/// <summary> /// Does it support ASLR /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public bool ASLR(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { ushort field = (ushort) optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics); if ((field & 0x40) != 0) { return true; } } else { return false; } } catch (Exception) { return false; } return false; }
public bool HighEntropy(SecurityInfo secInfo, PEProp binInfo) { // Compiler version must be 17 PEFile pE = binInfo.PE; ImageOptionalHeader optionalHeader = pE.OptionalHeader; ushort num = (ushort)optionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics); bool flag = (num & 32) != 0; ImageFileHeader fileHeader = pE.FileHeader; ushort num2 = (ushort)fileHeader.GetField(ImageFileHeader.Fields.Characteristics); bool flag2 = (num2 & 32) != 0; if (flag) { return false; } if (flag && flag2) { return true; } return false; }
public uint CodeSize(PEProp binInfo) { uint szSize = 0; ImageSectionHeader[] sectionHeaders = binInfo.PE.SectionHeaders; if (sectionHeaders != null) { foreach (ImageSectionHeader header in sectionHeaders) { uint field = (uint)header.GetField(ImageSectionHeader.Fields.Characteristics); if ((field & 0x20000000) != 0) { szSize += (uint)header.GetField(ImageSectionHeader.Fields.SizeOfRawData); } } } return szSize; }
public bool GS3Check(PEProp binInfo, SecurityInfo SecInfo) { foreach (string strImport in SecInfo.Imports) { if (strImport.ToString() == "_crt_debugger_hook") return true; } return false; }
public int GS2Check32(PEProp binInfo) { //Console.WriteLine("G32Check32 - " + binInfo.Path); long lngCnt; int intGS=0; int intGSFound=0; int intGS03=0; int intGS0508=0; System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read); System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream); Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length); long lngSize = brReader.BaseStream.Length; brReader.Close(); fsStream.Close(); //OllieCantCode: try { for (lngCnt = 0; lngCnt < lngSize; lngCnt++) { // VS2003 /GS check // PUSH 0000008h if (strWorkBuff[lngCnt] == 0x6A) { if (strWorkBuff[lngCnt + 1] == 0x08) { // skip PUSH ???????? // skip call ???????? // AND DWORD PTR [ebp-04h],000000h if (strWorkBuff[lngCnt + 12] == 0x83) { if (strWorkBuff[lngCnt + 13] == 0x65) { if (strWorkBuff[lngCnt + 14] == 0xFC) { if (strWorkBuff[lngCnt + 15] == 0x00) { // PUSH 00000000h if (strWorkBuff[lngCnt + 16] == 0x6A) { if (strWorkBuff[lngCnt + 17] == 0x00) { // PUSH 00000001h if (strWorkBuff[lngCnt + 18] == 0x6A) { if (strWorkBuff[lngCnt + 19] == 0x01) { // skip CALL ???????? // this is to MSVCR71.dll!__security_error_handler if (strWorkBuff[lngCnt + 25] == 0x59) { if (strWorkBuff[lngCnt + 26] == 0x59) { // skip JMP ?? // XOR EAX,EAX if (strWorkBuff[lngCnt + 29] == 0x33) { if (strWorkBuff[lngCnt + 30] == 0xC0) { // INC EAX if (strWorkBuff[lngCnt + 31] == 0x40) { // RETN if (strWorkBuff[lngCnt + 32] == 0xC3) { intGS = 1; intGS03 = 1; //break; } } } } } } } } } } } } } } } } // VS 2005 __security_check_cookie stub check // CMP ECX, ????? if (strWorkBuff[lngCnt] == 0x3B) { if (strWorkBuff[lngCnt + 1] == 0x0D) { // skip the CMP ECX, ?????? // but copy the address in // TODO // memcpy(strGSAddr, &strWorkBuff[lngCnt + 2], 4); // JNZ ?? if (strWorkBuff[lngCnt + 6] == 0x75) { // TEST ECX,FFFF0000h if (strWorkBuff[lngCnt + 8] == 0xF7) { if (strWorkBuff[lngCnt + 9] == 0xC1) { if (strWorkBuff[lngCnt + 10] == 0x00) { if (strWorkBuff[lngCnt + 11] == 0x00) { if (strWorkBuff[lngCnt + 12] == 0xFF) { if (strWorkBuff[lngCnt + 13] == 0xFF) { // JNZ ?? if (strWorkBuff[lngCnt + 14] == 0x75) { // RET if (strWorkBuff[lngCnt + 16] == 0xC3) { intGS = 4; intGS0508 = 1; //break; } else if (strWorkBuff[lngCnt + 16] == 0xF3) { if (strWorkBuff[lngCnt + 17] == 0xC3) { intGS = 6; intGS0508 = 1; //break; } } } } } } } } // REP RETN } else if (strWorkBuff[lngCnt + 8] == 0xF3) { if (strWorkBuff[lngCnt + 9] == 0xC3) { // JMP ?????? if (strWorkBuff[lngCnt + 10] == 0xE9) { intGS = 3; intGS0508 = 1; //break; // ??? } else { intGS = 7; intGS0508 = 1; //break; } } } // JMP ???????? } else if (strWorkBuff[lngCnt + 6] == 0x0F) { // TEST ECX,FFFF0000h if (strWorkBuff[lngCnt + 12] == 0xF7) { if (strWorkBuff[lngCnt + 13] == 0xC1) { if (strWorkBuff[lngCnt + 14] == 0x00) { if (strWorkBuff[lngCnt + 15] == 0x00) { if (strWorkBuff[lngCnt + 16] == 0xFF) { if (strWorkBuff[lngCnt + 17] == 0xFF) { // JNZ ???????? if (strWorkBuff[lngCnt + 18] == 0x0F) { intGS = 5; intGS0508 = 1; //break; } } } } } } // REP RETN } else if (strWorkBuff[lngCnt + 12] == 0xF3) { if (strWorkBuff[lngCnt + 13] == 0xC3) { // JMP ?????? if (strWorkBuff[lngCnt + 14] == 0xE9) { intGS = 3; intGS0508 = 1; //break; // NOP } else { intGS = 7; intGS0508 = 1; //break; } } // JMP } else if (strWorkBuff[lngCnt + 12] == 0xE9) { intGS = 8; intGS0508 = 1; //break; } } } } // VS 2005 GSDriverEntry stub check // MOV EDI, EDI if (strWorkBuff[lngCnt] == 0x8B) { if (strWorkBuff[lngCnt + 1] == 0xFF) { // PUSH EBP if (strWorkBuff[lngCnt + 2] == 0x55) { // MOV EBP, ESP if (strWorkBuff[lngCnt + 3] == 0x8B) { if (strWorkBuff[lngCnt + 4] == 0xEC) { // MOV EAX, __security_cookie if (strWorkBuff[lngCnt + 5] == 0xA1) { // TODO //memcpy(strGSAddr, &strWorkBuff[lngCnt + 6], 4); // TEST EAX, EAX if (strWorkBuff[lngCnt + 10] == 0x85) { if (strWorkBuff[lngCnt + 11] == 0xC0) { // MOV EAX, XXXXXXXX if (strWorkBuff[lngCnt + 12] == 0xB9) { // JZ ?? if (strWorkBuff[lngCnt + 17] == 0x74) { // CMP EAX, ECX if (strWorkBuff[lngCnt + 19] == 0x3B) { if (strWorkBuff[lngCnt + 20] == 0xC1) { // JNZ ?? if (strWorkBuff[lngCnt + 21] == 0x75) { intGS = 9; intGS0508 = 1; //break; } } } } } } } } } } } } } } /* if(intGS==8){ lngTmp=0; //lngTmp=GSCookieHunter(strWorkBuff,lngSize,fff); if(lngTmp==0){ intGS=0; long lngStart=lngCnt+12; if(lngStart<=lngSize){ goto OllieCantCode; } } }*/ } catch { return 0; } if(intGS03==1 || intGS0508==1){ intGSFound=1; } else if(intGS03==1 && intGS0508==1) { intGSFound=9; } return intGS; }
public bool GetManifest(PEProp binInfo, SecurityInfo secInfo) { IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2); if (hMod != null) { IntPtr hRes = FindResource(hMod, 1, 24); if (hRes != null) { uint intSize = SizeofResource(hMod, hRes); if (intSize > 0) { IntPtr ptrRes = LoadResource(hMod, hRes); if (ptrRes != null) { IntPtr strMani = LockResource(ptrRes); if (strMani != null) { string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani); int intIdx = strManifest.IndexOf("¿"); if (intIdx != 0) { secInfo.Manifest = strManifest.Substring(intIdx + 1); } else { secInfo.Manifest = strManifest; } return true; } } } } } return false; }
public bool EncodePointer(PEProp binInfo, SecurityInfo SecInfo) { return DoesImportviaLoadLibrary(binInfo, "EncodePointer", SecInfo); }
// .NET Strong Name public bool DotNetStrongName(PEProp binInfo) { try { Assembly assembly = new Assembly(binInfo.Path); byte[] publicKey = assembly.PublicKey; if ((publicKey != null) && (publicKey.Length > 0)) { return true; } } catch (Exception) { return false; } return false; }
public bool SetDEPPolicy(PEProp binInfo, SecurityInfo SecInfo) { return DoesImportviaLoadLibrary(binInfo, "SetProcessDEPPolicy", SecInfo); }
/// <summary> /// SafeSEH Check /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public bool SafeSEH(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics); if ((field & 0x400) != 0) { return false; } SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress); if (rva.Address == 0) { return false; } uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size); ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva)); int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size); if (FieldSize < 0x48) { return false; } uint SEHTable = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerTable); uint SEHTableCount = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SEHandlerCount); if ((SEHTable != 0) && (SEHTableCount != 0)) { return true; } if (SEHTable == 0) { return false; } if (SEHTableCount == 0) { return false; } } else { return false; } } catch (Exception) { return false; } return false; }
public List<String> MSCompilerVers(PEProp binInfo) { BinaryReader binReader = new BinaryReader(File.OpenRead(binInfo.Path)); UInt32[] arraryDWORDs = new UInt32[1024]; int intCount=0; int intPos = 0; bool bFound = false; UInt32 XORKey = 0; List<String> lstCompilers = new List<String>(); try { if (binReader != null) { // Find the XOR key while (intCount < 1024 && intPos < binReader.BaseStream.Length) { arraryDWORDs[intCount] = binReader.ReadUInt32(); if (arraryDWORDs[intCount] == 0x68636952) { bFound = true; //Console.WriteLine("1 - "+ intCount.ToString()); break; } intPos += sizeof(UInt32); intCount++; } // Extract the XOR key if (bFound == true) { XORKey = binReader.ReadUInt32(); intPos += sizeof(UInt32); // Now find the start of the version numbers int intCount2 = 0; int intPos2 = 0; bool bFound2 = false; UInt32 intTemp = 0; binReader.BaseStream.Seek(0, SeekOrigin.Begin); while (intCount2 < intCount && intPos < binReader.BaseStream.Length) { intTemp = binReader.ReadUInt32(); intTemp ^= XORKey; //Console.WriteLine(intCount2.ToString()); if (intTemp == 0x536E6144) { //Console.WriteLine("2 - " + intCount2.ToString()); bFound2 = true; break; } intPos2 += sizeof(UInt32); intCount2++; } if (bFound2) { // Now work from the start of the block until the end // and decode binReader.BaseStream.Seek(intPos2, SeekOrigin.Begin); int intPos3 = intPos2; while (intPos3 < (intPos - 8)) { //Console.WriteLine(intPos3.ToString()); UInt32 intVer = binReader.ReadUInt32(); UInt32 intTimes = binReader.ReadUInt32(); intPos3 += (sizeof(UInt32) * 2); intVer ^= XORKey; intTimes ^= XORKey; intTemp ^= XORKey; if ((intVer != 0x536E6144) && ((intVer != 0))) { UInt32 intVerFin = 0; UInt32 intID = 0; intID = intVer >> 16; intVerFin = intVer & 0xFFFF; //Console.WriteLine("[] " + intVerFin.ToString() + " - " + intID.ToString() + " - " + intTimes.ToString()); if (intVerFin >= 8034 && intVerFin <= 8966) { lstCompilers.Add("VS6 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin >= 9466 && intVerFin <= 9528) { lstCompilers.Add("VS2002 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 3077) { lstCompilers.Add("VS2003 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 4035) { lstCompilers.Add("VS2003 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 50727) { lstCompilers.Add("VS2005 SP1 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 21022) { lstCompilers.Add("VS2008 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 30729) { lstCompilers.Add("VS2008 SP1 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 30319) { lstCompilers.Add("VS2010 " + intVerFin + " - " + intTimes + " times/objects"); } else if (intVerFin == 40219) { lstCompilers.Add("VS2013 " + intVerFin + " - " + intTimes + " times/objects"); } else { lstCompilers.Add("Unknown " + intVerFin + " - " + intTimes + " times/objects"); } } } binReader.Close(); return lstCompilers; } } } binReader.Close(); } catch { lstCompilers.Add("Error"); return lstCompilers; } lstCompilers.Add("N/A"); return lstCompilers; }
/// <summary> /// Second size extraction for MS12-001 test /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public uint MS12001SzTwo(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress); if (rva.Address == 0) { return 0; } uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size); return DirSize; } else { return 0; } } catch (Exception) { return 0; } //return 0; }
/// <summary> /// Size extraction related to MS12-001 size check /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public int MS12001Sz(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress); if (rva.Address == 0) { return 0; } uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size); ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva)); int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size); return FieldSize; } else { return 0; } } catch (Exception) { return 0; } //return 0; }
/// <summary> /// MS12-001 Vulnerability Check /// /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public bool MS12001(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress); if (rva.Address == 0) { return false; } uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size); // This used to be != 64 // http://blogs.technet.com/b/srd/archive/2012/01/10/more-information-on-the-impact-of-ms12-001.aspx if (DirSize == 0x48) { return true; } /* ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva)); int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size); if (FieldSize != 64) { return true; } */ } else { return false; } } catch (Exception) { return false; } return false; }
public bool LoadLibrary(PEProp binInfo, SecurityInfo SecInfo) { if (DoesImport(binInfo, "LoadLibrary", false, SecInfo)) return true; return false; }
// .NET Allow Partially Trusted Callers public bool DotNetAllowPartialTrustCallers(PEProp binInfo) { try { Assembly assembly = new Assembly(binInfo.Path); CustomAttribute[] customAttributes = assembly.CustomAttributes; if (customAttributes == null) { return false; } foreach (CustomAttribute attribute in customAttributes) { if (attribute.TypeCtor.Type.Name == "AllowPartiallyTrustedCallersAttribute") { return true; } } } catch (Exception) { return false; } return false; }
public void SigDetails(SecurityInfo secInfo, PEProp binInfo) { X509Certificate xcert = null; X509Certificate2 xcert2 = null; try { secInfo.SigName = "N/A"; secInfo.SigAlgo = "N/A"; secInfo.SigIssuer = "N/A"; xcert = X509Certificate.CreateFromSignedFile(binInfo.Path); xcert2 = new X509Certificate2(xcert); secInfo.SigName = xcert.Subject; secInfo.SigAlgo = xcert.GetKeyAlgorithm(); JavaScience.EncryptTo eToo = new JavaScience.EncryptTo(); // show never happen if (xcert2.HasPrivateKey == true) MessageBox.Show(binInfo.Path + " includes a private key!", "Private key found", MessageBoxButtons.OK, MessageBoxIcon.Hand); if(secInfo.SigAlgo.Equals("1.2.840.113549.1.1.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / RSA " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("2.5.8.1.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / RSA " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.2.840.10040.4.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / DSA " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.2.840.10046.2.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / DH " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.3029.1.2.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / ElGamal " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.25258.1.1")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / NR " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.3.6.1.4.1.25258.1.2")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / ECDSA " + eToo.GetCertPublicKeySize(xcert); } else if (secInfo.SigAlgo.Equals("1.2.643.2.2.19")){ secInfo.SigAlgo = xcert2.SignatureAlgorithm.FriendlyName + " / GOST-34.10 " + eToo.GetCertPublicKeySize(xcert); } secInfo.SigIssuer = xcert.Issuer; } catch (Exception e) { if(secInfo.SigName.Equals("") == true) secInfo.SigName = "N/A"; if(secInfo.SigAlgo.Equals("") == true) secInfo.SigAlgo = "N/A"; if(secInfo.SigIssuer.Equals("") == true) secInfo.SigIssuer = "N/A"; secInfo.Error = "Signature details error " + e.Message; } }
public string DotNetVer(PEProp binInfo) { bool bMaj = false; bool bMin = false; string strMaj = null; string strMin = null ; COMPEFile comPE = new COMPEFile(binInfo.PE); ImageCor20Header cor20Hdr = comPE.Cor20Header; Header.FieldInfo fieldInfo = new Header.FieldInfo(); object fieldValue = new object(); for(int intCount = 0;intCount < cor20Hdr.NumberOfFields; intCount++){ fieldInfo = cor20Hdr.GetFieldInfo(intCount); if (fieldInfo.Name.ToString() == "MajorRuntimeVersion") { bMaj = true; fieldValue = cor20Hdr.GetField(intCount); strMaj = fieldValue.ToString(); } else if (fieldInfo.Name.ToString() == "MinorRuntimeVersion"){ bMin = true; fieldValue = cor20Hdr.GetField(intCount); strMin = fieldValue.ToString(); } } StringBuilder strFinal = new System.Text.StringBuilder(); if (bMaj == true && bMin == true) { strFinal.Append(strMaj.ToString()); strFinal.Append("."); strFinal.Append(strMin.ToString()); } else { strFinal.Append("Error"); } return strFinal.ToString(); }
/// <summary> /// SetDllDirectory, SetDefaultDllDirectories, AddDllDirectory /// </summary> /// <param name="binInfo"></param> /// <param name="secInfo"></param> /// <returns></returns> public bool DLLPlanting(PEProp binInfo, SecurityInfo SecInfo) { if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo) || DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo) || DoesImport(binInfo, "AddDllDirectory", false, SecInfo)) { if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo)){ SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports SetDLLDirectory "; } if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo)){ SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports SetDefaultDllDirectories "; } if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo)){ SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports AddDllDirectory "; } return true; } if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo) || DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo) || DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo)) { if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo)) { SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary SetDLLDirectory "; } if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo)) { SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary SetDefaultDllDirectories "; } if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo)) { SecInfo.DLLPlantReason = SecInfo.DLLPlantReason + "Imports via LoadLibrary AddDllDirectory "; } return true; } return false; }
public void GetFileSize(SecurityInfo secInfo, PEProp binInfo) { secInfo.FileSize = binInfo.Length; }
public string UACIntLevel(PEProp binInfo) { IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2); if (hMod != null) { IntPtr hRes = FindResource(hMod, 1, 24); if (hRes != null) { uint intSize = SizeofResource(hMod, hRes); if (intSize > 0) { IntPtr ptrRes = LoadResource(hMod, hRes); if (ptrRes != null) { IntPtr strMani = LockResource(ptrRes); if (strMani != null) { string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani); //Console.WriteLine(strManifest.ToString()); if (strManifest != null) { if (strManifest.Contains("level=\"requireAdministrator\"") == true) { return "Administrator"; } else if (strManifest.Contains("level=\"highestAvailable\"") == true) { return "Highest"; } else if (strManifest.Contains("level=\"asInvoker\"") == true) { return "Invoker"; } else if (strManifest.Contains("requestedExecutionLevel") == true) { return "Present"; } else { return "Error"; } } else { return "Null"; } } } } } } return "Not found"; }
public bool GS1Check(PEProp binInfo) { try { ImageOptionalHeader optionalHeader = binInfo.PE.OptionalHeader; if (optionalHeader != null) { ushort field = (ushort)binInfo.PE.OptionalHeader.GetField(ImageOptionalHeader.Fields.DllCharacteristics); if ((field & 0x400) != 0) { return false; } SafePointer rva = (SafePointer)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.VirtualAddress); if (rva.Address == 0) { return false; } uint DirSize = (uint)binInfo.PE.OptionalHeader.DirectoryEntries[10].GetField(ImageDataDirectory.Fields.Size); ImageLoadConfigDirectory32 directory = new ImageLoadConfigDirectory32(binInfo.PE.RVA2VA(rva)); int FieldSize = (int)directory.GetField(ImageLoadConfigDirectory32.Fields.Size); if (FieldSize < 0x48) { return false; } uint GSCookieLoc = (uint)directory.GetField(ImageLoadConfigDirectory32.Fields.SecurityCookie); if (GSCookieLoc != 0) { return true; } } else { return false; } } catch (Exception) { return false; } return false; }
public string UACUIAccess(PEProp binInfo) { IntPtr hMod = LoadLibraryEx(binInfo.Path, IntPtr.Zero, 0x2); if(hMod != null){ IntPtr hRes = FindResource(hMod, 1, 24); if (hRes != null) { uint intSize = SizeofResource(hMod, hRes); if (intSize > 0) { IntPtr ptrRes = LoadResource(hMod, hRes); if (ptrRes != null) { IntPtr strMani = LockResource(ptrRes); if (strMani != null) { string strManifest = System.Runtime.InteropServices.Marshal.PtrToStringAnsi(strMani); if (strManifest != null) { //Console.WriteLine(strManifest.ToString()); if (strManifest.Contains("uiAccess=\"false\"") == true) { return "False"; } else if (strManifest.Contains("uiAccess=\"true\"") == true) { return "True"; } else if (strManifest.Contains("uiAcces") == true) { return "Present"; } else { return "Error"; } } else { return "Null"; } } } } } } return "Not found"; }
public bool VirtualAlloc(PEProp binInfo, SecurityInfo SecInfo) { foreach (string strImport in SecInfo.Imports) { if (strImport.ToString() == "VirtualAlloc") return true; } return false; }
public string DLLPlantingReason(PEProp binInfo, SecurityInfo SecInfo) { string strDLLPlantReason = ""; if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo) || DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo) || DoesImport(binInfo, "AddDllDirectory", false, SecInfo)) { if (DoesImport(binInfo, "SetDLLDirectory", false, SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports SetDLLDirectory "; } if (DoesImport(binInfo, "SetDefaultDllDirectories", false, SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports SetDefaultDllDirectories "; } if (DoesImport(binInfo, "AddDllDirectory", false, SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports AddDllDirectory "; } } if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo) || DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo) || DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo)) { if (DoesImportviaLoadLibrary(binInfo, "SetDLLDirectory", SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary SetDLLDirectory "; } if (DoesImportviaLoadLibrary(binInfo, "SetDefaultDllDirectories", SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary SetDefaultDllDirectories "; } if (DoesImportviaLoadLibrary(binInfo, "AddDllDirectory", SecInfo)) { strDLLPlantReason = strDLLPlantReason + "Imports via LoadLibrary AddDllDirectory "; } } return strDLLPlantReason; }
public bool GSCheck64(PEProp binInfo) { long lngCnt; System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read); System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream); Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length); long lngSize = brReader.BaseStream.Length; brReader.Close(); fsStream.Close(); try { for (lngCnt = 0; lngCnt < lngSize; lngCnt++) { if ( // epilogue strWorkBuff[lngCnt] == 0x75 && strWorkBuff[lngCnt + 1] == 0x11 && strWorkBuff[lngCnt + 2] == 0x48 && strWorkBuff[lngCnt + 3] == 0xc1 && strWorkBuff[lngCnt + 4] == 0xc1 && strWorkBuff[lngCnt + 5] == 0x10 && strWorkBuff[lngCnt + 6] == 0x66 && strWorkBuff[lngCnt + 7] == 0xf7 && strWorkBuff[lngCnt + 8] == 0xc1 && strWorkBuff[lngCnt + 9] == 0xff && strWorkBuff[lngCnt + 10] == 0xff && strWorkBuff[lngCnt + 11] == 0x75 && strWorkBuff[lngCnt + 12] == 0x02 && strWorkBuff[lngCnt + 13] == 0xf3 && strWorkBuff[lngCnt + 14] == 0xc3 ) { return true; //0 1 2 3 4 5 6 //48 8D 0D XX XX XX XX lea rcx,[GS_ContextRecord (13FC630F0h)] //7 8 9 10 11 12 //FF 15 XX XX XX XX call qword ptr [__imp_RtlCaptureContext (13FC62028h)] //13 14 15 16 17 18 19 //48/4C 8B XX XX XX XX XX mov rax,qword ptr [GS_ContextRecord+0F8h (13FC631E8h)] //20 21 22 23 24 //48/4C XX XX XX XX //25 26 27 //45 33 C0 } else if ( // __report_gs_failure - well part of strWorkBuff[lngCnt] == 0x48 && strWorkBuff[lngCnt + 1] == 0x8D && strWorkBuff[lngCnt + 2] == 0x0D && strWorkBuff[lngCnt + 7] == 0xFF && strWorkBuff[lngCnt + 8] == 0x15 && (strWorkBuff[lngCnt + 13] == 0x48 || strWorkBuff[lngCnt + 13] == 0x4C) && strWorkBuff[lngCnt + 14] == 0x8B && (strWorkBuff[lngCnt + 20] == 0x48 || strWorkBuff[lngCnt + 20] == 0x4C) && strWorkBuff[lngCnt + 25] == 0x45 && strWorkBuff[lngCnt + 26] == 0x33 && strWorkBuff[lngCnt + 27] == 0xC0 ) { return true; /* 1 2 3 4 5 6 FF 15 XX XX XX XX 7 8 9 10 11 4C 8B 5C 24 38 12 13 14 4C 33 DB 15 16 17 18 19 20 21 22 23 24 48 B8 FF FF FF FF FF FF 00 00 25 26 27 4C 23 D8 28 29 30 31 32 33 34 35 36 37 48 B8 33 A2 DF 2D 99 2B 00 00 */ } else if ( // ___security_init_cookie - part of strWorkBuff[lngCnt] == 0xFF && strWorkBuff[lngCnt + 1] == 0x15 && strWorkBuff[lngCnt + 6] == 0x4C && strWorkBuff[lngCnt + 7] == 0x8B && strWorkBuff[lngCnt + 8] == 0x5C && strWorkBuff[lngCnt + 9] == 0x24 && strWorkBuff[lngCnt + 10] == 0x38 && strWorkBuff[lngCnt + 11] == 0x4C && strWorkBuff[lngCnt + 12] == 0x33 && strWorkBuff[lngCnt + 13] == 0xDB && strWorkBuff[lngCnt + 14] == 0x48 && strWorkBuff[lngCnt + 15] == 0xB8 && strWorkBuff[lngCnt + 16] == 0xFF && strWorkBuff[lngCnt + 17] == 0xFF && strWorkBuff[lngCnt + 18] == 0xFF && strWorkBuff[lngCnt + 19] == 0xFF && strWorkBuff[lngCnt + 20] == 0xFF && strWorkBuff[lngCnt + 21] == 0xFF && strWorkBuff[lngCnt + 22] == 0x00 && strWorkBuff[lngCnt + 23] == 0x00 && strWorkBuff[lngCnt + 24] == 0x4C && strWorkBuff[lngCnt + 25] == 0x23 && strWorkBuff[lngCnt + 26] == 0xD8 && strWorkBuff[lngCnt + 27] == 0x48 && strWorkBuff[lngCnt + 28] == 0xB8 && strWorkBuff[lngCnt + 29] == 0x33 && strWorkBuff[lngCnt + 30] == 0xA2 && strWorkBuff[lngCnt + 31] == 0xDF && strWorkBuff[lngCnt + 32] == 0x2D && strWorkBuff[lngCnt + 33] == 0x99 && strWorkBuff[lngCnt + 34] == 0x2B && strWorkBuff[lngCnt + 35] == 0x00 && strWorkBuff[lngCnt + 36] == 0x00 ) { return true; } else if ( // ___security_init_cookie - part of strWorkBuff[lngCnt] == 0x48 && strWorkBuff[lngCnt + 1] == 0xBA && strWorkBuff[lngCnt + 2] == 0xFF && strWorkBuff[lngCnt + 3] == 0xFF && strWorkBuff[lngCnt + 4] == 0xFF && strWorkBuff[lngCnt + 5] == 0xFF && strWorkBuff[lngCnt + 6] == 0xFF && strWorkBuff[lngCnt + 7] == 0xFF && strWorkBuff[lngCnt + 8] == 0x00 && strWorkBuff[lngCnt + 9] == 0x00 && strWorkBuff[lngCnt + 10] == 0x48 && strWorkBuff[lngCnt + 11] == 0x33 && strWorkBuff[lngCnt + 12] == 0xC1 && strWorkBuff[lngCnt + 13] == 0x48 && strWorkBuff[lngCnt + 14] == 0x23 && strWorkBuff[lngCnt + 15] == 0xC2 && strWorkBuff[lngCnt + 16] == 0x48 && strWorkBuff[lngCnt + 17] == 0x89 && strWorkBuff[lngCnt + 18] == 0x01 ) { return true; } } } catch { return false; } return false; }
/// <summary> /// Checks if the the string is in the list of imports /// </summary> /// <param name="binInfo"></param> /// <param name="strTheOne"></param> /// <returns></returns> public bool DoesImport(PEProp binInfo, string strTheOne, bool bExact, SecurityInfo SecInfo) { foreach (string strImport in SecInfo.Imports) { if (bExact == true) { if (strImport.ToString().Equals(strTheOne)) return true; } else { if (strImport.ToString().Contains(strTheOne)) return true; } } return false; }
/// <summary> /// Checks if the binary / uses HeapSetInformation /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public bool HeapSetInfo(PEProp binInfo, SecurityInfo SecInfo) { return DoesImportviaLoadLibrary(binInfo, "HeapSetInformation", SecInfo); }
public bool DoesImportviaLoadLibrary(PEProp binInfo, string strTheOne, SecurityInfo SecInfo) { if (DoesImport(binInfo, strTheOne, true, SecInfo)) return true; if (DoesImport(binInfo, "LoadLibrary", false, SecInfo) && DoesImport(binInfo, "GetProcAddress", false, SecInfo)) { System.IO.FileStream fsStream = new System.IO.FileStream(binInfo.Path, System.IO.FileMode.Open, System.IO.FileAccess.Read); System.IO.BinaryReader brReader = new System.IO.BinaryReader(fsStream); Byte[] strWorkBuff = brReader.ReadBytes((Int32)fsStream.Length); long lngSize = brReader.BaseStream.Length; long lngCnt = 0; long lngInnerCnt = 0; brReader.Close(); fsStream.Close(); for (lngCnt = 0; lngCnt < lngSize; lngCnt++) { for (lngInnerCnt = 0; lngInnerCnt < strTheOne.Length; lngInnerCnt++) { if (strWorkBuff[lngCnt + lngInnerCnt].CompareTo(Convert.ToByte(strTheOne[(int)lngInnerCnt])) == 0) break; } if (lngInnerCnt == strTheOne.Length) { return true; } } } return false; }
/// <summary> /// Processes a file results are in the SecInfo object of file /// </summary> /// <param name="strFile">Full path to file to analyze</param> public void ProcessFile(string strFile) { SecInfo = new WinBinAuditv1.SecurityInfo(); try { this.OpenPE = new PEFile(strFile); this.OpenPEBI = new PEProp(strFile); WinBinAuditv1PEChecks PEChecks = new WinBinAuditv1PEChecks(); SecInfo.MD5 = this.OpenPEBI.MD5Hash.ToString(); SecInfo.SHA1 = this.OpenPEBI.SHA1Hash.ToString(); // if (OpenPEBI.PE.IsPEFile == true) { SecInfo.Type = "PE"; SecInfo.IsPE = true; SecInfo.Platform = OpenPEBI.Machine.ToString(); if (SecInfo.Platform.Contains("UNKNOWN") == true) { return; } try { SecInfo.LinkerVer = OpenPEBI.LinkerVersion.ToString(); } catch (Exception) { SecInfo.LinkerVer = "UNKNOWN"; } } else { SecInfo.IsPE = false; return; } if (OpenPEBI.PE.Is64Bit == true) { SecInfo.Is32or64bit = "64"; StringBuilder sbType = new StringBuilder(); sbType.Append("PE+"); SecInfo.Type = sbType.ToString(); } else { SecInfo.Is32or64bit = "32"; StringBuilder sbType = new StringBuilder(); sbType.Append("PE"); SecInfo.Type = sbType.ToString(); } if (OpenPEBI.Kernel == true) { SecInfo.IsKernel = true; } else { SecInfo.IsKernel = false; if (PEChecks.IsDLL(this.OpenPEBI)) { SecInfo.isDLL = true; } else { SecInfo.isDLL = false; } if (PEChecks.GetManifest(this.OpenPEBI, SecInfo)) { string UACLvl = PEChecks.UACIntLevel(this.OpenPEBI); SecInfo.UACIntegrityLvl = UACLvl; string UACUI = PEChecks.UACUIAccess(this.OpenPEBI); SecInfo.UACUIAccess = UACUI; } if (OpenPEBI.Managed == true) { SecInfo.DotNet = true; if (OpenPEBI.ManagedP) { SecInfo.DotNetFullyManaged = true; } else { SecInfo.DotNetFullyManaged = false; } try { if (OpenPEBI.SkipValidation) { SecInfo.DotNetSkipValidation = true; } else { SecInfo.DotNetSkipValidation = false; } } catch (Exception) { SecInfo.DotNetSkipValidation = false; } if (PEChecks.DotNetStrongName(this.OpenPEBI) == true) { SecInfo.DotNetStrongName = true; } if (PEChecks.DotNetAllowPartialTrustCallers(this.OpenPEBI) == true) { SecInfo.DotNetAllowPartialTrustCallers = true; } SecInfo.DotNetVer = PEChecks.DotNetVer(this.OpenPEBI).ToString(); if (SecInfo.DotNetVer.ToString() == "") { SecInfo.DotNetVer = new StringBuilder("Unknown").ToString(); } if (PEChecks.NoSEH(this.OpenPEBI) == true) { SecInfo.NoSEH = true; } else if (PEChecks.SafeSEH(this.OpenPEBI) == true) { SecInfo.SafeSEH = true; } } else { SecInfo.Imports = OpenPEBI.ImportFunctionsGet(OpenPE); SecInfo.bDelayLoaded = OpenPEBI.DelayLoadImports(OpenPE); if (SecInfo.bDelayLoaded) { SecInfo.DelayImports = OpenPEBI.DelayLoadImportFunctionsGet(OpenPE, strFile); } if (SecInfo.Imports != null) { // FIX SecInfo.MSSDLCBannedCount = PEChecks.MSBannedAPIs(SecInfo, SecInfo.Imports); } if (PEChecks.NX(this.OpenPEBI) == true) { SecInfo.DEP = true; } if (PEChecks.NoSEH(this.OpenPEBI) == true) { SecInfo.NoSEH = true; } else if (PEChecks.SafeSEH(this.OpenPEBI) == true) { SecInfo.SafeSEH = true; } if (PEChecks.AppContainer(this.OpenPEBI) == true) { SecInfo.AppContainer = true; } if (PEChecks.ControlFlowGuard(this.OpenPEBI) == true) { SecInfo.CFG = true; } if (PEChecks.MS12001(this.OpenPEBI) == true) { SecInfo.MS12001 = true; } SecInfo.MS12001Sz = PEChecks.MS12001Sz(this.OpenPEBI); SecInfo.MS12001SzTwo = PEChecks.MS12001SzTwo(this.OpenPEBI); SecInfo.CodeSz = PEChecks.CodeSize(this.OpenPEBI); if (PEChecks.ASLR(this.OpenPEBI) == true) { SecInfo.ASLR = true; } if (PEChecks.InsecureSection(this.OpenPEBI) == true) { SecInfo.InsecureSection = true; } if (PEChecks.HeapSetInfo(this.OpenPEBI, SecInfo) == true) { SecInfo.HeapSetInformation = true; } if (PEChecks.LoadLibrary(this.OpenPEBI, SecInfo) == true) { SecInfo.LoadLibrary = true; } if (PEChecks.DLLPlanting(this.OpenPEBI, SecInfo) == true) { SecInfo.DLLPlanting = true; SecInfo.DLLPlantReason = PEChecks.DLLPlantingReason(this.OpenPEBI, this.SecInfo); } if (PEChecks.VirtualAlloc(this.OpenPEBI, SecInfo) == true) { SecInfo.VirtualAlloc = true; } if (PEChecks.EncodePointer(this.OpenPEBI, SecInfo) == true) { SecInfo.EncodePointer = true; } if (PEChecks.SetDEPPolicy(this.OpenPEBI, SecInfo) == true) { SecInfo.SetDEPPolicy = true; } if (PEChecks.ForceInt(this.OpenPEBI) == true) { SecInfo.ForceInt = true; } if (PEChecks.ProcessHeapExec(this.OpenPEBI) == true) { SecInfo.ProcessHeapExec = true; } if (this.OpenPE.Is64Bit == false) { if (PEChecks.GS1Check(this.OpenPEBI) == true) { SecInfo.GS1 = true; SecInfo.GS1Which = 1; } else { } if (PEChecks.GS3Check(this.OpenPEBI, SecInfo) == true) { SecInfo.GS1 = true; if (SecInfo.GS1Which == 1) { SecInfo.GS1Which = 3; } else { SecInfo.GS1Which = 2; } } } if (this.OpenPE.Is64Bit == false) { int intGS2 = PEChecks.GS2Check32(this.OpenPEBI); if (intGS2 > 0) { SecInfo.GS2 = intGS2; } } else { bool bGS = PEChecks.GSCheck64(this.OpenPEBI); SecInfo.GS1 = bGS; } SecInfo.CompilerVer = PEChecks.MSCompilerVers(this.OpenPEBI); } // From file properties try { SecInfo.Vendor = OpenPEBI.Vendor.ToString(); } catch (Exception) { SecInfo.Vendor = "N/A"; } // From file properties try { SecInfo.Version = OpenPEBI.Version.ToString(); } catch (Exception) { SecInfo.Version = "N/A"; } // Digital Signature PEChecks.SigDetails(SecInfo, this.OpenPEBI); // File size PEChecks.GetFileSize(SecInfo, this.OpenPEBI); if (this.OpenPE.Is64Bit == true) { SecInfo.HighEntropy = PEChecks.HighEntropy(SecInfo, this.OpenPEBI); } SecInfo.Success = true; } } catch (System.Threading.ThreadAbortException) { } catch (Exception exception) { SecInfo.Success = false; StringBuilder strErrorLocal = new StringBuilder(); DateTime current = DateTime.Now; strErrorLocal.Append("Couldn't process " + strFile + " - " + exception.ToString()); SecInfo.Error = strErrorLocal.ToString(); try { SecInfo.Vendor = OpenPEBI.Vendor.ToString(); } catch (Exception) { SecInfo.Vendor = "N/A"; } } }
/// <summary> /// Is the file a DLL /// </summary> /// <param name="binInfo"></param> /// <returns></returns> public bool IsDLL(PEProp binInfo) { // IMAGE_FILE_DLL try { ushort field = (ushort)binInfo.PE.FileHeader.GetField(ImageFileHeader.Fields.Characteristics); if (( field & 0x2000) != 0) { return true; } } catch (Exception) { return false; } return false; }