- Get a Windows virtual machine set up within a hypervisor.
  a. Make sure to take a snapshot of your base installation.
- Download and install Visual Studio 2022 - https://visualstudio.microsoft.com/vs/
  a. Select the `Desktop development with C++` workload when installing.
- Download and install:
  - DebugView++ - https://github.com/CobaltFusion/DebugViewPP
  - PE Bear - https://github.com/hasherezade/pe-bear
  - ProcMon - https://learn.microsoft.com/en-us/sysinternals/downloads/procmon
  - Ghidra - https://www.ghidra-sre.org/
  - Everything - https://www.voidtools.com/

Additionally (optional), for a fuller reversing experience, set up symbols:

```cmd
setx _NT_SYMBOL_PATH c:\Symbols;srv*c:\Symbols*https://msdl.microsoft.com/download/symbols
mkdir \symbols
```
- Open `PMD.sln` within Visual Studio.
- Select the `setup` project, and ensure you can:
  a. Compile the project
  b. View the debug print statement within DebugView++.
- Update the `template` project compiler and linker flags to manipulate the IAT entries and other PE properties.
  a. Get comfortable with dynamic API resolution and MSDN docs.
  b. Are there any other properties that stand out? If you run Strings.exe against the binary, do any strings stand out?
  c. Can you remove/update them?
  Use any tooling of your choice to complete the exercise (e.g. dumpbin/PE Bear). A wrapper around pefile has been provided under `scripts\props.py` (make sure to install the requirements).
- Download some malware samples from VXUG
  a. What are the main differences between benign and malicious executables?
  b. What are the main differences between our binary and benign executables?
- https://learn.microsoft.com/en-us/cpp/build/reference/dumpbin-reference?view=msvc-170
- https://learn.microsoft.com/en-us/windows/win32/debug/pe-format
- https://learn.microsoft.com/en-us/previous-versions/ms809762(v=msdn.10)
- https://cloud.google.com/blog/topics/threat-intelligence/tracking-malware-import-hashing/
- https://github.com/rad9800/misc/blob/main/generic/fix-entropy.cpp
- https://github.com/rad9800/misc/blob/main/generic/stack-strings.cpp
The current API hashing algorithm used is fnv1a.
- Open the `solution` project and call MessageBoxA using the API hashing framework.
- Use a different hashing algorithm and ensure you can still call MessageBoxA.
- https://github.com/vxunderground/VX-API/tree/main/VX-API
- https://learn.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-messageboxa
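Resolving fnv1a API hashes from the analyst side, as an added example that is not part of the PMD project: it recomputes standard 32-bit FNV-1a over a list of known export names so that a hash recovered from a sample (or from the `solution` project's output) can be mapped back to its API name. The export-name list and the "recovered" hashes below are constructed for the demo; the variant (case folding, trailing NUL, 32- vs 64-bit) must match the framework that produced the hashes.

```python
# Added example (not part of the PMD project): analyst-side helper that rebuilds
# an FNV-1a hash table from export names so hashes seen in a sample can be
# mapped back to API names. Constructed inputs only; no network, no PE parsing.

FNV1A32_OFFSET = 0x811C9DC5
FNV1A32_PRIME = 0x01000193


def fnv1a32(name: str) -> int:
    """Standard 32-bit FNV-1a over the ASCII bytes of `name` (no NUL, case kept)."""
    h = FNV1A32_OFFSET
    for b in name.encode("ascii"):
        h ^= b
        h = (h * FNV1A32_PRIME) & 0xFFFFFFFF
    return h


# Constructed list of export names. In practice, feed the export tables of the
# DLLs the sample resolves from (e.g. parsed with pefile) into build_hash_table.
KNOWN_EXPORTS = [
    "MessageBoxA", "MessageBoxW", "LoadLibraryA", "GetProcAddress",
    "VirtualAlloc", "VirtualProtect", "CreateThread", "WriteProcessMemory",
]


def build_hash_table(names, hash_fn=fnv1a32, lowercase=False):
    """Map hash -> original name. Frameworks differ in case folding, NUL
    termination and width, so rebuild the table once per variant you suspect."""
    table = {}
    for n in names:
        key = n.lower() if lowercase else n
        table[hash_fn(key)] = n
    return table


def resolve_hashes(hashes, names=KNOWN_EXPORTS, hash_fn=fnv1a32, lowercase=False):
    """Return {hash: name or None} for every hash recovered from a sample."""
    table = build_hash_table(names, hash_fn, lowercase)
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    # "Recovered" hashes, constructed here from the names above plus one unknown.
    seen = [fnv1a32("MessageBoxA"), fnv1a32("VirtualAlloc"), 0xDEADBEEF]
    for h, n in resolve_hashes(seen).items():
        print(f"0x{h:08x} -> {n or 'unresolved (unknown name or other variant)'}")
```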
- Download Cisco Webex (https://www.webex.com/downloads.html)
- Find CiscoCollabHost and see what DLLs get loaded
  - Use Procmon/PE Bear/Ghidra or whatever!
- Open CiscoCollabHost in Ghidra and identify different ways to get code execution from sideloading
- Edit the `dll_template` to sideload your target binary. Verify you can see the debug string in DebugView++.
- Update the `LastWriteTime` and `CreationTime` of `dll_template.dll` to match the target DLL.
- Compile and run the utility project.
  a. Additionally, consider running it on your host system.
- Copy the identified DLL to the `x64/{Debug,Release}` directory and update the loader code.
- Update `execute_sc` to execute your shellcode with a different function with the API hashing framework.
- Create a new DLL project and put together:
  a. DLL Sideloading
  b. Shellcode Execution from Sideload
- Verify your PE properties are as expected.
- Compile your payload in Release and package in a format suitable for delivery.
- Sign up for a cloud storage provider (e.g. AWS/CloudFlare)
- Package your payload and upload it
  a. Additionally, investigate ways to limit/audit download access
- Take a snapshot of your VM
- Revert to the base VM and play your full "delivery" scenario
  - e.g. navigating a user to the URL and getting them to download. Ensure it works.
- Create a Git repository with the contents of this project
- Validate that you can run the Action and the artifacts work
- Update `.github\workflows\build.yml` to do additional pre/post processing as you want that saves time. Here are some ideas:
  - Run `props.py` and validate/include the output
  - Automate payload packaging in Python
  - Automate the updating of `LastWriteTime` and `CreationTime` to match a target
  - Run