
[Host introduction, mostly inaudible] ...and Will himself, but he does have one request, and as I do not know who the Nazis... well, I'll explain that on a later slide. Come on up, sir.

So, yep. My name is Will Schroeder, I go by the Twitter handle @harmj0y. I'm a security researcher and pentester/red teamer for a company called Veris Group, LLC out of Virginia. I work in the Adaptive Threat Division of the company. I'm a co-founder and one of the main developers of a project called the Veil framework. How many of you have actually heard of the Veil framework? Okay, a few, so that's a lot better than almost a year ago when absolutely nobody had heard of it.

So our goal is to bridge the gap in the pentesting toolkit. It started with a tool called Veil-Evasion, which we presented at ShmooCon this past year, and that tool is an open source, kind of modular framework to generate AV-evading executables. I kind of started this about a year and a half ago, and I didn't really know anything, so all the efforts up until this point are about a year and a half of seeing what's out there, doing a little bit of original research, trying to build some toolsets, and stuff like that. So I co-wrote Veil-Evasion, I wrote a kind of delivery tool called Veil-Catapult, and recently I released a tool called Veil-PowerView, which is a PowerShell-based kind of network or domain situational awareness tool. I presented at BSides Austin, if you want to go look at that, on the Cortana attack scripting language, and I got accepted to DEF CON, so I'm pretty stoked about that; I'm going to be releasing a new tool called Veil-Pillage, which is a kind of post-exploitation, modular type of format that ties in with the rest of the framework.

Real quick, kind of what I'll cover today. I'm not going to go through too many slides, but they kind of go, at least I think, reasonably into the technical weeds. Hopefully you'll have a really good understanding of exactly what PyInstaller is, how it works, and how to modify it. I'll kind of start with why we use it, what PyInstaller is, a little bit of background, then I'll go through kind of the initial thing that led to this entire project: there's a particular bug in Veil-Evasion we couldn't quite figure out for a little bit, so I'll trace through exactly how we solved it and how that resulted in this separate project. I'll go really in depth on how PyInstaller works, I'll talk a little bit about this project that's released, Pwnstaller, which in 20 seconds is an obfuscated PyInstaller loader, and then I'll take some questions, so you guys don't boo me off the stage.

Real quick caveat: this is a proof of concept based on an idea we had. I'll detail the problem that prompted this, walk through the solution, and show you the POC. These are the kind of talks I normally like to go to, or at least I've tried to kind of explain how I went about the problem instead of just saying "here's a tool, let me just run it." I'm sure there's a better way to do this, but it seemed like an interesting concept and I wanted to get it out there. Really, you know, I love talking about this stuff, so in the end, you know, DM me on Twitter, email me, whatever. These slides, I actually tweeted them out under the hashtag #BSidesBoston, or whatever the BSides Boston hashtag is, and under my Twitter account, @harmj0y, in case you want to follow along or look at them after.

PyInstaller 101, if you're not aware of what it is. Straight from the website: it's a program that converts, or packages, Python programs into standalone executables. The main site is pyinstaller.org, and it's been around since, I think, the early 2000s; it's been 10 years or so, it's pretty well established. I forget what version they're on, but it's an active project, it's a really cool effort, they do great work, and essentially it packages up Python scripts into OS X, Linux, or Windows self-extracting executables. This lets developers distribute projects without relying on an existing Python installation. Like I said, I'll go over exactly how it does this. So pentesters started to realize a few years ago that we could use this to package up malicious scripts, like shellcode injectors or stagers and all that kind of fun stuff, and this is very advantageous, and it still gets by a lot of antivirus. A lot of legitimate projects use PyInstaller; there's actually a list up there. Dropbox uses a modified version of it too, I think, for the distributed binary. I'm forgetting, but a fairly good number of projects actually use it; Volatility, I believe, is listed, things like that.

Then Dave Kennedy released a tool called PyInjector in 2012, which is based off of shellcodeexec (I'll mess up the pronunciation) by Bernardo Damele. The original posts are there, some links there at the bottom, and Dave Kennedy's post under TrustedSec is right there. Basically this was a way of using Python and ctypes to inject shellcode into memory, and SET, Dave Kennedy's SET tool, actually uses a kind of slightly obfuscated version of PyInjector, and so it's kind of like a phishing payload delivery type of thing. Now, this caught on; for the past two or three years it's been a pretty popular vector with pentesters.

Up until a few years ago we really didn't have to worry about antivirus. Like, the stock Metasploit stagers from the framework would very often just get by anything, and stuff was terrible. So finally, as AV is starting to catch up, people moved towards this method. So PyInstaller and Veil-Evasion: Veil-Evasion sets up PyInstaller to run under Wine on Kali Linux so Python payloads can be compiled up natively to Windows .exes. This generation is completely transparent to the user; you don't have to take files and drop them onto a separate Windows install and do that kind of stuff. It allows the dynamic generation of Windows payloads on a single monolithic attack platform. And even though a lot of this stuff in Veil-Evasion wasn't revolutionary, and we aren't claiming credit for these techniques, we feel like we really kind of packaged it up into a really nice, easy-to-use framework. There's also modularity, where you could write your own, say, Python-type stagers or something, drop in the module, and take advantage of the compilation, take advantage of all that kind of stuff.

So one of the methods in Veil-Evasion for some Python payloads uses void pointer casting for shellcode injection. This is kind of, whenever you see tutorials and stuff on how to write shellcode, this is like the most basic way, basically just jumping execution to it. But in some of these payloads this can fail if the memory location is not explicitly marked as executable. So alternatively, the other way people tend to inject is using like VirtualAlloc, RtlMoveMemory, CreateThread, and all that kind of stuff: do it manually, allocate a chunk of memory, execute. With void pointer casting you kind of have to rely on the address space of, you know, like the stack and heap space for the executable, already being marked as executable. So most systems are going to use opt-in DEP enforcement policies, so if these executables opt in to DEP, or Data Execution Prevention, and your data isn't executable, then you get an access violation when you try to run this stuff. So if the executable opts in, void pointer casting will fail.

So we ran into this weird, really kind of weird Veil bug a little bit ago, where Python void pointer payloads would work as Python files. Like, if you just took the file and put it on a Windows box and ran it, it would work fine, it'd be great. But if you packed it up into a PyInstaller .exe, it would fail with an access violation, although it didn't tell us that at first; we had to go through with debugging and everything. We tracked it down and figured out that even though the python.exe used by PyInstaller does opt into DEP, the resulting PyInstaller payloads don't actually opt into this protection. We were like, what, this doesn't really make any sense, it's using the existing python.exe, like, what's going on here? There's a post down there, veil-evasion.com, [inaudible] PyInstaller, that goes over this in more detail, which I think has since changed to veil-framework.com, on DEP and PyInstaller. So that's kind of what started investigating the really kind of inner workings of PyInstaller, so we could track down this bug.

So the next few slides, I'm really kind of going into the weeds of exactly how PyInstaller works. So it uses a self-extracting CArchive data structure to package up the Python DLL, any necessary libraries, and your target script, whatever you're using to actually run, whether it's the Dropbox program, whether it's a shellcode injector, PyInjector, whether it's a native Metasploit stager, or whatever it is. This CArchive operates basically like a compressed zip container. Then the archive is attached to the end of a little launcher executable; I'll have a diagram in a second. And there are several versions of this little launcher executable. We use one that's included with PyInstaller called runw.exe; there's run.exe and runw.exe; runw is the Windows GUI version. We use this so we can hit a flag that actually hides the window, so all the execution for whatever we're doing is completely transparent to the user; otherwise a console pops up and that's suspicious. So all in all, there's only one little launcher .exe that we ever actually use for packing up stuff for Veil-Evasion.

This is a quick diagram I've recreated from their website; this is in the original source, but you see up there, like, the little launcher .exe, this is the entire CArchive, then everything here is the Python DLL, this is where your actual script is, and all that kind of stuff. So this is what's actually extracted to disk temporarily, then a couple of functions are registered, or exposed, and all that kind of stuff, and then this is launched.

So on execution, the launcher .exe decompresses it to a temporary location, loads the Python DLL using LoadLibraryExA, maps out the entry points to the Python DLL for all the necessary methods, sets up all the environment, starts the Python process, imports all the necessary modules, whatever is included (like we actually have AES modules included for encryption and all that kind of stuff, or whatever networking type things), and then the extracted script is run using this exposed DLL function, PyRun_SimpleString. So in English: a mini Python environment is extracted, the components are set up, the script's run, and it's just really nice in that you can run Python scripts without having Python installed on the target machine. Probably sounds like I'm repeating myself.

So the DEP policy is determined by that little launcher and not by the Python interpreter like we thought it was. So the next step, we're like, okay, let's recompile the PyInstaller launcher with one that doesn't opt into these protections. Luckily PyInstaller's open source; again, there's that link I talked about, where we go into detail on how you can recompile it on your own Windows system and actually get this little launcher that does not opt into DEP. Oh, and it's all in the Veil bug. So the precompiled versions of these two little things are in PyInstaller/support/loader, whatever it is; the source files are actually included under PyInstaller's source, grab them off GitHub. I think the version we're using was actually like [inaudible], because we started using it about a year ago; we kept it at like 2.0-something, I think they're even at 3.0. The runw is the one we want to regenerate for Windows executables, and for the binaries that you use there's a really wonky build system called waf, and they have these waf scripts there, and it took a while to figure out how the heck that actually worked, but you can add this particular flag right there, link flags /NXCOMPAT:NO, which turns off DEP. I'll give you the link and everything, and that blog post will tell you in detail how you actually do it. This will instruct the Visual Studio linker to turn off the opt-in DEP compatibility.

So awesome, there's a slightly different little launcher, it's great, it lets us run more injection methods in more environments and on different machines. But our project is supposed to be focused on evading antivirus, and if you have a static, uniquely compiled little executable, it's a great way of being like, hey, you can write a signature, even just a static signature, just for this, and it would only hit on Veil-Evasion payloads or something like that. That's why we didn't actually include a recompiled version with the tool; we just told people how to kind of do it themselves, because you'd just be really kind of throwing a softball to any vendor that's like, oh, let me just MD5 the first 200K of this, and you can actually see it's Veil-Evasion. So I kind of dug into this a lot more and figured out that you can actually recompile the PyInstaller launcher on Kali itself. Today we just have Wine running PyInstaller and packaging everything up; we can actually recompile it. It's not simple, but there's a way to do it using MinGW, get all the linkers and GCC and everything like that, several lines I had to extract out of the stupid waf thing or whatever. But this makes it trivial to make some small changes and recompile it, so you can at least have, you know, [inaudible], in case this is submitted to VirusTotal or whatever else; at least it's pretty easy to change it.

So I started thinking, okay, now I figured out how to recompile this, why don't we make it just a little bit harder to flag on and start to introduce a little bit of obfuscation. So the first thing: there's a pretty small number of files actually that you need to recompile this: utils, launch, main, and extract, like a little C library for the CArchive extraction kind of thing, but it's only, you know, under two thousand lines, straight out of the gate from the GitHub stuff. So like okay, isolated that, found what was needed, let's see what you can actually do to do some unique generation. An initial goal was to make ssdeep, which I'll explain in a couple of slides, as useless as possible against families of our generated launcher. So my initial thought process was, okay, what about any unnecessary code, anything for like the OS X, AIX, Linux, whatever compatibility: that can all go. Randomize, shuffle anything we can, you know, include a bunch of random libraries, all that kind of stuff, like put padding in, you know, mix everything up. But you know, it's still pretty basic; this didn't exactly take that long. This is just a very first step, but like, okay, whatever.

Then, Billy Mays, "but wait, there's more": we go a little further and have fun with anything that does really basic dynamic analysis. So this is the approach that we use in our C Meterpreter payloads in the framework. A really quick sidebar: instead of just shellcode injectors, we have straight higher-level Meterpreter stagers, so instead of just taking, you know, msfvenom-generated shellcode and injecting it in, you can actually take these API calls in a higher-level language and write a native Metasploit stager. If you're interested in that at all, which maybe there's like two of you that are, either email me or watch our presentation at ShmooCon, which is AV Evasion with the Veil Framework, where we go into that in detail. But so with the C stuff, we figured out several months ago when we released this stuff that C is the hardest thing to get through AV. Obfuscation on Python is fairly easy because it's all wrapped up and it's essentially, kind of like I said, almost like a legitimate packer kind of thing, it's putting a zip archive on. But with C you have to [inaudible], because, you know, you're not writing straight assembly, but it's about as bare bones as you can get. So we instituted this type of obfuscation: we had a lot of fake dummy methods that are nested and inserted all throughout the code. There's a whole lot of processing that doesn't end up doing anything logically to the program, but it'll spike the CPU for a while, and if you try to look at, like, a call tree of the program, it messes everything up. So really super basic type of anti-dynamic-analysis stuff that, you know, just immediately tries to run a few frames. This seems to be pretty effective; I don't think these Meterpreter stagers are caught still, even though they're open source and they've been in the framework, which is now semi-well-known, for six-plus months.

So we took some of that obfuscation, and I was like, okay, I'll just implement the same kind of idea for the PyInstaller stuff. So I think if you look at the code it's always like [inaudible] and all this string processing, which I've inserted once, and all that kind of nasty stuff. And then finally, the default PyInstaller icon is pretty recognizable. Someone on Twitter actually asked us, you know, people like us, about changing that all the time, instead of just looking at the little flags and realizing it's not hard to change. But now with this Pwnstaller thing, it has a folder with a whole bunch of icons that are all freely licensed and all that stuff, so it randomly chooses from these; you can replace them if you want.

So the end result, Pwnstaller: every time this generator runs, obfuscated code for every single source file that's needed is generated. You know, just randomizing the names of stuff doesn't really do anything, I think the symbols are still stripped, but this logical obfuscation is added into everything dynamically as well. A randomized icon is chosen, MinGW is used to compile everything up into a new little loader, and that's copied into the correct location on Kali, or wherever your PyInstaller is located. So it's pretty transparent. This is actually standalone for Pwnstaller, and it's also being integrated into Veil-Evasion, and I can hopefully do a short demo or something here in a little bit.

So ssdeep, if you're not aware of what ssdeep is: it's a kind of basic fuzzy hashing tool, which the academic way of saying is context-triggered piecewise hashes. So on their page they say you can match inputs that have homologies, which is a biology term, which is a fancy way of saying what's the degree of shared ancestry for this particular kind of pool of information, or genes for genetics. So this tool, which was born from spam detection processing type stuff, you can run it over a larger set of files, and it does these kind of piecewise hashes and it can basically tell a degree of similarity in the code base, at least for the executable, the raw compiled bytes. So, alright, I'm not a reverser, but I have a few reverser friends, and they kind of suggested that just for a first kind of pass on this stuff, a lot of times they'll run samples through ssdeep, especially if they're triaging a large number of executables, and I've heard different numbers, but one of my friends said that if two files hit with a ninety percent similarity, then they tend to usually conclude that it's like a similar malware family, or at least they were related, maybe they had the same initial generator or something like that. So that's kind of really useful for kind of easy, basic static analysis stuff, so that's what I ran with.

So I ran this code a thousand times, generating 1,000 different little loaders, not the full PyInstaller thing, just the little executable on the front. So a little combinatorial math: that's 1,000 choose 2, which is 499,500 possible combinations of one loader to another loader. So of all those pairings, seventy-four percent scored 30 or better, forty-six percent scored 50 or better, [inaudible] percent scored [inaudible] or better, and none of them scored 90 or better. So at least from what I understood with my limited knowledge, none of these loader pairings seem to score as a similar malware family. This is a graph of all the comparisons; you see a big spike around 50 or so, and a little bit around 75, I think. So yeah, this is just kind of the first pass on all this obfuscation, but it seemed to be relatively effective at generating a statically different little executable. So in plain English, each PyInstaller loader is reasonably unique from a basic malware or static analysis perspective. Competent reversers would be able to figure out what's going on with this in no time. I'm not trying to write some, whatever, APT malware, but, you know, hopefully our point with this is just showing that static signatures for AV detection are pretty useless, and that's the whole thing with our project: we've been pushing forward saying AV vendors have, you know, kind of conceptually failed. The thing with Symantec came out recently, saying, yes, yes, we failed, we admit our product is terrible, which is funny because Symantec is actually one that we go up against. But static signatures, that's why we wanted to show this, to land on the Pwnstaller thing: that every time you generate a new Veil payload, it's pretty reasonably different, and you can't just write a static signature, and if they get submitted to VirusTotal, each SHA-1 hash is going to be different every time. So that's our main kind of goal. It's not to, you know, solve a hundred percent, some crazy, whatever, DNA-correct thing or something like that; we're just trying to piecemeal get there, and the first thing we're trying to demonstrate is that static signatures are terrible. I'm sure there are other, better obfuscation methods, for any old-school malware writers who happen to be in the audience or watching at some point or something like that; if you think there's a better way to do it, please do, pull and take my code, you don't have to credit me, it's GPL, do whatever you want with it. But I kind of want to get this idea out there: okay, if some of these AV vendors have started to flag on the little PyInstaller loader, which I can't see why they wouldn't, why don't we make it just... raise the bar just a little bit.

So Pwnstaller 1.0, there's a blog post on my site about it, the code's up on GitHub under harmj0y/pwnstaller, and it's in the development branch of Veil-Evasion; it's going to hit on 5/15. So every month we do something called V-Day where we release new payload modules for the framework. We've been doing this for, I think, like six, seven, eight months; we still have enough research for like another year of releases, and some cool stuff coming up around like the DEF CON timeframe and like the DerbyCon timeframe and things like that. So all Python payloads now can utilize a dynamically generated Pwnstaller loader by choosing the option, and I'll show you what it sort of looks like, a little Python compilation thing. The default is still PyInstaller, because legitimate products do use PyInstaller, so there are some benefits for that. But if you're at a client that can, like, throw up custom signatures or something, you want to have something that dynamically changes. Some of these are going to work in some situations, some won't work in others; we just want to give people options for whatever they want to do.

Now, recap: PyInstaller is some awesome stuff. This will hopefully extend the lifetime of the Veil-Evasion payloads by making signatures reasonably difficult to write. This is, I'm sure, before my talk, the response I referred to on the Internet: "this is script kiddie garbage that harms users of PyInstaller with AV flags without benefiting anyone who matters. I hope you get booed off the stage," and things like that. So really, just, hopefully you guys won't boo me off the stage, and again, or maybe you're just nice and you'll come and tell me I'm an idiot afterwards.

This is my second shameless sidebar, one second: we actually got to hack into NASA at my job, which is the coolest thing I've ever done, so I had to plug that, whatever, hack all the things. But we have a really cool team with a bunch of OSCEs, OSCPs, OSEEs; it's the Adaptive Threat Division, we're based out of Virginia, we do red teaming and pentesting. We actually have a pool of research hours, so we don't only just have to do this on our own. I don't know many companies that are like, okay, here's a whole bunch of time, go research some cool stuff and do whatever you want and then go talk at cons about it, like here. So it's a great group; if you're interested, hit me up on the Google résumé room thing afterwards. Then, any questions? My Twitter, my email, there's a blog post about it, the slides got tweeted out, the GitHub's right there, or you can pull in the Veil-Evasion development branch now and the master branch will take it on the fifteenth. I'm sorry it's a little short, but that's about it. I'm not sure if there are any questions or stuff about maybe AV evasion in general, or about the ethics of it, or about Pwnstaller or PyInstaller.

[Audience question, inaudible] Does py2exe use the same kind of method? We couldn't get that running... sorry, the question was, does py2exe use the same kind of methods as PyInstaller? And I haven't dived into kind of the guts of py2exe quite as much, but the only way we could get it running was on Windows; we couldn't get it running on Kali natively. So we have it, it will spit out all the set of files and stuff if you want to, but you have to drop it on a Windows machine. Same kind of concept though, it's still extracting a zip archive. We just don't default to it, but we had that originally in and we just, you know, saw no reason to take it out, in case we know a few people use it sometimes. But it is, somewhat forensically, just a little bit different than PyInstaller in how the files are being loaded.

[Audience question, inaudible] So you mentioned the .exe is being generated; what about the rest of it, the Python DLL? We haven't dynamically done that stuff yet, um, that might be the next thing. Like I said, this is just the first version, kind of getting it out there. This stuff with these, like the Python DLL, is a known-good type of DLL, to where, like, I don't think, because some vendors maybe have started to flag on the little PyInstaller loader because all these people started using it maliciously, I don't really know how they could flag on the Python DLL itself, because that would probably destroy a lot of installations across a large number of clients. But this stuff is all zipped up anyway, so if it's sitting there on disk, unless they're doing dynamic analysis, they can extract the CArchive, inspect all this stuff, and then look at the script and do all those types of things. There's not really a way for me to get that out, unless they're doing proper behavioral analysis, which hopefully they move towards. Any other questions?

Cool, all right, yeah. Like I said, the slides are up. Any other questions at all? Hit me up after, or, you know, talk to me online, shoot me an email or something. I love talking about this stuff, AV evasion in general, or offensive type toolsets and all those types of things. Thank you guys, appreciate it.