關(guān)于WFH
WFH��,全名為Windows Feature Hunter�����,即Windows功能搜索工具���,該工具基于Python開發(fā),使用Frida實現(xiàn)其功能��,可以幫助廣大研究人員搜索和識別Windows可執(zhí)行程序中的常見安全漏洞以及功能�。當前版本的WFH能夠自動識別動態(tài)鏈接庫DLL中潛在的側(cè)加載問題以及組件對象模型COM中劫持攻擊的實現(xiàn)可能。
DLL側(cè)加載利用勒Windows中WinSXS程序集來從SXS列表中加載惡意DLL文件��。COM劫持將允許攻擊者置入惡意代碼�����,而這些代碼將能夠通過劫持COM引用和關(guān)系代替合法軟件的執(zhí)行����。
WFH可以輸出潛在的安全漏洞����,并將目標Windows可執(zhí)行文件中的潛在漏洞相關(guān)信息寫入至CSV文件中����。
工具安裝
首先, 廣大研究人員需要使用下列命令將該項目源碼克隆至本地:
git clone https://github.com/ConsciousHacker/WFH
然后運行下列命令安裝和配置相關(guān)依賴組件:
pip install -r requirements.txt
工具幫助信息
PS C:\Tools\WFH > python .\wfh.py -h
usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]
Windows Feature Hunter
optional arguments:
-h, --help show this help message and exit
-t T [T ...], -targets T [T ...]
list of target windows executables
-m {dll,com}, -mode {dll,com}
vulnerabilities to potentially identify
-v, -verbose verbose output from Frida instrumentation
-timeout TIMEOUT timeout value for Frida instrumentation
EXAMPLE USAGE
NOTE: It is recommended to copy target binaries to the same directory as wfh for identifying DLL Sideloading
DLL Sideloading Identification (Single): python wfh.py -t .\mspaint.exe -m dll
DLL Sideloading Identification (Verbose): python wfh.py -t .\mspaint.exe -m dll -v
DLL Sideloading Identification (Timeout 30s): python wfh.py -t .\mspaint.exe -m dll -timeout 30
DLL Sideloading Identification (Wildcard): python wfh.py -t * -m dll
DLL Sideloading Identification (List): python wfh.py -t .\mspaint.exe .\charmap.exe -m dll
COM Hijacking Identification (Single): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
COM Hijacking Identification (Verbose): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v
COM Hijacking Identification (Timeout 60s): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60
COM Hijacking Identification (Wildcard): python wfh.py -t * -m com -v
COM Hijacking Identification (List): python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v
工具使用
(1) DLL側(cè)加載識別
首先�,我們需要將需要分析的代碼拷貝至WFH工具所在的目錄下,然后按照下列命令執(zhí)行掃描分析:
PS C:\Tools\WFH > copy C:\Windows\System32\mspaint.exe .
PS C:\Tools\WFH > copy C:\Windows\System32\charmap.exe .
PS C:\Tools\WFH > dir
Directory: C:\Tools\WFH
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/14/2021 2:12 PM .vscode
-a---- 5/6/2021 2:39 PM 1928 .gitignore
-a---- 12/7/2019 2:09 AM 198656 charmap.exe
-a---- 5/18/2021 7:39 AM 6603 loadlibrary.js
-a---- 4/7/2021 12:48 PM 988160 mspaint.exe
-a---- 5/18/2021 7:53 AM 8705 README.md
-a---- 5/17/2021 11:27 AM 5948 registry.js
-a---- 5/6/2021 2:41 PM 11 requirements.txt
-a---- 5/18/2021 8:35 AM 10623 wfh.py
接下來���,我們就可以使用WFH來對目標代碼進行分析�����,并嘗試識別其中的DLL側(cè)加載機會:
PS C:\Tools\WFH > python .\wfh.py -t * -m dll
==================================================
Running Frida against charmap.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
PS C:\Tools\WFH > type .\dll_results.csv
Executable,WinAPI,DLL,EntryPoint / WinAPI Args
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
mspaint.exe,LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
mspaint.exe,GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
如果你想讓WFH輸出更多詳細內(nèi)容�����,可以使用“-v”參數(shù)開啟Verbose模式�����。此時將能夠查看Windows API調(diào)用的詳細情況:
PS C:\Tools\WFH > python .\wfh.py -t * -m dll -v
==================================================
Running Frida against charmap.exe
{'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE'}
{'type': 'send', 'payload': 'GetProcAddress,hModule : C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}
{'type': 'send', 'payload': 'LoadLibraryW,LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : gdiplus.dll, dwFlags : NONE
[-] Potential DllExport Sideloading: GetProcAddress,hModule : C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW,LPCWSTR : MSFTEDIT.DLL, dwFlags : NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
(2) COM劫持識別
PS C:\Tools\WFH > python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
==================================================
Running Frida against C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
[+] Potential COM Hijack: Path : HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32,lpValueName : null,Type : REG_EXPAND_SZ, Value : %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path : HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32,lpValueName : null,Type : REG_SZ, Value : C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
[*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log
--------------------------------------------------
==================================================
[*] Writing dll results to comhijack_results.csv
工具使用樣例
(1) 原生Windows簽名代碼
將所有的原生Windows簽名代碼拷貝至WFH腳本所在目錄:
Get-ChildItem c:\ -File | ForEach-Object { if($_ -match '.+?exe$') {Get-AuthenticodeSignature $_.fullname} } | where {$_.IsOSBinary} | ForEach-Object {Copy-Item $_.path . }
(2) 搜索DLL側(cè)加載機會
python wfh.py -t * -m dll
(3) 搜索COM劫持機會
python wfh.py -t * -m com
經(jīng)營性網(wǎng)站備案信息
可信網(wǎng)站信用評價
網(wǎng)絡(luò)警察提醒您
誠信網(wǎng)站
中國互聯(lián)網(wǎng)舉報中心
網(wǎng)絡(luò)舉報APP下載
