About WFH
WFH, short for Windows Feature Hunter, is a Python tool built on Frida that helps researchers find and identify common security weaknesses and features in Windows executables. The current version automatically identifies potential DLL sideloading opportunities in dynamic-link libraries and potential COM hijacking in Component Object Model registrations.
DLL sideloading abuses the WinSxS assembly mechanism in Windows to load a malicious DLL from the SxS manifest listing. COM hijacking lets an attacker insert malicious code that runs in place of legitimate software by hijacking COM references and relationships.
WFH prints the potential issues it finds and writes the details for each target Windows executable to a CSV file.
Installation
First, clone the project source to your machine:
git clone https://github.com/ConsciousHacker/WFH
Then install and configure the dependencies:
pip install -r requirements.txt
Help Output
PS C:\Tools\WFH> python .\wfh.py -h
usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]

Windows Feature Hunter

optional arguments:
  -h, --help            show this help message and exit
  -t T [T ...], -targets T [T ...]
                        list of target windows executables
  -m {dll,com}, -mode {dll,com}
                        vulnerabilities to potentially identify
  -v, -verbose          verbose output from Frida instrumentation
  -timeout TIMEOUT      timeout value for Frida instrumentation

EXAMPLE USAGE

NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading

DLL Sideloading Identification (Single):      python wfh.py -t .\mspaint.exe -m dll
DLL Sideloading Identification (Verbose):     python wfh.py -t .\mspaint.exe -m dll -v
DLL Sideloading Identification (Timeout 30s): python wfh.py -t .\mspaint.exe -m dll -timeout 30
DLL Sideloading Identification (Wildcard):    python wfh.py -t * -m dll
DLL Sideloading Identification (List):        python wfh.py -t .\mspaint.exe .\charmap.exe -m dll

COM Hijacking Identification (Single):        python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
COM Hijacking Identification (Verbose):       python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v
COM Hijacking Identification (Timeout 60s):   python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60
COM Hijacking Identification (Wildcard):      python wfh.py -t * -m com -v
COM Hijacking Identification (List):          python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v
Usage
(1) DLL Sideloading Identification
First, copy the executables you want to analyze into the directory where WFH lives, then run the scan as shown below:
PS C:\Tools\WFH> copy C:\Windows\System32\mspaint.exe .
PS C:\Tools\WFH> copy C:\Windows\System32\charmap.exe .
PS C:\Tools\WFH> dir

    Directory: C:\Tools\WFH

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/14/2021   2:12 PM                .vscode
-a----          5/6/2021   2:39 PM           1928 .gitignore
-a----         12/7/2019   2:09 AM         198656 charmap.exe
-a----         5/18/2021   7:39 AM           6603 loadlibrary.js
-a----          4/7/2021  12:48 PM         988160 mspaint.exe
-a----         5/18/2021   7:53 AM           8705 README.md
-a----         5/17/2021  11:27 AM           5948 registry.js
-a----          5/6/2021   2:41 PM             11 requirements.txt
-a----         5/18/2021   8:35 AM          10623 wfh.py
Next, run WFH against the copied binaries to look for DLL sideloading opportunities:
PS C:\Tools\WFH> python .\wfh.py -t * -m dll
==================================================
Running Frida against charmap.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential Dll Export Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
PS C:\Tools\WFH> type .\dll_results.csv
Executable,WinAPI,DLL,EntryPoint/WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
If you want more detail from WFH, enable verbose mode with the "-v" flag. You will then see every Windows API call captured by the Frida instrumentation:
PS C:\Tools\WFH> python .\wfh.py -t * -m dll -v
==================================================
Running Frida against charmap.exe
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE'}
{'type': 'send', 'payload': 'GetProcAddress, hModule: C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential Dll Export Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
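The following Python is an added triage example, not part of this article or of the WFH project: it parses rows in the form WFH writes to dll_results.csv, splits the trailing "key: value" cells, and ranks a load by bare DLL name under the default search order (dwFlags NONE) above a GetProcAddress export lookup on a module already mapped from its full WinSxS path, which WFH itself marks with [-]. The sample rows are constructed from the output above and the high/low severity scale is an assumption of this example.

```python
import csv
import io
# Constructed sample: rows in the form WFH wrote to dll_results.csv in the run above
SAMPLE_CSV = """Executable,WinAPI,DLL,EntryPoint/WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
"""

def parse_args(cells):
    """Turn WFH's trailing 'key: value' cells (LPCWSTR, dwFlags, hModule, ...) into a dict."""
    args = {}
    for cell in cells:
        key, _, value = cell.partition(":")
        args[key.strip()] = value.strip()
    return args

def classify(winapi, args):
    # Assumed triage scale: "high" = resolved via the default DLL search order (bare name, dwFlags NONE)
    if winapi.startswith("LoadLibrary"):
        name = args.get("LPCWSTR") or args.get("LPCSTR", "")
        if "\\" in name:
            return "low", f"{name} loaded by explicit path"
        if args.get("dwFlags", "NONE") == "NONE":
            return "high", f"{name} loaded by bare name under the default search order"
        return "low", f"{name} loaded by bare name, search restricted by dwFlags={args['dwFlags']}"
    if winapi == "GetProcAddress":  # WFH marks these [-]: the module is already mapped from a full path
        return "low", f"export {args.get('LPCSTR')} looked up in {args.get('hModule')}"
    return "info", f"unhandled WinAPI {winapi}"

def triage(csv_text):
    """One dict per CSV row: executable, WinAPI, parsed args, severity and reason."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # header row
    findings = []
    for exe, api, *cells in reader:  # every WFH row carries at least Executable,WinAPI,DLL
        args = parse_args(cells)
        sev, why = classify(api, args)
        findings.append({"exe": exe, "winapi": api, "args": args, "severity": sev, "reason": why})
    return findings

def high_risk_by_executable(findings):
    """Deduplicated bare-name DLL loads per executable: the rows to verify or harden first."""
    out = {}
    for f in findings:
        if f["severity"] == "high":
            out.setdefault(f["exe"], set()).add(f["args"]["LPCWSTR"])
    return out
```

Run it against a real dll_results.csv by passing the file's contents to triage(); a bare-name entry is only an actual sideloading exposure if a directory searched before the legitimate DLL's location is writable by a lower-privileged user, which is the check to make next.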
(2) COM Hijacking Identification
PS C:\Tools\WFH> python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
==================================================
Running Frida against C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
[+] Potential COM Hijack: Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32, lpValueName: null, Type: REG_EXPAND_SZ, Value: %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path: HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32, lpValueName: null, Type: REG_SZ, Value: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
[*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log
--------------------------------------------------
==================================================
[*] Writing dll results to comhijack_results.csv
Usage Examples
(1) Native Windows signed binaries
Copy every native, Microsoft-signed Windows executable into the directory containing the WFH script:
Get-ChildItem c:\ -File | ForEach-Object { if ($_ -match '.+?exe$') { Get-AuthenticodeSignature $_.fullname } } | where { $_.IsOSBinary } | ForEach-Object { Copy-Item $_.path . }
(2) Search for DLL sideloading opportunities
python wfh.py -t * -m dll
(3) Search for COM hijacking opportunities
python wfh.py -t * -m com
Project Address
WFH: https://github.com/ConsciousHacker/WFH
When reprinting, please credit: IT运维空间 » Security Protection » How to use WFH to search for common vulnerabilities or features in Windows executables