Usually applications use global object like mutex so that only single instance of their application runs at a time. The algorithm is as follows:
Step 1: Check if some one has acquired mutex "APP_BLOCKER"
Step 2: If Yes then Goto Step 6.
Step 3: Acquire the mutex.
Step 4: Application logic comes here.
Step 5: Release the mutex.
Step 6: Exit.
With this understanding now lets start the attack,
The first thing that we need to block the application is the name of the mutex.
If the name of the mutex is taken in the code itself, we can easily extract it.
"strings" tool can be used to extract all the printable characters from the file. The tool can be downloaded from here. Extract the tool to a folder.
Now on command line move to the directory where you extracted the file. Now on the command line run the following command.
strings "C:\FULL_PATH_TO_EXE\victim.exe" >> data.txt
Now open the file data.txt in a text editor, and try to find the string "Global\AnyTextCanComeHere"
This is the most crucial part, if you find such string, its good. Or else we will go into more detailed analysis of the binary. For now we will assume that we have found the mutex name.
Now, compile the following program in visual studio,
#include <stdio.h>
#include <windows.h>
#define GLOBAL_OBJECT_NAME L"Global\\AnyTextCanComeHere"
int main()
{
HANDLE hMutex;
hMutex = CreateMutex(NULL, FALSE, GLOBAL_OBJECT_NAME);
if (NULL == hMutex)
{
printf("\nCreateMutex failed %d", GetLastError());
getchar();
return EXIT_FAILURE;
}
printf("\nCreateMutex done.");
WaitForSingleObject(hMutex, INFINITE);
printf("\nWait returned.");
getchar();
CloseHandle(hMutex);
}
Step 1: Check if some one has acquired mutex "APP_BLOCKER"
Step 2: If Yes then Goto Step 6.
Step 3: Acquire the mutex.
Step 4: Application logic comes here.
Step 5: Release the mutex.
Step 6: Exit.
With this understanding now lets start the attack,
The first thing that we need to block the application is the name of the mutex.
If the name of the mutex is taken in the code itself, we can easily extract it.
"strings" tool can be used to extract all the printable characters from the file. The tool can be downloaded from here. Extract the tool to a folder.
Now on command line move to the directory where you extracted the file. Now on the command line run the following command.
strings "C:\FULL_PATH_TO_EXE\victim.exe" >> data.txt
Now open the file data.txt in a text editor, and try to find the string "Global\AnyTextCanComeHere"
This is the most crucial part, if you find such string, its good. Or else we will go into more detailed analysis of the binary. For now we will assume that we have found the mutex name.
Now, compile the following program in visual studio,
#include <stdio.h>
#include <windows.h>
#define GLOBAL_OBJECT_NAME L"Global\\AnyTextCanComeHere"
int main()
{
HANDLE hMutex;
hMutex = CreateMutex(NULL, FALSE, GLOBAL_OBJECT_NAME);
if (NULL == hMutex)
{
printf("\nCreateMutex failed %d", GetLastError());
getchar();
return EXIT_FAILURE;
}
printf("\nCreateMutex done.");
WaitForSingleObject(hMutex, INFINITE);
printf("\nWait returned.");
getchar();
CloseHandle(hMutex);
}
and run the exe.
Now try to run the application, if we picked the correct mutex name, the application will not run.
The application tries to acquire the mutex, but our application has already acquired the mutex, hence the legitimate application terminates.
What if the application is not blocked:
There can be n number of reasons,
1. The name of the mutex that we selected is not used for single instance check.
2. The name we selected was correct but the code at runtime applies some logic to modify the name, and then uses it,
3. Perhaps the, developer has not used mutex but some other kernel object, eg, event.
Ultimately our goal is to get the specific kernel object created, and consume it.
Most of the application's today will apply some kind of obfuscation to hide the name of the kernel object.
Thanks And Regards,
Suraj K.
Now try to run the application, if we picked the correct mutex name, the application will not run.
The application tries to acquire the mutex, but our application has already acquired the mutex, hence the legitimate application terminates.
What if the application is not blocked:
There can be n number of reasons,
1. The name of the mutex that we selected is not used for single instance check.
2. The name we selected was correct but the code at runtime applies some logic to modify the name, and then uses it,
3. Perhaps the, developer has not used mutex but some other kernel object, eg, event.
Ultimately our goal is to get the specific kernel object created, and consume it.
Most of the application's today will apply some kind of obfuscation to hide the name of the kernel object.
Thanks And Regards,
Suraj K.
ReplyDeleteIt's late finding this act. At least, it's a thing to be familiar with that there are such events exist. I agree with your Blog and I will be back to inspect it more in the future so please keep up your act 야설
It is perfect time to make some plans for the future and it is time to be happy. I've read this post and if I could I desire to suggest you some interesting things or suggestions. Perhaps you could write next articles referring to this article. I want to read more things about it! 국산야동
ReplyDelete
ReplyDeleteIts an amazing website, really enjoy your articles. Helpful and interesting too. Keep doing this in future. I will support you. 야동
it’s awesome and I found this one바카라사이트 informative
ReplyDeleteThanks for sharing with us this important Content. I feel strongly about it and really enjoyed learning 카지노사이트more about this topic.
ReplyDeleteIt's actually incredible. I marvel you created such an excellent short article. I'm still thrilled. Take a look at the response of these individuals currently. Everybody agrees with me. As an individual that can actually connect, I do not wish to conserve praises. You must constantly be an author. 바카라사이트
ReplyDelete
ReplyDeleteHello there! Quick question that’s completely off topic.
Do you know how to make your site mobile friendly? My website looks weird when viewing from my iphone.
I’m trying to find a template or plugin that might
be able to resolve this issue. If you have any recommendations, please share.
Thank you!
website:파워볼
3 SECRET 카지노사이트 샌즈카지노 우리카지노Work Missions At The Diamond Resort In GTA 5 Online That You Might Not Know About!
ReplyDelete