Preface
Project: https://github.com/ConsciousHacker/WFH
Windows Feature Hunter (WFH) is a proof-of-concept Python script that uses Frida, a dynamic instrumentation toolkit, to assist in potentially identifying common "vulnerabilities" or "features" within Windows executables. WFH can currently identify potential Dynamic Link Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities automatically and at scale.
DLL sideloading takes advantage of the Windows Side by Side (WinSXS) assemblies to load a malicious DLL from the side by side (SXS) listing. COM hijacking allows an attacker to insert malicious code that is executed in place of legitimate software by hijacking COM references and relationships. WFH prints the potential vulnerabilities and writes a CSV file containing the potential vulnerabilities found in the target Windows executables.
Table of Contents
- Windows Feature Hunter (WFH)
- Native Windows Signed Binaries
- WFH DLL Sideloading Identification
- WFH COM Hijacking Identification
- WFH Installation
- WFH Help
- WFH Usage
- WFH Use Cases
- Windows Feature Hunter Dridex (WFH Dridex)
- WFH vs WFH Dridex Results
- WFH Dridex DLL Sideloading Identification
- WFH Dridex Installation
- WFH Dridex Dependencies
- WFH Dridex Usage
- WFH Dridex DLL Sideloads from System32
- HijackLibs Contribution
WFH Installation
pip install -r requirements.txt
WFH Help
PS C:\Tools\WFH > python .\wfh.py -h
usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]
Windows Feature Hunter
optional arguments:
-h, --help show this help message and exit
-t T [T ...], -targets T [T ...]
list of target windows executables
-m {dll,com}, -mode {dll,com}
vulnerabilities to potentially identify
-v, -verbose verbose output from Frida instrumentation
-timeout TIMEOUT timeout value for Frida instrumentation
EXAMPLE USAGE
NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading
DLL Sideloading Identification (Single): python wfh.py -t .\mspaint.exe -m dll
DLL Sideloading Identification (Verbose): python wfh.py -t .\mspaint.exe -m dll -v
DLL Sideloading Identification (Timeout 30s): python wfh.py -t .\mspaint.exe -m dll -timeout 30
DLL Sideloading Identification (Wildcard): python wfh.py -t * -m dll
DLL Sideloading Identification (List): python wfh.py -t .\mspaint.exe .\charmap.exe -m dll
COM Hijacking Identification (Single): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
COM Hijacking Identification (Verbose): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v
COM Hijacking Identification (Timeout 60s): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60
COM Hijacking Identification (Wildcard): python wfh.py -t * -m com -v
COM Hijacking Identification (List): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v
WFH Usage
WFH DLL Sideloading Identification
First you'll need to copy the binaries you want to analyze to the same directory as WFH
PS C:\Tools\WFH > copy C:\Windows\System32\mspaint.exe .
PS C:\Tools\WFH > copy C:\Windows\System32\charmap.exe .
PS C:\Tools\WFH > dir
Directory: C:\Tools\WFH
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2021 2:12 PM .vscode
-a---- 5/6/2021 2:39 PM 1928 .gitignore
-a---- 12/7/2019 2:09 AM 198656 charmap.exe
-a---- 5/18/2021 7:39 AM 6603 loadlibrary.js
-a---- 4/7/2021 12:48 PM 988160 mspaint.exe
-a---- 5/18/2021 7:53 AM 8705 README.md
-a---- 5/17/2021 11:27 AM 5948 registry.js
-a---- 5/6/2021 2:41 PM 11 requirements.txt
-a---- 5/18/2021 8:35 AM 10623 wfh.py
Now you can run wfh against the binaries to identify DLL sideloading opportunities
PS C:\Tools\WFH > python .\wfh.py -t * -m dll
==================================================
Running Frida against charmap.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
PS C:\Tools\WFH > type .\dll_results.csv
Executable,WinAPI,DLL,EntryPoint / WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
mspaint.exe,LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
mspaint.exe,GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
If you prefer more verbose output, you can use "-v" to see every message from Frida's instrumentation of the Windows API calls. The same output is also written to the raw log file.
PS C:\Tools\WFH > python .\wfh.py -t * -m dll -v
==================================================
Running Frida against charmap.exe
{'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE'}
{'type': 'send', 'payload': 'GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}
{'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
WFH COM Hijacking Identification
PS C:\Tools\WFH > python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
==================================================
Running Frida against C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
[+] Potential COM Hijack: Path : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer32,lpValueName : null,Type : REG_EXPAND_SZ, Value : %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path : HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer32,lpValueName : null,Type : REG_SZ, Value : C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
[*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log
--------------------------------------------------
==================================================
[*] Writing dll results to comhijack_results.csv
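An added triage example, not part of WFH: it parses the `[+] Potential ...` lines shown in the DLL sideloading and COM hijacking runs above (the same text WFH writes to its `-sideload.log`, `-comhijack.log` and CSV files) and ranks each finding by whether the lookup could be redirected from the application directory or shadowed from a per-user registry hive. The sample lines are constructed from the output above; the ranking rules are this example's own assumptions, not WFH's logic.

```python
import re

# Constructed sample lines, copied from the WFH output format shown above.
SAMPLE_LINES = [
    "[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL",
    "[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE",
    "[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup",
    "[+] Potential COM Hijack: Path : HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32,lpValueName : null,Type : REG_EXPAND_SZ, Value : %SystemRoot%\\system32\\Windows.Storage.dll",
]

LINE_RE = re.compile(r"^\[[+-]\] Potential (?P<what>[^:]+): (?P<payload>.+)$")

def parse_line(line):
    """Parse one '[+] Potential ...' line into {"kind", "api", "args"}; None if not one.
    kind is "dll" (LoadLibrary*/GetProcAddress hook) or "com" (registry hook)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    what, payload = m.group("what"), m.group("payload")
    if what.endswith("Sideloading"):
        api, _, rest = payload.partition(",")    # "LoadLibraryW,LPCWSTR: ..."
        kind = "dll"
    else:
        api, rest, kind = "registry", payload, "com"
    # Payload is a comma list of "Key : Value"; split on the FIRST colon so
    # drive letters inside values (C:\...) survive.
    args = {k.strip(): v.strip() for k, _, v in
            (pair.partition(":") for pair in rest.split(","))}
    return {"kind": kind, "api": api.strip(), "args": args}

def triage(f):
    """Rank a finding by whether an unprivileged user could redirect it (assumed rules)."""
    a = f["args"]
    if f["kind"] == "dll":
        name = a.get("hModule") or a.get("LPCWSTR", "")
        if "\\" in name:
            return "low: full path supplied, the application directory is not searched"
        flags = a.get("dwFlags", "NONE")
        if flags != "NONE":
            return "medium: bare name with search flags %s; check they exclude the exe directory" % flags
        # Bare name, default order: the exe's directory is searched before System32
        # unless KnownDLLs/SxS redirection applies, hence WFH Dridex's load test.
        return "high: bare name, default search order"
    path = a.get("Path", "")
    clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", path)
    key = clsid.group(0) if clsid else "?"
    if path.split("\\", 1)[0] in ("HKEY_LOCAL_MACHINE", "HKEY_CLASSES_ROOT"):
        return "review: machine-wide lookup of %s; HKCU\\Software\\Classes takes precedence" % key
    return "low: per-user registration of %s already present" % key
```

Feed the contents of a `-sideload.log` or `-comhijack.log` file through `parse_line` and `triage` to get one verdict per hooked call; lines such as `Running Frida against ...` are skipped.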
WFH Use Cases
Native Windows Signed Binaries
Copy all native Windows signed binaries to the wfh directory
Get-ChildItem c:\ -File | ForEach-Object { if($_ -match '.+?exe$') {Get-AuthenticodeSignature $_.fullname} } | where {$_.IsOSBinary} | ForEach-Object {Copy-Item $_.path . }
Look for DLL sideloading opportunities
python wfh.py -t * -m dll
Look for COM hijacking opportunities
python wfh.py -t * -m com
Windows Feature Hunter Dridex (WFH Dridex)
Windows Feature Hunter Dridex (WFH Dridex) is a proof-of-concept Python script inspired by the Dridex loader. WFH Dridex analyzes the Import Address Table (IAT) of a target executable, compiles a DLL for each entry in the executable's IAT, and verifies whether a DLL sideload is identified.
The original WFH release identified roughly 96 potential DLL sideloading opportunities. WFH Dridex identified roughly 966 verified DLL sideloading opportunities.
WFH Dridex Installation
pip install -r requirements.txt
WFH Dridex Dependencies
MinGW G++ (64-bit)
g++.exe
After installation it must be added to the PATH environment variable for WFH Dridex to work properly.
WFH Dridex Usage
WFH Dridex DLL Sideloading Identification
First you'll need to copy the binaries you want to analyze to the same directory as WFH Dridex
❯ cp C:\Windows\System32\mspaint.exe .
❯ cp C:\Windows\System32\charmap.exe .
Now you can run WFH Dridex against the binaries to identify DLL sideloading opportunities
❯ python .\wfh_dridex.py
[*] Creating a payload for charmap.exe with GetUName.dll
|_ Compiling with: g++.exe -s -Os -static -shared -fpermissive -oGetUName.dll dllmain.c
|_ Testing charmap.exe with GetUName.dll for DLL sideloading opportunity
|_ PID: 8936
[>] Listing working DLL sideloads
|_ charmap.exe GetUName.dll
[*] Creating a payload for mspaint.exe with MFC42u.dll
|_ Compiling with: g++.exe -s -Os -static -shared -fpermissive testaroo.def -oMFC42u.dll dllmain.c
|_ Testing mspaint.exe with MFC42u.dll for DLL sideloading opportunity
|_ PID: 9472
[*] Creating a payload for mspaint.exe with PROPSYS.dll
|_ Compiling with: g++.exe -s -Os -static -shared -fpermissive -oPROPSYS.dll dllmain.c
|_ Testing mspaint.exe with PROPSYS.dll for DLL sideloading opportunity
|_ PID: 11308
[*] Creating a payload for mspaint.exe with WINMM.dll
|_ Compiling with: g++.exe -s -Os -static -shared -fpermissive -oWINMM.dll dllmain.c
|_ Testing mspaint.exe with WINMM.dll for DLL sideloading opportunity
|_ PID: 180
[>] Listing working DLL sideloads
|_ mspaint.exe MFC42u.dll
|_ mspaint.exe PROPSYS.dll
|_ mspaint.exe WINMM.dll
❯ gc .\results.csv
Executable,DllName
charmap.exe,GetUName.dll
mspaint.exe,MFC42u.dll
mspaint.exe,PROPSYS.dll
mspaint.exe,WINMM.dll
WFH Dridex DLL Sideloads from System32
C:\Windows\System32
Sample CSV output from WFH Dridex can be viewed here.
WFH vs WFH Dridex Results
The original WFH release identified roughly 96 potential DLL sideloading opportunities. WFH Dridex identified roughly 966 verified DLL sideloading opportunities.
HijackLibs Contribution
As part of the WFH Dridex release, a pull request was submitted to Wietze's HijackLibs project, which included 507 new entries for that project.