安全播报

防御吧作为15年知名老牌域名服务商,CNNIC和CANN双认证域名注册商,已经
持续为500多万个域名提供服务,包括智能DNS/自由转移/隐私保护等服务!
如何使用WFH搜索Windows可执行程序中的常见漏洞或功能
2021-08-12 14:38:14 【

关于WFH

WFH,全名为Windows Feature Hunter,即Windows功能搜索工具,该工具基于Python开发,使用Frida实现其功能,可以帮助广大研究人员搜索和识别Windows可执行程序中的常见安全漏洞以及功能。当前版本的WFH能够自动识别动态链接库DLL中潜在的侧加载问题以及组件对象模型COM中劫持攻击的实现可能。

DLL侧加载利用勒Windows中WinSXS程序集来从SXS列表中加载恶意DLL文件。COM劫持将允许攻击者置入恶意代码,而这些代码将能够通过劫持COM引用和关系代替合法软件的执行。

WFH可以输出潜在的安全漏洞,并将目标Windows可执行文件中的潜在漏洞相关信息写入至CSV文件中。

工具安装

首先, 广大研究人员需要使用下列命令将该项目源码克隆至本地:

  1. git clone https://github.com/ConsciousHacker/WFH

然后运行下列命令安装和配置相关依赖组件:

  1. pip install -r requirements.txt

工具帮助信息

  1. PS C:\Tools\WFH > python .\wfh.py -h

  2. usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]

  3.  

  4. Windows Feature Hunter

  5.  

  6. optional arguments:

  7.  -h, --help            show this help message and exit

  8.  -t T [T ...], -targets T [T ...]

  9.                        list of target windows executables

  10.  -m {dll,com}, -mode {dll,com}

  11.                        vulnerabilities to potentially identify

  12.  -v, -verbose          verbose output from Frida instrumentation

  13.  -timeout TIMEOUT      timeout value for Frida instrumentation

  14.  

  15. EXAMPLE USAGE

  16.    NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading

  17.  

  18.    DLL Sideloading Identification (Single):        python wfh.py -t .\mspaint.exe -m dll

  19.    DLL Sideloading Identification (Verbose):       python wfh.py -t .\mspaint.exe -m dll -v

  20.    DLL Sideloading Identification (Timeout 30s):   python wfh.py -t .\mspaint.exe -m dll -timeout 30

  21.    DLL Sideloading Identification (Wildcard):      python wfh.py -t * -m dll

  22.    DLL Sideloading Identification (List):          python wfh.py -t .\mspaint.exe .\charmap.exe -m dll

  23.  

  24.    COM Hijacking Identification (Single):          python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com

  25.    COM Hijacking Identification (Verbose):         python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v

  26.    COM Hijacking Identification (Timeout 60s):     python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60

  27.    COM Hijacking Identification (Wildcard):        python wfh.py -t * -m com -v

  28. COM Hijacking Identification (List):            python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v

工具使用

(1) DLL侧加载识别

首先,我们需要将需要分析的代码拷贝至WFH工具所在的目录下,然后按照下列命令执行扫描分析:

  1. PS C:\Tools\WFH > copy C:\Windows\System32\mspaint.exe .

  2. PS C:\Tools\WFH > copy C:\Windows\System32\charmap.exe .

  3. PS C:\Tools\WFH > dir

  4.  

  5.  

  6.    Directory: C:\Tools\WFH

  7.  

  8.  

  9. Mode                 LastWriteTime         Length Name

  10. ----                 -------------         ------ ----

  11. d-----         5/14/2021   2:12 PM                .vscode

  12. -a----          5/6/2021   2:39 PM           1928 .gitignore

  13. -a----         12/7/2019   2:09 AM         198656 charmap.exe

  14. -a----         5/18/2021   7:39 AM           6603 loadlibrary.js

  15. -a----          4/7/2021  12:48 PM         988160 mspaint.exe

  16. -a----         5/18/2021   7:53 AM           8705 README.md

  17. -a----         5/17/2021  11:27 AM           5948 registry.js

  18. -a----          5/6/2021   2:41 PM             11 requirements.txt

  19. -a----         5/18/2021   8:35 AM          10623 wfh.py

接下来,我们就可以使用WFH来对目标代码进行分析,并尝试识别其中的DLL侧加载机会:

  1. PS C:\Tools\WFH > python .\wfh.py -t * -m dll

  2. ==================================================

  3. Running Frida against charmap.exe

  4. --------------------------------------------------

  5.        [+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  6.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

  7.  

  8. [*] Writing raw Frida instrumentation to charmap.exe-raw.log

  9. [*] Writing Potential DLL Sideloading to charmap.exe-sideload.log

  10. --------------------------------------------------

  11. ==================================================

  12. Running Frida against mspaint.exe

  13. --------------------------------------------------

  14.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE

  15.        [-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup

  16.        [+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  17.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

  18.  

  19. [*] Writing raw Frida instrumentation to mspaint.exe-raw.log

  20. [*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log

  21. --------------------------------------------------

  22. ==================================================

  23. [*] Writing dll results to dll_results.csv

  24.  

  25. PS C:\Tools\WFH > type .\dll_results.csv

  26. Executable,WinAPI,DLL,EntryPoint / WinAPI Args

  27. charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  28. charmap.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

  29. mspaint.exe,LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE

  30. mspaint.exe,GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup

  31. mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  32. mspaint.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

如果你想让WFH输出更多详细内容,可以使用“-v”参数开启Verbose模式。此时将能够查看Windows API调用的详细情况:

  1. PS C:\Tools\WFH > python .\wfh.py -t * -m dll -v

  2. ==================================================

  3. Running Frida against charmap.exe

  4. {'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}

  5. {'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}

  6. --------------------------------------------------

  7.        [+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  8.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

  9.  

  10. [*] Writing raw Frida instrumentation to charmap.exe-raw.log

  11. [*] Writing Potential DLL Sideloading to charmap.exe-sideload.log

  12. --------------------------------------------------

  13. ==================================================

  14. Running Frida against mspaint.exe

  15. {'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE'}

  16. {'type': 'send', 'payload': 'GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}

  17. {'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}

  18. {'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}

  19. --------------------------------------------------

  20.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE

  21.        [-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup

  22.        [+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL

  23.        [+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE

  24.  

  25. [*] Writing raw Frida instrumentation to mspaint.exe-raw.log

  26. [*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log

  27. --------------------------------------------------

  28. ==================================================

  29. [*] Writing dll results to dll_results.csv

(2) COM劫持识别

  1. PS C:\Tools\WFH > python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com

  2. ==================================================

  3. Running Frida against C:\Program Files\Internet Explorer\iexplore.exe

  4. --------------------------------------------------

  5.        [+] Potential COM Hijack: Path : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32,lpValueName : null,Type : REG_EXPAND_SZ, Value : %SystemRoot%\system32\Windows.Storage.dll

  6.        [+] Potential COM Hijack: Path : HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32,lpValueName : null,Type : REG_SZ, Value : C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll

  7.  

  8. [*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log

  9. [*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log

  10. --------------------------------------------------

  11. ==================================================

  12. [*] Writing dll results to comhijack_results.csv

工具使用样例

(1) 原生Windows签名代码

将所有的原生Windows签名代码拷贝至WFH脚本所在目录:

  1. Get-ChildItem c:\ -File | ForEach-Object { if($_ -match '.+?exe$') {Get-AuthenticodeSignature $_.fullname} } | where {$_.IsOSBinary} | ForEach-Object {Copy-Item $_.path . }

(2) 搜索DLL侧加载机会

  1. python wfh.py -t * -m dll

(3) 搜索COM劫持机会

  1. python wfh.py -t * -m com


】【打印关闭】 【返回顶部
分享到QQ空间
分享到: 
上一篇【漏洞预警】Fortinet 8月多个安.. 下一篇云安全:数据库权限的分配与回收

立足首都,辐射全球,防御吧专注云防御及云计算服务15年!

联系我们

服务热线:13051179500 18910191973
企业QQ:1245940436
技术支持:010-56159998
E-Mail:xihedata.com
Copyright ? 2003-2016 fangyuba. 防御吧(完美解决防御与加速) 版权所有 增值许可:京B2-20140042号
售前咨询
公司总机:18910191973
24小时电话:010-56159998
投诉电话:18910191973
值班售后/技术支持
售后服务/财务
备案专员
紧急电话:18610088800