
C++ Win32 Applications

Static Analysis

  • Check if the binary is signed
    # Using Sysinternals sigcheck, recurse (-s) through the whole install folder;
    # add -e to restrict the scan to executable images and -u to list only unsigned files
    .\sigcheck.exe -s "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" > 'C:\work\telecom\Cisco Example Application\sigcheck.txt'
    
    # Using PowerShell: Get-AuthenticodeSignature runs more checks than sigcheck but is
    # less verbose. List every file whose signature status is not Valid
    # (UnknownError is excluded to cut noise from files that cannot be evaluated at all)
    Get-ChildItem "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -Recurse -File | ForEach-Object {Get-AuthenticodeSignature $_.FullName -ErrorAction SilentlyContinue} | Where-Object {$_.Status -ne "Valid" -and $_.Status -ne "UnknownError"} | fl *
    
  • Check if proper hardening has been applied to the binary with NetSPI/PESecurity (github.com), a PowerShell module that checks whether a Windows binary (EXE/DLL) was compiled with ASLR, DEP, SafeSEH, StrongNaming, and Authenticode.
    # Import module
    Import-Module .\Get-PESecurity.psm1
    
    # Check a directory for DLLs & EXEs recursively
    Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -recursive | Export-Csv PESecurity.csv
    
    # Txt file output
    Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -recursive > .\PESecurity.txt
    
    # Bulk list of modules compiled without Control Flow Guard (PoC candidates for the report)
    Get-PESecurity -directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" -Recursive | Where-Object {$_.ControlFlowGuard -ne "True"} | ForEach-Object {Write-Output $_.FileName} > 'C:\work\telecom\Cisco Example Application\ControlFlowGuardModules.txt'
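
As an added example (not part of the original page and not the PESecurity module's code), the following PowerShell reads the mitigation flags straight from the PE optional header, so the check works without importing a module. It also reports whether relocations were stripped from the COFF header, in which case DYNAMIC_BASE alone does not give ASLR because the loader cannot relocate the image. The install path is the one assumed throughout this page; SafeSEH is not covered because it lives in the Load Config directory, not in DllCharacteristics.

```powershell
# Added example: parse DllCharacteristics from the PE optional header and combine it
# with Get-AuthenticodeSignature. The directory path below is an assumption.

function Get-PEMitigations {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic, e_lfanew at 0x3C points to the PE signature
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -le 0 -or ($peOffset + 0x18 + 0x48) -gt $bytes.Length) { return $null }
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }   # "PE\0\0"

    # COFF header follows the 4-byte signature; Characteristics is at offset 0x16 of it
    $fileCharacteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 0x16)
    # Optional header starts 0x18 after the signature; DllCharacteristics sits at offset
    # 0x46 in both PE32 (magic 0x10B) and PE32+ (magic 0x20B)
    $optHeader          = $peOffset + 0x18
    $magic              = [BitConverter]::ToUInt16($bytes, $optHeader)
    $dllCharacteristics = [BitConverter]::ToUInt16($bytes, $optHeader + 0x46)

    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File           = $Path
        Arch           = if ($magic -eq 0x20B) { 'x64' } elseif ($magic -eq 0x10B) { 'x86' } else { 'unknown' }
        ASLR           = [bool]($dllCharacteristics -band 0x0040)   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
        RelocsStripped = [bool]($fileCharacteristics -band 0x0001)  # IMAGE_FILE_RELOCS_STRIPPED: ASLR cannot apply
        HighEntropyVA  = [bool]($dllCharacteristics -band 0x0020)   # 64-bit ASLR entropy
        DEP            = [bool]($dllCharacteristics -band 0x0100)   # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        ForceIntegrity = [bool]($dllCharacteristics -band 0x0080)   # signature enforced at load
        CFG            = [bool]($dllCharacteristics -band 0x4000)   # IMAGE_DLLCHARACTERISTICS_GUARD_CF
        Signature      = if ($sig) { $sig.Status.ToString() } else { 'Unknown' }
    }
}

function Find-WeakBinaries {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -Recurse -Include *.exe, *.dll -File |
        ForEach-Object { Get-PEMitigations -Path $_.FullName } |
        Where-Object {
            $_ -and (-not $_.ASLR -or $_.RelocsStripped -or -not $_.DEP -or
                     -not $_.CFG -or $_.Signature -ne 'Valid')
        }
}

# Usage (assumed install path): everything listed here goes into the report
Find-WeakBinaries -Directory "C:\Program Files (x86)\Cisco Systems\Cisco Example Application" |
    Format-Table File, Arch, ASLR, RelocsStripped, DEP, CFG, Signature -AutoSize
```

Cross-check a sample of the hits against PESecurity or dumpbin /headers; a binary that shows ASLR=True but RelocsStripped=True is worth calling out separately, since a naive flag check reports it as protected.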
    

Interesting things to search for during static and dynamic analysis

  • The currently logged-in user's token, password, or username in memory.
  • Any interesting endpoints and URLs (check the regexes below for some inspiration).
  • Mentions of passwords, secrets, tokens, etc.
  • Local servers spun up by the thick client for inter-process communication or external communication.
# Identify local servers spun up by the thick client: a tcp/udp/pipe/local/port-style name followed by a port-like number
grep -oa -RiP '(tcp|udp|pipe|local|port)[a-zA-Z0-9_]{0,20}[:"=][^0\Wa-zA-Z_\-][\d]{2,5}[^\d]' .

Check for Misconfigured Directory Permissions (Get-Acl / icacls)

# Shows every ACL line mentioning the built-in Users and Authenticated Users groups, de-duplicated,
# so any folder/file with a unique (non-inherited or broader) permission stands out.
# Correctly configured folder/file permissions look like:
# Access : NT AUTHORITY\Authenticated Users Allow  ReadAndExecute, Synchronize
#          BUILTIN\Users Allow  ReadAndExecute, Synchronize
#          BUILTIN\Users Allow  -1610612736
# (-1610612736 is 0xA0000000, i.e. GENERIC_READ | GENERIC_EXECUTE, which Get-Acl prints as a raw number.)
# Anything granting Write, Modify or FullControl to these groups is a finding (DLL planting, binary replacement).
dir '.\Windows\DummyApplication' -Recurse | Get-Acl | fl | findstr 'Users' | select -Unique
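
Grepping the ACL dump for "Users" still leaves the reader to spot the dangerous rights by eye, and it misses Everyone and generic rights that show up as numbers. As an added example (not from the original page), this PowerShell walks the install directory and reports every Allow ACE that gives a low-privilege principal any write-class right, including the GENERIC_WRITE / GENERIC_ALL bits that Get-Acl renders as raw integers. The principal names assume an English Windows install and the path is an assumption.

```powershell
# Added example: find files/folders writable by unprivileged users (DLL planting,
# binary replacement, config tampering). Path and principal names are assumptions.

function Find-WritableByLowPriv {
    param([Parameter(Mandatory)][string]$Path)

    # Groups every interactive, unprivileged local user is a member of (English names assumed)
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

    # FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_DELETE_CHILD | DELETE | WRITE_DAC | WRITE_OWNER
    # plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000), which Get-Acl shows as numbers
    $dangerous = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $item = $_
        $acl  = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
            # Cast to int so undefined combinations (generic rights) are testable as a bitmask
            if (([int]$ace.FileSystemRights -band $dangerous) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited      # explicit (non-inherited) grants are the usual culprit
                Owner     = $acl.Owner
            }
        }
    }
}

# Usage (assumed install path)
Find-WritableByLowPriv -Path 'C:\Program Files (x86)\Cisco Systems\Cisco Example Application' |
    Format-Table Path, Principal, Rights, Inherited -AutoSize
```

A hit on a DLL or on the directory that holds the main EXE is the interesting case: a standard user can then replace what a privileged service or an elevated user later loads. Confirm exploitability by checking which process loads the file and under which token (Process Monitor's Load Image events are the quickest way).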


Dynamic Analysis

Use filters (e.g. in Process Monitor) to home in on interesting events such as read/write events to files that are used during/after authentication/authorization.

  • Check the registry for clear-text writes using Regshot (regshot | SourceForge.net)
    1. Use Regshot to snapshot the registry before and after any operation that might have written to the registry (login, saving settings, "remember me").
    2. Compare both snapshots for registry changes and inspect the added/modified values for credentials or tokens.
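
The same before/after diff can be scripted when Regshot is not available or the target hive is known, which keeps the comparison to the application's own keys instead of the whole registry. This is an added example (not from the original page and not Regshot's code); the vendor key under HKCU is an assumption, and the credential keyword list is a starting point rather than an exhaustive one.

```powershell
# Added example: snapshot a registry subtree before/after an action and diff it,
# then flag values whose name or data looks like a credential. Root key is assumed.

function Get-RegistrySnapshot {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'HKCU:\Software\Vendor\ExampleApp'
    $snap = @{}
    $keys = @(Get-Item -Path $Root -ErrorAction SilentlyContinue) +
            @(Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            # Keep REG_EXPAND_SZ unexpanded so the stored string is what gets compared
            $value = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            if ($value -is [byte[]])        { $value = ($value | ForEach-Object { $_.ToString('x2') }) -join '' }
            elseif ($value -is [string[]])  { $value = $value -join "`n" }
            $snap["$($key.Name)\$name"] = [string]$value   # empty $name is the key's (Default) value
        }
    }
    return $snap
}

function Compare-RegistrySnapshot {
    param([Parameter(Mandatory)][hashtable]$Before, [Parameter(Mandatory)][hashtable]$After)
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Added';    Value = $k; Data = $After[$k] }
        } elseif ($Before[$k] -cne $After[$k]) {
            [pscustomobject]@{ Change = 'Modified'; Value = $k; Data = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'Removed';  Value = $k; Data = $Before[$k] }
        }
    }
}

# Usage: assumed key; replace with the hive/key the client actually writes to
$root   = 'HKCU:\Software\Vendor\ExampleApp'
$before = Get-RegistrySnapshot -Root $root
Read-Host 'Log in / save settings in the thick client, then press Enter' | Out-Null
$after  = Get-RegistrySnapshot -Root $root

$diff = Compare-RegistrySnapshot -Before $before -After $after
$diff | Format-Table -AutoSize

# Names or data that smell like clear-text credentials or session material
$diff | Where-Object { ($_.Value + ' ' + $_.Data) -match '(?i)(pass|pwd|secret|token|apikey|cred|session)' } |
    Format-List
```

A long hex blob in a Modified entry is not automatically safe: if it was written with DPAPI (CryptProtectData) it is bound to the user, but a fixed-key or XOR "encryption" decodes trivially, so carry suspicious binary values over to the static analysis of the binary that wrote them.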

On-Disk / In-Memory Manipulation

Fuzzing

Fuzz the application with WinAFL for memory corruption vulnerabilities:
  • googleprojectzero/winafl: A fork of AFL for fuzzing Windows binaries (github.com)
  • [Fuzzing With WinAFL] How to fuzz a simple C program with WinAFL - YouTube
  • BB-1011 Fuzzing WinAFL - YouTube
  • Fuzzing with WinAFL: Writing a Harness for a DLL and fuzzing it with WinAFL - YouTube

Writing harness functions can be time-consuming, but it is very rewarding once you learn how to do it quickly.

Traffic Interception

  • Is clear text traffic transferred?
  • Can you manipulate traffic?

You can use one or many of these techniques in conjunction to read/manipulate network traffic. My personal favorite is Fiddler to intercept the traffic and forward it to Burp Suite, in combination with Burp Suite custom proxy rules, to narrow the traffic down to the application-specific traffic as much as possible without the noise generated by the OS and other random applications on the host.

Important Proxying Notes

Windows Global System Proxy

Fiddler isn't a sniffer - it's a proxy. Unless you can get the offending application to use a proxy none of its traffic is going to run through Fiddler. Java applications don't use the operating system's SSL "stack", so interception utilities that shim into the Windows SSL stack aren't going to be helpful either. Presumably the remote servers aren't running an SSL stack that's easy to snoop inside (since you say they're running Tomcat, and also not likely using the OS SSL stack).

windows - Log an Application's Network Activity with Process Monitor and/or Fiddler or something else - Server Fault

AppContainers

Some metro style applications run inside isolated processes known as "AppContainers." By default, AppContainers are forbidden from sending network traffic to the local computer (loopback). This is, of course, problematic when debugging with Fiddler, as Fiddler is a proxy server which runs on the local computer. Fiddler has a GUI tool that allows you to very easily reconfigure an AppContainer to enable loopback traffic.

AppContainer Isolation - Win32 apps | Microsoft Learn
Revisiting Fiddler and Win8+ Immersive applications – Fiddler Web Debugger (archive.org)

Wireshark

The HTTPS decryption approach below also works with Winshark captures.

Decrypt SSL with Wireshark - HTTPS Decryption: Step-by-Step Guide (comparitech.com)

Winshark

It's possible to use Wireshark to filter network traffic by process ID using the Winshark plugin. In the simplest terms, this plugin correlates ETW events with the traffic that produced them, so each captured packet carries the owning process ID.

Winshark makes filtering traffic by process ID possible: use the winshark.header.ProcessId == 1234 filter. Also, always run Wireshark as administrator after installing Winshark, since the ETW session it reads from requires elevation.

You can find the installation instructions in the README on their GitHub: airbus-cert/Winshark: A wireshark plugin to instrument ETW (github.com)

Script to generate a Wireshark filter for all subprocesses of a process

# N.b. if the application keeps spawning processes this filter goes stale, because the PID list is computed once.

function Get-ChildProcesses ($ParentProcessId) {
    # Walk the process tree downwards via WMI; the self-parent check stops infinite
    # recursion (PID 0, the Idle process, reports itself as its own parent)
    $filter = "parentprocessid = '$($ParentProcessId)'"
    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        $_
        if ($_.ParentProcessId -ne $_.ProcessId) {
            Get-ChildProcesses $_.ProcessId
        }
    }
}

function Generate-WinSharkFilters($ParentProcessId){
    # Force an array: with exactly one child, "$pids += $ParentProcessId" would
    # otherwise perform integer addition instead of appending a PID
    $pids = @(Get-ChildProcesses $ParentProcessId | ForEach-Object { $_.ProcessId })
    $pids += [uint32]$ParentProcessId
    # Anchor the alternation so that PID 1234 does not also match 12345
    $StrPids = ($pids | Select-Object -Unique) -join '|'
    Write-Output "string(winshark.header.ProcessId) matches '^($StrPids)$'"
}

Generate-WinSharkFilters 5473

Usage

  1. To capture network traffic using Winshark, you simply have to activate network tracing through netsh:

    netsh.exe trace start capture=yes report=no correlation=no
    

  2. And then create an ETW session associated with the Microsoft-Windows-NDIS-PacketCapture provider:

    logman start Winshark-PacketCapture -p "Microsoft-Windows-NDIS-PacketCapture" -rt -ets
    

  3. Then launch Wireshark with administrator privileges and select the Winshark-PacketCapture interface.
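
The three steps above as one elevated PowerShell session, added here as an example (not from the Winshark project): it verifies elevation first, starts the target under capture so its PID is known from the first packet, prints the matching display filter, and tears both sessions down in a finally block so a failed launch does not leave a trace running. The target path is an assumption; the session name is the one the Winshark README uses.

```powershell
# Added example: wrap the Winshark setup/teardown around launching the target.
# $Target is an assumption; netsh/logman are invoked exactly as in the steps above.
$Target  = 'C:\Program Files (x86)\Cisco Systems\Cisco Example Application\Example.exe'
$Session = 'Winshark-PacketCapture'

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated PowerShell: netsh trace, logman -ets and Wireshark/Winshark all need admin.'
}

try {
    # Step 1: enable network tracing (no report, no correlation)
    netsh.exe trace start capture=yes report=no correlation=no | Out-Null
    # Step 2: real-time ETW session on the NDIS packet-capture provider that Winshark reads
    logman.exe start $Session -p 'Microsoft-Windows-NDIS-PacketCapture' -rt -ets | Out-Null

    # Launch the target under capture and record its PID for the display filter
    $proc = Start-Process -FilePath $Target -PassThru
    Write-Host "Target PID: $($proc.Id)"
    Write-Host "Wireshark display filter: winshark.header.ProcessId == $($proc.Id)"
    Write-Host "Step 3: open Wireshark as administrator, select the '$Session' interface, then press Enter here to stop."
    [void](Read-Host)
}
finally {
    # Tear down in reverse order, even if the target failed to start
    logman.exe stop $Session -ets | Out-Null
    netsh.exe trace stop | Out-Null
}
```

If the client forks workers, feed $proc.Id to the Generate-WinSharkFilters function above after the child processes have started to get the multi-PID filter instead.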

Fiddler

FiddlerScript (Rules > Customize Rules, inside class Handlers): only the sessions that match an in-scope host get the X-OverrideGateway flag and are forwarded to Burp on 127.0.0.1:8080; everything else goes straight out. The victim.com / attacker.com / wow.cc / awesome.cc / target.net names are placeholders for the engagement's hosts.

public static function IsInternalHost(oSession: Session) : Boolean
{
    // Treat loopback and RFC 1918 destinations as "ours": the thick client's
    // local servers and lab hosts
    var hostname = oSession.hostname;
    if (String.IsNullOrWhiteSpace(hostname)) return false;

    try {
        var testIp;
        try {
            // IP literal: skip DNS (GetHostEntry on a literal does a reverse lookup)
            testIp = System.Net.IPAddress.Parse(hostname);
        } catch (parseError) {
            testIp = System.Net.Dns.GetHostEntry(hostname).AddressList[0];
        }

        // Covers 127.0.0.0/8 and ::1
        if (System.Net.IPAddress.IsLoopback(testIp)) return true;

        // The octet checks below only make sense for IPv4
        if (testIp.AddressFamily != System.Net.Sockets.AddressFamily.InterNetwork) return false;

        var ip = testIp.GetAddressBytes();
        switch (ip[0])
        {
            case 10:                                  // 10.0.0.0/8
            case 127:
                return true;
            case 172:                                 // 172.16.0.0/12
                return ip[1] >= 16 && ip[1] < 32;
            case 192:                                 // 192.168.0.0/16
                return ip[1] == 168;
        }
    } catch (error) {
        // Unresolvable host: not internal
    }

    return false;
}


static function OnBeforeRequest(oSession: Session) {
    var host = oSession.hostname.ToLower();
    if ( oSession.HostnameIs("burp") ||
        host.EndsWith("victim.com") || host.EndsWith("attacker.com") ||
        host.EndsWith("wow.cc") || host.EndsWith("awesome.cc") ||
        IsInternalHost(oSession) ||
        // Bare names with no resolvable suffix (internal short names) come back as Unknown
        Uri.CheckHostName(oSession.hostname) == UriHostNameType.Unknown ||
        host.Contains("target.net")
        )
    {
        // Fiddler session flag: send this request to Burp instead of the default gateway
        oSession["X-OverrideGateway"] = "127.0.0.1:8080";
    }
}

MITM Proxy

TBD

Windows HTTP Proxy

Debuggers

Decompilers


Learning Resources