
How to use Regasm.exe and Regsvcs.exe to bypass AppLocker

2025-01-29 Update From: SLTechnology News&Howtos (shulou), Network Security


Shulou (Shulou.com) 05/31 Report

Many newcomers are unclear about how Regasm.exe and Regsvcs.exe can be used to bypass AppLocker. To help with that, the following walks through the technique in detail; anyone who needs it can learn from it, and I hope you gain something from it.

AppLocker

AppLocker, also known as "application control policy", is a Windows security feature that helps administrators provide a degree of protection for host systems. By defining rules, administrators decide which programs, installers, and scripts may run on a computer; rule conditions include, but are not limited to, user or group, publisher name, product name, file path, file hash, and file version.

Reproduction environment

Attacker: Kali, IP 192.168.195.154

Victim: Windows 7 32-bit, IP 192.168.195.145, administrator user root, normal user test

Tools: Metasploit, Ollydbg

Files: calc_signed.dll, calc_unsigned.dll, msf_signed.dll, msf_unsigned.dll

Reproduction process

First, open Local Services on the victim machine and start the Application Identity service, which is a prerequisite for AppLocker rules to take effect.

Use msfvenom on the attacker to generate a payload in C# format; once it runs, it connects back to the specified port on the attacker.

The .cs source used to build the malicious DLLs can be downloaded from https://github.com/3gstudent/Bypass-McAfee-Application-Control--Code-Execution/blob/master/regsvcs.cs, and csc.exe in the C:\Windows\Microsoft.NET\Framework\v4.0.30319 folder compiles a .cs file into a DLL. In this article we use two source files, calc.cs and msf.cs, to build the malicious DLLs: calc.cs is the regsvcs.cs file downloaded from that page, and msf.cs is the same file with the shellcode section replaced by the payload generated above.

From calc.cs and msf.cs, csc.exe produces four DLLs: calc_signed.dll, calc_unsigned.dll, msf_signed.dll, and msf_unsigned.dll. calc_signed.dll is signed and calc_unsigned.dll is unsigned; both pop up a calculator. msf_signed.dll is signed and msf_unsigned.dll is unsigned; both open a session back to the msf attacker. The commands used to build these four DLLs are shown below.

Both Regasm.exe and Regsvcs.exe can be used to bypass AppLocker, but Regsvcs.exe will only load or unload a DLL that has been signed with a key pair; otherwise it fails with the error shown in the figure below.

The signing tools are in the C:\Program Files\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools folder, and a key pair file can be generated with the command shown in the figure below.

Before attempting the bypass, we set AppLocker rules for the files involved; these are configured under Control Panel > Administrative Tools > Local Security Policy > Application Control Policies > AppLocker. In this example we create rules for the user root that allow or deny execution of calc.exe. As the figure below shows, the calculator launches successfully when execution is allowed.

When execution is denied, the calculator fails to launch. So simply using the generated DLL to start a new program does not bypass the AppLocker rule, because the new process is itself subject to it. For the subsequent tests we therefore use a DLL that launches no new program; since no new program is started, there is nothing for an AppLocker block rule to act on.

As shown in the figure below, when msf_signed.dll is loaded, it is the Regsvcs.exe process itself that performs the outbound callback network communication.

When running the command shown above, open msfconsole on the attacker side with a listener on port 4444, and the shell is obtained successfully. As the figure below shows, the shell can be used to control the victim machine.

Because registering a DLL with Regasm.exe, as with Regsvcs.exe, requires administrator privileges, we use a different command when testing as the normal user test.

Regasm.exe and Regsvcs.exe can unregister a DLL with normal user permissions, so we use the commands in the figure below to try to open the calculator and connect back to the msf attacker. In testing, Regasm.exe successfully completed the AppLocker bypass.

As seen on the attacker side, the current user is the normal user test.

So even when the victim is running with normal user permissions, the attacker can still perform malicious operations on the victim, such as downloading files, taking screenshots, collecting system information, and executing specified programs.

Within the shell we can also move to a location where an ordinary user has write permission (such as the desktop) to create folders and upload malicious files.

Finally, we do a brief reverse analysis of the registered msf_signed.dll to understand how it connects back to the attacker on registration. Open RegAsm.exe in OllyDbg (OD) with msf_signed.dll as the startup parameter, set a break on new DLL loads, and run until msf_signed.dll is loaded.

After the new thread starts, the DLL attempts to connect to IP 192.168.195.154 using the connect() function.

Once the connection succeeds, the DLL attempts to receive data using the recv() function.

Before receiving, the DLL calls VirtualAlloc() to allocate memory in which to store the incoming data. As the figure below shows, the received data is a PE file.

The DLL then jumps into the memory region holding that PE file. This file is the core code for control once the msf connection is established: through it the attacker sends commands to the victim machine and retrieves the corresponding information from it.
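The behaviours described above are exactly what a defender should alert on: Regsvcs.exe or Regasm.exe being handed a DLL from a user-writable folder (including the unregister case that works as a normal user), and the registration process itself opening a socket to a remote host. The following is an added detection example, not code from the original article or from any of the tools it mentions. It runs over constructed Sysmon-style process-create (ID 1) and network-connect (ID 3) events; the event field names, the `analyze` function and the list of trusted DLL locations are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events in a Sysmon-like shape (ID 1 = process create,
# ID 3 = network connection). They are made up for this example, not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1204, "user": r"WIN7\test",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /U C:\Users\test\Desktop\msf_signed.dll"},
    {"id": 3, "pid": 1204,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "dst_ip": "192.168.195.154", "dst_port": 4444},
    {"id": 1, "pid": 2201, "user": r"WIN7\root",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'RegSvcs.exe "C:\Program Files\Vendor\component.dll"'},
    {"id": 1, "pid": 3310, "user": r"WIN7\root",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\root\notes.txt"},
]

# The two .NET registration utilities the article abuses.
LOLBINS = {"regasm.exe", "regsvcs.exe"}
# Assumed locations where legitimately installed .NET components live;
# anything a standard user can write to (profile, temp, desktop) is excluded.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def dll_argument(cmdline):
    """Return the first .dll argument on the command line (quoted or bare), or None."""
    for m in re.finditer(r'"([^"]+)"|(\S+)', cmdline):
        arg = m.group(1) or m.group(2)
        if arg.lower().endswith(".dll"):
            return arg
    return None


def is_trusted_path(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def analyze(events):
    """Return a list of alert dicts for suspicious RegAsm/RegSvcs activity."""
    alerts = []
    started = {}  # pid -> (binary name, user) for LOLBin processes seen starting
    for ev in events:
        binary = PureWindowsPath(ev["image"]).name.lower()
        if binary not in LOLBINS:
            continue
        if ev["id"] == 1:
            started[ev["pid"]] = (binary, ev["user"])
            dll = dll_argument(ev["cmdline"])
            # Register (default) and unregister (/U) both load the DLL, so
            # flag either when the DLL comes from an untrusted location.
            if dll and not is_trusted_path(dll):
                alerts.append({
                    "rule": "lolbin_untrusted_dll",
                    "pid": ev["pid"], "user": ev["user"],
                    "detail": f"{binary} asked to (un)register {dll}",
                })
        elif ev["id"] == 3:
            # These registration tools have no business opening sockets of
            # their own; the article shows the callback coming from them directly.
            _, user = started.get(ev["pid"], (binary, "unknown"))
            alerts.append({
                "rule": "lolbin_network",
                "pid": ev["pid"], "user": user,
                "detail": f"{binary} connected to {ev['dst_ip']}:{ev['dst_port']}",
            })
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(a["rule"], a["user"], a["detail"])
```

On the constructed input this raises two alerts, both for pid 1204 (the RegAsm.exe run as the normal user test): one for the DLL on the desktop and one for the outbound connection. The RegSvcs.exe run against a DLL under Program Files is left alone, which is the usual false-positive source for this rule, so tune TRUSTED_PREFIXES to where your installers actually place components. The same two conditions map directly onto Sysmon event IDs 1 and 3 in a SIEM query.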

Protective measures

1. Turn on AppLocker, set rules sensibly, and prevent malicious executable files from running;

2. Do not casually register DLLs of unknown origin;

3. Do not casually run software of unknown origin;

4. Keep the virus database up to date so that malicious programs on hosts can be detected and removed;

5. It is recommended to use the "Iron Dome Advanced Persistent Threat System" ("Iron Dome" for short) to detect potential attacks. "Iron Dome" is a system from Dongxun Technology Co., Ltd. that combines traffic detection and sandbox analysis to detect potential threat behaviour on hosts.
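Item 1 above, "set rules sensibly", is where this bypass actually lives: AppLocker's stock default rules allow everything under %WINDIR%, which includes the .NET Framework folder that holds Regasm.exe and Regsvcs.exe, so a standard user like test can run them even with enforcement on. The following is an added example, not from the article and not Microsoft's tooling. It audits a constructed AppLocker policy XML (the rule IDs are placeholders, not the real default-rule GUIDs) against the two binaries for a standard user, then appends Deny path rules and re-checks. The path-variable table, the wildcard handling and the `evaluate`/`add_deny_rules` helpers are this example's simplification of how AppLocker evaluates path rules.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample policy in the XML shape AppLocker exports. Rule IDs are
# placeholders. It mirrors the stock default rules: Everyone (S-1-1-0) may run
# anything under the Windows and Program Files folders, and the local
# Administrators group (S-1-5-32-544) may run anything at all.
WEAK_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="00000000-0000-0000-0000-000000000001" Name="All files in the Windows folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000002" Name="All files in the Program Files folder"
                  Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="00000000-0000-0000-0000-000000000003" Name="All files"
                  Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# The two registration utilities as installed on the 32-bit Windows 7 victim.
LOLBIN_PATHS = [
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
    r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
]
# Deny patterns; the wildcard also covers Framework64 and other versions.
DENY_PATTERNS = [
    r"%WINDIR%\Microsoft.NET\*\RegAsm.exe",
    r"%WINDIR%\Microsoft.NET\*\RegSvcs.exe",
]
# Simplified expansion of AppLocker path variables (assumed default install drive).
PATH_VARS = {"%WINDIR%": r"C:\Windows", "%PROGRAMFILES%": r"C:\Program Files",
             "%SYSTEM32%": r"C:\Windows\System32", "%OSDRIVE%": "C:"}


def path_matches(rule_path, file_path):
    """Expand path variables and treat '*' as a match-anything wildcard (case-insensitive)."""
    for var, value in PATH_VARS.items():
        rule_path = rule_path.replace(var, value)
    pattern = ".*".join(re.escape(part) for part in rule_path.split("*"))
    return re.fullmatch(pattern, file_path, re.IGNORECASE) is not None


def evaluate(policy_xml, file_path, user_sids):
    """Decision for one executable: a matching Deny wins, then Allow, else NoRule
    (which AppLocker treats as blocked once enforcement is enabled)."""
    root = ET.fromstring(policy_xml)
    decision = "NoRule"
    coll = root.find("RuleCollection[@Type='Exe']")
    if coll is None:
        return decision
    for rule in coll.findall("FilePathRule"):
        if rule.get("UserOrGroupSid") not in user_sids:
            continue  # rule does not apply to this user's SIDs
        for cond in rule.iter("FilePathCondition"):
            if path_matches(cond.get("Path"), file_path):
                if rule.get("Action") == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def add_deny_rules(policy_xml, patterns, sid="S-1-1-0"):
    """Return a copy of the policy with one Deny path rule per pattern for the given SID."""
    root = ET.fromstring(policy_xml)
    coll = root.find("RuleCollection[@Type='Exe']")
    for i, pattern in enumerate(patterns, start=1):
        rule = ET.SubElement(coll, "FilePathRule",
                             Id=f"00000000-0000-0000-0000-0000000001{i:02d}",  # placeholder GUID
                             Name=f"Deny {pattern.rsplit(chr(92), 1)[-1]}",
                             Description="", UserOrGroupSid=sid, Action="Deny")
        ET.SubElement(ET.SubElement(rule, "Conditions"), "FilePathCondition", Path=pattern)
    return ET.tostring(root, encoding="unicode")


def audit(policy_xml, user_sids=("S-1-1-0",)):
    """Effective decision for each LOLBin path for a user holding the given SIDs."""
    return {p: evaluate(policy_xml, p, set(user_sids)) for p in LOLBIN_PATHS}


if __name__ == "__main__":
    print("default-style policy:", audit(WEAK_POLICY))
    print("with deny rules:     ", audit(add_deny_rules(WEAK_POLICY, DENY_PATTERNS)))
```

Under the default-style policy both binaries come back Allow for a standard user, which is the condition the article exploits; after the two Deny rules are appended they come back Deny, and because Deny takes precedence the same result holds for an administrator. The audit only models path rules in the Exe collection: publisher and hash rules, the Dll collection (off by default, but the only place a rule could block msf_signed.dll itself), and group membership resolution are outside it. Denying these two binaries will also break legitimate COM interop registration by installers, so run a change like this in audit mode and review the AppLocker event log before enforcing it.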
