.Net Obfuscation

10 August 2016

http://www.ssware.com/cryptoobfuscator/obfuscator-net.htm

not ethical: ! https://www.youtube.com/watch?v=Gq6hLf3uq3k

Obfuscation is an example of security by obscurity: it raises the cost of reverse engineering a .NET assembly but does not prevent it, so it must not be relied on to protect secrets (keys, credentials, licence checks) embedded in the code.

Secure Coding Guidelines

13 March 2016

Windows forensic - process running

21 June 2015

Artefakty Windows, z których można ustalić, jakie programy były obecne i uruchamiane na systemie:

  • Prefetch (%SystemRoot%\Prefetch; uwaga: na edycjach serwerowych domyślnie wyłączony)
  • Shimcache / AppCompatCache (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf) — uwaga: wpis świadczy o tym, że system "zobaczył" plik (np. przy listowaniu katalogu), niekoniecznie o jego uruchomieniu; w nowszych wersjach Windows brak flagi wykonania, więc traktować go jako dowód obecności pliku
    • projekty:
      • python: https://github.com/mandiant/ShimCacheParser   (https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf)
      • C#: https://github.com/woanware/shimcacheparser
  • MUICache
  • UserAssist (HKCU, per użytkownika; nazwy wartości zakodowane ROT13, wpisy zawierają licznik uruchomień i czas ostatniego uruchomienia)

 

Ciekawa prezentacja: https://digital-forensics.sans.org/summit-archives/DFIR_Summit/Johnny-AppCompatCache-the-Ring-of-Malware-Brice-Daniels-and-Mary-Singh.pdf

Wstrzykiwanie JavaScript do IE z pomocą BHO

13 May 2015

Wstrzykiwanie kodu JavaScript można zrobić z użyciem VS Express Edition. Uwaga: to dokładnie ta sama technika (man-in-the-browser przez BHO), której używają adware i trojany bankowe — wstrzyknięty skrypt działa w kontekście strony i widzi wszystko, co użytkownik na niej wpisuje, a rejestracja BHO w HKLM jest monitorowana przez AV/EDR.

przykładowy kod (projekt typu "Visual C# -> Class Library"):

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using SHDocVw;
using mshtml;
using System.IO;
using Microsoft.Win32;
using System.Runtime.InteropServices; 


namespace FE_JSinjector
{
    /// <summary>
    /// Managed declaration of the COM <c>IObjectWithSite</c> interface that Internet Explorer
    /// uses to hand a Browser Helper Object its host (the <c>WebBrowser</c> site) and to take it
    /// back again at shutdown.
    /// </summary>
    /// <remarks>
    /// Both methods are <see cref="PreserveSigAttribute"/>-marked, so they return a raw HRESULT
    /// (0 = S_OK) instead of letting the interop layer translate exceptions. The GUID must stay
    /// exactly as written: it is the IID IE queries for; a mismatch would make that
    /// QueryInterface fail and the BHO would never be sited.
    /// </remarks>
    [ComVisible(true)]
    [InterfaceType(ComInterfaceType.InterfaceIsIUnknown)]
    [Guid("FC4801A3-2BA9-11CF-A229-00AA003D7352")]
    public interface IObjectWithSite
    {
        /// <summary>Called by the host with its site object, or with <c>null</c> when the site is being released.</summary>
        /// <param name="site">The host's site (for IE, the <c>WebBrowser</c> instance), or <c>null</c>.</param>
        /// <returns>An HRESULT; 0 on success.</returns>
        [PreserveSig]
        int SetSite([MarshalAs(UnmanagedType.IUnknown)] object site);

        /// <summary>Returns the interface identified by <paramref name="guid"/> on the current site.</summary>
        /// <param name="guid">IID of the requested interface.</param>
        /// <param name="ppvSite">Should receive the interface pointer, or <c>IntPtr.Zero</c> on failure.</param>
        /// <returns>An HRESULT; 0 on success.</returns>
        [PreserveSig]
        int GetSite(ref Guid guid, out IntPtr ppvSite);
    }

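    /// <summary>
    /// Browser Helper Object that, once IE reports a document complete for a page on
    /// www.google.pl, appends a script to the document head and an overlay <c>div</c>
    /// to the body.
    /// </summary>
    /// <remarks>
    /// Security note: this is the man-in-the-browser pattern (the same mechanism adware and
    /// banking trojans use). The appended script runs inside the page's own document, so it
    /// sees the DOM and everything the user types there. Registration is per-machine (HKLM),
    /// so <see cref="RegisterBHO"/> needs administrative rights and the DLL is afterwards
    /// loaded into IE for every user on the machine until it is unregistered.
    /// </remarks>
    public class BHOInjector : IObjectWithSite
    {
        public const string BHO_REGISTRY_KEY_NAME = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";

        private const int S_OK = 0;
        private const int E_NOINTERFACE = unchecked((int)0x80004002);
        private const int E_FAIL = unchecked((int)0x80004005);

        /// <summary>Host whose pages are patched. Compared against <c>Uri.Host</c>, not the raw URL text.</summary>
        private const string TARGET_HOST = "www.google.pl";

        /// <summary>Id of the injected overlay; its presence marks a document that was already patched.</summary>
        private const string OVERLAY_ID = "myOwnUniqueId12345";

        private WebBrowser webBrowser;

        /// <summary>
        /// Receives the IE site. A non-null <paramref name="site"/> is the <c>WebBrowser</c> to
        /// hook; <c>null</c> means IE is releasing the BHO and the handler must be unhooked.
        /// </summary>
        /// <returns>S_OK, or E_NOINTERFACE when the site is not the IE WebBrowser object.</returns>
        public int SetSite(object site)
        {
            // Always unhook the previous browser first: this makes SetSite(null) safe when no
            // site was ever set, and avoids a double subscription if IE sites us twice.
            if (webBrowser != null)
            {
                webBrowser.DocumentComplete -= OnDocumentComplete;
                webBrowser = null;
            }

            if (site == null)
            {
                return S_OK;
            }

            // 'as' goes through QueryInterface for COM objects and yields null instead of
            // throwing InvalidCastException back into the COM caller.
            WebBrowser browser = site as WebBrowser;
            if (browser == null)
            {
                return E_NOINTERFACE;
            }

            webBrowser = browser;
            webBrowser.DocumentComplete += OnDocumentComplete;
            return S_OK;
        }

        /// <summary>
        /// Queries the current site for <paramref name="guid"/>.
        /// </summary>
        /// <param name="guid">IID of the requested interface.</param>
        /// <param name="ppvSite">Receives the interface pointer, or <c>IntPtr.Zero</c> on failure.</param>
        /// <returns>The QueryInterface HRESULT, or E_FAIL when no site has been set.</returns>
        public int GetSite(ref Guid guid, out IntPtr ppvSite)
        {
            ppvSite = IntPtr.Zero;
            if (webBrowser == null)
            {
                return E_FAIL;
            }

            IntPtr unknown = Marshal.GetIUnknownForObject(webBrowser);
            try
            {
                return Marshal.QueryInterface(unknown, ref guid, out ppvSite);
            }
            finally
            {
                // Balance the AddRef done by GetIUnknownForObject even if QueryInterface throws.
                Marshal.Release(unknown);
            }
        }

        /// <summary>
        /// DocumentComplete handler: injects the hide-script and the overlay into documents
        /// whose host is <see cref="TARGET_HOST"/>. Safe to call for non-HTML documents and
        /// repeated frame completions; those are skipped.
        /// </summary>
        /// <param name="pDisp">The browser/frame that completed (unused).</param>
        /// <param name="URL">URL of the completed document; may be null.</param>
        public void OnDocumentComplete(object pDisp, ref object URL)
        {
            if (webBrowser == null || URL == null || !IsTargetUrl(URL.ToString()))
            {
                return;
            }

            // webBrowser.Document is not an HTML DOM for non-HTML content (e.g. PDF viewers);
            // a hard cast there would throw out of the event handler.
            HTMLDocument document = webBrowser.Document as HTMLDocument;
            if (document == null || document.body == null)
            {
                return;
            }

            // DocumentComplete fires once per frame but Document is always the top-level
            // document, so without this guard every frame adds another overlay.
            if (document.getElementById(OVERLAY_ID) != null)
            {
                return;
            }

            IHTMLElementCollection heads = (IHTMLElementCollection)document.all.tags("head");
            HTMLHeadElement head = heads.item(null, 0) as HTMLHeadElement;
            if (head == null)
            {
                return;
            }

            IHTMLScriptElement scriptObject = (IHTMLScriptElement)document.createElement("script");
            scriptObject.type = @"text/javascript";
            scriptObject.text = "\nfunction hidediv(){document.getElementById" +
                                "('myOwnUniqueId12345').style.visibility = 'hidden';}\n\n";
            head.appendChild((IHTMLDOMNode)scriptObject);

            // Inline style uses ':' for width/height; '=' made the CSS parser drop both declarations.
            string div = "<div id=\"myOwnUniqueId12345\" style=\"position:" +
                         "fixed;bottom:0px;right:0px;z-index:9999;width:300px;" +
                         "height:150px;\"> <div style=\"position:relative;" +
                         "float:right;font-size:9px;\"><a " +
                         "href=\"javascript:hidediv();\">close</a></div>" +
                         "My content goes here ...</div>";

            document.body.insertAdjacentHTML("afterBegin", div);
        }

        /// <summary>
        /// True when <paramref name="url"/> is an absolute URL whose host is exactly
        /// <see cref="TARGET_HOST"/>. A substring test on the raw URL would also match
        /// unrelated pages that merely carry the host name in their path or query string.
        /// </summary>
        private static bool IsTargetUrl(string url)
        {
            Uri uri;
            return Uri.TryCreate(url, UriKind.Absolute, out uri)
                && string.Equals(uri.Host, TARGET_HOST, StringComparison.OrdinalIgnoreCase);
        }

        #region BHO Internal Functions
        /// <summary>
        /// RegAsm hook: creates the BHO entry for this class's CLSID under HKLM.
        /// Requires an elevated process; throws <see cref="UnauthorizedAccessException"/>
        /// (or <see cref="System.Security.SecurityException"/>) otherwise.
        /// </summary>
        /// <param name="type">The COM-visible class being registered.</param>
        [ComRegisterFunction]
        public static void RegisterBHO(Type type)
        {
            if (type == null)
            {
                throw new ArgumentNullException("type");
            }

            // CreateSubKey opens an existing key writable or creates it; the previous
            // OpenSubKey(guid) returned a read-only key, so SetValue failed on re-registration.
            using (RegistryKey bhoRoot = Registry.LocalMachine.CreateSubKey(BHO_REGISTRY_KEY_NAME))
            {
                if (bhoRoot == null)
                {
                    throw new InvalidOperationException("Could not open or create " + BHO_REGISTRY_KEY_NAME);
                }

                string guid = type.GUID.ToString("B");
                using (RegistryKey ourKey = bhoRoot.CreateSubKey(guid))
                {
                    if (ourKey == null)
                    {
                        throw new InvalidOperationException("Could not create BHO key " + guid);
                    }

                    // NoExplorer=1 is the conventional flag that keeps the BHO out of Windows
                    // Explorer while IE still loads it -- confirm against the BHO documentation.
                    ourKey.SetValue("NoExplorer", 1, RegistryValueKind.DWord);
                }
            }
        }

        /// <summary>
        /// RegAsm /unregister hook: removes this class's BHO entry from HKLM. A missing
        /// root or entry is not an error.
        /// </summary>
        /// <param name="type">The COM-visible class being unregistered.</param>
        [ComUnregisterFunction]
        public static void UnregisterBHO(Type type)
        {
            if (type == null)
            {
                throw new ArgumentNullException("type");
            }

            using (RegistryKey bhoRoot = Registry.LocalMachine.OpenSubKey(BHO_REGISTRY_KEY_NAME, true))
            {
                if (bhoRoot != null)
                {
                    bhoRoot.DeleteSubKey(type.GUID.ToString("B"), false);
                }
            }
        }

        #endregion
    }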
}

Rejestracja w systemie:

  1. Zaznacz przed kompilacją w VS "Make assembly COM-Visible" (Solution explorer -> Assembly Information... -> na dole popup'a)
  2. Dodaj własność Strong Name (Solution explorer -> Signing -> checkbox: Sign the assembly -> <new...> przejdź czarodzieja)
  3. Skopiuj do katalogu %ProgramFiles%\Internet Explorer\Wtyczki bibliotekę dll
  4. (wersja 32 bit) uruchom RegAsm /codebase na bibliotece z Framework .Net np: Windows\Microsoft.NET\Framework\v4.X.XXXX\RegAsm.exe — z wiersza poleceń uruchomionego jako administrator, bo wpisy trafiają do HKLM (bez podniesionych uprawnień rejestracja kończy się błędem dostępu); /codebase zakłada podpisaną (strong name) bibliotekę, stąd krok 2
  5. (wersja 64 bit) uruchom RegAsm /codebase na bibliotece z Framework .Net np: Windows\Microsoft.NET\Framework64\v4.X.XXXX\RegAsm.exe (katalog nazywa się Framework64, nie Frameworkx64); jeśli IE uruchamia zarówno procesy 32- jak i 64-bitowe, zarejestruj bibliotekę obiema wersjami RegAsm
  6. Uruchom IE — BHO ładuje się automatycznie; obecność i stan dodatku można sprawdzić w Narzędzia -> Zarządzaj dodatkami

 

 

 

Kategorie CSharp, Windows