Tag Archives: IDA Pro

Password stealing using a password filter

Nice stuff from @mubix: the technic consists in injecting a DLL to lsass.exe, using the password filter feature of Windows.

The password filter architecture is useful to check that a password is compliant with the system security policy. It will typically check that when a user changes his password, it follows the required complexity.

Microsoft opened the API so that users can extend the functionality with their own filters.

Mubix diverted this API by developing a password logger: the DLL just logs the password both on the disk and a remote server,  and does nothing else.

A perfect way to maintain a persistent access… I tested it:

Evilpassfilter exploitation process

Evilpassfilter exploitation process

  1. Evilpassfilter.dll is loaded into lsass.exe
  2. A user updates his password
  3. The password goes through the Evilpassfilter password filter, which notifies the attacker through HTTP and also logs it locally.

Here is what I did to get it work (Windows 7 x64):

  • Make sure the local password security policy is enabled on the target
  • Create a new Win32 project in Visual Studio (2012)
  • Eventually delete unnecessary files, to start with an empty project (stadfx.h and cie)
  • Import the source code
  • Create a Evilpassfilter.def file, which defines the exports:
    LIBRARY Evilpassfilter
  • In the project properties, make sure to select the appropriate architecture, matching with the one of your target.

    Selecting the compilation target architecture (win32/x64)

    Selecting the compilation target architecture (win32/x64)

  • In the input settings of the link editor, add wininet.lib as additional dependancy.
  • Also add Evilpassfilter.def as module definition file.

    Evilpassfilter Visual Studio settings

    Evilpassfilter Visual Studio settings

  • In the source code, fix line 72: return; –> return 1;
  • Now you should be able to compile the library. You may want to make sure that the DLL is valid and integrated the exports (open it with IDA or a PE tool):

    Evilpassfilter.dll exports seen in IDA

    Evilpassfilter.dll exports seen in IDA

  • Copy the resulting DLL to the system32 folder.
  • Open regedit HKLM\System\CurrentControlSet\Control\Lsa
    and add Evilpassfilter to the Notification Packages

Reboot and… now you should know what to do next :-)

Debugging the MBR with IDA Pro and Bochs

Analyzing the MBR is sometimes required during a forensic process, if you suspect a malicious activity that is not detected on-line. With static analysis, you may see if an obvious corruption happened, but you will need to debug to learn more.

Prerequisite :

  • IDA Pro (6.0) with the IDA Python plug-in (1.4.3)

Steps :

  1. Prepare your forensic disk image.
    In general, it is that simple :

    $ dd if=<source> of=disk.img bs=65536 conv=noerror

    Or :

    $ ddrescue -n <source> <dest> file.log

    Check the disk geometry using :

    $ fdisk -luc disk.img

    These values will be useful for step 5.
    However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :

    $ dd if=input of=output bs=2064384 count=507
  2. Refer to CHS if you wonder how to get these values.

  3. Extract the MBR from the disk or from the image you just took.
    $ dd if=<source> of=mbr.dump bs=512 count=5
  4. Download and install the Bochs x86-64 emulator, which comes with a debugger that will work nicely with IDA.
  5. Download this archive from Hexblog (IDA Pro’s blog). We will use two files from there : bochrc, wich is the configuration file for Bochs, and mbr.py which a python file helpful from preparing the debugging environment.
  6. Copy bochrc in your working directory and edit the following line to match your disk image geometry :
    ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63

    Before going on, you may test that Bochs can use the image with these settings :

    C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q
  7. In the same directory, copy mbr.py and edit the following settings :
    # Some constants
    SECTOR_SIZE = 512
    BOOT_START  = 0x7C00
    BOOT_SIZE   = 0x7C00 + SECTOR_SIZE * 4
    MBRNAME    = "mbr.img"
    IMGNAME     = "sdb.img"
  8. Now open a console and type :
    C:\> mbr update
  9. With IDA Pro, open the boshrc file. IDA should recognize the format and set the proper settings.
  10. From the menu, open File/Script File and select mbr.py. It will close IDA after execution.
  11. Open again your *.idb file, set a breakpoint at 0x7C00.
  12. Start the debugger.

You should now be able to go ahead and debug the MBR step by step.

References :