C++ Win32 Applications
Static Analysis
- Check if the binary is signed
# Using Sysinternals sigcheck: check all files in the folder recursively (-s)
.\sigcheck.exe -s "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" > 'C:\work\telecom\Cisco Example Application\sigcheck.txt'
# Using PowerShell: less verbose than sigcheck, it only lists files whose signature status is not Valid
# (NotSigned, HashMismatch and NotTrusted are the statuses worth a finding; -File skips directories, which
# Get-AuthenticodeSignature cannot handle)
Get-ChildItem "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -Recurse -File |
    ForEach-Object { Get-AuthenticodeSignature $_.FullName -ErrorAction SilentlyContinue } |
    Where-Object { $_.Status -ne "Valid" -and $_.Status -ne "UnknownError" } |
    Format-List *
- Check if proper hardening has been applied to binary
NetSPI/PESecurity: PowerShell module to check if a Windows binary (EXE/DLL) has been compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode. (github.com)
# Import module
Import-Module .\Get-PESecurity.psm1
# Check a directory for DLLs & EXEs recursively, CSV output
Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -recursive | Export-Csv PESecurity.csv -NoTypeInformation
# Txt file output
Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -recursive > .\PESecurity.txt
# Bulk: list every module missing one control (Control Flow Guard here) so the list can go straight into the report
Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -Recursive |
    Where-Object { $_.ControlFlowGuard -ne "True" } |
    ForEach-Object { Write-Output $_.FileName } > 'C:\work\telecom\Cisco Example Application\ControlFlowGuardModules.txt'
Interesting things to search for during static and dynamic analysis
- The currently logged-in user's token, password, or username in memory.
- Any interesting endpoints and URLs (check the regex below for some inspiration).
- Mentions of passwords, secrets, tokens, etc.
- Local servers spun up by the thick client for inter-process communication or external communication.
# Identify local servers spun up by the thick client: a tcp/udp/pipe/local/port keyword followed by a 2-5 digit number
# (-a treats binaries as text, -o prints only the match, -R recurses, -i ignores case, -P enables PCRE)
grep -oa -RiP '(tcp|udp|pipe|local|port)[a-zA-Z0-9_]{0,20}[:"=][^0\Wa-zA-Z_\-][\d]{2,5}[^\d]' .
Check for misconfigured directory permissions using Get-Acl / icacls
# This shows whether any folder/file grants BUILTIN\Users or NT AUTHORITY\Authenticated Users anything beyond
# read/execute. A standard user who can write into the install directory can replace or plant a DLL/EXE
# that a higher-privileged component (service, elevated updater) later loads.
# Correctly configured folder/file permissions for these groups look like this:
# Access : NT AUTHORITY\Authenticated Users Allow ReadAndExecute, Synchronize
#          BUILTIN\Users Allow ReadAndExecute, Synchronize
#          BUILTIN\Users Allow -1610612736
# (-1610612736 is 0xA0000000 = GENERIC_READ | GENERIC_EXECUTE; Get-Acl prints generic-rights ACEs as a raw
# signed number. Any Write, Modify, FullControl, or a generic mask containing 0x40000000 / 0x10000000, is a finding.)
dir '.\Windows\DummyApplication' -Recurse | Get-Acl | fl | findstr 'Users' | select -Unique
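The one-liner above only eyeballs the ACL output. The following is an added example, not code from the page, that walks an install directory and reports every ACE that gives a low-privilege principal write, delete or re-permission rights, decoding the generic-rights masks Get-Acl prints as raw numbers. The install path is the page's placeholder and the list of low-privilege principals is an assumption you should extend for the target (e.g. custom application groups).

```powershell
# Added example: find files/folders under an install directory where a standard user holds more than
# ReadAndExecute, Synchronize. Assumptions: the path in the usage line is a placeholder; the principal list
# covers the default low-privilege groups only.

$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

# Specific rights a standard user should never hold on an install directory.
# Modify (0x301BF) and FullControl (0x1F01FF) are supersets of these bits, so they are caught too.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Generic rights live in the top 4 bits and are not FileSystemRights members, so Get-Acl shows them as a
# signed number: -1610612736 == 0xA0000000 == GENERIC_READ | GENERIC_EXECUTE (harmless).
# GENERIC_WRITE and GENERIC_ALL are the dangerous ones.
$GENERIC_WRITE = 0x40000000
$GENERIC_ALL   = 0x10000000

function Test-WritableAce {
    param([Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule]$Ace)
    if ($Ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { return $false }
    # Recover the raw 32-bit mask from the enum; a negative value means a generic-rights ACE
    $mask = [int64][int]$Ace.FileSystemRights
    if ($mask -lt 0) { $mask += 0x100000000 }
    if ((($mask -band $GENERIC_WRITE) -ne 0) -or (($mask -band $GENERIC_ALL) -ne 0)) { return $true }
    return (($mask -band [int64]$WriteRights) -ne 0)
}

function Find-WeakInstallAcl {
    param([Parameter(Mandatory)][string]$Path)
    # Include the root folder itself: a writable install root allows DLL planting next to the EXE
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if (($LowPrivPrincipals -contains $ace.IdentityReference.Value) -and (Test-WritableAce -Ace $ace)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()   # a raw number here is a generic-rights ACE
                    Inherited = $ace.IsInherited                   # $false = explicitly set on this object
                }
            }
        }
    }
}

# Usage (placeholder path from the page)
Find-WeakInstallAcl -Path 'C:\Program Files (x86)\Cisco Systems\Cisco Example Application' | Format-Table -AutoSize
```

Non-inherited hits are the most interesting: they were set deliberately by the installer rather than inherited from the parent, and usually point at a log, cache or plugin folder the vendor opened up for the application at runtime.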
Dynamic Analysis
- Dump memory and search for data: in Windows Task Manager, right-click the process and click "Create dump file".
  If the application spawns multiple sub-processes, collect the process IDs of the whole process tree and dump each of them; Task Manager only dumps one process at a time.
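Added example, not the page's own script: it builds the process tree from a single WMI snapshot, dumps every process in it with Sysinternals procdump, and then searches the dumps for credential-looking strings in both ASCII and UTF-16 (Win32 and C++ `std::wstring` data is wide, so an ASCII-only search misses it). Assumptions: `procdump.exe` is on PATH (override with `-ProcDump`), the PID in the usage comment is a placeholder, and the keyword pattern is a starting point you tune per target.

```powershell
# Added example (not from the page): dump a thick client and all of its descendants with procdump,
# then grep the dumps for secrets. Assumptions: procdump.exe on PATH; 5473 is a placeholder PID.

function Get-ProcessTree {
    # Returns the root process and every descendant from ONE Win32_Process snapshot, so a child that
    # exits between two queries cannot break the walk.
    param([Parameter(Mandatory)][int]$RootPid)

    $all = Get-CimInstance -ClassName Win32_Process | Select-Object ProcessId, ParentProcessId, Name
    $byParent = @{}
    foreach ($p in $all) {
        # Normalise keys to [int]: a UInt32 key is never equal to an Int32 probe in a hashtable
        $ppid = [int]$p.ParentProcessId
        if (-not $byParent.ContainsKey($ppid)) { $byParent[$ppid] = New-Object System.Collections.ArrayList }
        [void]$byParent[$ppid].Add($p)
    }

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($RootPid)
    while ($queue.Count -gt 0) {
        $cur = [int]$queue.Dequeue()
        if ($seen.ContainsKey($cur)) { continue }   # PID reuse can make the tree look cyclic
        $seen[$cur] = $true
        $all | Where-Object { [int]$_.ProcessId -eq $cur }
        if ($byParent.ContainsKey($cur)) {
            foreach ($child in $byParent[$cur]) { $queue.Enqueue([int]$child.ProcessId) }
        }
    }
}

function Invoke-ProcessTreeDump {
    param(
        [Parameter(Mandatory)][int]$RootPid,
        [string]$OutDir   = (Join-Path $PWD 'dumps'),
        [string]$ProcDump = 'procdump.exe'   # assumption: Sysinternals procdump reachable via PATH
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($proc in Get-ProcessTree -RootPid $RootPid) {
        $safeName = $proc.Name -replace '[^\w.-]', '_'
        $out = Join-Path $OutDir ('{0}_{1}.dmp' -f $safeName, $proc.ProcessId)
        # -ma: full memory dump (heaps included, which is where credentials sit); -accepteula: no prompt
        & $ProcDump -accepteula -ma $proc.ProcessId $out | Out-Null
        if (-not (Test-Path -LiteralPath $out)) {
            Write-Warning "No dump written for PID $($proc.ProcessId) ($($proc.Name)); run elevated for other users' processes"
            continue
        }
        Get-Item -LiteralPath $out
    }
}

function Search-DumpStrings {
    # Extract printable runs in two decodings: Latin-1 (one byte per char, catches narrow strings without
    # turning high bytes into '?') and UTF-16LE (wide strings), then keep those matching the keyword pattern.
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Pattern   = 'passw|pwd|secret|token|bearer|authorization',   # assumption: tune per target
        [int]$MinLength    = 8
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)   # whole dump in RAM; fine for MBs, use strings.exe for multi-GB dumps
    $decoders = @([System.Text.Encoding]::GetEncoding(28591), [System.Text.Encoding]::Unicode)
    foreach ($enc in $decoders) {
        $text = $enc.GetString($bytes)
        $charSize = if ($enc -is [System.Text.UnicodeEncoding]) { 2 } else { 1 }
        foreach ($m in [regex]::Matches($text, "[\x20-\x7e]{$MinLength,}")) {
            if ($m.Value -match $Pattern) {
                [pscustomobject]@{ Encoding = $enc.WebName; ByteOffset = $m.Index * $charSize; Value = $m.Value }
            }
        }
    }
}

# Usage (placeholder PID; run PowerShell elevated to dump processes owned by other users):
# Invoke-ProcessTreeDump -RootPid 5473 -OutDir C:\work\dumps |
#     ForEach-Object { Search-DumpStrings -Path $_.FullName } | Format-Table -AutoSize
```

Take the dump right after the action you care about (login, token refresh, opening a protected view) and again a few minutes later; a secret that survives the second dump is a finding about lifetime, not just presence.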
- Check loaded DLLs using Process Explorer - Windows Sysinternals | Microsoft Docs
  - Identify handles to open files
  - Command line arguments / working directory
- Monitor Win32 API calls & COM interfaces using API Monitor: Spy on API Calls and COM Interfaces (Freeware 32-bit and 64-bit Versions!) | rohitab.com
- Monitor Windows events (file, registry, process and network activity) using Process Monitor - Windows Sysinternals | Microsoft Docs
  Use filters to narrow down on interesting events such as read/write events to files that are used during/after authentication/authorization.
- Check the registry for clear-text writes (credentials, tokens, configuration) using regshot | SourceForge.net
  - Use regshot to snapshot the registry before and after any operation that might have written to the registry.
  - Compare both snapshots for registry changes.
On-Disk / In-Memory Manipulation
- Modify the binary on disk using HxD - Freeware Hex Editor and Disk Editor | mh-nexus
Fuzzing
Fuzz the application using WinAFL for memory corruption vulnerabilities.
- googleprojectzero/winafl: A fork of AFL for fuzzing Windows binaries (github.com)
- [Fuzzing With WinAFL] How to fuzz a simple C program with WinAFL - YouTube
- BB-1011 Fuzzing WinAFL - YouTube
- Fuzzing with WinAFL Writing Harness for a DLL and fuzzing it with WinAFL - YouTube
Writing harness functions can be time-consuming, but it is very rewarding once you learn how to do it quickly.
Traffic Interception
- Is clear-text traffic transferred?
- Can you manipulate traffic?
You can use one or many of these techniques in conjunction to read/manipulate network traffic. My personal favorite is Fiddler to intercept the traffic and forward it to Burp Suite, combined with custom Fiddler rules that forward only the application's hosts to Burp, so that the traffic is narrowed down to the application as much as possible without the noise generated by the OS and other random applications on the host.
Important Proxying Notes
Windows Global System Proxy
Fiddler isn't a sniffer - it's a proxy. Unless you can get the offending application to use a proxy, none of its traffic is going to run through Fiddler. Java applications don't use the operating system's SSL "stack", so interception utilities that shim into the Windows SSL stack aren't going to be helpful either. Presumably the remote servers aren't running an SSL stack that's easy to snoop inside (since you say they're running Tomcat, and also not likely using the OS SSL stack).
AppContainers
Some Metro-style applications run inside isolated processes known as "AppContainers." By default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. Fiddler has a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic.
- AppContainer Isolation - Win32 apps | Microsoft Learn
- Revisiting Fiddler and Win8+ Immersive applications – Fiddler Web Debugger (archive.org)
WireShark
The SSL/TLS decryption approach in the guide below also applies to captures taken with WinShark.
- Decrypt SSL with Wireshark - HTTPS Decryption: Step-by-Step Guide (comparitech.com)
WinShark
It's possible to use Wireshark to filter network traffic by process ID using the WinShark plugin. In the simplest terms, this plugin correlates ETW events with the traffic produced.
WinShark makes filtering traffic by process ID possible. Use the filter
winshark.header.ProcessId == 1234
Also, make sure to always run Wireshark as administrator after installing WinShark.
You can find the installation instructions in the README on their GitHub: airbus-cert/Winshark: A wireshark plugin to instrument ETW (github.com)
Script to generate a Wireshark filter for a process and all of its sub-processes
# N.b. if the application keeps spawning processes this is rendered useless as your filter list goes out of date.
function Get-ChildProcesses ($ParentProcessId) {
    $filter = "parentprocessid = '$($ParentProcessId)'"
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $_
        # Guard against a process listed as its own parent (e.g. PID 0), which would recurse forever
        if ($_.ParentProcessId -ne $_.ProcessId) {
            Get-ChildProcesses $_.ProcessId
        }
    }
}
function Generate-WinSharkFilters($ParentProcessId){
    $pids = @(Get-ChildProcesses $ParentProcessId | ForEach-Object { $_.ProcessId })
    $pids += $ParentProcessId
    $StrPids = $pids -join '|'
    # Anchor the alternation: an unanchored 'matches' is a substring match, so '473' would also hit PID 5473
    Write-Output ('string(winshark.header.ProcessId) matches "^({0})$"' -f $StrPids)
}
# Replace 5473 with the top-level PID of the thick client
Generate-WinSharkFilters 5473
Usage
- To capture network traffic using Winshark, first activate network tracing through netsh.
- Then create an ETW session associated with the Microsoft-Windows-NDIS-PacketCapture provider.
- Then launch Wireshark with administrator privileges and select the Winshark-PacketCapture interface.
Fiddler
FiddlerScript (Rules > Customize Rules...) that forwards only in-scope hosts to Burp listening on 127.0.0.1:8080; everything else goes out directly so OS and background noise never reaches Burp. Merge the body of OnBeforeRequest into the existing handler.
// Returns true for hostnames that resolve to loopback or to an RFC 1918 private range
public static function IsInternalHost(oSession: Session) : Boolean
{
    var hostname = oSession.hostname;
    if(!String.IsNullOrWhiteSpace(hostname)){
        try{
            // Resolves the host of every request; slow on first hit, acceptable on a test box
            var testIp = System.Net.Dns.GetHostEntry(hostname).AddressList[0];
            //oSession.RequestHeaders.Add("debugme",testIp.ToString());
            if(System.Net.IPAddress.IsLoopback(testIp) || hostname.Equals("::1")) return true;
            // The octet checks below only make sense for IPv4; a 16-byte IPv6 address must not reach them
            if(testIp.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return false;
            var ip = testIp.GetAddressBytes();
            switch (ip[0])
            {
                case 10:                                 // 10.0.0.0/8
                case 127:                                // 127.0.0.0/8
                    return true;
                case 172:
                    return ip[1] >= 16 && ip[1] < 32;    // 172.16.0.0/12
                case 192:
                    return ip[1] == 168;                 // 192.168.0.0/16
            }
        }catch(error){
            // DNS failure: treat the host as external
        }
    }
    return false;
}
static function OnBeforeRequest(oSession: Session) {
    var host = oSession.hostname.ToLower();
    if ( oSession.HostnameIs("burp") ||
         host.EndsWith("victim.com") || host.EndsWith("attacker.com") ||
         host.EndsWith("wow.cc") || host.EndsWith("awesome.cc") ||
         IsInternalHost(oSession) ||
         Uri.CheckHostName(oSession.hostname) == null || Uri.CheckHostName(oSession.hostname).Equals(UriHostNameType.Unknown) ||
         host.Contains("target.net")
       )
    {
        // Fiddler session flag: send this session to an upstream gateway (Burp) instead of the origin
        oSession["X-OverrideGateway"] = "127.0.0.1:8080";
    }
}
MITM Proxy
TBD
Windows HTTP Proxy
- How to Set Up a Proxy in Windows 10 - dummies
- Burp Suite - Application Security Testing Software - PortSwigger
Debuggers
Decompilers
- NationalSecurityAgency/ghidra: Ghidra is a software reverse engineering (SRE) framework (github.com)
Learning Resources
- Practical thick client application penetration testing using damn vulnerable thick client app: An introduction - Infosec Resources (infosecinstitute.com)
- Introduction to Hacking Thick Clients: Part 1 - the GUI (netspi.com)
- secvulture/dvta: Damn Vulnerable Thick Client App (github.com)
- Breaking Docker Named Pipes SYSTEMatically: Docker Desktop Privilege Escalation – Part 1 (cyberark.com)