Chris Jackson “The App Compat Guy” Microsoft Corporation Application Remediation

Upload: griselda-martin

Post on 19-Jan-2016


Page 1: MS-DOS Header NT Headers Section Headers Section Images PE Signature File Headers Optional Headers Data Directories Export Table Import Table Resource

Chris Jackson, “The App Compat Guy”, Microsoft Corporation

Application Remediation

Page 2

Windows Applications

Page 3

The Debugging Process

• Duplicate the bug
• Describe the bug
• Assume the bug is in your app
• Divide and conquer
• Think creatively
• Utilize tools
• Start heavy debugging
• Verify the bug is fixed
• Learn and share

Page 4

IAT Modification: Data Structures

Layout of a PE image, as drawn on the slide:
• MS-DOS Header
• NT Headers
  • PE Signature
  • File Headers
  • Optional Headers
  • Data Directories: Export Table, Import Table, Resource Table, Exception Table, ...
• Section Headers
• Section Images

Page 5

IAT Modification: Import Table

Fields of one IMAGE_IMPORT_DESCRIPTOR entry: Original First Thunk, Time Date Stamp, Forwarder Chain, Imported DLL Name, First Thunk, ...

Diagram on the slide: the descriptor array names the imported DLLs (kernel32.dll, user32.dll, advapi32.dll, ...); each descriptor's thunk array (entries such as 0x1034, 0x1047, ...) points at the names of the imported functions (GetModuleHandleA, LoadLibrary, ...).

Page 6

IAT Modification: Sample Code (Richter & Nasarre, 2008)

    // ReplaceIATEntryInOneMod from Richter & Nasarre, Windows via C/C++ (2008).
    // The slide shows only the function body; the signature, the includes and
    // the exception filter are supplied here so the fragment compiles as shown.
    #include <windows.h>
    #include <imagehlp.h>      // ImageDirectoryEntryToData
    #pragma comment(lib, "imagehlp.lib")

    // An access violation while reading the import directory means this module
    // cannot be patched; the filter just routes execution into the __except block.
    LONG WINAPI InvalidReadExceptionFilter(PEXCEPTION_POINTERS pep) {
        UNREFERENCED_PARAMETER(pep);
        return EXCEPTION_EXECUTE_HANDLER;
    }

    // Redirect every IAT slot in hmodCaller that currently holds pfnCurrent (an
    // export of pszCalleeModName) so that it holds pfnNew instead.
    void ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent,
                                 PROC pfnNew, HMODULE hmodCaller) {
        ULONG ulSize;
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc = NULL;

        // Locate the caller's import directory (data directory entry 1).
        __try {
            pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)ImageDirectoryEntryToData(
                hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
        }
        __except (InvalidReadExceptionFilter(GetExceptionInformation())) {
        }
        if (pImportDesc == NULL)
            return;   // no import section, or the module is no longer mapped

        // Find the descriptor for the callee DLL (case-insensitive name compare).
        for (; pImportDesc->Name; pImportDesc++) {
            PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
            if (lstrcmpiA(pszModName, pszCalleeModName) == 0) {
                // FirstThunk is the IAT: the loader has already replaced the name
                // references with the resolved function addresses.
                PIMAGE_THUNK_DATA pThunk =
                    (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
                for (; pThunk->u1.Function; pThunk++) {
                    PROC* ppfn = (PROC*)&pThunk->u1.Function;
                    BOOL bFound = (*ppfn == pfnCurrent);
                    if (bFound) {
                        // The IAT page is usually read-only once loading has finished;
                        // a write that fails with ERROR_NOACCESS is retried after
                        // temporarily changing the page protection.
                        if (!WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                                sizeof(pfnNew), NULL) &&
                            (ERROR_NOACCESS == GetLastError())) {
                            DWORD dwOldProtect;
                            if (VirtualProtect(ppfn, sizeof(pfnNew), PAGE_WRITECOPY, &dwOldProtect)) {
                                WriteProcessMemory(GetCurrentProcess(), ppfn, &pfnNew,
                                                   sizeof(pfnNew), NULL);
                                VirtualProtect(ppfn, sizeof(pfnNew), dwOldProtect, &dwOldProtect);
                            }
                        }
                        return;   // each function has one IAT slot; we are done
                    }
                }
            }
        }
    }

Page 7

Shim Application

• Implements Windows API hooks
• Shim engine is responsible for applying the shims

How the shim engine applies a shim, in order:
• Load the shim DLL
• Retrieve the APIs which should be hooked
• Review the import table of the application to determine where hooks should be placed
• Overwrite the addresses of the API calls with the address in the shim
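The import-table walk behind slide 5 (the descriptor layout) and the third step above (finding where the hooks go), carried out offline against a file on disk. This is an added example and not code from the original deck or from the shim engine; it uses only the Python standard library, and the PE image it parses is constructed inline (a bare header plus one .idata section, labelled as such in the code) rather than a real binary. On disk the FirstThunk array holds the same name references as OriginalFirstThunk; the loader overwrites those slots with addresses, and those are the slots the Richter & Nasarre code and the shim engine overwrite again in memory.

```python
"""Walk a PE file's import directory and list, per imported DLL, the IAT slot
(FirstThunk entry) a shim or hook overwrites. Added example; standard library only."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def rva_to_offset(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for vsize, vaddr, rsize, rptr in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):
    """Return {dll: [(iat_slot_rva, symbol), ...]} for every imported DLL."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dirs, tfmt, ord_flag = opt + 96, "<I", 1 << 31
    elif magic == PE32PLUS_MAGIC:
        dirs, tfmt, ord_flag = opt + 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    tsize = struct.calcsize(tfmt)
    if struct.unpack_from("<I", data, dirs - 4)[0] <= IMAGE_DIRECTORY_ENTRY_IMPORT:
        return {}                                       # NumberOfRvaAndSizes too small
    imp_rva = struct.unpack_from("<I", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return {}                                       # nothing imported
    # Section table entries: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(num_sections)]
    imports, desc = {}, rva_to_offset(sections, imp_rva)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break
        dll = read_cstr(data, rva_to_offset(sections, name_rva)).lower()
        names, entries = oft or ft, []                  # old linkers leave OriginalFirstThunk 0
        for i in range(65536):                          # bound guards a missing terminator
            thunk = struct.unpack_from(tfmt, data, rva_to_offset(sections, names + i * tsize))[0]
            if thunk == 0:
                break
            if thunk & ord_flag:
                sym = "#%d" % (thunk & 0xFFFF)          # import by ordinal
            else:
                sym = read_cstr(data, rva_to_offset(sections, thunk) + 2)  # skip the Hint word
            entries.append((ft + i * tsize, sym))       # slot the loader fills with the address
        imports[dll] = entries
        desc += 20
    return imports

def hook_slot(data, dll, api):
    """RVA of the IAT slot a shim would overwrite for dll!api, or None if not imported."""
    for slot, sym in parse_imports(data).get(dll.lower(), []):
        if sym == api:
            return slot
    return None

def build_sample_pe():
    """Constructed minimal PE32 (headers plus one .idata section) for offline testing."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, one section
    opt = 0x98
    struct.pack_into("<H", img, opt, PE32_MAGIC)
    struct.pack_into("<I", img, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 104, 0x1000, 60)                      # import directory
    sec = opt + 0xE0
    img[sec:sec + 8] = b".idata\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)     # RVA 0x1000 -> offset 0x200
    def put(rva, blob):
        off = rva - 0x1000 + 0x200
        img[off:off + len(blob)] = blob
    put(0x1000, struct.pack("<IIIII", 0x1040, 0, 0, 0x1080, 0x1050)          # kernel32.dll descriptor
             + struct.pack("<IIIII", 0x1060, 0, 0, 0x1090, 0x1070))          # user32.dll descriptor
    k32 = struct.pack("<III", 0x10A0, 0x10C0, 0)
    u32 = struct.pack("<III", 0x10E0, 0x80000000 | 0x1F1, 0)                 # second entry by ordinal
    put(0x1040, k32); put(0x1050, k32); put(0x1060, u32); put(0x1070, u32)
    put(0x1080, b"kernel32.dll\0"); put(0x1090, b"user32.dll\0")
    put(0x10A0, b"\0\0GetModuleHandleA\0"); put(0x10C0, b"\0\0LoadLibraryA\0")
    put(0x10E0, b"\0\0MessageBoxA\0")
    return bytes(img)
```

Running `parse_imports(open(path, "rb").read())` on a real executable lists every DLL and, for each import, the RVA of the IAT slot; `hook_slot(data, "kernel32.dll", "CreateFileW")` answers the shim engine's question for one API, and returns None when the application resolves that API through GetProcAddress instead of the import table, which is exactly the case the import-table hook cannot cover.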

Page 8

How Shims are Loaded

• Shims are applied per executable
• Loader maps executable and statically linked DLLs into memory
• Shim engine applies API hooks
• Run initialization routines

Page 9

Shim Includes and Excludes

Diagram on the slide: one process containing App.exe, Custom1.dll, Custom2.dll, Crypt32.dll, Msxml3.dll and Urlmon.dll, each with an IAT entry for CreateFile. That entry can resolve to one of two targets: the CreateFileW implementation in Kernel32.dll, or the CorrectFilePaths implementation in the shim DLL. Modules the shim includes (the application and its own DLLs: App.exe, Custom1.dll, Custom2.dll) have their IAT entry redirected to the shim; modules it excludes (the system DLLs Crypt32.dll, Msxml3.dll, Urlmon.dll) keep calling Kernel32.dll directly, so the shim changes only what the application's own code sees.

Page 10

Determining Shims to Load

• Called by Kernel32!CreateProcessInternalW
• Compares file attributes of the exe:
  • Product Name
  • Product Version
  • Company Name
  • Size
  • Checksum
  • Etc.
• DLLs loaded later: the shim engine hooks GetProcAddress, so APIs resolved dynamically are shimmed too

Page 11

Matching Information

Page 12

Compatibility Modes (Layers)

• Collection of shims to address scenarios
  • Emulating a specific OS
  • Compatibility condition
• Some shown on the compatibility tab

Page 13

Shim Databases

• Application matching information
• Known compatibility issues:
  • Shipped with Windows
  • Updated via Windows Update
• System sdb: %windir%\apppatch
• Custom sdbs: %windir%\apppatch\custom

Page 14

Deploying Custom SDBs

• Copy the SDB to the target machine
  • Startup script
  • Group policy
  • File copy
• Call %windir%\system32\sdbinst.exe

  sdbinst [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] foo.sdb | {guid} | "name"

  • -p - Allow SDBs containing patches.
  • -q - Quiet mode. No message boxes will appear.
  • -u - Uninstall.
  • -g {guid} - GUID of file (uninstall only).
  • -n "name" - Internal name of file (uninstall only).

sdbinst needs administrative rights and registers the installed database under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB; that key, together with %windir%\apppatch\custom, is where to look for custom SDBs you did not deploy yourself.

Page 15

Shim Debug Spew

• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags]
  "ShowDebugInfo"=dword:00000009
• View the output with a debugger, DebugView, etc.

Page 16

Shim Logging

• Environment variables:
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_DEBUG_LEVEL /t REG_SZ /d 9 /f
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v SHIM_FILE_LOG /t REG_SZ /d logfile.txt /f
• The log is written to %appdata%\logfile.txt

Page 17

demo

Page 18

Web Applications

Page 19

Compatibility View in IE10

Diagram on the slide: a timeline of rendering modes by browser version, IE5 through IE10: IE5 Quirks, IE6 Std., IE7 Std., IE8 Std., IE9 Std., Interop Quirks, IE10 Std.

Page 20

demo

Page 21

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.