About WFH
WFH, short for Windows Feature Hunter, is a Windows feature hunting tool. It is written in Python and uses Frida for its instrumentation, and it helps researchers find and identify common security weaknesses and features in Windows executables. The current version of WFH can automatically hunt for potential DLL sideloading opportunities in dynamic link libraries (DLLs) and for possible Component Object Model (COM) hijacking opportunities.
DLL sideloading abuses the WinSxS (Windows side-by-side) assembly mechanism to load a malicious DLL from the SxS directory. COM hijacking lets an attacker plant malicious code that is executed in place of legitimate software by hijacking COM references and associations.
WFH reports the potential weaknesses it finds and writes the details for each target Windows executable to a CSV file.
Installing the tool
First, clone the project source code to your machine:
git clone https://github.com/ConsciousHacker/WFH
Then install the required dependencies:
pip install -r requirements.txt
Tool help output
PS C:\Tools\WFH> python .\wfh.py -h
usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]

Windows Feature Hunter

optional arguments:
  -h, --help            show this help message and exit
  -t T [T ...], -targets T [T ...]
                        list of target windows executables
  -m {dll,com}, -mode {dll,com}
                        vulnerabilities to potentially identify
  -v, -verbose          verbose output from Frida instrumentation
  -timeout TIMEOUT      timeout value for Frida instrumentation

EXAMPLE USAGE

NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading

DLL Sideloading Identification (Single): python wfh.py -t .\mspaint.exe -m dll
DLL Sideloading Identification (Verbose): python wfh.py -t .\mspaint.exe -m dll -v
DLL Sideloading Identification (Timeout 30s): python wfh.py -t .\mspaint.exe -m dll -timeout 30
DLL Sideloading Identification (Wildcard): python wfh.py -t * -m dll
DLL Sideloading Identification (List): python wfh.py -t .\mspaint.exe .\charmap.exe -m dll
COM Hijacking Identification (Single): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
COM Hijacking Identification (Verbose): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v
COM Hijacking Identification (Timeout 60s): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60
COM Hijacking Identification (Wildcard): python wfh.py -t * -m com -v
COM Hijacking Identification (List): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v
Using the tool
(1) DLL sideloading identification
First, copy the binaries you want to analyze into the directory that holds WFH, then run the scan as shown below:
PS C:\Tools\WFH> copy C:\Windows\System32\mspaint.exe .
PS C:\Tools\WFH> copy C:\Windows\System32\charmap.exe .
PS C:\Tools\WFH> dir

    Directory: C:\Tools\WFH

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/14/2021   2:12 PM                .vscode
-a----          5/6/2021   2:39 PM           1928 .gitignore
-a----         12/7/2019   2:09 AM         198656 charmap.exe
-a----         5/18/2021   7:39 AM           6603 loadlibrary.js
-a----          4/7/2021  12:48 PM         988160 mspaint.exe
-a----         5/18/2021   7:53 AM           8705 README.md
-a----         5/17/2021  11:27 AM           5948 registry.js
-a----          5/6/2021   2:41 PM             11 requirements.txt
-a----         5/18/2021   8:35 AM          10623 wfh.py
Next, run WFH against the target binaries to identify DLL sideloading opportunities in them:
PS C:\Tools\WFH> python .\wfh.py -t * -m dll
==================================================
Running Frida against charmap.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential DllExport Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
PS C:\Tools\WFH> type .\dll_results.csv
Executable,WinAPI,DLL,EntryPoint/WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
If you want WFH to print more detail, enable verbose mode with the -v flag; you can then see the Windows API calls as Frida observed them:
PS C:\Tools\WFH> python .\wfh.py -t * -m dll -v
==================================================
Running Frida against charmap.exe
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE'}
{'type': 'send', 'payload': 'GetProcAddress, hModule: C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential DllExport Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
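The dll_results.csv rows above still need triage: a LoadLibrary call on a bare file name is resolved through the loader's search order (application directory first unless a LOAD_LIBRARY_SEARCH_* flag says otherwise), while a load by full path or a GetProcAddress on an already-loaded module is a different, usually lower-priority, case. The following script is an added example, not part of WFH, that parses the CSV, separates those cases and lists the bare-name loads whose DLL is not shipped next to the executable, which are the ones to fix in the application (full path or LOAD_LIBRARY_SEARCH_SYSTEM32) or to cover with a restrictive directory ACL. The CSV header text, the flag name spelling and the app-directory listing are assumptions; the sample rows are constructed from the run above.

```python
import csv
import io
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the rows of dll_results.csv from the run above.
SAMPLE_CSV = r"""Executable,WinAPI,DLL,EntryPoint/WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
"""

# LoadLibraryEx flags that keep the lookup out of the application directory.
# Assumption: WFH prints flag names in this form; the page only shows "NONE".
SAFE_FLAGS = {"LOAD_LIBRARY_SEARCH_SYSTEM32"}


@dataclass(frozen=True)
class Finding:
    exe: str
    api: str
    target: str    # DLL name or path exactly as passed to the API
    detail: str    # dwFlags value, or the export requested via GetProcAddress
    category: str  # "dllmain" for LoadLibrary*, "export" for GetProcAddress
    risk: str      # "review" or "low"


def parse_row(row):
    """Turn one CSV row into a Finding; cells after the API are 'Name: value' pairs."""
    exe, api = row[0], row[1]
    args = dict(cell.split(": ", 1) for cell in row[2:])
    if api == "GetProcAddress":
        # Export lookup on a module that is already loaded: a candidate for
        # export-forwarding sideloading, worth a manual look but not a bare-name load.
        return Finding(exe, api, args["hModule"], args["LPCSTR"], "export", "review")
    dll = args["LPCWSTR"]
    flags = args.get("dwFlags", "NONE")
    # A bare file name goes through the DLL search order, which starts in the
    # application directory unless a SEARCH_* flag restricts it.
    bare_name = ntpath.basename(dll) == dll
    risk = "review" if bare_name and flags not in SAFE_FLAGS else "low"
    return Finding(exe, api, dll, flags, "dllmain", risk)


def parse_results(text):
    reader = csv.reader(io.StringIO(text))
    next(reader)  # skip the header row
    return [parse_row(row) for row in reader if row]


def summarize(findings):
    """Per executable, the distinct items still needing review, sorted by name."""
    out = defaultdict(lambda: {"dllmain": set(), "export": set()})
    for f in findings:
        if f.risk != "review":
            continue
        if f.category == "export":
            out[f.exe]["export"].add(ntpath.basename(f.target) + "!" + f.detail)
        else:
            out[f.exe]["dllmain"].add(f.target)
    return {exe: {k: sorted(v, key=str.lower) for k, v in cats.items()}
            for exe, cats in out.items()}


def not_shipped_with_app(findings, app_dir_listing):
    """Bare-name loads whose DLL is absent from the application directory.

    app_dir_listing is the list of file names in that directory (constructed
    in the demo below; on a real host use os.listdir on the target folder)."""
    present = {name.lower() for name in app_dir_listing}
    return sorted({(f.exe, f.target) for f in findings
                   if f.category == "dllmain" and f.risk == "review"
                   and f.target.lower() not in present})


if __name__ == "__main__":
    found = parse_results(SAMPLE_CSV)
    for exe, cats in summarize(found).items():
        print(exe, cats)
    print(not_shipped_with_app(found, ["mspaint.exe", "charmap.exe"]))
```

Rows are de-duplicated per executable because WFH reports the same DLL once per API it hooked (LoadLibraryW and LoadLibraryExW both appear for MSFTEDIT.DLL), so the summary counts each DLL once.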
(2) COM hijacking identification
PS C:\Tools\WFH> python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
==================================================
Running Frida against C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
[+] Potential COM Hijack: Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32, lpValueName: null, Type: REG_EXPAND_SZ, Value: %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path: HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32, lpValueName: null, Type: REG_SZ, Value: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
[*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log
--------------------------------------------------
==================================================
[*] Writing dll results to comhijack_results.csv
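Each COM finding above names a machine-wide InProcServer32 key that iexplore.exe resolved. Because HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes takes precedence over HKEY_LOCAL_MACHINE\Software\Classes, the defender's follow-up is to check and monitor the per-user key for each reported CLSID. The script below is an added example, not WFH's code: it parses the "Potential COM Hijack" lines, derives the per-user key that would shadow each entry, and classifies its current state through an injectable registry reader (winreg on a Windows host, a constructed dictionary in the demo). The line format, the trusted-path prefixes and the constructed override value are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the findings WFH printed for iexplore.exe above.
SAMPLE_OUTPUT = r"""
[+] Potential COM Hijack: Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32, lpValueName: null, Type: REG_EXPAND_SZ, Value: %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path: HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32, lpValueName: null, Type: REG_SZ, Value: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
"""

# Assumed line layout, matching the console output shown above.
FINDING_RE = re.compile(
    r"Potential COM Hijack: Path: (?P<path>[^,]+), lpValueName: (?P<name>[^,]+), "
    r"Type: (?P<type>\w+), Value: (?P<value>.+)$"
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Where a per-user in-process server is expected to live (lower-cased prefixes; assumption).
TRUSTED_PREFIXES = ("%systemroot%\\", "c:\\windows\\", "c:\\program files")


@dataclass(frozen=True)
class ComFinding:
    clsid: str
    machine_key: str   # the key WFH saw the executable resolve
    server_dll: str
    reg_type: str

    @property
    def user_override_key(self):
        # HKCR merges HKCU\Software\Classes ahead of HKLM\Software\Classes, so a
        # default value under this key would win over machine_key for this user.
        return "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\" + self.clsid + "\\InprocServer32"


def parse_com_findings(text):
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.search(line)
        if not m:
            continue
        clsid = CLSID_RE.search(m["path"]).group(0)
        findings.append(ComFinding(clsid, m["path"], m["value"], m["type"]))
    return findings


def winreg_default_value(key_path):
    """Registry reader for Windows hosts: the default value of key_path, or None."""
    try:
        import winreg
    except ImportError:
        return None  # not on Windows; callers inject a reader instead
    hive_name, _, subkey = key_path.partition("\\")
    try:
        with winreg.OpenKey(getattr(winreg, hive_name), subkey) as key:
            return winreg.QueryValueEx(key, "")[0]
    except OSError:
        return None


def audit(findings, read_default_value=winreg_default_value):
    """Classify each CLSID by the state of its per-user override key."""
    report = {}
    for f in findings:
        override = read_default_value(f.user_override_key)
        if override is None:
            status = "no per-user override"
        elif override.lower().startswith(TRUSTED_PREFIXES):
            status = "per-user override to trusted path"
        else:
            status = "per-user override to untrusted path"
        report[f.clsid] = (status, override)
    return report


if __name__ == "__main__":
    for clsid, (status, value) in audit(parse_com_findings(SAMPLE_OUTPUT)).items():
        print(clsid, status, value)
```

A "no per-user override" result is the expected state for a clean host; the same derived key paths are the ones to put under registry-change monitoring, since creation of that key by a non-admin process is the observable event in a hijack of one of these CLSIDs.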
Usage examples
(1) Native signed Windows binaries
Copy all native signed Windows binaries into the directory that contains the WFH script:
Get-ChildItem c:\ -File | ForEach-Object { if ($_ -match '.+?exe$') { Get-AuthenticodeSignature $_.fullname } } | where { $_.IsOSBinary } | ForEach-Object { Copy-Item $_.path . }
(2) Hunting for DLL sideloading opportunities
python wfh.py -t * -m dll
(3) Hunting for COM hijacking opportunities
python wfh.py -t * -m com
Project page
WFH: https://github.com/ConsciousHacker/WFH (GitHub)