Wednesday, August 31, 2011

Antivirus Hiding

There are a lot of choices when we want to pen test an application:
  • We can create a specific program to do this.
  • We can use an existing one.
  • We can modify (or... fork) an existing one.
Perhaps the ideal is to create your own program for the attack, but again, this has some drawbacks:
  • You don't have to reinvent the wheel.
Deadlines and cost make such an approach impossible.

Sunday, August 21, 2011

Reverse shell through DLL Injection using undocumented API function

This article is aimed at people who already know how to program in C or C++ and have a basic knowledge of Windows API calls. In addition, some knowledge of exploitation techniques is needed, such as what a reverse shell is, how we can use netcat, etc. If this is the first time you are reading about such things, then do not bother to read the article.
DLL injection is a popular technique used by attackers to inject an executable in order to perform controlled code execution. Several methods of preventing this have been developed by OS vendors, but without 100% success.
In this article I will present two methods of a successful attack against a Windows 7 Ultimate OS that returns a reverse shell to the attacker. The first method uses the documented Windows API function CreateRemoteThread and the second method uses the undocumented function NtCreateThreadEx. The reason I prefer the second method is that the first method triggers an alert in the Windows Security Essentials antivirus while the second does not!
In addition, a "home made" undetectable reverse shell (developed in C++) will be used in conjunction with a method of transferring or packing an executable inside another executable.

The final attack will be performed using two methods: the traditional (manual) method, in which I use only Netcat, and the... "official" method, in which I use the well-known Armitage from the Metasploit arsenal. Pictures of the attack will be available to you, as well as a short video.