Archive

Archive for the ‘Uncategorized’ Category

Executables and Shared Libraries

December 4, 2018 Leave a comment

So i’ve known about Windows DLL’s and shared objects in Linux/Unix but hadn’t realized that the concept exists in MacOS also. I haven’t owned any Apple products, so clearly i have poor insight into the OS

Terminology:

  • Windows -> DLL’s (Dynamic Link Libraries)
  • Linux -> .so files (Shared Objects)
  • MacOS -> Dylib’s (Dynamic libraries) and Frameworks

They seem to serve the same purpose in general, but I suppose each has their own particular intricacies tied to the way the OS uses executables.

On DLL Hijacking:

Unexpected loading DLL’s from expected/ unexpected locations

  • Using web locations
  • Hijacking DLL loading order
  • Hijacking paths

If you control the binary, you can control the DLL’s.

You can still control the DLL’s, even if you don’t control the binary, if the binary does not enforce / check the paths or the signatures of the DLL’s.

Current solutions:

  • DLL signing
  • Binary/Executable Signing

References:
https://superuser.com/questions/228309/macos-dll-equivalent
https://stackoverflow.com/questions/1212477/creating-a-dll-on-a-mac-dylib-or-framework
https://attack.mitre.org/techniques/T1038/
https://attack.mitre.org/techniques/T1157/

Advertisements
Categories: Uncategorized

Windows Common Processes

August 1, 2018 Leave a comment

Conhost.exe – Console Window Host process (Remember: Not ‘connection’)
Taskhost.exe – Task Host (Host for DLL based services)
svchost.exe – Services Host Process
ceip.exe – Customer Experience Improvement Program
RuntimeBroker.exe – Runtime Service Broker
Werfault.exe – Windows Error Reporting
wmic.exe – Windows Management Instrumentation Command-line-utility

Sources:
https://www.howtogeek.com/howto/4996/what-is-conhost.exe-and-why-is-it-running/
https://www.howtogeek.com/howto/windows-vista/what-is-svchostexe-and-why-is-it-running/
https://www.howtogeek.com/268240/what-is-runtime-broker-and-why-is-it-running-on-my-pc/
https://www.groovypost.com/howto/groovytip/what-is-taskhost-exe-and-should-it-be-running/
https://support.microsoft.com/en-gb/help/290216/a-description-of-the-windows-management-instrumentation-wmi-command-li

Categories: Uncategorized

Windows CMD / Powershell / DOS command -fu

March 21, 2018 Leave a comment

Operating System related Information

  • View OS / System information:

CMD:

systeminfo
wmic qfe
  • Is there anything interesting in the Environment Variables:

CMD:

set

Powershell:

Get-ChildItem Env: | ft Key,Value
  • Are there any connected drives (Network or Local):

CMD:

net use
wmic logicaldisk get caption,description,providername

Powershell:

Lots of other DOS/Powershell wmic.exe related commands:

Get Manufacturer
wmic baseboard get product,manufacturer

Get Bios and Version
wmic bios get name

Get software, services, process information
wmic product list brief
wmic service list brief
wmic process list brief
wmic startup list brief

Put services in a HTML document
wmic service get /format:hform > c:\folder\services.html

Uninstall:
wmic product get name
wmic product where name=”Product name exactly as appears in above command” call uninstall

Kill a process:
wmic process where name=”iexplore.exe” call terminate

Change a process’s priority:
wmic process where name=”notepad.exe” call setpriority 64

Run commands on a remote node:
wmic /node:steve-pc service list brief

References:
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
https://betanews.com/2011/01/14/wmic-the-best-command-line-tool-you-ve-never-used/

Categories: Uncategorized

Windows Command line – CMD – fu : Notes

February 15, 2017 Leave a comment

So i haven’t used the Windows Command (DOS) Prompt for many things until I realized that Android / Android Studio / Android SDK and the emulator (with the HAXM driver) work pretty well on Windows.

Long story short, there seems to be a lot of powerful things in this “predecessor” to Powershell.

Viewing and Saving Command History:

One of the things i wanted to do was to view my command line history. This can be easily done by pressing F7 and lo and behold a smaller dialog within the cmd window will appear with the command history.

Now, the F7 trick doesn’t really allow you to save the history, nor to copy-paste it, so i needed another solution. The command below provides this solution.

doskey /history > history.txt 

Essentially, this copies (redirects) the cmd history of only the current session into a text file named history.txt or whatever you’d like to name your text file .

Sources:

[1]. http://www.computerhope.com/tips/tip189.htm

[2]. http://serverfault.com/questions/95404/is-there-a-global-persistent-cmd-history

[3]. http://www.howtogeek.com/119386/5-windows-command-prompt-tricks-you-probably-dont-know/

Android Process Memory Dumps with memfetch – Android 4.4.2 (on Ubuntu 16.04)

December 25, 2016 Leave a comment

I used 2 different C code scripts to achieve the same goal of achieving the process memory dump. The specific code scripts are referred to as Memfetch (by Michal Zalewski – found on his blog) and Memdump (by Tal Aloni – found on StackExchange)

Update [2017-01-16]: I’m not sure whether this will work for Android on both x86 and ARM architectures. I tested it on an ARM architecture (physical device), and it worked. I’m yet to test it on an x86 architecture. Will update after testing.

Memfetch:

Find the code from the author’s webpage here – http://lcamtuf.coredump.cx/soft/memfetch.tgz

Unzip/Extract the code from the TarGZ archive

 tar -xvf memfetch.tgz 

Get into the directory:

cd memfetch

Use the ls command to list the files. The files should be listed as below:

COPYING   Makefile   memfetch.c   mffind.pl   README

Now install the gcc compiler for Android on ARM (not sure if this is what it’s described as):

 sudo apt-get install gcc-arm-linux-android-eabi 

(some instructions say use the gcc-arm-linux-gnueabi but this didn’t work for me )

Edit the Makefile

Normally at this point you should be able to run the make command and compiling should work, however in Ubuntu the Canonical developers seem to have moved some key .h source files around causing problems. The first file that might cause problems if you run the make command will probably be  this is because Ubuntu has moved them from the original location of /usr/include/asm to be in the kernel source files /usr/src/linux-headers-[your-specific-kernel]/include/asm-generic

Make sure you’ve installed build-essential for this path to be existent

 sudo apt-get install build-essential 

You can get to the correct path with:

cd /usr/src/linux-headers-$(uname -r)/include/asm-generic

Once you locate the asm-generic folder check that the page.h file is present.

Now the best way to solve this problem is to create a symbolic link (symlink) in /usr/include/ called asm that links to /usr/src/linux-headers-[your-specific-kernel]/include/asm-generic/ . This is done with the following command:

sudo ln -s  /usr/src/linux-headers-$(uname -r)/include/asm-generic  /usr/include/asm 

Even with this, there will still be some problems because there are some .h files in asm-generic that will be looking for asm-generic in /usr/include/ where the folder doesn’t actually have those header files. So an extra include (-I) directive will need to be added in the Makefile

The beginning of your make file should look like this:

FILE = memfetch
CFLAGS = -Wall -O9 -static
CC = arm-linux-androideabi-gcc

NB: its a capital ‘O’ not a zero, and it’s a 9 (nine), not a ‘g’. The “O” “9” directive is some optimization thing (i don’t know if it’s necessary or not)

Run make at this point. If it works, then great, you should get a memfetch executable file in your memfetch directory if not, follow on.

If you run make and you still get errors of missing .h files, what i did was to just copy the files from /usr/src/linux-headers-$(uname -r)/include/asm-generic  to /usr/include/

e.g:

 sudo cp /usr/src/linux-headers-$(uname -r)/include/asm-generic/memory_model.h  /usr/include/asm-generic/memory_model.h

The following files were missing …

  • getorder.h
  • /linux/compiler.h
  • /linux/log2.h
  • /linux/bitops.h
  • /linux/irqflags.h
  • /linux/typecheck.h

At this point i got more files in /bitops that were missing, so i decided to copy the entire directory :

cd  /usr/include/asm-generic
sudo mkdir bitops
sudo cp /usr/src/linux-headers-$(uname -r)/include/asm-generic/bitops/* /usr/include/asm-generic/bitops/

At this point i finally ran the make command in the the memfetch directory and an executable was created. There were a couple of warnings, but no errors and the executable worked when I pushed into onto the Android device.

Pushing to the Android Device and Executing “Memfetch”:

NB: We are assuming that the device is properly rooted, and the setting for giving adb shell root permissions has been set in your “Super User” management app.

Go to the adbexecutable location, which might be /home/Android/Sdk/platform-tools it could also be elsewhere … depending on where you installed it

cd /home/Android/Sdk/platform-tools

The best location to push the executable is /data/local/tmp. Let’s create a directory in this location and use the adb push command to push the executable here

./adb shell
su root
cd /data/local/tmp
mkdir mem_dump_tools
exit
exit

We exited first all the way out so that we can run the ./adb push command

./adb push ~/Desktop/memfetch/memfetch /data/local/tmp/mem_dump_tools/

Verify that the memfetch executable has been pushed to the right location:

./adb shell
su root
cd /data/local/tmp/mem_dump_tools
ls -al

The memfetch executable should be in place however it cannot be executed because it does not have execute permissions. We can give it execute permissions with the following command (assuming we are still the root user)

chmod 755 memfetch

(As a side note: chmod u+x memfetch should also work.)

Verify that the Execute permissions have been applied

ls -al

You should see rwx against the name of the memfetch executable. (The x being the important thing)

Now if we run a particular app and search this process’ ID we can dump the process memory. Pick an app e.g. Google Chrome and fire it. Browse to some page

On the adb shell:

ps | grep chrome

You should get 1-3 processes with Chrome (one with sandboxed and another with privileged attached to the process name). Pick the process ID of the process that is plain com.android.chrome

Now we can run memfetch

./memfetch

e.g: ./memfetch 2314 if the process id is “2314”

You should now get some output to screen showing that the memory-mapped regions are being copied. The result is that for each address range (block) from the /proc//mem folder there is a sub folder called map that contains the mappings. These mappings result in an individual “region dump” per file (with a .bin extension) and each region dump filename is appended into a single file with a /lst extension containing all the filenames of all the regions dumped. So the end result is a lot of .bin files and a single .lst file.

NB: If at this point when you try to run memfetch  and all you get is a listing of the available options/directives, and nothing else, then you need to comment out some section of the code in memfetch.c and recompile. I don’t know why this is the case, but someone on StackExchange [2] figured this out and it also worked for me.

The lines to comment out are:


while ((opt=getopt(argc,(void*)argv, "+samwS:h"))!=EOF)
    switch(opt)
       case 's': waitsig=1; break;
       case 'a': skipmap=1; break;
       case 'w': textout=1; break;
       case 'm': avoid_mmap=1; break;
       case 'S': if (sscanf(optarg,"%x",&onlyseg)!=1)
            fatal("Incorrect -S syntax (hex address expected).\n");
            break;
       default: usage(argv[0]); }

With that, everything should work.

This blog post has become too long, so i’ll do memdump in the next one …

Sources:

[1]. http://lcamtuf.coredump.cx/memfetch.tgz

[2]. http://stackoverflow.com/questions/18372120/memfetch-with-android-samsung-galaxy-nexus

Android FileSystem – Notes

December 19, 2016 Leave a comment

App Locations:

  • /system/apps – Pre-installed bloatware apps
  • /system/priv-apps – Privileged apps (mounted read-only to prevent changes)
  • /data/app – Normal apps in internal memory
  • /mnt/sdcard/.android_secure – Apps stored on external memory go into an encrypted container
    • /mnt/asec – These apps need to be decrypted to run, so during runtime they are found as a decrypted copy on a tmpfs here
    • This .android_secure container cannot be opened directly from the Android device, however if you plug the SD Card into another computer through a card reader, the .apk files now have the extension .asec connected to the same files on /mnt/asec
  • Nxt

App Data:

  • /data/data/<package_name> – Default location for application data on internal storage.
  • /mnt/sdcard/Android/data/<package_name> – Default location for application data on external storage (if the developer sticks to the rules outlined on the Android Developer Documentation here)

Binary Executable Test Locations:

  • /data/local/tmp – Location where you can put executables (NDK compiled / Linux ARM built)

Accessing the SDCard on the Emulator:

First make sure you’ve indicated that you want an SD Card for your Android Virtual Device in the AVD Manager while creating

  • You can find the path of your sd card with cat /proc/mounts and df -h
  • It should be at /mnt/media_rw/<8-Character-Serial-Number>
    • e.g. /mnt/media_rw/1CEF-2AB1

Sources:

[1]. http://android.stackexchange.com/questions/3002/where-in-the-file-system-are-applications-installed

DNS Tunneling Dataset (Notes)

September 9, 2016 Leave a comment

A: Tunneled Traffic over DNS:

Total Samples size:

  •  HTTP:
    • Static: 50 Samples
      • Websites that seem to maintain the same appearance (images, text) over a few hours and more
    • Dynamic: 50 Samples
      • Websites who’s visual contents (images. text, ads) seem to change within the hour, or even randomly
  • FTP:
    • FTP Downloads: 50 Samples
    • FTP Uploads: 50 Samples
  • HTTPS:
    • Static: 50 Samples
      • Websites that seem to maintain the same appearance (images, text) over a few hours and more
    • Dynamic: 50 Samples
      • Websites who’s visual contents (images. text, ads) seem to change within the hour, or even randomly
  • POP3:
    • Email Downloads: 50 Samples

B: Plain Traffic (Not tunneled over DNS):

(… not yet documented)

 

 

Categories: Uncategorized