Reversing

Executing Shellcode with ReadDirectoryChanges’s Hidden Callback

While digging into the ReadDirectoryChanges API, I noticed it supports an asynchronous callback via LPOVERLAPPED_COMPLETION_ROUTINE. Most people use this API to monitor file system changes, but what if we could hijack that callback to execute shellcode? This led me to develop a proof-of-concept (PoC) that turns a mundane filesystem monitoring function into a stealthy shellcode execution vector.

The API is documented as follows by Microsoft.

(more…)

Encrypting Shellcode using SystemFunction032/033

After a while, I’m publishing a blog post which made me interested. With the recent tweets about the undocumented SystemFunction032 Win32 API function, I decided to quickly have a look at it. The first thing I noted after Googling this function was the source code from ReactOS. Seems like other SystemFunctions from 001 got other cryptographic functions and hash functions. The SystemFunction032 is an RC4 implementation. This API is in the export table of Advapi32.dll

The export table entry points to the DLL Cryptsp.dll which actually has the function implemented and exported.

Inside the Cryptsp.dll as you can see the SystemFunction032 and SystemFunction033 point to the same offset, which means loading either of these functions will do the same RC4 encryption.

This is the disassembly of the function which does the RC4 encryption. It takes in the data and key structs as parameters.

(more…)

Executing Shellcode via Callbacks

What is a Callback Function?

In simple terms, it’s a function that is called through a function pointer. When we pass a function pointer to the parameter where the callback function is required, once that function pointer is used to call that function it points to it’s said that a call back is made. This can be abused to pass shellcode instead of a function pointer. This has been around a long time and there are so many Win32 APIs we can use to execute shellcode. This article contains few APIs that I have tested and are working on Windows 10.

Analyzing an API

For example, let’s take the function EnumWindows from user32.dll. The first parameter lpEnumFunc is a pointer to a callback function of type WNDENUMPROC.

The function passes the parameters to an internal function called EnumWindowsWorker.

The first parameter which is the callback function pointer is called inside this function making it possible to pass position independent shellcode.


(more…)

Hacking the World with HTML

In my previous article Exploring the MS-DOS Stub I stated that after experimenting, the Windows loader only cares about the e_magic and the e_lfanew members from the _IMAGE_DOS_HEADER. Because the rest of the members of the DOS header is used by MS-DOS to execute the stub program. Check it out if you have not.

If you take a PE file and null out the MS-DOS header and the MS-DOS stub program leaving out the e_magic and the e_lfanew values, the PE will still work fine as the rest is not needed by the Windows PE loader. The e_lfanew address at offset 0x3c is important as it points to the beginning of the _IMAGE_NT_HEADERS structure which is the actual start of the PE file.

Since those values are not important we can insert an HTML comment from offset 0x2 which is the e_cblp value and begin an HTML comment and end the comment at the end of the PE and append our HTML/PHP/ASP/JSP file contents.

I wrote a simple program in C to automate this task. You can provide your PE file and the HTML/PHP/ASP/JSP file to inject and it will generate an HTML file. You can rename the file into the extension you desire.
(more…)

Exploring the MS-DOS Stub

A long time ago when I got my first computer, I accidentally opened a 32-bit demo with a nice chiptune inside MS-DOS and it worked. I was surprised by how this happens. I was curious to find out how this works behind the scenes. Back in the time I was a little kid and had no clue about programming. This curiosity leads me to discover amazing things I never imagined.
First, let us have a look at the PE header. It starts with the MS-DOS header and contains a 16-bit MS-DOS executable (stub program).


(source: https://commons.wikimedia.org/wiki/File:Portable_Executable_32_bit_Structure.png)
(more…)

WQL Injection

Generally in application security, the user input must be sanitized. When it comes to SQL injection the root cause most of the time is because the input not being sanitized properly. I was curious about Windows Management Instrumentation Query Language – WQL which is the SQL for WMI. Can we abuse WQL if the input is not sanitized?

I wrote a simple application in C++ which gets the service information from the Win32_Service class. It will display members such as Name, ProcessId, PathName, Description, etc.

This is the WQL Query.

1
SELECT * FROM win32_service where Name='User Input'

As you can see I am using the IWbemServices::ExecQuery method to execute the query and enumerte its members using the IEnumWbemClassObject::Next method. (more…)

MiniDumpWriteDump via Faultrep!CreateMinidump

I found out this old undocumented API “CreateMinidumpW” inside the faultrep.dll on Windows XP and Windows Server 2003. This API ends up calling the dbghelp!MiniDumpWriteDump to dump the process by dynamically loading the dbghelp.dll on runtime.

The function takes 3 arguments. I really have no clue what this 3rd argument’s structure is. I passed 0 as the pointer to the structure so by default we end up getting 0x21 as the MINIDUMP_TYPE.


(more…)

Running Shellcode Directly in C

Here’s a cool thing I figured out in position-independent code. I would rephrase the title as running position-independent code instead of shellcode. Check my previous article Executing Shellcode Directly where I used a minimal PE and pointed the AddressofEntryPoint to the beginning of the PIC.

So the goal is to run shellcode in C without any function pointers or any functions at all, not even a main function 🙂 For example, this is all the code. I declare the variable name as “main”. I am using the Microsoft’s Visual C compiler with no parameters.

1
2
3
4
5
6
7
8
9
char main[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x31\xdb\x64\x8b\x7b\x30\x8b\x7f"
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33"
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01"
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6\x45\x81\x3e\x43\x72\x65\x61\x75"
"\xf2\x81\x7e\x08\x6f\x63\x65\x73\x75\xe9\x8b\x7a\x24\x01\xc7\x66"
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9"
"\xb1\xff\x53\xe2\xfd\x68\x63\x61\x6c\x63\x89\xe2\x52\x52\x53\x53"
"\x53\x53\x53\x53\x52\x53\xff\xd7";

After compiling it won’t of course run. Why? Well, the initialized data will end up in the “.data” section.


(more…)

Converting an EXE to a DLL

I’ve been doing some crazy experiments on running an EXE as a DLL. Here are some parts of my research.

Case #1

Let’s take a simple example like a MessageBox.

1
2
3
4
5
6
7
8
9
10
#include <windows.h>
 
int APIENTRY wWinMain(_In_ HINSTANCE hInstance,
                     _In_opt_ HINSTANCE hPrevInstance,
                     _In_ LPWSTR    lpCmdLine,
                     _In_ int       nCmdShow)
{
MessageBox(NULL, L"@OsandaMalith", L"https://osandamalith.com", MB_ICONINFORMATION | MB_OKCANCEL);
  
}

After compiling to an EXE we have to change the characteristics under NT Header->File Header to a DLL file. I will use the value 0x2000 | 0x2| 0x100 = 0x2102.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#define IMAGE_FILE_DLL                       0x2000  // File is a DLL.
#define IMAGE_FILE_EXECUTABLE_IMAGE          0x0002  // File is executable
#define IMAGE_FILE_32BIT_MACHINE             0x0100  // 32 bit word machine.
 
typedef struct _IMAGE_NT_HEADERS {
    DWORD Signature;
    IMAGE_FILE_HEADER FileHeader;
    IMAGE_OPTIONAL_HEADER32 OptionalHeader;
} IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;
 
typedef struct _IMAGE_FILE_HEADER {
    WORD    Machine;
    WORD    NumberOfSections;
    DWORD   TimeDateStamp;
    DWORD   PointerToSymbolTable;
    DWORD   NumberOfSymbols;
    WORD    SizeOfOptionalHeader;
    WORD    Characteristics;
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;

(more…)

Random Compiler Experiments on Arrays

One day a guy asked me how to print a 2d string array in C. So I coded an example for him. But just for curiosity, I examined the assembly code. In C both string[0][1] and *(*string + 1) are the same. But in reality, the compiler writes the assembly code in 2 different ways. If we use string[0][1] it will directly move the value from the stack. When we dereference a pointer *(*string + 1) it will actually dereference the address pointed inside the register. This happens only in the MinGW GCC compiler. I compiled this using the latest on Windows which is 8.2.0-3 by the time I am writing this.

The assembly code in the left is this one.
[code language=”C”]
#include <stdio.h>

int main() {
char *string[][2] = {
{"Osanda","Malith"},
{"ABC","JKL"},
{"DEF","MNO"},
};

printf("%s %s\n", string[0][0], string[0][1]);
}
[/code]

The assembly code on the right is this.
[code language=”C”]
#include <stdio.h>

int main() {
char *string[][2] = {
{"Osanda","Malith"},
{"ABC","JKL"},
{"DEF","MNO"},
};

printf("%s %s\n", **string, *(*string + 1));
}
[/code]
(more…)