Wednesday, November 22, 2017

Mitigating DLL MITM - Manual DLL Importation

Hello, guys!

In my last post I described the DLL hijacking / man-in-the-middle technique against DLL importation, and at the end of that post I listed some countermeasures for this kind of hijacking. The method described here is cheap and a little tricky for reverse engineering, but of course it is "ugly" and manual. It is just an idea, an exercise in thinking creatively.

Basically, instead of using the IAT to reach the function in the DLL, you set the function's address yourself. All you need is the offset of the function inside the DLL (its RVA): get the handle of the DLL module, which on Windows is the address the image is loaded at, and add the offset to it.

I will use the same example as in the last post. You can get the function's offset in several ways; in this example I simply take the function's address from the IAT and subtract the module's base address to get the offset.





With that offset we can write a dynamic function call in dll-consume.



As you can see, I declare a function pointer type, create a variable of that type and assign it the computed address at run time. This way I know exactly which code the call lands in. If I try to load the Fake DLL instead, the program crashes, because the Fake image does not have the function at the same offset. I renamed the function because I include windows.h, and that header already declares a send function (the Winsock one).

The only ways to bypass this are to patch the application or to build a Fake DLL that places the function at exactly the same offset. Note that the same rigidity cuts both ways: the hard-coded offset is only valid for the exact build of the DLL it was taken from, so any update to the legitimate DLL breaks the program just like the Fake one does, and the substitution is only "detected" by the crash.
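The "module base + offset" call from the post, as an added example that is not the post's own dll-consume code, written in portable C so it builds on Windows or Linux. It assumes the function to reach is a local function named secret_send in the running image (standing in for the renamed send export of the post's DLL), takes the image base from GetModuleHandle on Windows or from the linker symbol __executable_start on ELF, and adds the check a practitioner would want before calling through the computed pointer: that the offset at least lies inside the mapped image, so a wrong or substituted build fails cleanly instead of crashing.

```c
/* Added example, not code from the original post. The "module" is the
 * running image itself and the target "export" is secret_send() below,
 * an assumption made so the example builds and runs on Windows and Linux. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
/* On Windows an HMODULE is the image base; the PE optional header at that
 * base records how many bytes of the image are mapped. */
static uintptr_t image_base(void) {
    return (uintptr_t)GetModuleHandleA(NULL);
}
static size_t image_size(uintptr_t base) {
    const IMAGE_DOS_HEADER *dos = (const IMAGE_DOS_HEADER *)base;
    const IMAGE_NT_HEADERS *nt =
        (const IMAGE_NT_HEADERS *)(base + dos->e_lfanew);
    return nt->OptionalHeader.SizeOfImage;
}
#else
/* On ELF the GNU/LLVM linkers provide these symbols for the main image:
 * the start of the image and the end of its code. */
extern char __executable_start, etext;
static uintptr_t image_base(void) {
    return (uintptr_t)&__executable_start;
}
static size_t image_size(uintptr_t base) {
    return (size_t)((uintptr_t)&etext - base);
}
#endif

/* The function we want to reach without an IAT entry (stand-in for the
 * post's renamed send export). */
typedef int (*send_fn)(const char *msg);
int secret_send(const char *msg) {
    return (int)strlen(msg);  /* pretend this is "bytes sent" */
}

/* Dev-time step: compute the offset (RVA) that the consumer hard-codes.
 * The post reads the address off the IAT and subtracts the base; this
 * does the same subtraction directly. */
uint32_t rva_of(uintptr_t base, send_fn fn) {
    return (uint32_t)((uintptr_t)fn - base);
}

/* Run-time step: base + RVA. An RVA outside the mapped image cannot be
 * the function we took the offset from, so refuse it instead of jumping
 * into unmapped memory. (This only catches gross mismatches; a Fake DLL
 * that places a function at exactly this offset still passes.) */
send_fn resolve_at_rva(uintptr_t base, uint32_t rva) {
    if (rva >= image_size(base)) return NULL;
    return (send_fn)(base + rva);
}

/* What the consumer does with the hard-coded offset: -1 when the offset
 * does not resolve, otherwise the target's return value. */
int call_via_rva(uint32_t rva, const char *msg) {
    send_fn f = resolve_at_rva(image_base(), rva);
    return f ? f(msg) : -1;
}

int main(void) {
    uintptr_t base = image_base();
    uint32_t rva = rva_of(base, secret_send);  /* the value to hard-code */
    printf("base=%p rva=0x%x image_size=0x%zx\n",
           (void *)base, rva, image_size(base));
    printf("call via rva -> %d\n", call_via_rva(rva, "hello"));
    printf("bogus rva    -> %d\n", call_via_rva(0xFFFFFFFFu, "hello"));
    return 0;
}
```

Build it with plain gcc or cl; the printed rva is the number a consumer would embed, and relinking or recompiling the "DLL" side changes it, which is exactly the rigidity the post relies on and the reason the same program breaks on a legitimate update of the DLL.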



Conclusion


In conclusion, we just have to be creative when mitigating flaws in software, always thinking both offensively and defensively: try to break your own programs and, at the same time, work out how to mitigate what you find. If you have any questions, just contact me. Thanks! :)
