIZE 0000000C BYTES

 

push 34h

push offset dword_77E95B90

call sub_77E774E1

xor edi, edi

mov [ebp-1Ch], edi

mov [ebp-20h], edi

mov [ebp-24h], edi

mov [ebp-28h], edi

mov ebx, [ebp+10h]

test bl, 1

jnz loc_77E990BD

; START OF FUNCTION CHUNK FOR AmbushExW

 

loc_77E990BD: ; CODE XREF: AmbushExW+20j

mov dword ptr [ebp-28h], 2

whoami

msf

malware

@scriptjunkie1

scriptjunkie.us

jmp loc_77E804C1

; END OF FUNCTION CHUNK FOR AmbushExW

 

loc_77E804C1: ; CODE XREF: AmbushExW+18C29j

test bl, 10h

jnz loc_77EA2C93

 

loc_77E804CA: ; CODE XREF: QueueUserAPC+651Ej

push dword ptr [ebp+8]

lea eax, [ebp-30h]

push eax

call ds:RtlInitUnicodeString

perceptions

mov [ebp-34h], ebx

and dword ptr [ebp-34h], 2

jnz short loc_77E804ED

; Exported entry 956. RtlInitUnicodeString

 

; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

 

 

public RtlInitUnicodeString

RtlInitUnicodeString proc near ; CODE XREF: sub_7DEB16E8+53Ap

; sub_7DEB6F45+2Dp ...

the myth

arg_0 = dword ptr 8

arg_4 = dword ptr 0Ch

 

push edi

mov edi, [esp+arg_4]

mov edx, [esp+arg_0]

mov dword ptr [edx], 0

mov [edx+4], edi

or edi, edi

jz short loc_7DE9E260

or ecx, 0FFFFFFFFh

xor eax, eax

repne scasw

not ecx

shl ecx, 1

cmp ecx, 0FFFEh

jbe short loc_7DE9E257

mov ecx, 0FFFEh

"attackers only need to win once"

loc_7DE9E257: ; CODE XREF: RtlInitUnicodeString+28j

mov [edx+2], cx

dec ecx

dec ecx

mov [edx], cx

 

loc_7DE9E260: ; CODE XREF: RtlInitUnicodeString+14j

pop edi

retn 8

RtlInitUnicodeString endp

mov eax, dword_77ED634C

the wall

cmp eax, edi

jnz loc_77E7293D

 

 

loc_77E7293D: ; CODE XREF: AmbushExW+4Cj

add eax, 24h

attacks

mov cx, [ebp-30h]

cmp cx, [eax]

jnz loc_77E804ED

push 1

push eax

defense

lea eax, [ebp-30h]

push eax

call ds:RtlEqualUnicodeString

test al, al

jz loc_77E804ED

; Exported entry 825. RtlEqualUnicodeString

 

; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

 

; Attributes: bp-based frame

this will fail

public RtlEqualUnicodeString

RtlEqualUnicodeString proc near ; CODE XREF: sub_7DE9F9D0+44p

; sub_7DE9F9D0+C471p ...

 

arg_0 = dword ptr 8

arg_4 = dword ptr 0Ch

arg_8 = byte ptr 10h

 

; FUNCTION CHUNK AT .text:7DE9E853 SIZE 00000041 BYTES

; FUNCTION CHUNK AT .text:7DE9F6B6 SIZE 00000032 BYTES

; FUNCTION CHUNK AT .text:7DEE1DB9 SIZE 00000022 BYTES

; FUNCTION CHUNK AT .text:7DEFB2D0 SIZE 00000066 BYTES

 

mov edi, edi

push ebp

mov ebp, esp

mov ecx, [ebp+arg_0]

mov edx, [ebp+arg_4]

movzx eax, word ptr [ecx]

push ebx

push esi

movzx esi, word ptr [edx]

push edi

cmp eax, esi

jz short loc_7DE9E853

 

loc_7DE9E82B: ; CODE XREF: RtlEqualUnicodeString+EC7j

; RtlEqualUnicodeString+435B7j

xor al, al

 

loc_7DE9E82D: ; CODE XREF: RtlEqualUnicodeString+7Fj

pop edi

pop esi

pop ebx

pop ebp

retn 0Ch

RtlEqualUnicodeString endp

; ---------------------------------------------------------------------------

; START OF FUNCTION CHUNK FOR RtlEqualUnicodeString

 

loc_7DE9E853: ; CODE XREF: RtlEqualUnicodeString+16j

cmp [ebp+arg_8], 0

mov ecx, [ecx+4]

mov edx, [edx+4]

lea edi, [eax+ecx]

mov [ebp+arg_0], edi

jz loc_7DEE1DB9

cmp ecx, edi

jnb short loc_7DE9E890

mov eax, dword_7DF7005C

mov dword ptr [ebp+arg_8], edx

sub dword ptr [ebp+arg_8], ecx

Points of defense

loc_7DE9E878: ; CODE XREF: RtlEqualUnicodeString+7Bj

mov esi, dword ptr [ebp+arg_8]

movzx edx, word ptr [ecx]

movzx esi, word ptr [esi+ecx]

cmp edx, esi

jnz loc_7DE9F6B6

 

loc_7DE9E88A: ; CODE XREF: RtlEqualUnicodeString+ED0j

inc ecx

External

inc ecx

cmp ecx, edi

jb short loc_7DE9E878

 

loc_7DE9E890: ; CODE XREF: RtlEqualUnicodeString+58j

; RtlEqualUnicodeString+435A8j ...

Network

mov al, 1

jmp short loc_7DE9E82D

; END OF FUNCTION CHUNK FOR RtlEqualUnicodeString

; ---------------------------------------------------------------------------

; ---------------------------------------------------------------------------

; START OF FUNCTION CHUNK FOR RtlEqualUnicodeString

 

loc_7DEE1DB9: ; CODE XREF: RtlEqualUnicodeString+50j

cmp ecx, edi

jnb loc_7DE9E890

sub edx, ecx

 

loc_7DEE1DC3: ; CODE XREF: RtlEqualUnicodeString+435C1j

mov ax, [ecx]

Host

cmp ax, [edx+ecx]

jnz loc_7DE9E82B

inc ecx

inc ecx

AV

cmp ecx, edi

jb short loc_7DEE1DC3

jmp loc_7DE9E890

; END OF FUNCTION CHUNK FOR RtlEqualUnicodeString

; ---------------------------------------------------------------------------

mov eax, dword_77ED634C

mov eax, [eax+18h]

jmp loc_77E8058C

; END OF FUNCTION CHUNK FOR AmbushExW

loc_77E804ED: ; CODE XREF: AmbushExW-DB54j

; AmbushExW-DB3Fj ...

cmp [ebp-30h], di

jz short loc_77E80508

movzx eax, word ptr [ebp-30h]

dec eax

sar eax, 1

Behavior

mov ecx, [ebp-2Ch]

cmp word ptr [ecx+eax*2], 20h

jz loc_77EA2C9C

 

loc_77E80508: ; CODE XREF: AmbushExW+56j

; QueueUserAPC+658Dj

call GetEnvironmentStringsW

push eax

and bl, 8

neg bl

The Problem

sbb ebx, ebx

and ebx, [ebp-2Ch]

push ebx

call sub_77E7AEEF

mov [ebp-20h], eax

cmp eax, edi

jz loc_77EA2D0B

push eax

lea eax, [ebp-3Ch]

push eax

call ds:RtlInitUnicodeString

mov [ebp-4], edi

cmp [ebp-34h], edi

jnz loc_77E70E09

 

loc_77E80540: ; CODE XREF: AmbushExW-F67Cj

lea eax, [ebp-24h]

push eax

lea eax, [ebp-30h]

push eax

lea eax, [ebp-28h]

push eax

push dword ptr [ebp-38h]

call LdrLoadDll

 

loc_77E80554: ; CODE XREF: AmbushExW-F666j

mov esi, eax

mov [ebp-40h], esi

or dword ptr [ebp-4], 0FFFFFFFFh

 

loc_77E8055D: ; CODE XREF: QueueUserAPC+6597j

; QueueUserAPC+65B6j

cmp [ebp-1Ch], edi

jnz loc_77EA2D34

;                      undetected characteristics

loc_77E80566: ; CODE XREF: QueueUserAPC+65D1j

cmp [ebp-20h], edi

jz short loc_77E80581

mov eax, large fs:18h

push dword ptr [ebp-20h]

push edi

mov eax, [eax+30h]

push dword ptr [eax+18h]

call ds:RtlFreeHeap

 

loc_77E80581: ; CODE XREF: AmbushExW+CEj

cmp esi, edi

jl loc_77E6C709

 

loc_77E80589: ; CODE XREF: AmbushExW-13D8Cj

mov eax, [ebp-24h]

 

loc_77E8058C: ; CODE XREF: AmbushExW-DB31j

call sub_77E775E0

retn 0Ch

AmbushExW endp

; ---------------------------------------------------------------------------

dd 90909090h

db 90h

; Exported entry 872. RtlFreeHeap

 

; ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦ S U B R O U T I N E ¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦¦

 

; Attributes: bp-based frame

 

public RtlFreeHeap

RtlFreeHeap proc near ; CODE XREF: RtlDeleteBoundaryDescriptor+16p

; sub_7DEA3E6C+A55p ...

A new approach

var_4 = dword ptr -4

arg_0 = dword ptr 8

arg_4 = dword ptr 0Ch

arg_8 = dword ptr 10h

 

; FUNCTION CHUNK AT .text:7DEA2BE1 SIZE 00000016 BYTES

; FUNCTION CHUNK AT .text:7DEEDDF2 SIZE 000000CE BYTES

 

Evading point checks

is hard

mov edi, edi

push ebp

mov ebp, esp

push ecx

push ebx

mov ebx, [ebp+arg_8]

push edi

xor edi, edi

mov [ebp+var_4], edi

cmp ebx, edi

jz loc_7DEA3A0C

push esi

Creating point checks

is hard

mov esi, [ebp+arg_0]

test dword ptr [esi+44h], 1000000h

jnz loc_7DEA2BE1

test byte ptr [esi+48h], 1

Not anymore

jnz loc_7DEA3A13

Concept

Dynamic hooking

test bl, 7

jnz loc_7DEEDE09

lea eax, [ebx-8]

Challenges

calling conventions

code generation

dynamic loads

assembly complexities

Windows 8

cmp byte ptr [eax+7], 5

jz loc_7DEEDDF2

 

loc_7DE9DFEE: ; CODE XREF: RtlFreeHeap+4FE56j

test byte ptr [eax+7], 3Fh

The Bad News

operational challenges

kernel hooking

function bypass

Hoarder

jz loc_7DEEDE00

 

loc_7DE9DFF8: ; CODE XREF: sub_7DEA353C+4E0j

; RtlFreeHeap+4FE72j

mov [ebp+var_4], eax

cmp eax, edi

Why this [still] matters

jz loc_7DEEDE73

cmp byte ptr [ebx-1], 5

When it can't be bypassed

jz loc_7DEEDE1C

 

loc_7DE9E00D: ; CODE XREF: RtlFreeHeap+4FE83j

; RtlFreeHeap+4FEC8j

mov eax, [ebp+var_4]

Bypass difficulty

test byte ptr [eax+7], 80h

jz loc_7DEA2BE1

mov edx, ebx

mov ecx, esi

A word on strategies

No bugs

BTU

Successful Defense

call sub_7DE9E392

test al, al

jz loc_7DEA2BE1

cmp byte ptr ds:7FFE0380h, 0

commercial HIPS's

jnz loc_7DEEDE9C

 

loc_7DE9E038: ; CODE XREF: RtlFreeHeap+4FF07j

; RtlFreeHeap+4FF16j

mov al, 1

 

loc_7DE9E03A: ; CODE XREF: RtlFreeHeap+4C4Dj

; RtlFreeHeap+4FEF2j

pop esi

 

loc_7DE9E03B: ; CODE XREF: sub_7DEA353C+4D2j

pop edi

pop ebx

leave

retn 0Ch

DEMO TIME

Ambush

Metasploit rtcp recv

Eleanore block down/exec

Check it out ambuships.com

RtlFreeHeap endp

 

; ---------------------------------------------------------------------------

align 4