Abusing native Shims for Post Exploitation (above)
Published on Aug 9, 2015
By: Sean Pierce
Shims offer a powerful rootkit-like framework that is natively implemented in most all modern Windows Operating Systems. This talk will focus on the wide array of post-exploitation options that a novice attacker could utilize to subvert the integrity of virtually any Windows application. I will demonstrate how Shim Database Files (sdb files / shims) are simple to create, easy to install, flexible, and stealthy. I will also show that there are other far more advanced applications such as in-memory patching, malware obfuscation, evasion, and system integrity subversion. For defenders, I am releasing 6 open source tools to prevent, detect, and block malicious shims.
Power Point File
Power Point File as a PDF
Published on Jun 22, 2015
Persisted: The active use and exploitation of Microsoft's Application Compatibility Framework by JON ERICKSON
Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes, as a way to stop newly identified active exploitation methods against their products. At Derbycon 2013 Mark Baggett discussed ways that attackers can use them for creating rootkits. Then in March of 2014 I presented an analysis of the previously undocumented in-memory patch and showed how attackers could use these to create patches and maintain persistence on a system.
This talk will provide an overview and summary of the previous work and then show how it’s currently being used in the wild. I’ll first show how third parties are using the application toolkit for valid reasons. I will then show two instances, active and ongoing in the wild, of malware using the methods we’ve described.
Published on Oct 9, 2015
BruCON 0x07 - Shims For The Win: Case study and investigative techniques for hijacked Application Compatibility Infrastructure
Willi Ballenthin & Jon Tomczak
Published on Apr 3, 2014
By: Jon Erickson
Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes, as a way to stop newly identified active exploitation methods against their products. A common Fix It patch type used to prevent exploitation is the previously undocumented In Memory Fix It. This research first focuses on analyzing these in-memory patches. By extracting information from them researchers are able to better understand the vulnerabilities that Microsoft intended to patch. The research then focuses on reverse engineering the patches and using this information to provide the ability to create patches which can be used to maintain persistence on a system.
DerbyCon 2013: Windows 0wn3d By Default
Published on Oct 1, 2013
By: Mark Baggett
"In this talk we will discuss API Hooking, Process Execution Redirection, Hiding Registry keys and hiding directories on the hard drive. We must be talking about rootkits, right? Well yes, but not in the way you think. The Windows family of operating systems has all of these capabilities built right in! Using nothing but tools and techniques distributed and documented by Microsoft we can implement all of these rootkit functions. During this exciting talk I will present new attacks against Windows operating system that provide rootkit like functionality with built-in OS tools. In session, we’ll demonstrate how to leverage the Microsoft Application Compatibility Toolkit to help hide an attacker’s presence on your system. The Application Compatibility Toolkit allows you to create application shims that intercept and redirect calls from applications to the operating system. This native rootkit like capability is intended to make the Windows operating system compatible with very old or poorly written applications. Do DEP, ASLR, UAC, and Windows Resource Protection, File system ACLS and other modern OS security measures get it your way? No problem. Turn them off! Do you want to hide files and registry keys and from the user? The Application Compatibility toolkit allows you to create a virtual world for any application and hide resources from view. If someone inspects the registry with regedit they will see exactly what the attacker wants them to see and not what the OS sees when it launches programs. Did they patch your target so your exploit doesn’t work? Guess what, making applications backwards compatible is what this tool is intended to do. Make your favorite applications “old exploit compatible” insuring you can re-exploit the target with this awesome untapped resource. Everything you need to subvert windows applications is built right into the windows kernel. Come learn how to use the application compatibility toolkit to tap this great resource.""
Published on Sep 6, 2015
A multifaceted malware game for training Malware Analysts
Learning to quickly triage malware is undoubtedly useful and can be taught rather quickly, however an in depth malware analysis requires a non trivial amount of experience with common malware behavior and analysis tools. GuessWhat is a proof of concept game which allows hands-on training for novice malware analysts who want to expand their knowledge and experience. GuessWhat is modularly designed pseudo malware which lacks a payload but is still coded to mimic the most common malware functionality an analyst is likely to see.
Once executed GuessWhat will install to a random location, and depending on the command line arguments, will randomly choose which common malware behavior to emulate (The behavior will stay constant for each instance). Once found, the player must extract a secret string which is only decrypted if GuessWhat fails to detect a debugger and GuessWhat has no evidence it is being executed in a virtual machine.
Microsoft has often used Fix It patches, which are a subset of Application Compatibility Fixes, as a way to stop newly identified active exploitation methods against their products. A common Fix It patch type used to prevent exploitation is the previously undocumented In Memory Fix It. This research first focuses on analyzing these in-memory patches. By extracting information from them researchers are able to better understand the vulnerabilities that Microsoft intended to patch. The research then focuses on reverse engineering the patches and using this information to provide the ability to create patches which can be used to maintain persistence on a system.
Slides are here
Another video is here