2021-01-28: Intro to x86, lsass, runtime linking

Three types of Linking:

strings and floss can reveal text data inside a binary. If the binary is packed or obfuscated, the import table is mostly empty and often the only two API names that appear are GetProcAddress and LoadLibraryA: the unpacking stub uses those two to resolve every other import at runtime (runtime linking), so the real imports never show up as strings.

Pwdump

Pwdump no longer works on Windows 10. It used to be able to extract password hashes from Windows machines when injected into the lsass process.

On Windows servers (including domain controllers), passwords are stored in ntds.dit. When a pentester steals this file, you might hear them say "I dumped the dit! Let's get some steak".

lsass.exe

A process in Windows that enforces security policy. It verifies users logging in, handles password changes, and creates access tokens.

KeyLogging

An extract from a polling keylogger:

call ds:GetForegroundWindow ; which window currently has keyboard focus

push 10h                    ; 0x10 = VK_SHIFT, the virtual-key code for Shift
call ds:GetKeyState         ; pops the virtual-key code pushed above; result comes back in AX
; Highest-order bit set means the key is down: 0x8000
; Lowest-order bit set means the key is "toggled" (like Caps Lock): 0x0001

x86

Operations

test

Non-destructive AND of its two operands: the result is discarded and only the flags are updated. If the result is all zeroes, the zero flag (ZF) is set.

jz

Jumps to a memory address if and only if the zero flag is set.

cmp o1, o2

Computes o1 minus o2 and discards the result, updating only the flags.

I’m not sure what flag this sets.

jl

Jump if less than.

I’m not sure what flag this checks

registers

EAX can be split up like this:

+-----------------------------------+
|                EAX                |
+-----------------+-----------------+
|                 |       AX        |
+-----------------+--------+--------+
|                 |   AH   |   AL   |
+--------+--------+--------+--------+
| 8 bits | 8 bits | 8 bits | 8 bits |
+--------+--------+--------+--------+

EAX itself is the lowest 32 bits of a larger register, RAX, on x86-64.

Windows API

I should put this into its own quick-reference file

LoadLibraryA

Takes the filename of the DLL off the stack and returns the handle of the loaded module in eax. In the listing below, esi holds the address of LoadLibraryA itself, which is why each call is written as `call esi`.

The following example loads the samsrv and advapi32 DLLs. (This was used by pwdump)

push    offset LibFileName     ; "samsrv.dll"
call    esi ; LoadLibraryA
push    offset aAdvapi32_dll_0 ; "advapi32.dll"
call    esi ; LoadLibraryA

GetProcAddress

Takes two arguments:

GetForegroundWindow

GetKeyState

Takes a virtual-key code. The highest bit of the return value reports whether the key is down; the lowest bit reports whether it is "toggled".

If you press and hold a (non-toggleable) key, every call while it is held returns 0x8000.

GetAsyncKeyState

Takes a virtual-key code. The highest bit of the return value reports whether the key is down; the lowest bit reports whether it has been newly pressed since the last call.

In the same press-and-hold scenario this returns 0x8001 on the first call after the press, since both bits are set.
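To make the flag semantics of test/jz and cmp/jl above concrete, and to show how a keylogger's check of the GetKeyState/GetAsyncKeyState return value reduces to those flags, here is an added C model (not code from the original notes or from any real sample). It emulates only the four EFLAGS bits these jumps read, and the key-state inputs are constructed values, not real API calls.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The EFLAGS bits that the conditional jumps on this page depend on. */
typedef struct { bool cf, zf, sf, of; } flags_t;

/* cmp o1, o2: o1 - o2 is computed for the flags only; the result is discarded. */
static flags_t x86_cmp(uint32_t o1, uint32_t o2) {
    uint32_t r = o1 - o2;
    flags_t f;
    f.cf = o1 < o2;                               /* unsigned borrow */
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;                         /* sign bit of the result */
    f.of = (((o1 ^ o2) & (o1 ^ r)) >> 31) & 1;    /* signed overflow */
    return f;
}

/* test o1, o2: o1 & o2 for the flags only; CF and OF are always cleared. */
static flags_t x86_test(uint32_t o1, uint32_t o2) {
    uint32_t r = o1 & o2;
    flags_t f = { .cf = false, .zf = (r == 0), .sf = (r >> 31) & 1, .of = false };
    return f;
}

/* jz: taken when ZF is set.  jl: taken when SF != OF (signed "less than"). */
static bool jz_taken(flags_t f) { return f.zf; }
static bool jl_taken(flags_t f) { return f.sf != f.of; }

/* GetKeyState/GetAsyncKeyState return a SHORT: bit 15 = key down, bit 0 = toggled
   (GetKeyState) or newly pressed (GetAsyncKeyState).  The "test eax, 8000h / jz"
   pattern is modelled here on the SHORT sign-extended into a 32-bit register. */
static bool key_is_down(int16_t state) {
    return !jz_taken(x86_test((uint32_t)(int32_t)state, 0x8000));
}
static bool key_low_bit_set(int16_t state) {
    return !jz_taken(x86_test((uint32_t)(int32_t)state, 0x0001));
}

int main(void) {
    flags_t f = x86_cmp(5, 7);
    printf("cmp 5, 7 -> CF=%d ZF=%d SF=%d OF=%d, jl taken=%d\n",
           f.cf, f.zf, f.sf, f.of, jl_taken(f));
    printf("GetKeyState 0x8000: down=%d\n", key_is_down((int16_t)0x8000));
    printf("GetAsyncKeyState 0x8001: down=%d newly pressed=%d\n",
           key_is_down((int16_t)0x8001), key_low_bit_set((int16_t)0x8001));
    return 0;
}
```

The signed/unsigned split matters when reading disassembly: cmp on 0xFFFFFFFF versus 0 leaves CF clear (not below unsigned) but makes jl taken (-1 is less than 0 signed).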
