Practical Malware Analysis ch11

Notes from chapter 11 discussing malware behaviour.

Downloaders and Launchers

Downloaders fetch malware from the internet and execute it; they commonly use URLDownloadToFileA followed by WinExec. Launchers (also known as loaders) are executables that install malware.

Backdoors

Backdoors allow remote access; they commonly use HTTP over port 80 to hide in plain sight.

Windows Reverse Shells

Basic Technique

A reverse shell is a connection that originates from the infected machine and gives the attacker remote shell access. The simplest form starts cmd.exe with its window suppressed so the user does not see it; netcat is commonly used this way. In code, it involves CreateProcess and manipulation of the STARTUPINFO struct passed to CreateProcess: a socket is created, a connection to the remote server is established, and the socket is handed to the new process through the STARTUPINFO standard-handle fields.

Multi-threaded Technique

This version involves creating the socket, two pipes, and two threads, using CreateThread and CreatePipe.

GINA Interception

GINA is a system introduced in Windows XP to customise the logon process by adding support for other authentication methods, such as RFID.

Third-party GINA DLLs are registered under the registry value HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL. A malicious DLL placed there intercepts the communication between msgina.dll and Winlogon; hence a DLL that exports many functions whose names start with Wlx is an indication that GINA interception is occurring.

Hash Dumping

Malware grabs the NTLM and LM hashes, which can then be used in a pass-the-hash attack to authenticate to a remote host. One of the most popular hash-dumping tools is pwdump, which uses lsaext.dll: once it is running inside lsass.exe, pwdump calls GetHash, which is exported by lsaext.dll.

samsrv.dll is also used to access the SAM, with some noticeable functions such as SamIConnect, SamrQueryInformationUser and SamIGetPrivateData.

secur32.dll can also be used, along with the function LsaEnumerateLogonSessions, which retrieves a list of LUIDs.

[!note] As the book is old, there is more recent information about pass-the-hash attacks; the most common tool today is Mimikatz. Learn more here.

User-Space Keyloggers

Keyloggers use either hooking or polling. Hooking uses the Windows API to notify the malware whenever a key is pressed, typically with the SetWindowsHookEx function. Polling uses the Windows API to constantly poll the state of the keys, usually with the GetAsyncKeyState and GetForegroundWindow functions.

They can be identified by checking strings or API calls.

Persistence Mechanisms

Windows Registry

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows (the AppInit_DLLs value)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (Winlogon Notify)
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost (svchost groups)
  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<ServiceName>

Service-dependent persistence techniques can be detected with dynamic analysis and monitoring of registry keys, or by finding CreateServiceA in the disassembly of the sample.

Trojanised System Binaries

Malware can patch bytes of a system binary so that the system executes the malware the next time that binary runs. The binary is modified by patching its entry function so that it jumps to the malicious code.

pusha is commonly used at the start of the malicious code to save the initial state of the registers, so that they can be restored with popa after it completes execution.

DLL Load-Order Hijacking

This happens when a malicious DLL is placed in a location that makes the system load it before the legitimate DLL: when the loader reaches the legitimate DLL's directory in its search order, a DLL of that name is already loaded. For example, a malicious ntshrui.dll is placed in /Windows while the legitimate ntshrui.dll lives in /System32, so Windows loads the DLL in /Windows first and, when it comes to load DLLs from /System32, finds that ntshrui.dll is already loaded.

Default loading order in Windows XP:

  1. The directory from which the application loaded.
  2. The current directory.
  3. The system directory (the GetSystemDirectory function returns the path, such as …/Windows/System32/).
  4. The 16-bit system directory (such as …/Windows/System/).
  5. The Windows directory (the GetWindowsDirectory function returns the path, such as …/Windows/).
  6. The directories listed in the PATH environment variable.
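To make the search order concrete, here is an added Python simulation (not from the book or this post) of the six steps above: it resolves which copy of a DLL the XP loader would pick and flags DLLs in System32 that are shadowed by a same-named file in a directory searched earlier. The file layout is constructed; KnownDLLs such as kernel32.dll are mapped from System32 regardless of this search, which the simulation does not model.

```python
"""Simulate the Windows XP DLL search order from the notes and flag shadowed DLLs (added example)."""
import posixpath  # forward-slash paths keep the constructed sample OS-independent


def xp_search_order(app_dir, cwd, system_dir, windows_dir, path_env):
    """Steps 1-6 from the notes; the 16-bit system directory is <windows>/System."""
    return [app_dir, cwd, system_dir, posixpath.join(windows_dir, "System"), windows_dir, *path_env]


def resolve_dll(name, search_dirs, files, already_loaded=None):
    """Path the loader would pick for `name`, or None. `files` is the set of existing paths.
    A module already mapped under that name wins before any directory is searched, which is
    why a DLL loaded early from /Windows is reused when System32 is reached later."""
    loaded = already_loaded or {}
    if name.lower() in loaded:
        return loaded[name.lower()]
    for directory in search_dirs:
        candidate = posixpath.join(directory, name)
        if candidate in files:
            return candidate
    return None


def find_hijack_candidates(search_dirs, system_dir, files):
    """Defender check: DLLs in the system directory that also exist in a directory searched earlier."""
    earlier_dirs = search_dirs[:search_dirs.index(system_dir)]
    hits = {}
    for path in files:
        directory, name = posixpath.split(path)
        if directory != system_dir:
            continue
        for earlier in earlier_dirs:
            shadow = posixpath.join(earlier, name)
            if shadow in files:
                hits[name] = shadow
    return hits


# Constructed file system: explorer.exe lives in C:/Windows, so that directory is searched first.
SAMPLE_FILES = {"C:/Windows/explorer.exe", "C:/Windows/ntshrui.dll",
                "C:/Windows/System32/ntshrui.dll", "C:/Windows/System32/kernel32.dll"}
ORDER = xp_search_order("C:/Windows", "C:/Users/bob", "C:/Windows/System32", "C:/Windows", ["C:/Tools"])

if __name__ == "__main__":
    print("ntshrui.dll resolves to", resolve_dll("ntshrui.dll", ORDER, SAMPLE_FILES))
    print("hijack candidates:", find_hijack_candidates(ORDER, "C:/Windows/System32", SAMPLE_FILES))
```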

Privilege Escalation

Though most normal users use local accounts, some malware may perform privilege escalation so that it runs at system level, where users can't manipulate its processes.

Using SeDebugPrivilege

Malware utilises SeDebugPrivilege, a privilege created for system-level debugging that is only granted to local administrator accounts; granting SeDebugPrivilege to anyone is like giving them LocalSystem account access.

This technique can be detected by finding functions such as OpenProcessToken, LookupPrivilegeValue and AdjustTokenPrivileges.
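Putting the chapter's indicators to work: the following Python triage helper (an added example, not the book's or this post's code) maps API names found in a sample's imports or strings to the behaviours described above (downloaders, keyloggers, hash dumping, SeDebugPrivilege use, service persistence) and applies the Wlx-export test from the GINA section. The rule thresholds and the sample data are constructed for this example.

```python
"""Map API names seen in a sample (imports or strings) to the ch.11 behaviours (added example)."""

# Indicator sets taken from the chapter notes. "all": every name must be present; "any": one is enough.
RULES = {
    "downloader": ({"URLDownloadToFile", "WinExec"}, "all"),
    "keylogger (hooking)": ({"SetWindowsHookEx"}, "all"),
    "keylogger (polling)": ({"GetAsyncKeyState", "GetForegroundWindow"}, "all"),
    "hash dumping (SAM access)": ({"SamIConnect", "SamrQueryInformationUser", "SamIGetPrivateData"}, "any"),
    "hash dumping (logon sessions)": ({"LsaEnumerateLogonSessions"}, "all"),
    "privilege escalation (SeDebugPrivilege)": ({"OpenProcessToken", "LookupPrivilegeValue",
                                                 "AdjustTokenPrivileges", "SeDebugPrivilege"}, "all"),
    "service persistence": ({"CreateService"}, "all"),
}
ALL_BASES = set().union(*(names for names, _ in RULES.values()))


def normalise(name):
    """Fold ANSI/Unicode import pairs (CreateServiceA / CreateServiceW) onto the base name."""
    if name[-1:] in ("A", "W") and name[:-1] in ALL_BASES:
        return name[:-1]
    return name


def classify(imports, strings=()):
    """Return {behaviour: sorted matched names} for every rule the sample satisfies."""
    present = {normalise(n) for n in imports} | set(strings)
    hits = {}
    for behaviour, (names, mode) in RULES.items():
        matched = names & present
        if (mode == "all" and matched == names) or (mode == "any" and matched):
            hits[behaviour] = sorted(matched)
    return hits


def looks_like_gina_dll(exports, min_wlx=3):
    """A DLL exporting many Wlx* functions is a GINA interception candidate (threshold is this example's choice)."""
    wlx = sorted(e for e in exports if e.startswith("Wlx"))
    return len(wlx) >= min_wlx, wlx


# Constructed sample data, not taken from a real binary.
SAMPLE_IMPORTS = ["CreateProcessA", "OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges",
                  "GetAsyncKeyState", "GetForegroundWindow", "CreateServiceA"]
SAMPLE_STRINGS = ["SeDebugPrivilege", "cmd.exe"]
SAMPLE_EXPORTS = ["DllMain", "WlxNegotiate", "WlxInitialize", "WlxLoggedOutSAS"]

if __name__ == "__main__":
    for behaviour, names in classify(SAMPLE_IMPORTS, SAMPLE_STRINGS).items():
        print(f"{behaviour}: {', '.join(names)}")
    print("GINA candidate:", looks_like_gina_dll(SAMPLE_EXPORTS)[0])
```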

User-Mode Rootkits

Rootkits are used by malware to hide its presence.

IAT Hooking

This technique modifies the import address table (IAT) or the export address table (EAT) so that calls to the targeted function are redirected to the malware's code.

The technique is old and easily detectable, so inline hooking is used instead.

Inline Hooking

Inline hooking overwrites the code of the API function inside the imported DLL; unlike IAT hooking, it changes the function code itself rather than the table entry.
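As an added example (not the book's or this post's code), this Python check distinguishes the two hook types above on constructed data: an IAT hook shows as an import slot pointing outside the DLL that should own the function, an inline hook as a function body whose first instruction is a JMP out of that DLL. Addresses, module ranges and byte patterns are constructed for the example.

```python
"""Distinguish an IAT hook from an inline hook on an imported function (added example)."""
import struct


def jmp_target(code, func_addr):
    """Decode a 5-byte near JMP (opcode E9, rel32) at func_addr; None if the bytes are not a JMP."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack_from("<i", code, 1)[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFF


def is_inline_hooked(code, func_addr, module_start, module_end):
    """An inline hook rewrites the function's first bytes into a JMP that leaves the DLL.
    A JMP that stays inside the module (e.g. a vendor hot-patch stub) is not flagged."""
    target = jmp_target(code, func_addr)
    return target is not None and not (module_start <= target < module_end)


def classify_hook(iat_value, first_bytes, module_start, module_end):
    """'iat' if the IAT slot no longer points into the DLL, 'inline' if the slot is fine but the
    function body at that address starts with a JMP out of the DLL, else None."""
    if not (module_start <= iat_value < module_end):
        return "iat"
    if is_inline_hooked(first_bytes, iat_value, module_start, module_end):
        return "inline"
    return None


# Constructed sample: a DLL mapped at 0x7C800000-0x7C900000, one export at 0x7C801D7B,
# and an injected module at 0x10000000 whose code wants to receive the calls.
MODULE = (0x7C800000, 0x7C900000)
FUNC = 0x7C801D7B
INJECTED = 0x10001000
CLEAN = bytes.fromhex("8BFF558BEC")                           # mov edi,edi; push ebp; mov ebp,esp
HOOKED = b"\xE9" + struct.pack("<i", INJECTED - (FUNC + 5))  # jmp INJECTED written over the prologue

if __name__ == "__main__":
    print("clean IAT + clean body  :", classify_hook(FUNC, CLEAN, *MODULE))
    print("clean IAT + patched body:", classify_hook(FUNC, HOOKED, *MODULE))
    print("IAT slot redirected     :", classify_hook(INJECTED, CLEAN, *MODULE))
```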

https://0xreizouko.github.io/posts/pma/lab-11/
Author: 冷蔵庫
Published at: 2025-11-05
License: CC BY-NC-SA 4.0