# Getting Windows to Play with Itself

A Hacker's Guide to Windows API Abuse

Brady Bloxham
Founder/Principal Security Consultant
@silentbreaksec
http://www.silentbreaksecurity.com
http://www.blacksquirrel.io

-----

## Background

- Shorten the gap between penetration test and actual attack
- Few covert persistence tools
- Reduce reliance on Metasploit

-----

## Got a lot to cover

- DLL Injection
- Persistence
- Throwback
- Lots of demos along the way

-----

## DLL Injection

- Traditional methods
  - CreateRemoteThread()
  - NtCreateThreadEx()
  - RtlCreateUserThread()
  - NtQueueApcThread()
    - Can blue screen certain OSes
- Code Cave
  - Suspend process
  - Inject code
  - Change EIP to location of injected code
  - Resume process
  - Difficult on x64

-----

## AddMonitor()

- Pros (+)
  - Injects into spoolsv.exe
  - Doesn't require matching architecture
  - Easy to use
- Cons (-)
  - Dll must be on disk
  - Requires administrator privs

-----

## Dll Injection Demo

-----

## Persistence

- Lots of persistence in Windows
  - Service
  - Run keys
  - Schtasks
  - …
- And lots still to find…
- Lots of techniques
  - Process monitor
  - Hook LoadLibrary()

-----

## Persistence

- 1st Technique
  - Requires VMware Tools be installed
  - Just drop a dll to disk
  - c:\windows\system32\wbem\ntdsapi.dll
  - Note: Dll must export same functions as real ntdsapi.dll
- 2nd Technique
  - VMware patched in ESXi 5.5
  - Requires VMware Tools be installed
  - Just drop a dll to disk
  - c:\windows\system32\wbem\tpgenlic.dll
  - c:\windows\system32\wbem\thinmon.dll

-----

## Persistence

- 3rd Technique
  - HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\
  - Create a new key
  - Create a new value named Driver with the dll name
  - Create as many as you like

-----

## Persistence Demo

-----

## Windows API HTTP Cheatsheet

- WinHTTP
  - Intended for services
  - Does not pull user proxy settings
  - Supports impersonation
- WinINet
  - More robust in proxy environment
  - Variety of flags that enable/disable functionality automatically
  - Prompts user for password if authentication is required
  - Uses IE settings

-----

## What is Throwback?

- C++ HTTP/S beaconing backdoor
- PHP control panel w/ MySQL backend
- Built for stealth
- Persistence built-in
  - Dll
  - Exe

-----

[Diagram: Infected User -> Proxy / Firewall -> ThrowbackLP <- Attacker]

-----

## Throwback Features

- Robust proxy detection
- Distributed LPs
- Uses MSGRPC to generate MSF payloads
- RC4 encrypted comms
- Implements reflective dll injection
- String encryption

-----

## Throwback

-----

## Throwback Demo

-----

## Going Forward…

- Community based project!!!
- Create modules
  - Keylogger, Mimikatz, Hashdump, etc.
  - Various transport methods
- Additional persistence techniques
- Modification of comms

-----

## The End / Shameless Plug

- Interested in writing custom malware/backdoors?
  - Dark Side Ops: Custom Penetration Testing
  - Blackhat Europe and East Coast Trainings
- Pen test networks from your browser
  - https://www.blacksquirrel.io
- Silent Break Security
  - Blackbox/Red Team Pen Testing
  - brady@silentbreaksecurity.com
  - @silentbreaksec
  - https://github.com/silentbreaksec

-----