Relocation Bonus: Attacking the Windows Loader Makes Analysts Switch Careers

Conference: DEF CON 26

2018-08-01

Summary

The presentation discusses a method of bypassing ASLR by brute-forcing and pre-selecting base addresses.

  • The attack involves a route process and a drone process.
  • The drone process launches and exits with a specific return code indicating whether or not it received the desired base address.
  • The route process maps the file in a loop until it finds the desired base address.
  • The attack can be embedded in any PE and is position-agnostic.
  • The attack cannot obfuscate imports and can be slow.
  • The presenter discovered a method of invalidating reused base addresses by copying and launching the file repeatedly.
  • The attack can be used to bypass ASLR on Windows 10 by tweaking the ASLR configuration or by invalidating base addresses.

The presenter found that copying and launching a file repeatedly invalidates the base address Windows would otherwise reuse for that image, which is what makes brute-forcing and pre-selecting a desired base address possible.

Abstract

The arbiters of defense wield many static analysis tools: disassemblers, PE viewers, and antivirus engines are among them. When you peer into their minds, these tools reveal their perilous implementations of PE file parsing. They assume PE files come as-is, but the Windows Loader actually applies many mutations (some at the command of the PE itself) before execution ever begins. This talk is about bending that loader to one's whim with the Relocations Table as a command spell. It will demonstrate how the loader can be instrumented into a mutation engine capable of transforming an utterly mangled PE file into a valid executable. This method starts with multiple ASLR Preselection attacks that force binary mapping at a predictable address. It then mangles the PE file, garbling any byte not required prior to relocation. Finally, it embeds a new Relocations Table which, when paired with a preselected base address, causes the loader to reconstruct the PE and execute it with ease. This isn't a packer or a PoC; it is a PE rebuilder which generates completely valid, stable, and vastly tool-breaking executables. This talk will show you how this attack twists the protocols of a machine against the controls meant to protect it. It flexes on tools with various look-what-I-can-break demonstrations and, if you write similar tools, it'll make you rethink how you do it.
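The loader-side mutation the abstract leans on is the base-relocation pass, which is also the step a static tool skips when it reads a PE "as-is". The following is an added illustration, not code from the talk or its author: a minimal model of that pass in Python, assuming a flat mapping where image offset equals RVA and using a constructed sample image and relocation block. A tool that trusts the on-disk bytes sees the pointer 0x00401010; only after applying the fixups does it see the value that actually executes at the mapped base.

```python
import struct

REL_ABSOLUTE, REL_HIGHLOW, REL_DIR64 = 0, 3, 10  # IMAGE_REL_BASED_* entry types

def parse_reloc_blocks(reloc: bytes):
    """Yield (page_rva, [(type, offset), ...]) for each IMAGE_BASE_RELOCATION block."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8 or pos + block_size > len(reloc):
            raise ValueError("malformed relocation block")
        entries = []
        for off in range(pos + 8, pos + block_size, 2):
            (entry,) = struct.unpack_from("<H", reloc, off)
            entries.append((entry >> 12, entry & 0xFFF))  # high 4 bits: type, low 12: offset
        yield page_rva, entries
        pos += block_size

def apply_relocations(image: bytearray, reloc: bytes, preferred_base: int, actual_base: int) -> int:
    """Rewrite image bytes the way the loader does when the file maps at actual_base.
    Assumes a flat mapping (image offset == RVA). Returns the number of fixups applied."""
    delta = actual_base - preferred_base
    applied = 0
    for page_rva, entries in parse_reloc_blocks(reloc):
        for rtype, offset in entries:
            rva = page_rva + offset
            if rtype == REL_ABSOLUTE:
                continue  # padding entry used to keep blocks 4-byte aligned
            if rtype == REL_HIGHLOW:
                (val,) = struct.unpack_from("<I", image, rva)
                struct.pack_into("<I", image, rva, (val + delta) & 0xFFFFFFFF)
            elif rtype == REL_DIR64:
                (val,) = struct.unpack_from("<Q", image, rva)
                struct.pack_into("<Q", image, rva, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {rtype}")
            applied += 1
    return applied

def demo():
    """Constructed sample: a 32-bit image whose on-disk pointer at RVA 0x1004 only becomes
    meaningful once the loader has relocated it to the actual base."""
    preferred_base, actual_base = 0x00400000, 0x10000000
    image = bytearray(0x1010)
    struct.pack_into("<I", image, 0x1004, 0x00401010)  # value as a static tool reads it
    # one block for page 0x1000: a HIGHLOW fixup at +0x004 plus an ABSOLUTE pad entry
    reloc = struct.pack("<IIHH", 0x1000, 12, (REL_HIGHLOW << 12) | 0x004, 0)
    applied = apply_relocations(image, reloc, preferred_base, actual_base)
    (relocated,) = struct.unpack_from("<I", image, 0x1004)
    return applied, relocated  # (1, 0x10001010)
```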
