Usually applications use global object like mutex so that only single instance of their application runs at a time. The algorithm is as follows:
Step 1: Check if some one has acquired mutex "APP_BLOCKER"
Step 2: If Yes then Goto Step 6.
Step 3: Acquire the mutex.
Step 4: Application logic comes here.
Step 5: Release the mutex.
Step 6: Exit.
With this understanding now lets start the attack,
The first thing that we need to block the application is the name of the mutex.
If the name of the mutex is taken in the code itself, we can easily extract it.
"strings" tool can be used to extract all the printable characters from the file. The tool can be downloaded from here. Extract the tool to a folder.
Now on command line move to the directory where you extracted the file. Now on the command line run the following command.
strings "C:\FULL_PATH_TO_EXE\victim.exe" >> data.txt
Now open the file data.txt in a text editor, and try to find the string "Global\AnyTextCanComeHere"
This is the most crucial part, if you find such string, its good. Or else we will go into more detailed analysis of the binary. For now we will assume that we have found the mutex name.
Now, compile the following program in visual studio,
#include <stdio.h>
#include <windows.h>
#define GLOBAL_OBJECT_NAME L"Global\\AnyTextCanComeHere"
int main()
{
HANDLE hMutex;
hMutex = CreateMutex(NULL, FALSE, GLOBAL_OBJECT_NAME);
if (NULL == hMutex)
{
printf("\nCreateMutex failed %d", GetLastError());
getchar();
return EXIT_FAILURE;
}
printf("\nCreateMutex done.");
WaitForSingleObject(hMutex, INFINITE);
printf("\nWait returned.");
getchar();
CloseHandle(hMutex);
}
Step 1: Check if some one has acquired mutex "APP_BLOCKER"
Step 2: If Yes then Goto Step 6.
Step 3: Acquire the mutex.
Step 4: Application logic comes here.
Step 5: Release the mutex.
Step 6: Exit.
With this understanding now lets start the attack,
The first thing that we need to block the application is the name of the mutex.
If the name of the mutex is taken in the code itself, we can easily extract it.
"strings" tool can be used to extract all the printable characters from the file. The tool can be downloaded from here. Extract the tool to a folder.
Now on command line move to the directory where you extracted the file. Now on the command line run the following command.
strings "C:\FULL_PATH_TO_EXE\victim.exe" >> data.txt
Now open the file data.txt in a text editor, and try to find the string "Global\AnyTextCanComeHere"
This is the most crucial part, if you find such string, its good. Or else we will go into more detailed analysis of the binary. For now we will assume that we have found the mutex name.
Now, compile the following program in visual studio,
#include <stdio.h>
#include <windows.h>
#define GLOBAL_OBJECT_NAME L"Global\\AnyTextCanComeHere"
int main()
{
HANDLE hMutex;
hMutex = CreateMutex(NULL, FALSE, GLOBAL_OBJECT_NAME);
if (NULL == hMutex)
{
printf("\nCreateMutex failed %d", GetLastError());
getchar();
return EXIT_FAILURE;
}
printf("\nCreateMutex done.");
WaitForSingleObject(hMutex, INFINITE);
printf("\nWait returned.");
getchar();
CloseHandle(hMutex);
}
and run the exe.
Now try to run the application, if we picked the correct mutex name, the application will not run.
The application tries to acquire the mutex, but our application has already acquired the mutex, hence the legitimate application terminates.
What if the application is not blocked:
There can be n number of reasons,
1. The name of the mutex that we selected is not used for single instance check.
2. The name we selected was correct but the code at runtime applies some logic to modify the name, and then uses it,
3. Perhaps the, developer has not used mutex but some other kernel object, eg, event.
Ultimately our goal is to get the specific kernel object created, and consume it.
Most of the application's today will apply some kind of obfuscation to hide the name of the kernel object.
Thanks And Regards,
Suraj K.
Now try to run the application, if we picked the correct mutex name, the application will not run.
The application tries to acquire the mutex, but our application has already acquired the mutex, hence the legitimate application terminates.
What if the application is not blocked:
There can be n number of reasons,
1. The name of the mutex that we selected is not used for single instance check.
2. The name we selected was correct but the code at runtime applies some logic to modify the name, and then uses it,
3. Perhaps the, developer has not used mutex but some other kernel object, eg, event.
Ultimately our goal is to get the specific kernel object created, and consume it.
Most of the application's today will apply some kind of obfuscation to hide the name of the kernel object.
Thanks And Regards,
Suraj K.
