Saturday 8 November 2014

DoS attack on a Windows application that uses a global object for its single-instance check.

Applications commonly use a global kernel object such as a named mutex so that only a single instance of the application runs at a time. The algorithm is as follows:

Step 1: Check whether someone has already acquired the mutex "APP_BLOCKER".
Step 2: If yes, go to Step 6.
Step 3: Acquire the mutex.
Step 4: Run the application logic.
Step 5: Release the mutex.
Step 6: Exit.

With this understanding, let's start the attack.
The first thing we need in order to block the application is the name of the mutex.
If the name is hard-coded in the binary, we can extract it easily.

The "strings" tool extracts all printable strings from a file. The tool can be downloaded from here. Extract it to a folder.
Open a command prompt, change to the directory where you extracted the tool, and run the following command:

strings "C:\FULL_PATH_TO_EXE\victim.exe" >> data.txt

Now open data.txt in a text editor and look for a string of the form "Global\AnyTextCanComeHere".
This is the crucial part: if such a string is present, good. Otherwise a more detailed analysis of the binary is needed. For now we assume that we have found the mutex name.

Now compile the following program in Visual Studio,

#include <stdio.h>
#include <stdlib.h>
#include <windows.h>

/* The name recovered with "strings"; it must match the target exactly. */
#define GLOBAL_OBJECT_NAME L"Global\\AnyTextCanComeHere"

int main(void)
{
    HANDLE hMutex;

    /* The name is a wide-character literal, so call the W variant explicitly
       rather than relying on the project defining UNICODE. */
    hMutex = CreateMutexW(NULL, FALSE, GLOBAL_OBJECT_NAME);
    if (NULL == hMutex)
    {
        /* GetLastError returns a DWORD, so print it with %lu. */
        printf("\nCreateMutex failed %lu", GetLastError());

        getchar();
        return EXIT_FAILURE;
    }

    printf("\nCreateMutex done.");
    /* Take ownership of the mutex and hold it until a key is pressed. */
    WaitForSingleObject(hMutex, INFINITE);
    printf("\nWait returned.");

    getchar();
    CloseHandle(hMutex);
    return EXIT_SUCCESS;
}

and run the resulting exe.
Now try to start the target application: if we picked the correct mutex name, it will not run.
The application tries to acquire the mutex, but our program already holds it, so the legitimate application terminates.
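The weakness is on the application side: Step 2 of the algorithm above treats "the name already exists" as "another instance of me is running" and exits. The following is an added example, not code from the original post, of a hardened single-instance check: it keeps the object in the per-session Local\ namespace and, when the name already exists, verifies that a genuine peer is present (here by looking for the peer's main window) before giving up; if nothing answers, it logs the anomaly and continues instead of failing closed. The mutex name, window class and the classify/check function names are hypothetical; the decision logic is kept free of Win32 types so it compiles and can be tested on any platform, and the Win32 wrapper is compiled only on Windows.

```c
#include <stdio.h>

/* Outcome of the single-instance check. Only INSTANCE_DUPLICATE should make the program exit. */
typedef enum {
    INSTANCE_FIRST,          /* we created the object: we are the only instance */
    INSTANCE_DUPLICATE,      /* the object existed and a genuine peer answered */
    INSTANCE_NAME_SQUATTED,  /* the object existed but no peer answered: log it and continue */
    INSTANCE_CHECK_FAILED    /* the object could not be created at all */
} instance_state;

#define WIN_ERROR_ALREADY_EXISTS 183UL  /* value of ERROR_ALREADY_EXISTS in winerror.h */

/* Pure decision logic: handle_ok is whether CreateMutex returned a handle, last_error is
   GetLastError() taken immediately afterwards, peer_answered is the result of the probe. */
instance_state classify_instance(int handle_ok, unsigned long last_error, int peer_answered)
{
    if (!handle_ok) return INSTANCE_CHECK_FAILED;
    if (last_error != WIN_ERROR_ALREADY_EXISTS) return INSTANCE_FIRST;
    return peer_answered ? INSTANCE_DUPLICATE : INSTANCE_NAME_SQUATTED;
}

#ifdef _WIN32
#include <windows.h>
/* Hypothetical names; a real application substitutes its own. */
#define INSTANCE_MUTEX_NAME   L"Local\\ExampleApp.SingleInstance"
#define INSTANCE_WINDOW_CLASS L"ExampleAppMainWindow"

instance_state single_instance_check(HANDLE *mutex_out)
{
    /* Local\ keeps the object inside the caller's session, so a process in another session
       cannot pre-create the name. A process of the same user still can, which is why the
       result is verified by probing for the peer rather than trusted on its own. */
    HANDLE h = CreateMutexW(NULL, FALSE, INSTANCE_MUTEX_NAME);
    unsigned long err = GetLastError();               /* read before any other API call */
    int peer = FindWindowW(INSTANCE_WINDOW_CLASS, NULL) != NULL;
    *mutex_out = h;
    return classify_instance(h != NULL, err, peer);
}

int main(void)
{
    HANDLE h;
    switch (single_instance_check(&h)) {
    case INSTANCE_DUPLICATE:     puts("already running, exiting");                         return 0;
    case INSTANCE_NAME_SQUATTED: puts("instance mutex held by a foreign process; continuing"); break;
    case INSTANCE_CHECK_FAILED:  puts("could not create instance mutex; continuing");      break;
    case INSTANCE_FIRST:         break;
    }
    /* application logic would run here; the handle is released when the process exits */
    return 0;
}
#endif
```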

What if the application is not blocked?
There can be any number of reasons:
1. The name we selected is not the one used for the single-instance check.
2. The name we selected is correct, but the code modifies it at runtime before using it.
3. The developer did not use a mutex but some other kernel object, e.g. an event.

Ultimately our goal is to create the specific kernel object first and hold it.

Most applications today apply some kind of obfuscation to hide the name of the kernel object.


Thanks And Regards,
Suraj K.
