

In this series of articles, I am going to explain how different malware families implement EternalBlue and how they take advantage of it.

EternalBlue is an exploit developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. It became widely known when it was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit takes advantage of a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol (CVE-2017-0143): sending crafted packets over SMBv1 allows arbitrary code execution on the target system.

In this post, I am going to analyze Trickbot's wormDll32 module, which allows Trickbot to spread using EternalBlue. The module tries to infect all the devices in the same domain as the infected machine.

As is usual in Trickbot modules, the DLL has 4 exports:

The export that starts the malicious operations is Control. Once the new thread is created, the module enumerates all the servers in the same domain using NetServerEnum. Then it obtains the IP addresses of those hosts using the gethostbyname and inet_ntoa functions. With this information, the OpenSocket_ThenEternalBlue function is called; it performs the socket operations needed to establish communication with the targeted machine. If everything works as expected, the EternalBlue infection starts:

First, the module checks the OS version. If the version contains one of these strings, it will try to infect the device:

Then the function creates the structures required for the EternalBlue attack and triggers the vulnerability. The final stage of this process is to inject a shellcode into the targeted system. The module contains two shellcodes, one for 32-bit systems (left) and the other for 64-bit systems (right). Both shellcodes contain a malicious URL from which the malicious code will be downloaded.

The examples given here come from the x86 shellcode. The first one is the Ring 0 part, which gets ready to perform a Ring 3 APC injection into the targeted process so that the malicious Ring 3 code is executed (if the injection is performed into lsass.exe or services.exe, it will run with SYSTEM privileges). This is the first part of the Trickbot shellcode.

Doing a little research, I found that the initial part of the shellcode corresponds to this code:

The EternalBlue PoC can be found in this GitHub repository:

Comparing the Trickbot shellcode with the original shellcode from GitHub, I noticed that the Trickbot one does not perform its APC injection into the lsass.exe process the way the original shellcode does. This is the _find_target_process_loop function of the original shellcode from GitHub:

The hashing loop of its calc_hash routine (useful for comparing ASCII strings in shellcode):

    lodsb            ; Read in the next byte of the ASCII string
    ror edx, 13      ; Rotate right our hash value
    add edx, eax     ; Add the next byte of the string

At this point the original calc_hash function from the shellcode has been identified, so a Python script with the same functionality can be written. The objective is to obtain the name of the process associated with the unknown hash 0x388CC1E7 that appears in the Trickbot shellcode. Using the script, I found that the process name associated with the hash 0x388CC1E7 is services.exe, meaning that Trickbot's shellcode injects its malicious code into the services.exe process instead of lsass.exe.
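The following is an added example, not the script from the post nor code from the EternalBlue repository: a Python reimplementation of the ROR13/ADD calc_hash loop shown above, plus a resolver that brute-forces a candidate list of process names against an unknown hash. It assumes the loop also consumes the terminating NUL byte of the process name (one final rotation with nothing added); with that convention it reproduces the value the post reports for services.exe, 0x388CC1E7. The candidate list and the function names are my own.

```python
# Added example (not code from the original post): Python reimplementation of the
# EternalBlue kernel shellcode's calc_hash loop, used to map an unknown process
# hash back to a process name.
#
# Assumption: the loop folds in every byte of the NUL-terminated ASCII name,
# including the final 0x00 (a last ROR with nothing added). With that convention
# the hash the post reports for services.exe (0x388CC1E7) is reproduced.

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits (the x86 ROR instruction)."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def calc_hash(name: bytes) -> int:
    """ROR13/ADD hash over a NUL-terminated ASCII process name.

    Mirrors the shellcode loop for every byte, terminator included:
        lodsb           ; read next byte into al
        ror edx, 13     ; rotate the running hash
        add edx, eax    ; add the byte
    """
    edx = 0
    for byte in name + b"\x00":
        edx = ror32(edx, 13)
        edx = (edx + byte) & MASK32
    return edx


# Constructed candidate list: process names a kernel-mode injector might target.
CANDIDATE_PROCESSES = [
    "lsass.exe", "services.exe", "spoolsv.exe", "svchost.exe",
    "winlogon.exe", "explorer.exe", "csrss.exe", "wininit.exe", "smss.exe",
]


def resolve_hash(target: int, candidates=CANDIDATE_PROCESSES):
    """Return the candidate whose hash equals `target`, or None if none matches."""
    for name in candidates:
        if calc_hash(name.encode("ascii")) == target:
            return name
    return None


if __name__ == "__main__":
    unknown = 0x388CC1E7  # hash observed in the Trickbot shellcode (from the post)
    print(f"0x{unknown:08X} -> {resolve_hash(unknown)}")  # prints services.exe
```

Because the hash is not reversible, resolution is only as good as the candidate list; when analysing a new sample, extend CANDIDATE_PROCESSES with the ImageFileName values seen on the victim rather than guessing.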

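As a defender-side complement to the spreading flow described in the post (enumerate every server in the domain, resolve it, open a socket to it and fire EternalBlue), here is an added detection example that is not part of the original post. It flags a single source that reaches many distinct peers on the SMB port within a short window, which is the network-visible symptom of that loop. The flow-record format, the sample lines, the port constant (TCP 445 is the well-known SMB port, not something the post states) and the threshold are all assumptions made for the example.

```python
# Added example (not from the original post): flag hosts that fan out to many
# distinct SMB peers in a short time, the traffic pattern produced by a worm
# module that enumerates the domain and attacks each server in turn.
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445                  # well-known SMB port (assumption, not from the post)
FANOUT_THRESHOLD = 5            # assumed tuning value: distinct SMB peers per window
WINDOW = timedelta(minutes=5)   # assumed sliding-window length

# Constructed sample flow records: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 10.0.0.21 10.0.0.5 445
2024-01-01T10:00:02 10.0.0.21 10.0.0.6 445
2024-01-01T10:00:02 10.0.0.21 10.0.0.7 445
2024-01-01T10:00:03 10.0.0.21 10.0.0.8 445
2024-01-01T10:00:03 10.0.0.21 10.0.0.9 445
2024-01-01T10:00:04 10.0.0.21 10.0.0.10 445
2024-01-01T10:00:05 10.0.0.33 10.0.0.5 445
2024-01-01T10:00:06 10.0.0.33 10.0.0.5 445
2024-01-01T10:00:07 10.0.0.33 10.0.0.1 53
2024-01-01T10:20:00 10.0.0.44 10.0.0.5 445
2024-01-01T10:30:00 10.0.0.44 10.0.0.6 445
2024-01-01T10:40:00 10.0.0.44 10.0.0.7 445
2024-01-01T10:50:00 10.0.0.44 10.0.0.8 445
2024-01-01T11:00:00 10.0.0.44 10.0.0.9 445
2024-01-01T11:10:00 10.0.0.44 10.0.0.10 445
"""


def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows


def smb_fanout_sources(flows, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: max_distinct_peers} for sources that contacted at least
    `threshold` distinct SMB peers inside some sliding window of `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == SMB_PORT:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            best = max(best, len(peers))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, peers in smb_fanout_sources(parse_flows(SAMPLE_LOG)).items():
        print(f"SMB fan-out from {src}: {peers} distinct peers within {WINDOW}")
```

In the sample, 10.0.0.21 hits six servers in four seconds and is flagged; 10.0.0.33 talks to one server repeatedly and 10.0.0.44 reaches six servers but ten minutes apart, so neither crosses the threshold. Tune the window and threshold to the normal SMB behaviour of the environment (backup servers and domain controllers legitimately fan out), and treat a hit on a workstation as a prompt to check for the SMBv1 exploitation the post describes.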