Burp Suite {Pro} vs OWASP ZAP! Does more expensive mean better?
In this post, I would like to document some of the differences between the two most renowned interception proxies used by penetration testers as well as DevSecOps teams around the globe.
:::DISCLAIMER:::
I am no expert in both tools; however, I have used them enough to feel good about documenting their features in this post. Please comment if you see an error or you want to point something I missed.
Introduction
Both OWASP ZAP and Burp Suite are considered intercepting proxies (on steroids) that sits between the browser and the webserver to intercept and manipulate requests exchange.
OWASP ZAP is a free and open-source project actively maintained by volunteers while Burp Suite is a commercial Product maintained and sold by PortSwigger, They have been selected almost on every top 10 tools of the year, and in this post, I will compare version 2020.x of burp suite which saw the first release on January 2020.
We can see since they emerged to the market, they are gaining more and more momentum and users as we see in google trends for the past 5 years (2015-2020). Hopefully, by the end of this post, you will get a better understanding of their similarities and differences.
Google Trends showing Burp suite in blue and OWASP ZAP in Red
I will discuss the differences between both tools in regards to the following aspects:
Describing the User Interface
Listing capabilities and features for both tools
Personal User Experience with each one of them
Pros and Cons of each tool
1. User Interface
The user interface can be frustrating when you first see it. Still, after a while, it gets intuitive and has all the necessary info you need to know. Both tools have 6 simple items in their interface.
Burp Suite has a simple interface consisting of 6 simple windows.
Burp Suite 2020.2.1 User Interface
Menu Bar – Provides navigation menus and tools settings
Tabs Bar -Provides most of the functionality of burp in simple tabs
Status Bar – Provides information for memory and disk space used by burp (new handy feature)
Event Log – Provides a log for Burp Suite containing additional information
Issues and Vulnerabilities window – Provides a list of detected vulnerabilities and is Active on a paid version of Burp Suite Pro or Enterprise
Tasks menu – Provides simple information and control over current running, paused and finished tasks
while Zap has a simple interface consisting of also 6 simple items
Menu Bar – Provides access to many of the automated and manual tools.
Toolbar – Includes buttons that provide easy access to most commonly used features.
Tree Window – Displays the Sites tree and the Scripts tree.
Workspace Window – Displays requests, responses, and scripts and allows you to edit them.
Information Window – Displays details of the automated and manual tools.
Footer – Displays a summary of the alerts found and the status of the main automated tools.
2. Capabilities
Both burp suite and Zap have good sets of capabilities; however, at some, a tool can excel more than the other, we will get to each one further down in separate posts.
Intercepting feature with SSL/TLS support and web sockets.
Interception History.
Tree navigation for scope.
Scope definition.
Manual request editor and sender.
Plugins, Extensions, and Marketplace/Store.
Vulnerability tree or Issues display.
Fuzzer capabilities with default lists.
Scan Policy configuration.
Report generation capability.
Encoders and Decoders.
Spider function.
Auto check for Update features.
Save and Load Project files.
Exposed and usable APIs .
Passive and Active scan engine.
Session Token entropy Analysis (Burp Only if you know that ZAP support this even with Addons please leave a comment).
Knowledge Base (Burp only, as ZAP does not support that in the UI).
Diff-like capability or comparison feature (Burp only AFAIK no support out of the box for ZAP).
Support for multiple programming and scripting languages.
Authentication Modules like NTLM, form authentication, and so on.
I might have missed some features so please if you know a feature I missed, please comment below.
3. User experience
A while back, I had to use both tools for comparison, While I am used to Burp Suite more from the first look, OWASP ZAP does the same functionality but has to be enhanced with plugins. keep in mind there is an easy learning curve for both. For example, ZAP has one fuzzer window, which makes it harder to search in fuzzer results, especially when you run multiple fuzzers. At the same time, burp has different windows and configuration for each fuzz conducted. the same goes for other features. Unlike Burp, You can’t change (add, edit or remove) HTTP headers in ZAP fuzzer window. That gives Burp an edge because it allows you to sort or search in fuzzing results faster and effectively.
One big plus for Burp is the Comparer tab, it allows for easier change detection. Like detecting differences in size from time change or tokens and content, ZAP lacks this feature without extensions (comment bellow which ZAP plugin does that).
quickly compare request or response
Another hurdle in ZAP is the ability to search for text in the request or server response, unlike Burp, which makes it more accessible. You can search for text or regex.
Burp Repeater makes it easier to searchZap request Editor
One more thing that makes Burp more popular than Zap is the ability to detect token entropy and randomness for cryptography analysis. Very useful when session cookies are generated manually.
Burp Sequencer run statistics on tokens and calculates Entropy
However, One big plus for Zap is its API, which makes for easier integration or automation than Burp. You access the API from the browser or other user agents like curl or SDKs/libraries.
Burp Suite community edition API can only be used to write plugins and extensions, unlike ZAP which can be used on DevOps and/or DevSecOps pipelines.
A new Burp REST API was introduced in 2018 which makes it easier to integrate burp with other tools and workflows.
An example is using the API to spider a host and getting the results, e.g. crawling testphp.vulnweb.com from the console.
This feature makes OWASP ZAP the easiest to integrate into DevSecOps pipelines no matter how big or small is your environment.
ZAP API in action
For a while, Only OWASP had good resources to learn about ZAP and web application security, but recently PortSwigger also launched a very good free Web Security academy
4. Cons and Pros of each other
In my experience, ZAP is good when it comes to DevOps/DevSecOps for it’s easier API integration and support. At the same time, Burp is more oriented towards actual vulnerability assessment and penetration testing of web applications.
Disclaimer: I won’t be covering “every” scan type (e.g. -sY, -sM), but I’ll cover the scan types that I think will be used more often. A More Serious Disclaimer: using Nmap against a target or network without explicit permission is illegal and should therefore not be attempted.
Introduction
nmap -h SCAN TECHNIQUES output
So if you’re like me and have done man nmap or nmap -h to see what Nmap has to offer, you’ll notice it prints lines and lines of output. In this blog post, I’ll try and demystify many of the scan techniques it has to offer, including some uncommon ones that you may never have to use in your life.
TCP Connect Scan (-sT)
Syntax: nmap -sT <target-ip> [-p <ports>] Let’s kick this off with one of the more common ones. Personally, I rarely ever use -sT unless -sS doesn’t work (but if -sS doesn’t work, I doubt that -sT is going to work, either). Nevertheless, it is good to know how a TCP Connect scan works and how Nmap can leverage TCP to reveal port status. Basically, TCP Connect scans utilise TCP’s connection-oriented nature to attempt to perform a full 3-way TCP handshake with each port and verify its state.
Nmap sends a SYN packet to initiate the 3-way TCP handshake. If the port is closed (look at top 2 packets), the port replies with a RST-ACK, to terminate the connection.
If the port is open (look at next 5 packets), the server replies with a SYN-ACK, and Nmap completes the 3-way handshake with an ACK packet. Then (after the port updates the window [search “TCP sliding window”]), Nmap immediately terminates the connection with a RST-ACK packet.
Pro: quite reliably scans TCP ports Cons: less “stealthy” (connection attempts will be logged by the server), takes a longer time, sends more packets
TCP SYN (“Stealth”/“Half-Open”) Scan (-sS)
Syntax: nmap [-sS] <target-ip> [-p <ports>] The SYN scan is the default scan of Nmap, and it goes by many names, the first referring to its sneaky nature of avoiding connnection attempts from being logged by the server (nowadays, the SYN scan is not so stealthy anymore). But how does it achieve this? The second name explains it — “Half Open” refers to SYN scan’s method of performing only 2 steps of the 3-way TCP handshake. We never send the third and last packet, and instead terminate the connection, therefore allowing Nmap to verify the port’s status without fully connecting to the port.
TCP SYN Scan captured in Wireshark (23 = closed, 22 = open)
ust like the TCP Connect scan, Nmap sends a SYN packet to initate the handshake, and if the port is closed, receives a RST-ACK (packets 1, 3).
However, this time, if the port is open, after Nmap receives the SYN-ACK, it immediately sends a RST packet to terminate the connection, as it has verified that the port is open due to it responding with a SYN-ACK (packets 4,5).
Pros: quicker and sends less packets Con: with advancements in firewall and server defenses technology, it is not stealthy anymore
UDP Scan (-sU)
Syntax: nmap -sU <target-ip> [-p <ports>] UDP Scanning utilises UDP and ICMP packets to discover the status of a port. Nmap sends an empty UDP packet and either receives no reply or an ICMP Port Unreachable packet. But due to UDP’s connectionless nature, the output can be unreliable at times.
Nmap sends an empty UDP packet for both ports (packets 1,2,4) and receives no reply from port 88 twice(open) and an ICMP Port Unreachable packet (packet 3) from port 89 (closed).
But Nmap returns this output:
Nmap returns “open|filtered”
What’s up with the “open|filtered” instead of “open”? Here’s the thing: when Nmap received no reply from port 88, one scenario could be that port 88 really is open, and is therefore not responding with any reply, however, another possible scenario is that a firewall is filtering out our traffic and thus the UDP packet never reaches the target and we receive no reply. Either way, we won’t know the difference — which results in Nmap displaying “open|filtered”.
Pros: allows the scanning of UDP ports Cons: not always reliable
Null, FIN & Xmas Scans (-sN, -sF, -sX)
Syntax: nmap {-sN | -sF | -sX} <target-ip> [-p <ports>] Now we get to the scan techniques that we will come across much less often. All of Null, FIN and Xmas scans are intended to stealthily sneak through stateless firewalls and packet filters, by turning on different TCP flags Null scan: no flags set FIN scan: FIN flag set Xmas scan: FIN, PSH, URG flags set (packet lights up like a Christmas tree, hence the name)
Null, FIN and Xmas scan captured in Wireshark (22 = open, 23 = closed)
For all of the scans, the underlying procedure is the same, except for the flags. If a port is closed, it replies with a RST-ACK and if it is open, it does not reply. However, this is not the case for all machines as not every machine follows RFC 793 and can send a RST packet even though the port is open. Additionally, since these scans rely on open ports not replying back (like UDP scan), it also suffers the issue of us not knowing if a firewall has filtered our packets or not (thus our output of “open|filtered”).
Pro: can sneak through some firewalls and packet filters Cons: not all machines conform to RFC 793, not always reliable
ACK Scan (-sA)
Syntax: nmap -sA <target-ip> [-p <ports>] Now, the ACK scan is a little bit different to what we’ve looked at so far. The ACK Scan isn’t meant to discover the open/closed status of ports. Instead, it helps us visualise the rulesets of intermediary firewalls. As the name suggests, Nmap sends TCP packets with only the ACK flag set, and if it receives a RST packet (both open and closed ports will respond with a RST), the port is marked as “unfiltered”, but if it receives no reply, or an ICMP error, the port is marked as “filtered”, and the firewall has filtered the packet.
Port 22 is open, while port 23 is closed, but both reply with a RST packet when an ACK packet is sent. This shows that both ports are not filtered by any firewalls.
Pro: maps out firewall rulesets Con: cannot determine if the port is open or closed
Idle Scan (-sI)
Syntax: nmap -sI <zombie-ip> <target-ip> [-p <ports>] This is the most interesting — yet the most complex — scan of all. As you can see from the syntax, we require a “zombie” in order to perform an idle scan. In a nutshell, Nmap will attempt to leverage an idle host to indirectly launch a port scan, therefore hiding our IP address from the target. It does this using the difference in increments of the IP ID of the zombie.
To understand how Nmap achieves this in understandable detail, please look at figures 5.6, 5.7 and 5.8 in https://nmap.org/book/idlescan.html.
Pro: masks our true IP address Con: possibility of false positives (due to zombie host not being idle)
BlobRunner is a simple tool to quickly debug shellcode extracted during malware analysis.
BlobRunner allocates memory for the target file and jumps to the base (or offset) of the allocated memory. This allows an analyst to quickly debug into extracted artifacts with minimal overhead and effort.
To use BlobRunner, you can download the compiled executable from the releases page or build your own using the steps below.
Building
Building the executable is straight forward and relatively painless. Requirements
Download and install Microsoft Visual C++ Build Tools or Visual Studio
Build Steps
Open Visual Studio Command Prompt
Navigate to the directory where BlobRunner is checked out
Build the executable by running:
cl blobrunner.c
Building BlobRunner x64
Building the x64 version is virtually the same as above, but simply uses the x64 tooling.
Open x64 Visual Studio Command Prompt
Navigate to the directory where BlobRunner is checked out
Add a breakpoint before the jump into the shellcode
Step into the shellcode
BlobRunner.exe shellcode.bin
Debug into file at a specific offset.
BlobRunner.exe shellcode.bin --offset 0x0100
Debug into file and don’t pause before the jump. Warning: Ensure you have a breakpoint set before the jump.
BlobRunner.exe shellcode.bin --nopause
Debugging x64 Shellcode
Inline assembly isn’t supported by the x64 compiler, so to support debugging into x64 shellcode the loader creates a suspended thread which allows you to place a breakpoint at the thread entry, before the thread is resumed.
Remote Debugging Shell Blobs (IDAPro)
The process is virtually identical to debugging shellcode locally — with the exception that the you need to copy the shellcode file to the remote system. If the file is copied to the same path you are running win32_remote.exe from, you just need to use the file name for the parameter. Otherwise, you will need to specify the path to the shellcode file on the remote system.
Shellcode Samples
You can quickly generate shellcode samples using the Metasploit tool msfvenom.
Generating a simple Windows exec payload.
msfvenom -a x86 --platform windows -p windows/exec cmd=calc.exe -o test2.bin
Feedback / Help
Any questions, comments or requests you can find us on twitter: @seanmw or @herrcore
As the infosec community talked about potential cyber attacks leveraging vulnerabilities in antivirus products, Microsoft took notes and started to work on a solution. The company announced that its Windows Defender can run in a sandbox.
Antivirus software runs with the highest privileges on the operating system, a level of access coveted by any threat actor, so any exploitable vulnerabilities in these products add to the possibilities of taking over the system.
By making Windows Defender run in a sandbox, Microsoft makes sure that the security holes its product may have stay contained within the isolated environment; unless the attacker finds a way to escape the sandbox, which is among the toughest things to do, the system remains safe.
Remote code execution flaws
Windows Defender has seen its share of vulnerability reports. Last year, Google’s experts Natalie Silvanovich and Tavis Ormandy announced a remote code execution (RCE) bug severe enough to make Microsoft release an out-of-band update to fix the problem.
In April this year, Microsoft patched another RCE in Windows Defender, which could be abused via a specially crafted RAR file. When the antivirus got to scanning it, as part of its protection routine, the would trigger, giving the attacker control over the system in the context of the local user.
Microsoft is not aware of any attacks in-the-wild actively targeting or exploiting its antivirus solution but acknowledges the potential risk hence its effort to sandbox Windows Defender.
Turn on sandboxing for Windows Defender
The new capability has been gradually rolling out for Windows Insider users for test runs, but it can also be enabled on Windows 10 starting version 1703.
Regular users can also run Windows Defender in a sandbox if they have the operating system version mentioned above. They can do this by enabling the following system-wide setting from the Command Prompt with admin privileges:
setx /M MP_FORCE_USE_SANDBOX 1
Restarting the computer is necessary for the setting to take effect. Reverting the setting is possible by changing the value for forcing sandboxing to 0 (zero) and rebooting the system.
Sandboxing Windows Defender
Forcing an antivirus product to work from an insulated context is no easy thing to do due to the app’s need to check a large number of inputs in real time, so access to these resources is an absolute requirement. An impact on performance is a likely effect of this.
«It was a complex undertaking: we had to carefully study the implications of such an enhancement on performance and functionality. More importantly, we had to identify high-risk areas and make sure that sandboxing did not adversely affect the level of security we have been providing,» the official announcement reads.
Despite the complexity of the task, Microsoft was not the first to sandbox Windows Defender. Last year, experts from security outfit Trail of Bits, who also specialize in virtualization, created a framework that could run Windows applications in their own containers. Windows Defender was one of the projects that Trail of Bits was able to containerize successfully and open-sourced it.
AVs are as susceptible to flaws as other software
Despite their role on the operating system, security products are susceptible to flaws just like other complex software. Windows Defender is definitely not the only one vulnerable.
In 2008, security researcher Feng Xue talked at BlackHat Europe about techniques for finding and exploiting vulnerabilities in antivirus software, referencing bugs as old as 2004.
Xue pointed out that the flaws in this type of software stem from the fact that it has to deal with hundreds of files types that need to be checked with components called content parsers. A bug in one parser could represent a potential path on the protected system.
Six years later, another researcher, Joxean Koret, took the matter further and showed just how vulnerable are the defenders of the computer systems, and let the world know that exploiting them «is not different to exploiting other client-side applications.»
His analysis at the time on 14 antivirus solutions on the market revealed dozens of vulnerabilities that could be exploited remotely and locally, including denial of service, privilege escalation, and arbitrary code execution. His list included big names like Bitdefender and Kaspersky.
Antivirus developers do not leave their customers high and dry and audit their products constantly. The result is patching any of the bugs discovered during the code review and improving the quality assurance process for finer combing for potential flaws.
PE-sieve is a light-weight tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches.
Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
example: classic unmapping (2) vs remapping (3) — with remapping full virtual content of the section is preserved, so it helps i.e. if the full section was unpacked in memory, or if virtual caves were used
We all know that, after compromising the victim’s machine we have a low-privileges shell that we want to escalate into a higher-privileged shell and this process is known as Privilege Escalation. Today in this article we will discuss what comes under privilege escalation and how an attacker can identify that low-privileges shell can be escalated to higher-privileged shell. But apart from it, there are some scripts for Linux that may come in useful when trying to escalate privileges on a target system. This is generally aimed at enumeration rather than specific vulnerabilities/exploits. This type of script could save your much time.
Table of Content
Introduction
Vectors of Privilege Escalation
LinuEnum
Linuxprivchecker
Linux Exploit Suggester 2
Bashark
BeRoot
Introduction
Basically privilege escalation is a phase that comes after the attacker has compromised the victim’s machine where he try to gather critical information related to system such as hidden password and weak configured services or applications and etc. All these information helps the attacker to make the post exploit against machine for getting higher-privileged shell.
Vectors of Privilege Escalation
OS Detail & Kernel Version
Any Vulnerable package installed or running
Files and Folders with Full Control or Modify Access
File with SUID Permissions
Mapped Drives (NFS)
Potentially Interesting Files
Environment Variable Path
Network Information (interfaces, arp, netstat)
Running Processes
Cronjobs
User’s Sudo Right
Wildcard Injection
There are several script use in Penetration testing for quickly identify potential privilege escalation vectors on Windows systems and today we are going to elaborate each script which is working smoothly.
LinuEnum
Scripted Local Linux Enumeration & Privilege Escalation Checks Shellscript that enumerates the system configuration and high-level summary of the checks/tasks performed by LinEnum.
Privileged access: Diagnose if the current user has sudo access without a password; whether the root’s home directory accessible.
System Information: Hostname, Networking details, Current IP and etc.
User Information: Current user, List all users including uid/gid information, List root accounts, Checks if password hashes are stored in /etc/passwd.
Kernel and distribution release details.
You can download it through github with help of following command:
Once you download this script, you can simply run it by tying ./LinEnum.sh on terminal. Hence it will dump all fetched data and system details.
Let’s Analysis Its result what is brings to us:
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Moreover…..
Super User Accounts: root, demo, hack, raaz
Sudo Rights User: Ignite, raj
Home Directories File Permission
Environment Information
And many more such things which comes under the Post exploitation.
Linuxprivchecker
Enumerates the system configuration and runs some privilege escalation checks as well. It is a python implementation to suggest exploits particular to the system that’s been taken under. Use wget to download the script from its source URL.
Now to use this script just type python linuxprivchecke.py on terminal and this will enumerate file and directory permissions/contents. This script works same as LinEnum and hunts details related to system network and user.
1
python linuxprivchecker.py
Let’s Analysis Its result what is brings to us.
OS & Kernel Info: 4.15.0-36-generic, Ubuntu-16.04.1
Hostname: Ubuntu
Network Info: Interface, Netstat
Writable Directory and Files for Users other than Root: /home/raj/script/shell.py
Checks if Root’s home folder is accessible
File having SUID/SGID Permission
For example: /bin/raj/asroot.sh which is a bash script with SUID Permission
Linux Exploit Suggester 2
Next-generation exploit suggester based on Linux_Exploit_Suggester. This program performs a ‘uname -r‘ to grab the Linux operating system release version, and returns a list of possible exploits.
This script is extremely useful for quickly finding privilege escalation vulnerabilities both in on-site and exam environments.
Key Improvements Include:
More exploits
Accurate wildcard matching. This expands the scope of searchable exploits.
To execute the script you need to run following command:
1
2
source bashark.sh
help
The help command will let you know all available options provide by bashark for post exploitation.
With help of portscan option you can scan the internal network of the compromised machine.
To fetch all configuration file you can use getconf option. It will pull out all configuration file stored inside /etcdirectory. Similarly you can use getprem option to view all binaries files of the target‘s machine.
1
2
3
portscan<target’sIP>
getconf
getprem
BeRoot
BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. This tool does not realize any exploitation. It mains goal is not to realize a configuration assessment of the host (listing all services, all processes, all network connection, etc.) but to print only information that have been found as potential way to escalate our privilege.
To execute the script you need to run following command:
1
./beroot.py
It will try to enumerate all possible loopholes which can lead to privilege Escalation, as you can observe the highlighted yellow color text represents weak configuration that can lead to root privilege escalation whereas the red color represent the technique that can be used to exploit.
It’s Functions:
Check Files Permissions
SUID bin
NFS root Squashing
Docker
Sudo rules
Kernel Exploit
Conclusion: Above executed script are available on github, you can easily download it from github. These all automated script try to identify the weak configuration that can lead to root privilege escalation.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
r0ak is a Windows command-line utility that enables you to easily read, write, and execute kernel-mode code (with some limitations) from the command prompt, without requiring anything else other than Administrator privileges.
Motivation
The Windows kernel is a rich environment in which hundreds of drivers execute on a typical system, and where thousands of variables containing global state are present. For advanced troubleshooting, IT experts will typically use tools such as the Windows Debugger (WinDbg), SysInternals Tools, or write their own. Unfortunately, usage of these tools is getting increasingly hard, and they are themselves limited by their own access to Windows APIs and exposed features.
Some of today’s challenges include:
Windows 8 and later support Secure Boot, which prevents kernel debugging (including local debugging) and loading of test-signed driver code. This restricts troubleshooting tools to those that have a signed kernel-mode driver.
Even on systems without Secure Boot enabled, enabling local debugging or changing boot options which ease debugging capabilities will often trigger BitLocker’s recovery mode.
Windows 10 Anniversary Update and later include much stricter driver signature requirements, which now enforce Microsoft EV Attestation Signing. This restricts the freedom of software developers as generic «read-write-everything» drivers are frowned upon.
Windows 10 Spring Update now includes customer-facing options for enabling HyperVisor Code Integrity (HVCI) which further restricts allowable drivers and blacklists multiple 3rd party drivers that had «read-write-everything» capabilities due to poorly written interfaces and security risks.
Technologies like Supervisor Mode Execution Prevention (SMEP), Kernel Control Flow Guard (KCFG) and HVCI with Second Level Address Translation (SLAT) are making traditional Ring 0 execution ‘tricks’ obsoleted, so a new approach is needed.
In such an environment, it was clear that a simple tool which can be used as an emergency band-aid/hotfix and to quickly troubleshoot kernel/system-level issues which may be apparent by analyzing kernel state might be valuable for the community.
How it Works
Basic Architecture
r0ak works by redirecting the execution flow of the window manager’s trusted font validation checks when attempting to load a new font, by replacing the trusted font table’s comparator routine with an alternate function which schedules an executive work item (WORK_QUEUE_ITEM) stored in the input node. Then, the trusted font table’s right child (which serves as the root node) is overwritten with a named pipe’s write buffer (NP_DATA_ENTRY) in which a custom work item is stored. This item’s underlying worker function and its parameter are what will eventually be executed by a dedicated ExpWorkerThread at PASSIVE_LEVELonce a font load is attempted and the comparator routine executes, receiving the name pipe-backed parent node as its input. A real-time Event Tracing for Windows (ETW) trace event is used to receive an asynchronous notification that the work item has finished executing, which makes it safe to tear down the structures, free the kernel-mode buffers, and restore normal operation.
Supported Commands
When using the --execute option, this function and parameter are supplied by the user.
When using --write, a custom gadget is used to modify arbitrary 32-bit values anywhere in kernel memory.
When using --read, the write gadget is used to modify the system’s HSTI buffer pointer and size (N.B.: This is destructive behavior in terms of any other applications that will request the HSTI data. As this is optional Windows behavior, and this tool is meant for emergency debugging/experimentation, this loss of data was considered acceptable). Then, the HSTI Query API is used to copy back into the tool’s user-mode address space, and a hex dump is shown.
Because only built-in, Microsoft-signed, Windows functionality is used, and all called functions are part of the KCFG bitmap, there is no violation of any security checks, and no debugging flags are required, or usage of 3rd party poorly-written drivers.
FAQ
Is this a bug/vulnerability in Windows?
No. Since this tool — and the underlying technique — require a SYSTEM-level privileged token, which can only be obtained by a user running under the Administrator account, no security boundaries are being bypassed in order to achieve the effect. The behavior and utility of the tool is only possible due to the elevated/privileged security context of the Administrator account on Windows, and is understood to be a by-design behavior.
Was Microsoft notified about this behavior?
Of course! It’s important to always file security issues with Microsoft even when no violation of privileged boundaries seems to have occurred — their teams of researchers and developers might find novel vectors and ways to reach certain code paths which an external researcher may not have thought of.
As such, in November 2014, a security case was filed with the Microsoft Security Research Centre (MSRC) which responded: «[…] doesn’t fall into the scope of a security issue we would address via our traditional Security Bulletin vehicle. It […] pre-supposes admin privileges — a place where architecturally, we do not currently define a defensible security boundary. As such, we won’t be pursuing this to fix.»
Furthermore, in April 2015 at the Infiltrate conference, a talk titled Insection : AWEsomely Exploiting Shared Memory Objects was presented detailing this issue, including to Microsoft developers in attendance, which agreed this was currently out of scope of Windows’s architectural security boundaries. This is because there are literally dozens — if not more — of other ways an Administrator can read/write/execute Ring 0 memory. This tool merely allows an easy commodification of one such vector, for purposes of debugging and troubleshooting system issues.
Can’t this be packaged up as part of end-to-end attack/exploit kit?
Packaging this code up as a library would require carefully removing all interactive command-line parsing and standard output, at which point, without major rewrites, the ‘kit’ would:
Require the target machine to be running Windows 10 Anniversary Update x64 or later
Have already elevated privileges to SYSTEM
Require an active Internet connection with a proxy/firewall allowing access to Microsoft’s Symbol Server
Require the Windows SDK/WDK installed on the target machine
Require a sensible _NT_SYMBOL_PATH environment variable to have been configured on the target machine, and for about 15MB of symbol data to be downloaded and cached as PDB files somewhere on the disk
Attackers interested in using this particular approach — versus very many others more cross-compatible, no-SYSTEM-right-requiring techniques — likely already adapted their own code based on the Proof-of-Concept from April 2015 — more than 3 years ago.
Usage
Requirements
Due to the usage of the Windows Symbol Engine, you must have either the Windows Software Development Kit (SDK) or Windows Driver Kit (WDK) installed with the Debugging Tools for Windows. The tool will lookup your installation path automatically, and leverage the DbgHelp.dll and SymSrv.dll that are present in that directory. As these files are not re-distributable, they cannot be included with the release of the tool.
Alternatively, if you obtain these libraries on your own, you can modify the source-code to use them.
Usage of symbols requires an Internet connection, unless you have pre-cached them locally. Additionally, you should setup the _NT_SYMBOL_PATH variable pointing to an appropriate symbol server and cached location.
It is assumed that an IT Expert or other troubleshooter which apparently has a need to read/write/execute kernel memory (and has knowledge of the appropriate kernel variables to access) is already more than intimately familiar with the above setup requirements. Please do not file issues asking what the SDK is or how to set an environment variable.
Use Cases
Some driver leaked kernel pool? Why not call ntoskrnl.exe!ExFreePool and pass in the kernel address that’s leaking? What about an object reference? Go call ntoskrnl.exe!ObfDereferenceObject and have that cleaned up.
Want to dump the kernel DbgPrint log? Why not dump the internal circular buffer at ntoskrnl.exe!KdPrintCircularBuffer
Wondering how big the kernel stacks are on your machine? Try looking at ntoskrnl.exe!KeKernelStackSize
Want to dump the system call table to look for hooks? Go print out ntoskrnl.exe!KiServiceTable
These are only a few examples — all Ring 0 addresses are accepted, either by module!symbol syntax or directly passing the kernel pointer if known. The Windows Symbol Engine is used to look these up.
Limitations
The tool requires certain kernel variables and functions that are only known to exist in modern versions of Windows 10, and was only meant to work on 64-bit systems. These limitations are due to the fact that on older systems (or x86 systems), these stricter security requirements don’t exist, and as such, more traditional approaches can be used instead. This is a personal tool which I am making available, and I had no need for these older systems, where I could use a simple driver instead. That being said, this repository accepts pull requests, if anyone is interested in porting it.
Secondly, due to the use cases and my own needs, the following restrictions apply:
Reads — Limited to 4 GB of data at a time
Writes — Limited to 32-bits of data at a time
Executes — Limited to functions which only take 1 scalar parameter
Obviously, these limitations could be fixed by programmatically choosing a different approach, but they fit the needs of a command line tool and my use cases. Again, pull requests are accepted if others wish to contribute their own additions.
Note that all execution (including execution of the --read and --write commands) occurs in the context of a System Worker Thread at PASSIVE_LEVEL. Therefore, user-mode addresses should not be passed in as parameters/arguments.
Disclaimer: The elaboration and software project associated to this subject are results of a Bachelor’s thesis created at SCHUTZWERK in collaboration with Aalen University by Philipp Schmied.
While car manufacturers steadily refine and advance vehicle systems, requirements of the underlying networks increase even further. Striving for smart cars, a fast-growing amount of components are interconnected within a single car. This results in specialized and often proprietary car protocols built based on standardized technology. Most of these protocols are based on bus protocols: All network nodes within such a bus network are connected using a single shared data link. This technology provides a feasible way of real time communication between several security and comfort systems. However, often no or insufficient authentication and encryption or other security mechanisms can be found in today’s car systems. As described previously, most of the interchanged data structures on a car network bus, including associated systems, are proprietary. For this reason, there’s a need for open source, extensible, easy to use and publicly available software to analyze the security state of such networks and protocols.
CAN BUS
Starting from mid-1980, the CAN bus is being implemented into vehicles. Still to this day, many components and proprietary protocols rely on the CAN bus. While analyzing today’s car protocols, we focused on this technology – however, there exist multiple additional technologies like FlexRay and automotive Ethernet which will most likely gain an increased relevance and also need to be analyzed in the future.
CAN network packets are defined by the associated packet format, which looks as follows [1]:
Arbitration ID: Describes the meaning of the data segments
Control: Flags to manage packet transport
Data: Payload of the packet with up to eight bytes of data
CRC: Checksum
A general goal of analyzing car protocols is to reverse engineer the CAN matrix. This data structure maps CAN arbitration IDs and corresponding payloads to specific actions. An example for this is the identification of a CAN packet which controls the acceleration of a vehicle.
Depending on intended goals, the CAN bus can be accessed in two ways:
OBD-II interface: Since 2004, this diagnostic interface is mandatory for each car in the European Union. Most of the time, this port can be accessed from the driver’s seat. Inbound packets can and most likely will be filtered by the diagnostic gateway, so fuzzing from this interface can be of limited success rate.
Interacting with bus wires: It’s possible to directly splice analysis hardware into a CAN bus. This way, filtering can be circumvented and otherwise isolated bus segments can be analyzed.
INTRODUCING THE CANALYZAT0R
This Python software project is built from scratch with new ideas for analysis mechanisms. It’s released on GitHub and bundles many features of other other CAN tools in one place. Also, it’s GUI based and organized with one tab per specific analysis task:
Most of the existing open source CAN analysis software makes use of SocketCAN. This consists of a bundle of kernel modules that abstract CAN communication in such a way that CAN interfaces can be used similarly to conventional network interfaces on the Linux operating system. So does CANalyzat0r, including many additional features:
Multi interface support: Sniff while sending data on a separate SocketCAN interface
Manage your work in projects. You can also import and export them in human readable/editable JSON format and track data using a version control system.
Transparent logging
Graphical sniffing
Manage findings, dumps and known packets per project:
CANalyzat0r: Manage known packets per project
Easy copy and paste between CANalyzat0r modules. Also, it’s possible to paste text based SocketCAN files directly into the GUI to import existing packet dumps:
CANalyzat0r: Pasting packets
Threaded Sending, Fuzzing and Sniffing
Ignore packets when sniffing — Automatically filter unique packets by ID or data and ID
Compare dumps
Allows setting up complex setups using only one window
Clean organization in tabs for each analysis task
Advanced packet filtering using an interactive packet replay approach
Search for action specific packets using background noise filtering
SQLite support
PDF and HTML code documentation
CANalyzat0r is modular and extensible – using the provided documentation it’s possible to implement new features which integrate into the existing GUI and work flow.
USAGE EXAMPLES
SIMULTANEOUS SNIFFING AND FUZZING
In order to analyze functionalities of proprietary car components, fuzzing mostly acts as a starting point. Using this approach, CAN nodes can be examined to uncover potential security risks. The CANalyzat0r can be used to quickly setup an efficient fuzzing environment:
CANalyzat0r: Integrated fuzzer and sniffer
Connect the CANalyzat0r to the CAN node via SocketCAN and the desired bit rate.
In the fuzzer tab, choose the desired options: For example, it’s possible to define a fuzzing mask and a desired packet length range which will be applied to all randomly generated CAN packets:
Resulting payload
Payload mask
Length minimum
Length maximum
12 AA 34 56 BB 13
XX AA XX XX BB 13 XX XX
0
6
—
XX AA XX XX BB 13 XX XX
0
6
12 AA 34 88
XX AA XX XX BB 13 37 DD
2
4
Also, CAN Arbitration IDs can be fixed while payloads remain variable. Here’s an example:
Resulting CAN ID
ID mask
Fuzzing mode
BA4
XAX
User defined
832
XXX
User defined
563
—
11 bit IDs
While random packets are being generated and sent over the CAN bus, it’s possible to use the sniffer tab to trace answer packets. Sniffed packet dumps can be saved, replayed or filtered in further steps.
SEMI-AUTOMATED PACKET FILTERING
To exploit and check for packet replay vulnerabilities, it’s often necessary to capture packet dumps while executing a certain task on a car, for example unlocking the doors using the remote control. Once such a packet dump that causes a CAN node to execute the desired task has been captured, it’s mostly desired to minimize such a set of packets. To gain the desired effect on a car’s component, it’s not required to replay thousands of packets every time. In fact, desired actions can usually be performed using only a few particular CAN packets.
For this task, the filtering tab of the CANalyzat0r can be used:
CANalyzat0r: Filtering packets
Capture “noise” packets: While the desired action is not being executed by the CAN component, packets that pass the bus will be captured. These packets will be useful in further analysis steps.
Record an arbitrary amount of packet sets while executing the task once per packet set.
Filtering: First, all previously captured noise packets will be removed from each packet set. After that, only packets which occur in every packet set will be shown. This resulting set of packets causes the CAN node to perform the desired task while being heavily minimized.
PACKET SEARCH USING A BINARY TREE SEARCH
Large packet dumps often are the result of fuzzing attempts. To assist in filtering relevant packets, the searcher tab of the described toolkit can be used:
Load the desired packet dump by using either copy-and-paste mechanisms of the CANalyzat0r tabs, text based packet dumps or database queries.
After connecting the CANalyzat0r to the target vehicle, start the searching process.
The loaded packet set will be split into small chunks, which are replayed one after another. After one chunk has been replayed, the tool asks the user whether the desired action has been executed by the car. On success, the previously replayed packet set acts as the new base data set and the searching process restarts from the beginning.
If no chunk generates the desired output, randomization will be used. This results in shuffled packet chunks which will be used for further retries. Using this approach, actions which require multiple packets to be sent can be identified.
DATABASE MANAGEMENT
Once packet dumps for specific results have been identified, they can be saved to the SQLite based database with an associated description. This allows a centralized finding management. Using the JSON based database import and export functionality, database states can be version controlled. It’s also possible to work on multiple CANalyzat0r projects simultaneously by creating separate projects.
EASY SETUP USING DOCKER
To get started quickly, the provided docker image can be used. No dependencies have to be present on the host system and the CANalyzat0r is up and ready using only a few commands. Please refer to the docker folder within the CANalyzat0r repository for additional information.
@Hexacorn discussed in late 2017 a new code injection technique, which involves hooking existing callback functions in a Window subclass structure. Exploiting this legitimate functionality of windows for malicious purposes will not likely surprise some developers already familiar with hooking existing callback functions in a process. However, it’s still a relatively new technique for many to misuse for code injection, and we’ll likely see it used more and more in future.
For all the details on research conducted by Adam, I suggest the following posts.
Executing code inside a different process space is typically achieved via an injected DLL /system-wide hooks, sideloading, etc./, executing remote threads, APCs, intercepting and modifying the thread context of remote threads, etc. Then there is Gapz/Powerloader code injection (a.k.a. EWMI), AtomBombing, and mapping/unmapping trick with the NtClose patch.
I believe that Gapz trick was created as an attempt to bypass what has been mitigated by the User Interface Privilege Isolation (UIPI). Interestingly, there is actually more than one way to do it, and the trick that I am going to describe below is a much cleaner variant of it – it doesn’t even need any ROP.
There is a class of windows always present on the system that use window subclassing. Window subclassing is just a fancy name for hooking, because during the subclassing process an old window procedure is preserved while the new one is being assigned to the window. The new one then intercepts all the window messages, does whatever it has to do, and then calls the old one.
The ‘native’ window subclassing is done using the SetWindowSubclass API.
When a window is subclassed it gains a new property stored inside its internal structures and with a name depending on a version of comctl32.dll:
UxSubclassInfo – version 6.x
CC32SubclassInfo – version 5.x
Looking at properties of Windows Explorer child windows we can see that plenty of them use this particular subclassing property:
So do other Windows applications – pretty much any program that is leveraging standard windows controls can be of interest, including say… OllyDbg:When the SetWindowSubclass is called it is using SetProp API to set one of these two properties (UxSubclassInfo, or CC32SubclassInfo) to point to an area in memory where the old function pointer will be stored. When the new message routine is called, it will then call GetProp API for the given window and once its old procedure address is retrieved – it is executed.
Coming back for a moment to the aforementioned shattering attacks. We can’t use SetWindowLong or SetClassLong (or their newer SetWindowLongPtr and SetClassLongPtr alternatives) any longer to set the address of the window procedure for windows belonging to the other processes (via GWL_WNDPROC or GCL_WNDPROC). However, the SetProp function is not affected by this limitation. When it comes to the process at the lower of equal integrity level the Microsoft documentation says:
SetProp is subject to the restrictions of User Interface Privilege Isolation (UIPI). A process can only call this function on a window belonging to a process of lesser or equal integrity level. When UIPI blocks property changes, GetLastError will return 5.
So, if we talk about other user applications in the same session – there is plenty of them and we can modify their windows’ properties freely!
I guess you know by now where it is heading:
We can freely modify the property of a window belonging to another process.
We also know some properties point to memory region that store an old address of a procedure of the subclassed window.
The routine that address points to will be at some stage executed.
All we need is a structure that UxSubclassInfo/CC32SubclassInfo properties are using. This is actually pretty easy – you can check what SetProp is doing for these subclassed windows. You will quickly realize that the old procedure is stored at the offset 0x14 from the beginning of that memory region (the structure is a bit more complex as it may contain a number of callbacks, but the first one is at 0x14).
So, injecting a small buffer into a target process, ensuring the expected structure is properly filled-in and and pointing to the payload and then changing the respective window property will ensure the payload is executed next time the message is received by the window (this can be enforced by sending a message).
When I discovered it, I wrote a quick & dirty POC that enumerates all windows with the aforementioned properties (there is lots of them so pretty much every GUI application is affected). For each subclassing property found I changed it to a random value – as a result Windows Explorer, Total Commander, Process Hacker, Ollydbg, and a few more applications crashed immediately. That was a good sign. I then created a very small shellcode that shows a Message Box on a desktop window and tested it on Windows 10 (under normal account).
The moment when the shellcode is being called in a first random target (here, Total Commander):
Of course, it also works in Windows Explorer, this is how it looks like when executed:
If we check with Process Explorer, we can see the window belongs to explorer.exe:Testing it on a good ol’ Windows XP and injecting the shellcode into Windows Explorer shows a nice cascade of executed shellcodes for each window exposing the subclassing property (in terms of special effects XP always beats Windows 10 – the latter freezes after first messagebox shows up; and in case you are wondering why it freezes – it’s because my shellcode is simple and once executed it is basically damaging the running application):
For obvious reasons I won’t be attaching the source code.
If you are an EDR or sandboxing vendor you should consider monitoring SetProp/SetWindowSubclass APIs as well as their NT alternatives and system services.
And…
This is not the end. There are many other generic properties that can be potentially leveraged in a very same way:
The Microsoft Foundation Class Library (MFC) uses ‘AfxOldWndProc423’ property to subclass its windows
A new trick that allows to execute code in other processes without using remote threads, APC, etc. While describing it, I focused only on 32-bit architecture. One may wonder whether there is a way for it to work on 64-bit systems and even more interestingly – whether there is a possibility to inject/run code between 32- and 64- bit processes.
To test it, I checked my 32-bit code injector on a 64-bit box. It crashed my 64-bit Explorer.exe process in no time.
So, yes, we can change properties of windows belonging to 64-bit processes from a 32-bit process! And yes, you can swap the subclass properties I described previously to point to your injected buffer and eventually make the payload execute! The reason it works is that original property addresses are stored in lower 32-bit of the 64-bit offset. Replacing that lower 32-bit part of the offset to point to a newly allocated buffer (also in lower area of the memory, thanks to VirtualAllocEx) is enough to trigger the code execution.
See below the GetProp inside explorer.exe retrieving the subclassed property:
So, there you have it… 32 process injecting into 64-bit process and executing the payload w/o heaven’s gate or using other undocumented tricks.
The below is the moment the 64-bit shellcode is executed:
p.s. the structure of the subclassed callbacks is slightly different inside 64-bit processes due to 64-bit offsets, but again, I don’t want to make it any easier to bad guys than it should be ????
While SetWindowLong/SetWindowLongPtr/SetClassLong/SetClassLongPtr are all protected and can be only used on windows belonging to the same process, the very old APIs SetWindowWord and SetClassWord … are not.
As usual, I tested it enumerating windows running a 32-bit application on a 64-bit system and setting properties to unpredictable values and observing what happens.
It turns out that again, pretty much all my Window applications crashed on Window 10. These 16 bits seem to be quite powerful…
I am not a vulnerability researcher, but I bet we can still do something interesting; I will continue poking around. The easy wins I see are similar to SetProp e.g. GWL_USERDATA may point to some virtual tables/pointers; the DWL_USER – as per Microsoft – ‘sets new extra information that is private to the application, such as handles or pointers’. Assuming that we may only modify 16 bit of e.g. some offset, redirecting it to some code cave or overwriting unused part of memory within close proximity of the original offset could allow for a successful exploit.
A few months back I discovered a new code injection technique that I named PROPagate. Using a subclass of a well-known shatter attack one can modify the callback function pointers inside other processes by using Windows APIs like SetProp, and potentially others. After pointing out a few ideas I put it on a back burner for a while, but I knew I will want to explore some more possibilities in the future.
In particular, I was curious what are the chances one could force the remote process to indirectly call the ‘prohibited’ functions like SetWindowLong, SetClassLong (or their newer alternatives SetWindowLongPtr and SetClassLongPtr), but with the arguments that we control (i.e. from a remote process). These API are ‘prohibited’ because they can only be called in a context of a process that owns them, so we can’t directly call them and target windows that belong to other processes.
It turns out his may be possible!
If there is one common way of using the SetWindowLong API it is to set up pointers, and/or filling-in window-specific memory areas (allocated per window instance) with some values that are initialized immediately after the window is created. The same thing happens when the window is destroyed – during the latter these memory areas are usually freed and set to zeroes, and callbacks are discarded.
These two actions are associated with two very specific window messages:
WM_NCCREATE
WM_NCDESTROY
In fact, many ‘native’ windows kick off their existence by setting some callbacks in their message handling routines during processing of these two messages.
With that in mind, I started looking at existing processes and got some interesting findings. Here is a snippet of a routine I found inside Windows Explorer that could be potentially abused by a remote process:
Or, it’s disassembly equivalent (in response to WM_NCCREATE message):
So… since we can still freely send messages between windows it would seem that there is a lot of things that can be done here. One could send a specially crafted WM_NCCREATE message to a window that owns this routine and achieve a controlled code execution inside another process (the lParam needs to pass the checks and include pointer to memory area that includes a callback that will be executed afterwards – this callback could point to malicious code). I may be of course wrong, but need to explore it further when I find more time.
The other interesting thing I noticed is that some existing windows procedures are already written in a way that makes it harder to exploit this issue. They check if the window-specific data was set, and only if it was NOT they allow to call the SetWindowLong function. That is, they avoid executing the same initialization code twice.
Let’s be honest with ourselves, most of the “good” code injection techniques used by malware authors today are the brainchild of some expert(s) in the field of computer security. Take for example Process Hollowing, AtomBombing and the more recent Doppelganging technique.
On the likelihood of code being misused, Adam didn’t publish a PoC, but there’s still sufficient information available in the blog posts for a competent person to write their own proof of concept, and it’s only a matter of time before it’s used in the wild anyway.
Update: After publishing this, I discovered it’s currently being used by SmokeLoader but using a different approach to mine by using SetPropA/SetPropW to update the subclass procedure.
I’m not providing source code here either, but given the level of detail, it should be relatively easy to implement your own.
Steps to PROPagate.
Enumerate all window handles and the properties associated with them using EnumProps/EnumPropsEx
Use GetProp API to retrieve information about hWnd parameter passed to WinPropProc callback function. Use “UxSubclassInfo” or “CC32SubclassInfo” as the 2nd parameter. The first class is for systems since XP while the latter is for Windows 2000.
Open the process that owns the subclass and read the structures that contain callback functions. Use GetWindowThreadProcessId to obtain process id for window handle.
Write a payload into the remote process using the usual methods.
Replace the subclass procedure with pointer to payload in memory.
Write the structures back to remote process.
At this point, we can wait for user to trigger payload when they activate the process window, or trigger the payload via another API.
Subclass callback and structures
Microsoft was kind enough to document the subclass procedure, but unfortunately not the internal structures used to store information about a subclass, so you won’t find them on MSDN or even in sources for WINE or ReactOS.
Some clever searching by yours truly eventually led to the Windows 2000 source code, which was leaked online in 2004. Behold, the elusive undocumented structures found in subclass.c!
// header associated with this frame
struct _SUBCLASS_HEADER *pHeader;
} SUBCLASS_FRAME, *PSUBCLASS_FRAME;
typedefstruct _SUBCLASS_HEADER {
UINT uRefs; // subclass count
UINT uAlloc; // allocated subclass call nodes
UINT uCleanup; // index of call node to clean up
DWORD dwThreadId; // thread id of window we are hooking
SUBCLASS_FRAME *pFrameCur; // current subclass frame pointer
SUBCLASS_CALL CallArray[1]; // base of packed call node array
} SUBCLASS_HEADER, *PSUBCLASS_HEADER;
At least now there’s no need to reverse engineer how Windows stores information about subclasses. Phew!
Finding suitable targets
I wrongly assumed many processes would be vulnerable to this injection method. I can confirm ollydbg and Process Hacker to be vulnerable as Adam mentions in his post, but I did not test other applications. As it happens, only explorer.exe seemed to be a viable target on a plain Windows 7 installation. Rather than search for an arbitrary process that contained a subclass callback, I decided for the purpose of demonstrations just to stick with explorer.exe.
The code first enumerates all properties for windows created by explorer.exe. An attempt is made to request information about “UxSubclassInfo”, which if successful will return an address pointer to subclass information in the remote process.
Figure 1. shows a list of subclasses associated with process id. I’m as perplexed as you might be about the fact some of these subclass addresses appear multiple times. I didn’t investigate.
Figure 1: Address of subclass information and process id for explorer.exe
Attaching a debugger to process id 5924 or explorer.exe and dumping the first address provides the SUBCLASS_HEADER contents. Figure 2 shows the data for header, with 2 hi-lighted values representing the callback functions.
Figure 2 : Dump of SUBCLASS_HEADER for address 0x003A1BE8
Disassembly of the pointer 0x7448F439 shows in Figure 3 the code is CallOriginalWndProc located in comctl32.dll
Figure 3 : Disassembly of callback function for SUBCLASS_CALL
Okay! So now we just read at least one subclass structure from a target process, change the callback address, and wait for explorer.exe to execute the payload. On the other hand, we could write our own SUBCLASS_HEADER to remote memory and update the existing subclass window with SetProp API.
To overwrite SUBCLASS_HEADER, all that’s required is to replace the pointer pfnSubclass with address of payload, and write the structure back to memory. Triggering it may be required unless someone is already using the operating system.
One would be wise to restore the original callback pointer in subclass header after payload has executed, in order to avoid explorer.exe crashing.
Update: Smoke Loader probably initializes its own SUBCLASS_HEADER before writing to remote process. I think either way is probably fine. The method I used didn’t call SetProp API.
Detection
The original author may have additional information on how to detect this injection method, however I think the following strings and API are likely sufficient to merit closer investigation of code.
Strings
UxSubclassInfo
CC32SubclassInfo
explorer.exe
API
OpenProcess
ReadProcessMemory
WriteProcessMemory
GetPropA/GetPropW
SetPropA/SetPropW
Conclusion
This injection method is trivial to implement, and because it affects many versions of Windows, I was surprised nobody published code to show how it worked. Nevertheless, it really is just a case of hooking callback functions in a remote process, and there are many more just like subclass. More to follow!
