Saturday, August 25, 2012

Reverse Engineering Powershell cmdlets

PowerShell is a command-line interface into the .NET framework for Windows, so the majority of reversing PowerShell is just understanding how to get at the .NET code behind a cmdlet and decompiling it into a readable form. When I started looking up how to do this, most of the posts were not about how to reverse PowerShell but about how to run PowerShell from C#. This post explains how to take a PowerShell cmdlet and get back to the .NET code.

This is extremely simple, so simple I was surprised that there were no posts about it. Basically you need to know two commands in PowerShell and have a .NET decompiler, such as:
.net reflector

Get-Command shows the DLL that holds the cmdlet:
 PS C:\> Get-Command Get-Process | fl DLL  

Trace-Command shows which class in that DLL is constructed and which methods are called when the cmdlet runs:
 PS C:\> Trace-Command -name cmdlet,ETS -PSHost -Option executionflow -Command Get-Process notepad  
 DEBUG: Cmdlet Information: 0 : Constructor Enter Ctor Microsoft.PowerShell.Commands.GetProcessCommand: 37470457  
 DEBUG: Cmdlet Information: 0 : Constructor Leave Ctor Microsoft.PowerShell.Commands.GetProcessCommand: 37470457  
 DEBUG: ETS Information: 0 : Method   Enter PSObject..ctor():object = Microsoft.PowerShell.Commands.GetProcessCommand  
 DEBUG: ETS Information: 0 : Method   Leave PSObject..ctor()  
 DEBUG: ETS Information: 0 : Method   Enter PSObject..ctor():object = System.Diagnostics.Process (notepad)  
 DEBUG: ETS Information: 0 : Method   Leave PSObject..ctor()  
 Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName  
 -------  ------    -----      ----- -----   ------     -- -----------  
      62       8     3136       7548    76     7.61    784 notepad  

As you can see above, the cmdlet class that gets invoked is Microsoft.PowerShell.Commands.GetProcessCommand. All we need to do now is open .NET Reflector, load the DLL reported by Get-Command, and navigate to that class to read the decompiled source.

Here is a good link on how to write (and read) cmdlets; knowing how a cmdlet is structured makes reversing one much easier.

Monday, January 23, 2012

Question: How does loader know ASLR is enabled for a binary?

Most people know that ASLR randomizes the base address of a binary when it is loaded, but how does the loader know that a binary is ASLR capable? This is a fairly easy question to answer, but from what I can tell the answer is rarely documented as a detection method, and it is the subject of this post.

In the PE header's IMAGE_OPTIONAL_HEADER there is a field called DllCharacteristics that defines many load-time features of the executable, one of them being ASLR. If you look here (IMAGE_OPTIONAL_HEADER structure) and scroll down about midway you will see the values it defines. You will also notice that this same field defines whether DEP is enabled.

I created a little Ruby script that gives you access to these values across your whole file system, a directory, or a single file. There are many tools, such as CFF Explorer, that you can use to view them for one file at a time, but this one gives you the ability to crawl a file system to find multiple files with ASLR disabled, DEP disabled, and more.

git dllcharacteristics
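To show concretely where the loader finds this information, here is an added Ruby example (written for this post, not the author's dllcharacteristics script) that reads DllCharacteristics from a PE file and reports the IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (ASLR, 0x0040) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (DEP, 0x0100) bits along with the other flags in that field. It also checks IMAGE_FILE_RELOCS_STRIPPED in the COFF file header, because an image whose relocations were stripped cannot be rebased even when DYNAMIC_BASE is set, so a scanner that looks only at DllCharacteristics will over-report ASLR coverage. The build_sample_pe helper constructs a minimal, non-loadable header image purely so the parser can be exercised offline; the flag names and offsets are from the PE specification, and find_unhardened is an assumed helper name.

```ruby
# Added example: parse IMAGE_OPTIONAL_HEADER.DllCharacteristics from a PE file.
# DllCharacteristics sits at offset 70 of the optional header in both PE32 and PE32+.

DLL_CHARACTERISTICS = {
  0x0020 => 'HIGH_ENTROPY_VA',
  0x0040 => 'DYNAMIC_BASE',          # ASLR opt-in
  0x0080 => 'FORCE_INTEGRITY',
  0x0100 => 'NX_COMPAT',             # DEP opt-in
  0x0200 => 'NO_ISOLATION',
  0x0400 => 'NO_SEH',
  0x0800 => 'NO_BIND',
  0x1000 => 'APPCONTAINER',
  0x2000 => 'WDM_DRIVER',
  0x4000 => 'GUARD_CF',
  0x8000 => 'TERMINAL_SERVER_AWARE',
}.freeze

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit

class PEFormatError < StandardError; end

# Returns a Hash describing the image's load-time mitigation flags.
def pe_characteristics(data)
  raise PEFormatError, 'missing MZ signature' unless data[0, 2] == 'MZ'
  e_lfanew = data[0x3C, 4].unpack1('V')                  # offset of "PE\0\0"
  raise PEFormatError, 'missing PE signature' unless data[e_lfanew, 4] == "PE\0\0"

  coff = e_lfanew + 4                                     # COFF file header (20 bytes)
  opt  = coff + 20                                        # IMAGE_OPTIONAL_HEADER
  raise PEFormatError, 'truncated header' if data.bytesize < opt + 72

  file_chars = data[coff + 18, 2].unpack1('v')            # COFF Characteristics
  magic = data[opt, 2].unpack1('v')
  pe32plus = case magic
             when 0x10B then false
             when 0x20B then true
             else raise PEFormatError, format('unknown optional header magic 0x%x', magic)
             end
  dll_chars = data[opt + 70, 2].unpack1('v')
  flags = DLL_CHARACTERISTICS.select { |bit, _| dll_chars & bit != 0 }.values
  relocs_stripped = file_chars & IMAGE_FILE_RELOCS_STRIPPED != 0

  {
    pe32plus: pe32plus,
    dll_characteristics: dll_chars,
    flags: flags,
    # DYNAMIC_BASE only helps if the loader still has relocations to apply.
    aslr: flags.include?('DYNAMIC_BASE') && !relocs_stripped,
    dep: flags.include?('NX_COMPAT'),
    relocs_stripped: relocs_stripped,
  }
end

# Walks a directory tree and returns [path, info] pairs for PE files lacking ASLR or DEP.
# (Assumed helper name; mirrors the "crawl a file system" use case from the post.)
def find_unhardened(root)
  pattern = File.join(root, '**', '*.{exe,dll,sys,ocx}')
  Dir.glob(pattern, File::FNM_CASEFOLD).each_with_object([]) do |path, out|
    info = pe_characteristics(File.binread(path))
    out << [path, info] unless info[:aslr] && info[:dep]
  rescue PEFormatError, Errno::EACCES
    next                                                  # skip non-PE or unreadable files
  end
end

# Constructed sample: a minimal PE32 header with the given DllCharacteristics and
# COFF Characteristics. Not a loadable executable, just enough bytes for the parser.
def build_sample_pe(dll_chars, file_chars = 0)
  e_lfanew = 0x80
  dos  = ("MZ".ljust(0x3C, "\0") + [e_lfanew].pack('V')).ljust(e_lfanew, "\0")
  coff = [0x014C, 1, 0, 0, 0, 224, file_chars].pack('vvVVVvv')   # i386, 1 section
  opt  = ([0x10B].pack('v').ljust(68, "\0") + [2, dll_chars].pack('vv')).ljust(224, "\0")
  dos + "PE\0\0" + coff + opt
end

if __FILE__ == $PROGRAM_NAME
  data = ARGV[0] ? File.binread(ARGV[0]) : build_sample_pe(0x0140)
  p pe_characteristics(data)    # e.g. {:pe32plus=>false, ..., :aslr=>true, :dep=>true, ...}
end
```

Run it with a path to any .exe or .dll to see the real flags, or with no arguments to parse the constructed sample. Note that a clear DYNAMIC_BASE bit is only the per-image view: system-wide settings (mandatory ASLR) can still rebase such images, so treat the scan as "what the image opts into", not "what will happen at run time".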


Thursday, January 19, 2012

QnA -> What is FS

Q: What is FS?

I wrote a challenge some time back for the Securabit podcast, which I am a part of, as a fun exercise. The question came from someone trying to reverse that challenge.
The anti-debugging technique was reading PEB offset +68 to detect whether a debugger is attached; it is set to 70 when a debugger is attached. To find the base address of the PEB I accessed FS[30] and stored that in a register.
OK, I skimmed over some items there, like why it is set to 70 and what the PEB is, but that is not the question. The question is: what is FS?

FS is a segment register that was added with the release of 32-bit protected-mode x86 operating systems. Typically, in Win32, FS points to the base of the Thread Information Block (TIB) of the currently active thread.

To break this down even more, when you see an instruction such as

the DWORD pointer means: start with the base address of DS (another segment register), add the value in EAX, and store what is at that address in EBX. So when I accessed

I was saying: take the base of FS, add 30 to it, and return what is stored there. That address holds the base of the PEB.

A few other notes on FS:
FS[0] stores the pointer to the first SEH record in the linked list. This chain is walked when an exception occurs in code.

FS points to the currently active thread. This means a single application with multiple threads will have multiple Thread Information Blocks, and FS points to a different one depending on which thread is running.

Source for Challenge