Bringing Harmony to IIS: Using game mods to protect (or nuke) your web server

uh so thank you all for coming uh my name is Adrian Justice and today I'm going to be showing you how we can do some interesting stuff with our I guess production grade web servers we'll do everything from detecting the sort of activity that nation states are using against web servers today through to destroying them if we really want to we don't need too much about me if you're interested in this IAS sort of stuff I've been starting to put more of it up on Twitter so feel free to give it a follow otherwise uh let's get into it and we'll start off with probably the most obvious question for everyone in the room why in Christ's name would you

inject game mods into a web server so believe it or not I actually came up with the idea whilst trying to solve a legitimate problem uh come on uh how do you gain visibility of adversaries abusing legitimate net functionality now through my day-to-day job and in my personal research I deal with a lot of post exploitation uh exploitation activity on I servers and while some of the crappiest stuff that I did deal with looks a little like this that's really small but it's basically cmdc let's run a thing hunting for this stuff is did something spawn out of w3wp uh that's IAS if you've never seen that before if your EDR doesn't show you that

you've either haven't set it upright or it's time to get a new EDR this is the most basic of IAS exploitation not everything's this easy though for example what would you do if you came across this on your web server if you decided to uh sort of deal confiscate that uh I'm telling you you'll make it to another evl function that just evaluates a post parameter so not the most useful thing for analyzing the file you might be thinking I'll just go and look at my I log files that's a good starting point that's what you'll see uh you've got some IP addresses in there maybe it's the adversaries maybe it's that load balancer you never got

around to setting up log foring for and you got some user agents but they send a randomize for every single request so nothing overly useful there besides timestamps for all you know the adversary ran a directory listing 10 times or they exfiltrated half your domain you've just got no idea through this ideally to analyze a webshell like this or to see the the capability that this adversary has we need to get some form of visibility of the evil function that's wrapping all of that disgusting code now monitoring functions is by no means A New Concept if you've ever looked into how AV or EDR Works you've probably come across the concept of function hooking it's been mentioned in

a few of the other talks today as well uh the general idea if you've never seen it before is to hook a function you overwrite the first instruction of that function with an unconditional jump out to some code you control once you're in that code you've got access to the stack and the registers that contain the state that was sent to the function being called and you can now do whatever you want with it you can write it like write it to a log file fire off an alert in your EDR tamper with the parameters do anything importantly if you don't want to break things you need to reimplement whatever instruction you overr with your

jump and then unconditionally jump back to just after your hook point if you do everything right then the person calling your hooked function has no idea that it's hooked and you get your additional visibility great so function hooking is a thing just do that why are we screwing around with game mods well unfortunately everything we just went through only applies to unmanaged or native code think everything in the left hand column so C C++ rust goang anything that compiles down to Native assembly code that your CPU can execute when it comes to I we're dealing with things like C VB script and jscript these sit in the managed language category which is in the middle these languages compile down

to an Intermediate Language code so it's kind of like assembly but it's not for your CPU it's for an intermediate uh language sort of interpreter in uh C and the net world this is the common language runtime if you're familiar more with the Java side of things the kind of equivalent would be the Java virtual machine over there now I assume that I probably wasn't the first person to ever want to gain visibility of a manag function and I started thinking what other problems could be solved with this or who's probably already done this work to do the heavy lifting straight away I thought of uh game mods this is basically all they do like a game mod

wants to manipulate the functionality of a game to change how a certain aspect of it runs logically the only way of doing that is to have some way of hooking a function now I was interested in net uh and one of the more popular up until a week or two ago uh development Lang or development Frameworks for games was Unity they kind of pissed off a lot of people recently but whatever uh there's a lot of games out there that are written in unity and quite a few of them do have some level of unofficial aftermarket support for mods so I figured uh that was a good starting point looking at the list of popular

games with mods I recognized one on the list uh Rim World Rim world uh if you've never seen it before people have done some crazy [ __ ] in this game with mods the regular game is sort of a a groundbased colony simulator sort of thing uh people have turned it into full-on space Warfare and all sorts of other stuff doing that sort of thing requires hundreds of mods from hundreds of developers all running in the same process most of the time not crashing uh so I figured whatever could do that could probably handle me poking a few web shells doing a bit of uh research I found that most of these mods are built on a framework known as

Harmony uh Harmony was actually originally developed as a rim World modding framework it's since been I guess generic ified down to support more generic uh net games and just net based applications as a whole so it allows you to gain that function level uh visibility that I was after so perfect now before we get into actual game mods I wanted to cover off on just a little bit of terminology so we're all on the same page when I mention it later first one uh net so should probably know that one to start uh net is not a language net is a platform whatever that means uh that's Microsoft description of it there's multiple languages that will

build uh to like build code that sort you know supports net or is net uh main ones you're ever going to deal with is c for most modern web applications that are built on uh The NET Framework or the more recent just net uh that sort of covers everything from your Windows Form based application through to like something running on a i server Visual Basic not super popular these days most people just know it as the macro language that screws their network over more often than not and uh jscript.net is more or less dead except for uh shitty web shells like the one we saw at the start and the ones that we're going to see later

on net assembly uh we don't need too much about this today a net assembly has a lot in it but for today's purposes it's a dll or an XE that you get when you build a net application uh the big string over to the right of that is the way we reference net assemblies so the first part is the simple name of the assembly uh we got a version string adversaries are really bad at remembering to set the version string for some reason and so often they just set it to all zeros so if you're ever hunting for this stuff and you see that might be worth paying attention to that particular file uh culture should pretty much always be set

to neutral unless you're dealing with a resource or a System Assembly which is pretty rare and public token is used when signing assemblies but nothing really validates or enforces the signing so uh not a whole lot of people actually do it uh reflection is by no means a net exclusive concept plenty of uh languages have it general idea of uh reflection is through a bit of black magic a application can inspect its own uh own running process and deter uh determine information about like its own uh types methods things like that it's also capable of dynamically invoking them and just to be a pain in the ass on net it's able to load entire net assemblies from

bite arrays that come from mysterious buffers that are populated over internet connection uh it's not a bug it's a feature no you can't turn it off uh adversaries love this [ __ ] all right let's actually get into some uh hooking I'm going to be interchangeably using hooking patching modding all throughout this so it's all more or less the same to me uh we're going to avoid I to start with it just adds a little bit too much complexity that we really don't need deal with instead we're going to write our own basic net application we'll develop some uh mods for that and then we'll take things from there so here's our basic app uh just

has a log function if you pass a string to it prints it out forgive it a run does exactly what you'd expect so before we can write mods for this we actually need to get Harmony installed uh I'm going to be doing all of this through Visual Studio uh if you do anything else you're on your own so once we've got our uh project created right click on our references choose manage Nate packages uh search for Harmony and we're after lib Harmony 2.2.2 hit install and you've now got Harmony installed and you're ready to start modding all right so the screen may look a little dense and a little complex in some areas but it contains basically all

the information that we need to write most of the mods that we're going to be doing today so to get uh started with Harmony we import it that's cut off at the top uh but you know I'm sure you can work that one out we then need to create a new instance of Harmony uh passing in some form of unique string identifier for the game modding sort of side of things this tends to be used as a way of identifying your instance of Harmony but since we're shoving this into a web server probably not a big issue we got bigger problems if we run into another instance of Harmony on our web server after that we need to call Patch

all on our object patch all will use some of that reflection black magic to analyze our currently running uh assembly and identify any classes that are tagged with this harmony patch attribute down the bottom uh we don't need to worry too much about what attributes are in C uh just think of it as a way of tagging the class that is underneath it I've got three separate versions of Harmony patch here you only ever any one of these I'm just showing a few variance of this so the First Column of the harmony patch is the type that contains the function that we're going to hook or might write a mod for in this case we're going to be targeting the log

function above the red box and that is part of the program type which is defined right at the top so we use type of program later on when we're targeting actual functions in The NET Framework you'll see much longer uh type definitions here next up we need to define the name of the function that we're targeting so that is Log In this case we can either specify it as a string or we can use the name of function down the bottom to dynamically resolve it uh Harmony recommend or the harmony docs recommend the bottom option I have no idea why it's a massive pain in the ass if you start trying to Target private functions that you're not really

supposed to tamper with but you're also not meant to mod things like this so yeah I don't know why they went that approach uh I'm going to be using these two interchangeably but for most uh most of the time you should probably just stick with the string version at the top yes last but not least we have an array of types so C by default is a supports function overloading general idea of that is we could have five different functions all called the same thing but with different parameters so for our log function we might have a log function that takes a string one takes an INT one takes an INT add a string as

the developer you just write log and pass stuff in and it just magically works but for us we don't quite have that uh that convenience we need to explicitly determine which function we want to hook so we do that by passing in uh types an array of types that match the target function so in this case Target function takes a single string so we pass an array of types that contains a single string next up we've got our hook class the name of this class can be whatever you want I recommend going for something that sort of is descriptive of what you're actually trying to achieve within that there's several different functions we can selectively uh create depending

on what we want to achieve so prefix a prefix function will run before the target function so in this case before the log function uh and it's typically used if you want to do something with parameters so you want to log parameters being passed in you want to tamper with them or you want to straight up prevent the target function from running uh the parameters for this function need to match the target function so you'll see we've got a string called message in both of them the type and the name have to match so if you make the uh prefix function have a string called MSG it's not going to compile properly next up we have a postfix

function these run after the target function so you can no longer affect the execution of a function once you're in the postfix uh the the target function has already run we typically use these if we want to get access to or modify the return value of a function uh postfix functions have a special variable defined by Harmony called double underscore result that has the type of the return type of the function you're uh targeting so in this case the log function returns an INT so our double underscore result value needs to be an INT later on we'll see some that return a string array in that case double underscore result will be a string array with this mod set up the way it is

uh if we were to call the log function this is roughly how it would go so our prefix function would be called first then the actual log function and finally the postfix function all right let's uh let's actually write our first mod so we've got a sample application here uh it just calls log a couple of times and we're going to write a uh couple of hooks for it so first up we have just a generic log printing out welcome to my you know first C application this is how happen before any hooks have been enabled so we would expect this to log uh in all of our applications without any issues next up we create our instance of

Harmony and we call Patch all so now our hooks are active our mods are active and we're good to go we call log again this one is now subject to our hooks so uh whatever we do in our mod down the bottom uh we expect it to affect this function call so our current hook this time is a single prefix function so we're running the for the Target function we're interested in parameters in this case we've got the message parameter being passed through and we're just going to wrap it up in our own string and write it to the console importantly we explicitly call console. right line here we don't use our log function because if

we call the hooked function from within the hook we're going to have a bad time so if we give this a run we'll see that our first log function runs unaltered our second call has successfully been pre uh like hooked so we've had a function run before the actual log function and then our log function has been allowed to run this may seem like an incredibly boring mod it's actually the most useful one for the sort of stuff we're trying to do so trying to improve visibility of web shells we used a log function here what if we just made that that eval function from earlier on all of a sudden the code that's being

passed in to be evaluated can be written out to the console instead so we'll be using this type of mod quite a few times throughout this presentation next up what if we want to manipulate parameters to a function all we need to do to do that is add a riff keyw to the parameter being passed in once we've done that we can just replace the uh contents of the parameter give it a run our second log function has now been replaced so we've changed that parameter so she uh C by default is a pass by value language so if you pass a string into a function and you make all of the characters in that string

uppercase you're changing a local version of that string local to your function you're not manipulating the original parameter that was passed in if we set the ref keyword we change it to a pass by reference call so now the original uh value that's passed in uh any changes that are made to that we're changing the actual value that will be used later on in the application so by doing it this way we're manipulating the parameter that will be ultimately passed on to the actual log call next up uh what if we want to just prevent the function from running all together so we've been doing a log function now uh up until now now if a

admin came along and check their logs and all of a sudden every single log has been replaced with this static string that looks pretty SS it's better if we just don't log anything anymore to do that we just change our return type from a void to a Boolean and return false uh if we give this a run we'll see that that second log message is no longer running so we're kind of abusing a feature of Harmony here where I believe it's used if you want to just replace the functionality of a Target function so if you think from a a game development sense if you wanted to replace say the r function with a custom

one that makes everything black and white you write a prefix hook you do all the logic to spit everything out in black and white there's not much point then calling the original function and have it just be rendered in color over the top so if we return false it prevents that original function from running we can abuse this quite a bit throughout this presentation to just straight up disable functions that adversaries like to use all right we got one more sample application and then we'll actually get into some I stuff so our second appc here we've got a function that returns an array of strings uh and then just iterates over them printing them out if

we give it a run we'll see there's an interesting user in the middle that probably doesn't want to be showing up in this log so we're going to help filter them out so because we're interested in uh running stuff on the results of a function we now need a postfix hook so this will go after we've got a riff keyworded string array double uncore result parameter it's a double underscore result because that's Harmony's magic value that'll be populated with the return value of the uh the target function in this case the array of users we've got a string array because that's the return value or the return type of the target function and ref keyword because we want to actually

be able to manipulate it if we just wanted to log these parameters we wouldn't need that ref keyword all we're doing then is completely replacing the array with a new array that contains all users except for good old totes legit for give this a run we've now completely filtered that user out so we've tampered with the output of this function uh plenty of ways that this can be very useful especially if you're going to be a dick and filter yourself out of logs uh you didn't learn it from me all right I think it's been about 20 minutes I think it's time we actually get into some I stuff uh for the this section of the presentation we're

working under the assumption that uh we're on the blue team like we own the server legitimately not we own the server and we can do whatever we want uh we're going to be going with the more official way of extending I's capability uh which is known as I modules we're going to be using an i module to essentially bootstrap our mods into uh Harmony so if you've never heard of IIs modules uh we'll take a look at where they are this is the I uh user interface if you've never seen it before uh if we click the really small button that's in slight blue in the middle uh we'll be able to see the list of modules that

come with I these do everything uh in the guts of IAS from like handling authentication to session man management uh logging all that sort of stuff so we're going to make our own one of these slot it into I and that will be how we get our code running so to ride an i module is dead easy uh especially when we're not using like 99.9% of the capability of these things we're just going to use it to load Harmony so that really small code up there that's probably damn near impossible to read is uh our I module uh I'll read to you though so you're fine uh so to make an i module we need to

make a c uh class class or C library application not a console application so we want a dll not an XE we need to make our class implement the IH HTTP module interface to do that we need to imp uh have a a nit and a dispose function the unit functions gets called anytime a new version of w3wp is created so a new instance of I's request processor dispose is called whenever one of those is destroyed but we're not doing anything in dispose so it's fine in a nit function every time a version of I is created we need to create a new instance of Harmony and call Patch all that will go through and load any of the

mods that we've uh created later in the presentation all of those will be just appended to this file down the bottom as just more and more classes so I won't be showing this again later on but any of the mods that we develop from here on out just assume they go into this file the only other thing of note in this file is we've got a log function that writes uh messages out to a text file uh it's a paining the asked to attach attach Visual Studio to IIs to get debug messages out so this is just a convenient way of seeing the output of our mods now that we've got our I module complete we compile it that'll give us a

do net assembly or a d we need to copy that to the bin directory of our web server or our web route uh on a default install of I that is C inetpub wwwroot bin the bin directory doesn't Exist by default just make it it'll be fine uh now I isn't stupid it's not going to just randomly execute a DL you drop in a magic directory we need to register our module uh we do that through that screen that we saw uh previous slide that listed all of our modules we click add managed module in the top right uh give our module a name can be anything you want uh we need to specify the type of our module so the

type is our Nam space in the top left dot our class name hit okay you'll get a warning that it can't find your module that's fine it's looking where system assemblies exist not in the bin directory uh it'll work later don't worry so to test out of our module just open up a web browser browse to any old aspx page hosted on our site and we should see a message pop up in our log file saying that our mod has loaded so we're good to go we've bootstrapped Harmony we're ready to start writing some mods before we do that though we should probably work out what we actually want to achieve The NET Framework is freaking

huge like millions of potential functions that we could Target so it helps to have a general idea of what we want to achieve now for today's presentation I'm going to give us the goal of working out what uh the webshell we saw earlier does so this webshell is Anor uh it's available on GitHub open source uh mostly in English you might need a little bit of Google Translate to help with some Chinese but it's fine uh so we'll get we'll work out what the ad AR is actually doing when they call uh this shell so for starters we need to work out what functions we're interested in here we got the obvious one at the start

eval would be nice to see but uh there's a few others in here we could potentially Target get string is a possibility I'm going to go with from B 64 string instead main reason here is adversaries love to B 64 encode everything uh if we go with get string we'll get all the strings that's fine if we go for from basic 64 we'll get all the strings any net assemblies they send any encrypted blobs configs files all sorts of weird and wonderful crap that they'll send us so it's a much nicer one to go for now I don't know about you but if you've ever done any net uh programming evl is not actually a function it's kind

of a a function that exists in the jscript side of things that gets uh mapped to something else at compilation time so we'll have to do a little bit of extra work to work out what we're targeting there uh the adversary has given us the the full class path and everything for the uh from Bay 64 string though so we're good to go and start hooking that one so in order to work out what the evl function is we'd have a few options uh none of them I can do in this presentation because quite frankly they will take too long the way I originally worked this out was compile that shell and then like put it on an iOS server

access it decompile the version that I builds and take a look at the uh the decompiled source that will be done post translation of uh this jscript code to net and allows us to go and see what that function will have been turned into in this case uh it's turned into microsoft. jscript evl and it's this jscript evaluate function uh other ways you can do this is try and write code like for other functions that you're trying to work out write code that uses the target function and use a bit of a debugger to see you know what ends up in it uh read documentation Google your friend sometimes s God help you chat GPT might

do something uh so we've got a function here that we can write a mod for now if we're interested in it but you'll notice there's actually two different functions called jscript evaluate they have slightly different parameters in them we could just write two different mods here and hook both of these functions but that's extra effort uh if we look towards the end of both of them they actually both call this do evaluate function so if we just hook that instead there's only one version of that so we get away with a single mod so we've not now got our Target functions that we're going to write some mods for so let's actually write these uh

we'll start off with the do evaluate function so we've got a type of microsoft. jscript evl do uh evl and a function of do evaluate the type array is actually truncated on the slides but we don't actually need it in this case because there only is one du evaluate function within that we've got a source parameter that we're just going to log out to the console so very similar to that very first mod that we wrote uh how do we know what's the source parameter we got docs so we got documentation for the original jscript evaluate function which ultimately called this do evaluate function so logically The Source parameter that you definitely cannot read on there but it

says the code to evaluate probably the parameter that we're interested in the other option is again debugger step through this thing and see what ends up in these parameters or there's only three of them just log them all see what happens the next mod that we're going to do is our from base 64 string uh function and this one looks a little bit more complex than any of the previous mods we've done we've got both a prefix and a postfix function here so the main reason for that is I want to log both the input and the output of this function uh because if an adversary sends say a net assembly Bas 64 encoded we decode that we convert it to a string

and write it to the console pretty good odds our log message is going to say MZ null and we've lost all of that useful information whereas if we log the input as well we get MZ n and 100 kiloby of B 64 encoded data we can go and look at in other things now there's no way in harmony itself to get both the input and the output at the same time the way we can work around this is with something that Harmony calls state so double underscore state is a special uh parameter that you can supply in harmony the type can be whatever you want as long as it's the same between both your prefix and your

postfix function and anything you assign to this double underscore State parameter in your prefix function will be available to you in your postfix function uh so in this case we assign the parameter s uh remember we don't control the names of these parameters that's the name that Microsoft uses for the actual parameter in from Bay 64 string so we're assigning the input string to that double undor State value this allows us to then log both the input and the uh output to the console all right let's uh let's see our mods in action we recompile everything we recopy that DL over to the bin directory we don't need to re-register things with I or anything all of that's

uh taken care of for good now so uh all we need to do is get our adversary to attack us again so we'll uh go over to anord and we'll run our Command again uh also too small but uh that's who am I and they are running as n Authority system so adversary is having a good day here so you can see how little output showed up on the adversary screen uh let's see how much we got with our uh out logging holy [ __ ] that's a lot all right we'll go through it line by line and work out what we've actually got here so I'll put the webshell back up there so we can start to see where some

of this data may have come from and uh right away it's looking pretty promising our first call to from Bas 64 string has an input parameter of UA in the highlighted blue box on the uh screenshot we can see there is a call to from B 64 string with a parameter of UA we got another one with mq so it looks like our b64 Hook is working the output parameters are boring as hell but whatever next up we've got this giant b64 encoded string it's not immediately obvious where that comes from but if we look at the box up the top we can see bits of it dotted all throughout it so it seems like everything between the evl

brackets of the uh the whole webshell ultimately is just to construct and then decode this base64 encoded string uh if we see down the bottom that's the output of that string that is now that is the furthest point you could have gotten if you were to statically analyze this so if you were to manually decate that webshell that uh block of jscript down the bottom is the furthest you could get we can go through that jscript and work out roughly what we've got so far so we've got two numbers uh anord uses these as like a bit of a a delimiter sort of thing so if you pass a number to the evl function it outputs the same

number so if you put one of those at the start and the end then you've now got two known numbers you can look for in the response data coming back and just pull out everything in between and pretty good odds that's the output of your function you're interested in other than that we've got yet another called evl this time wrapping a post parameter called Ant so uh we've already made it way further than our original I logs got us or anything like that moving to the next section we've got our first call to JS evl and surprise surprise the contents that we just b64 decoded are passed to eval so ultimately this call is the equivalent

of the entire web sh uh executing straight after that we've got yet another call to J this time it's the equivalent of whatever is inside that ant parameter so this is information that we have not been able to see so far this is only available because we wrote this hook and we'll see that this is yet another C to evil with even more B 64 encoded data with another post parameter I'm not going to go through any more of these it it does this four or five times uh just slowly pulling out more and more stuff we'll just jump straight to the final call to evl which has something you know actually interesting in it so here we've got the final payload

that was sent to our web server and we can see right at the start we're starting off much stronger system. diagnostic do process info so we're creating a process here uh we've got quite a few request items here so more post parameters unfortunately we didn't have anything we hooked to get visibility of post parameter uh parameters but uh adversaries love to B 64 encode everything so we got them through that so we can see that uh they ran cmdc who am I so we've been able to fully reconstruct the actual command that the adversary sent to us I will acknowledge that I was [ __ ] on the subpro Space Shell at the start and now

I used one as my demo uh anord does far more stuff than this and uh would be able to pick up all of it it's just this is a nice demo to do uh what did our lovely I logs get during all of this someone run a post command nice so I'd say we've successfully improved our visibility quite a bit but uh if we go back to that last image there's something quite interesting towards the end response. write that sounds like something we could have some fun with so again response. right in jscript is not actually response. right in.net it's HTTP response. so we can rig up a basic module that just logs all calls to

http response. do not do this on a production server will have a very bad time but on our uh especially not a a Exchange Server uh but on our test server that is only asking the adversary using it we're all good here so we're just going to write out the contents of whatever the adversary is attempting to send back uh if we rerun our attack we can see that we get back the output that the adversary is getting sent and we've actually analyzed enough of anord now to know exactly what all this is we've got the numbers either side uh screenshots were taken a different time times that's why they don't line up but uh that's the

numbers we've got the output of their command who am i n Authority system some random number CD some random number so the random numbers are the same thing again they're a delim delimiter that's been put in this time they have to use Echo because they're running it in sort of the context of CMD not that evl command uh but it's ultimately to delimit the output of CD on Windows CD doesn't uh change directory if you don't pass parameters like it does in Linux it just prints out the current directory so we can see their paramet surely we can tamper with them uh I'm going super ghetto here uh I'm just doing a fullon string replace on

the output of n Authority system if you were wanting to do this in a production envir I don't know what a production environment for modding a actor webshell looks like but uh if you wanted to do that you'd probably want to try and extract those magic numbers either side so you had a bit more of a a strong way of doing this rather than a ghetto find a replace please always run who am I and nothing else but uh we can see what this actually shows up as in their UI they run Who Am I who are any of us sweet we've successfully changed the output that goes back to the adversary that started to get me

thinking though that's a good looking terminal there's colors and [ __ ] in that like surely we can do more than just some boring line of text so here we've got uh anord uh the adversary is connecting to our webshell and then nicely zooming in the screen so that we can see them I've made a new version of this mod uh so when they run who am I we get some uh multi-line text uh that's say format in complete but it's a bit small uh we can do something a little more interesting than just text though I tried a bit of cross-site scripting in here because this is just an electron app uh they have actually

filtered that out I suck at crossy scripting though so who knows maybe somebody else could do it I can do colorful squares though and if we've started to you know have some friend with our aders have fun with our adversary friend maybe you're starting to suspect who they potentially could be who the boss

is so we've had some fun with our adversary but I think it's time we break up with them and we going to be a massive dick and we're just going to ghost them so we'll write one last mod we're going back to our do evaluate function uh but this time we've changed the return type to Bull and we're returning false adversary can keep lob and payloads as much as they want uh at us now but eval is no longer allowed to execute from their end uh they've been completely ghosted they're getting absolutely no output again so uh eval shells will never work on this host again unless the adversary can somehow get their own mods on this there to

unhook our hook so that's more or less it on the defensive side of things uh JS EV shells again broken forever but that's only a small percentage of what adversaries use these days I've got three other things up here that are way too small so I'm not going to go through them in uh great detail but uh we've got subprocess based shells reflectively loaded net assemblies and Microsoft got rid of evl in C and they decided the great replacement would be dynamic compilation of source code the bottom shell will get rid of that adversaries do all of these things quite regularly uh yeah if you could uh run all of these on a production web server you would probably

stop 99% of webshell based compromises uh but they're too small so we'll skip through them if you're interested in this stuff uh chase me up afterwards and I'm happy to show you these ones all right so let's get into the offensive side of things uh on the offensive side we can do some interesting stuff like like uh intercept information that other people send to the we uh send to web servers so when we do stuff from a webshell usually anything that we run is running in the context of us as the attacker we've logged into an exchange server or something but it's still happening as far as uh as like our authenticated session through a mod we're sort of

running stuff as part of whoever calls that function so make gives us some uh interesting opportunities other than that we can uh yeah it's not to say that we can't do a lot of stuff on the offensive side it's more that by the time you can deploy one of these mods you've got far better ways that you could do just about anything uh you need a webshell to get all this stuff loaded do your subprocessing do your persistence do your file exfiltration do all of it through the webshell don't [ __ ] around with mods it's just not worth it for this so for once we have something that's nicer for The Blue Team than the red

team uh so for my uh offensive demonstration I'm going to avoid doing a i module again uh just so I can show you another way that we can get Harmony up and running so we're going to use Game mods to develop a Microsoft Exchange owwa credential logger in the form of a webshell uh now webshell code uh we'll start by writing the webshell then we'll get into the mod itself so this is our basic webshell uh we don't need to know too much about this stuff uh to write a webshell you implement HTTP Handler make a process request function process request function will run anytime a request comes to your file so like my web shell. aspx will cause that function

to run our particular one uh we just pull out a parameter called mode like a get parameter if you set it to hook we'll run our hook code which we're going to write on the next slide uh our hook code will set up a hook that every time uh a user authenticates their credentials are captured and written to the creds array up the top uh if you run the list mode we'll iterate over that creds array and print out all of the credentials that we've logged and if we run clear we'll clear them out so that nobody else can see them so we'll go to our hook code uh I will say now this is written like this

is heavily using net reflection to dynamically uh locate and call stuff the only thing [ __ ] than talking through code is talking through reflection code like this stuff is horrible uh if you've never seen it before I am sorry uh take a photo and Google some of these functions because uh I don't have time to explain a lot of how this stuff works as for why this looks more complex though uh it all comes down to this first section so normally when we've started Harmony uh the very first thing we have to do is install it through nougat and then import it we can't do that with a webshell a webshell is more or less a blob of text that we trick a

server into writing to disk and then executing uh when we then when that happens we can't control the environment that this is going to be running in so we can't say by the way we need this game mod loaded into exchange so we can access all these types we need to bring all of that stuff with us that's what the red box on the left does so the very top line that's a truncated B 64 F uh string that is a 1 Megabyte B 64 encoded copy of harmony. dll uh so we're decoding that into a b if we had our previous mod installed on this server that logs from B 64 string we would see

this remember adversaries love to use B 64 we are the adversar now we've then got a call to assembly. load uh which takes that decoded uh net assembly and loads it into memory adversaries love using assembly. load uh yeah it's great fun so now that we've got our assembly in memory we're ready to start uh moving on with our hook so to get this hook up and running we need to find two key functions the first one is the target function that we want to hook so this will be the equivalent of our our log function or our eval function that sort of thing and this this case it's the handle FBA or form post function under

the microsoft. exchange. HTTP proxy FBA module type or class I didn't name this [ __ ] Microsoft did I found this stuff by just randomly reverse engineering parts of exchange till something said password uh so in or the other function we need to get access to or get a reference to is our our post or our prefix function so the function we want to have run uh anytime somebody attempts to authenticate to our targets server so we'll find the first function first uh to do that there's no real better way than straight up Brute Force so we iterate over all the assemblies currently loaded into our process for each assembly we then say hey do you

have the type we care about if it says no Then we move on to the next assembly if it says yes we say sweet give me a copy of uh or give me a reference to the function that I'm interested in once we've got a reference to that function we're good to go on that path uh the equivalent of doing this on our more C like we can import Harmony and use everything sort of thing is uh this access tools. method passing in the thing that we're interested in this is just a convenience function that Harmony provides to us that basically does everything on the left but behind the scenes uh when you start doing this

stuff manually a lot of it's pretty disgusting everywhere we can't use the nice and no patch alls or anything anymore because we're targeting uh functions or we're targeting assemblies that exist in other processes that you know we can't really uh build against next up we need to get a reference to our prefix function uh now we're not constrained to calling it prefix anymore we can name it whatever we want so I've named it on Exchange login so this function will be executed whenever somebody authenticates to This Server thankfully because this belongs to us it's part of our type in this case our type is my loader uh we can just use type of my loader doget method on

Exchange login so we've now got a reference to both the target function and our prefix function now uh the equivalent of doing this on the regular old C uh application side is actually exactly the same when you start dealing with reflection there's not really a nice way around it now Harmony expects our prefix function to be wrapped up in a nice uh class called Harmony method so we need to get a reference to a Harmony or the harmony method type and call the Constructor of that passing in the parameters that in are interested in uh this looks something like the bottom right where it's New Harmony method prefix so we're just locating the target type uh calling the Constructor of it

and passing in a reference to our prefix function almost there we now need to finally create an instance of Harmony itself so this is exactly what we've done several times before same general idea we find a reference to the harmony type and then just call the Constructor of it passing in our identification string last but not least we call Harmony uh we call patch on our Harmony function passing in a reference to the Target function and our wrapped up prefix function so if all of that works we should be good to go uh one last blob of code and then we're ready for some videos and we're almost done uh this looks like a lot we

actually don't need well we don't need all of that bit in the middle that was directly lifted out of the target function that we're hooking it just determines whether this is actually an Authentication request or not so we we don't have to worry about that what we care about is whenever our function runs we acquire a reference to the form being passed in we copy out the username password and password text Fields I no idea what password text is I just saw it there and logged it I've never seen it populated though we Mash all those together into a string and we add it to our creds array for later retrieval so let's see this in action on

the left hand side we've got our unsuspecting user that's going to log into their email account and on on the right side we have our attacker workstation uh so the attacker runs the hook command so that will initiate the uh the the hook user comes and logs into their email account they're successful good on them attacker comes back and runs the list command and we've got the clear text credentials of the administrator that just logged into their account for give it a second though and then refresh our log we get something interesting I wasn't expecting this when I started writing these demos but it seems like there's some uh automated authentication that goes on in the background of

exchange so these are Health mailbox accounts you can't log in with those creds or anything no idea what they're for put crap all effort into looking into these but uh if you know let me know so that that was more or less the end of the presentation until I realized I made a bit of a promise in the title and haven't really uh lived up to it I said we were going to Nuke a server and we haven't done that yet so uh let's burn a i server to the ground so we're going to go back and replace our cred logging function with a nuke function uh when somebody logs into their account passing in a username that

is anything other than one of those uh Health mailbox accounts we don't want to do this when an automated authentication occurs we want it to be a real person that like sees this uh when that happens yep uh we're going to acquire a reference to physical disc zero so this is your hard drive and we're just going to write some zeros over the first uh 5 12ish bytes which contains the master boot record uh if you don't know what that is it's the thing that tells you you have petitions and if you don't have petitions you don't have a computer uh after that we shell out to Powershell to restart the machine because even though we're running a

system and we have permission to erase the MBR we don't have permission to shut the computer down uh turns out the system user doesn't have that privilege there's ways to give it to yourself but it's far easier to Shell out as administrator that does have that permission so uh one more demo demo and then we're good to go so on the left we've got our actual exchange server top right we've got our attacker workstation bottom right we've got our unsuspecting user just trying to check their emails so we run the the nuke function this is implemented in the same way as our hooks from our previous slide nuke is armed someone comes LS into their

account bye-bye server tries to shut down and tries to fire up again like all good servers should it seems there's no petition tables left so game mods can give us amazing visibility of stuff like we can see things that you would never be able to see even through full packet capture uh they're not just for party tricks like nuking servers do not nuke somebody's server and if you do do not blame me uh I do recommend giving this a go though it's a lot of fun you'll notice a lot of the mods that we demonstrated today were you know one line of code two lines of code they were very simple if you started doing this uh

in a more I guess again professional sense or trying to do something more interesting with this you could come up with some very interesting stuff so really your imagination is the only limit uh happy to take any questions

any questions for Adrien see anyone I will take stun silence po demands them I can hear someone there we go when you a dll I I hear whistling and stuff is that a question when you've got a dll you might loading the dll when you compile it in C sh it makes references when you're hooking a function those functions are local to the dll or they're local to the process must be the process because you're hooking process level functions in is that right yep that's right uh the main reason it all works is the IAS module that we wrote for the the I related stuff is uh getting loaded by I that's been loaded into the the instance of

w3wp that is actually handling your request so when someone authenticates to their uh email account uh that authentication request is being handled by that IIs worker that our mod has also been loaded into and being able to hook those functions so yeah there's no no crossprocess stuff going on here uh hey buddy um what sort of logs and stuff are generated when you load an i module when you load it into I as far as I know nothing uh I mean I mods uh or modules rather I shouldn't say mods because it's yeah you know part of the talk I modules uh just a native part of how I works so as far as I know you wouldn't see much

uh that being said they're not you know completely impossible to see we saw the list of installed modules uh halfway through the talk so forensically this is not a stealthy attack like you come along and just list the modules and all of a sudden you've got I mods. mods uh it's going to look a little sauce hello hello so I have a two-part question uh I've written in here it says hooked function from in a hook what happens do you know what my question was and B what the answer is I do know what your question was you're talking about me saying that you shouldn't call the log function from within the hook that is hooking the log function that you

shouldn't do that because you cause an infinite Loop because when you now try to call the log function Harmony toes over and says well there's a prefix hook for that and it calls your prefix function again so you're basically just infinitely calling your own prefix function trying to call the log function was that both the questions yes yes it was so if I do that is that like going to be another nuke uh yeah sure if you want a nuke yourself uh I it's it's a typical recursion thing then so you'll hit like the the stack limit of you know however many functions deep you can call uh it's dependent on the language there but I think a lot of

them it's like 512 24 like eventually you'll just get a big ass uh exception thrown that'll print out four pages worth of log prefix log prefix log prefix uh Here Comes Jess there's one up the front here just no don't shout it doesn't work it's a good workout being a runner in this uh theater you mentioned uh doing doing these things will kind of prevent 99% of uh you know web exploitation web shell or or whatnot uh do you have an idea on how much that will break legitimate applications absolutely that was part of the talk until the code was too small to talk through uh subprocess based uh shells like if you hook process start

it's probably going to be fine for 99% of web servers out there uh if you were to hook assembly. loadad most normal web servers will be fine I know things like exchange do legitimately use assembly. load in some places uh a lot of cms's and plug-in based systems use assembly load as well so that would break them but that's assuming that we go full nuclear like return false we break that function permanently the advantages of this approach is we can selectively decide when we return false so we can build a a bit of like a wh list in saying these functions are allowed to load or these assemblies are allowed to load anything outside that list we

return false for and we disable that function Dynamic C compilation I think will work on like 99% of servers unless you doing some really dumb [ __ ] uh but from what I from past experience people do a lot of really dumb [ __ ] on I so uh test them in your Dev environment before you go to prod awesome I think we'll we'll um end it there great talk another round of applause for Adrien please thank you