An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack

An Inconvenient Truth:
Evading the Ransomware Protection
in Windows 10

My Profile
SOYA AOYAMA
Security Researcher @ Fujitsu System Integration Laboratories Ltd
Organizer @ BSides Tokyo
1992 ~ 2015
software developer of Windows.
2015 ~
security researcher
- 2016 AVTOKYO
- 2017 BSides Las Vegas
- 2018 GrrCON / ToorCon / DerbyCon / AVTOKYO
- 2019 HackMiami
2018 ~
BSides Tokyo Organizer
- 2018 first BSides in East Asia

My research history
2016 2017 2018 2019
Jump the AirGap
Way to escalate
privilege to
Administrator
Way to evading
the ransomware
protection

How to escalate privileges
to administrator in latest Windows”
• Basic Concept
• Detail

When I execute the CompMgmtLauncher
It all started...

CompMgmtLauncher.exe
– does not display the UAC screen
– executes with administrator privileges
– loads 3rd Party dll (in Program Files folder)
Which process can access Program Files folder?
– Explorer.exe?
Which means...
UAC
bypass

Explorer.exe
– loads OneDrive dll (in User's Folder)
– can access Program Files folder
I found a way to get administrator privileges
Which means...
UAC
bypass

Basic Concept
DLL
Func_A()
DLL
Func_A()
Replace the correct dll with malicious one
Pass through the function to the correct dll
EXE DLLMalicious DLL
Call Func_A()
EXE
Call Func_A()
Malicious DLL
Call Func_A()
Func_A()
Func_A()?

the implementation necessary
1. Load the correct DLL and get its handle
hModule = LoadLibraryEx(lpLibFileName, hFile, dwFlags);
2. Get address of each function using handle
Address = GetProcAddress(hModule, lpProcName);
3. When called from EXE, call the corresponding
function with the correct arguments
return Address(arg1, arg2, …);
To realize concept

What functions the dll has
I used the dumpbin command

Only need to implement four export functions
So...
EXE
Call LoadLibraryEx()
Call DllCanUnloadNow()
Call DllGetClassObject()
Call DllRegisterServer()
Call DllUnregisterServer()
Malicious DLL
Call LoadLibraryEx()
Call DllCanUnloadNow()
Call DllGetClassObject()
Call DllRegisterServer()
Call DllUnregisterServer()
DllMain()
DllCanUnloadNow()
DllGetClassObject()
DllRegisterServer()
DllUnregisterServer()
DLL
DllMain()
DllCanUnloadNow()
DllGetClassObject()
DllRegisterServer()
DllUnregisterServer()

Describe on Microsoft web site.
– HRESULT DllCanUnloadNow(void);
– HRESULT DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID
*ppv);
– HRESULT DllRegisterServer(void);
– HRESULT DllUnregisterServer (void);
Export functions API
https://docs.microsoft.com/en-us/windows/desktop/api/_com/

Source Code
#include <Shobjidl.h>
typedef HRESULT(__stdcall *CUN)(void);
typedef HRESULT(__stdcall *GCO)(REFCLSID rclsid, REFIID riid, LPVOID *ppv);
typedef HRESULT(__stdcall *RS)(void);
typedef HRESULT(__stdcall *US)(void);
CUN CanUnloadNow;
GCO GetClassObject;
RS RegisterServer;
US UnregisterServer;
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
if (DLL_PROCESS_ATTACH == ul_reason_for_call) {
WCHAR dll[MAX_PATH + 1] = { 0 };
GetModuleFileName(hModule, dll, MAX_PATH);
wcscat(dll, L"_");
HINSTANCE hDllInstance = ::LoadLibraryEx(dll, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
CanUnloadNow = (CUN)GetProcAddress(hDllInstance, "DllCanUnloadNow");
GetClassObject = (GCO)GetProcAddress(hDllInstance, "DllGetClassObject");
RegisterServer = (RS)GetProcAddress(hDllInstance, "DllRegisterServer");
UnregisterServer = (US)GetProcAddress(hDllInstance, "DllUnregisterServer");
}
return TRUE;
}
STDAPI DllCanUnloadNow(void) { return CanUnloadNow(); }
STDAPI DllGetClassObject(REFCLSID rclsid, REFIID riid, LPVOID *ppv) { return GetClassObject(rclsid, riid, ppv); }
STDAPI DllRegisterServer(void) { return RegisterServer(); }
STDAPI DllUnregisterServer(void) { return UnregisterServer(); }
Malicious code has been removed

File Process
Low Integrity Level
Medium Integrity Level
High Integrity Level
System Integrity Level
Malicious. bat
Any Folder
Malicious.dllMalicious.dll
Malicious. batMalicious. bat
Any Folder
Mechanism
User executes malicious program

File
%UserProfile%...OneDrive
Malicious.bat
Any Folder
Malicious.dll
FileSyncShell64.dll_
Malicious.dll
FileSyncShell64.dllFileSyncShell64.dll
Process
Low Integrity Level
Malicious. bat
Mechanism
Malicious program replaces correct dll with itself

File Process
Low Integrity Level
Explorer.exe
FileSyncShell64.dll
Any Folder
Malicious.bat
Any Folder
Mechanism
Explorer loads malicious dll

File
FileSyncShell64.dll
c:Program FilesWinMerge
ShellExtensionX64.dll_
ShellExtensionX64.dllShellExtensionX64.dll
Process
Low Integrity Level
Explorer.exe
FileSyncShell64.dll
UAC
bypass
Mechanism
Malicious program replaces correct dll with itself
Need
Administrator
privileges

File
ShellExtensionX64.dll
ShellExtensionX64.dll_
FileSyncShell64.dll
c:windowssystem32
Process
Low Integrity Level
Explorer.exe
FileSyncShell64.dll
Mechanism
Malicious program executes CompMgmtLauncher

Process
Explorer.exe
FileSyncShell64.dll
File
FileSyncShell64.dll
c:windowssystem32
CompMgmtLauncher.exeCompMgmtLauncher.exe
Yay!
Mechanism
Malicious program gets administrative privileges
Need
Administrator
privileges
UAC
bypass

Bug Bounty Program
https://www.microsoft.com/en-us/msrc/bounty?rtc=1

I submitted a vulnerability report
MSRC said…

MSRC said…
can not pay the reward

ProcessFile
FileSyncShell64.dll
c:windowssystem32
CompMgmtLauncher.exeCompMgmtLauncher.exe
Explorer.exe
FileSyncShell64.dll
Microsoft quietly fixed!!
However…
This issue has been fixed

Microsoft gave one answer for it

TANMAY GANACHARYA
Principal Group Manager, Windows Defender Research
Ransomware protection on Windows 10
For end users, the dreaded ransom
note announces that ransomware has
already taken their files hostage:
documents, precious photos and
videos, and other important files
encrypted. On Windows 10 Fall
Creators Update, a new feature helps
stop ransomware from accessing
important files in real-time, even if it
manages to infect the computer. When
enabled, Controlled folder access locks
down folders, allowing only authorized
apps to access files.
https://www.microsoft.com/security/blog/2017/10/23/
stopping-ransomware-where-it-counts-protecting-
your-data-with-controlled-folder-access/

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack

Windows system folder is NOT
protected by default.

apps folders
allowed apps
cmdExplorer
Protected folders
Documents Pictures
PowerShell System32
Ransomware protection Mechanism

app folders
allowed apps
cmdExplorer
Protected folders
Documents Pictures
PowerShell System32
Simple Idea

YAGO JESUS
MICROSOFT ANTI RANSOMWARE BYPASS
By default, Office executables are included in the whitelist so these programs
could make changes in protected folders without restrictions.
This access level is granted even if a malicious user uses OLE/COM objects to
drive Office executables programmatically.
So a Ransomware developer could adapt their software to use OLE objects to
change / delete / encrypt files invisibly for the files owner
http://www.securitybydefault.com/2018/01/microsoft-anti-ransomware-bypass-not.html

Why does Explorer load OneDrive dll?
It all started ...

I searched in the registry
It was found in HKEY_CLASSES_ROOT

HKCR is that merges HKLM with HKCU
HKCU takes precedence from HKLM
What HKEY_CLASSES_ROOT?
https://docs.microsoft.com/en-us/windows/desktop/sysinfo/merged-view-of-hkey-classes-root

I found it
Which dll meets the requirements?

File Process
Low Integrity Level
Malicious. bat
Any Folder
Malicious. bat
Any Folder
Malicious. bat
User executes malicious program
Mechanism

Process
Low Integrity Level
Malicious. bat
Registry
Malicious.bat
HKCR
Malicious.bat
HKCUSoftwareClasses
Malicious.bat
HKLMSoftwareClasses
%SysteRoot%system32shell32.dll
Any FolderMalicious.dll
%SysteRoot%system32shell32.dllAny FolderMalicious.dll
Mechanism
Malicious program writes malicious path in HKCU

Registry
Malicious.bat
HKCR
Malicious.bat
HKCU
Malicious.bat
HKLM
Malicious.batAny FolderMalicious.dll
Malicious.batAny FolderMalicious.dll
Malicious.bat%SysteRoot%system32shell32.dll
Process
Low Integrity Level
Explorer.exe
Malicious.dll
Yay!
Mechanism
Explorer loads malicious dll

It’s revenge
I submitted a vulnerability report
MSRC said…

The bar for security servicing
Security Boundary Security Goal
Network boundary An unauthorized network endpoint cannot access or tamper with the code and data on a
customer’s device.
Kernel boundary A non-administrative user mode process cannot access or tamper with kernel code and data.
Administrator-to-kernel is not a security boundary.
Process boundary An unauthorized user mode process cannot access or tamper with the code and data of another
process.
AppContainer
sandbox boundary
An AppContainer-based sandbox process cannot access or tamper with code and data outside of
the sandbox based on the container capabilities
User boundary A user cannot access or tamper with the code and data of another user without being authorized.
Session boundary A user logon session cannot access or tamper with another user logon session without being
authorized.
Web browser
boundary
An unauthorized website cannot violate the same-origin policy, nor can it access or tamper with
the native code and data of the Microsoft Edge web browser sandbox.
Virtual machine
boundary
An unauthorized Hyper-V guest virtual machine cannot access or tamper with the code and data
of another guest virtual machine; this includes Hyper-V Isolated Containers.
Virtual Secure Mode
boundary
Data and code within a VSM trustlet or enclave cannot be accessed or tampered with by code
executing outside of the VSM trustlet or enclave.
https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria

https://www.microsoft.com/en-us/msrc/windows-security-servicing-criteria
Defense-in-depth security features
Security feature Security Goal
User Account Control (UAC) Prevent unwanted system-wide changes (files, registry, etc) without administrator consent
AppLocker Prevent unauthorized applications from executing
Controlled Folder Access Protect access and modification to controlled folders from apps that may be malicious
Mark of the Web (MOTW) Prevent active content download from the web from elevating privileges when viewed
locally
Kernel Address Space
Layout Randomization
(KASLR)
The layout of the kernel virtual address space is not predictable to an attacker (on 64-bit)
Control Flow Guard (CFG) CFG protected code can only make indirect calls to valid indirect call targets
Windows Defender Exploit
Guard (WDEG)
Allow apps to enable additional defense-in-depth exploit mitigation features that make it
more difficult to exploit vulnerabilities
Protected Process Light
(PPL)
Prevent non-administrative non-PPL processes from accessing or tampering with code and
data in a PPL process via open process functions
Shielded Virtual Machines Help protect a VM’s secrets and its data against malicious fabric admins or malware
running on the host from both runtime and offline attacks
NOT covered by active bug bounty programs
User Account Control (UAC)
Controlled Folder Access

How about others antimalware
application?

No antimalware application
can block my malware

About the Local Hacking
No rewards
No researcher
No secure

https://www.facebook.com/soya.aoyama.3
@SoyaAoyama
https://www.slideshare.net/SoyaAoyama

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack

More Related Content

Similar to An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack (20)

Recently uploaded (20)

An inconvenient truth: Evading the Ransomware Protection in windows 10 @ LeHack

Editor's Notes