Created by Erik Pistelli, a freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. Popular Alternatives to CFF Explorer for Windows, Linux, PortableApps.com, Software as a Service (SaaS), Mac and more. Explore 15 apps like CFF Explorer, all suggested and ranked by the AlternativeTo user community. CFF Explorer is another invaluable tool for.NET reversers. Unfortunately it is closed-source and is not actively maintained anymore. One of the most annoying problems is that it cannot correctly process.NET metadata in some assemblies protected by ConfuserEx (and few other protectors). As you can see, Module data make no sense and Methods also look weird.

This post will be the first part in a series on DLL Security covering topicssuch as DLL Proxying, DLL Injection, and IAT Hooking. Stay tuned :)

In this post we’ll focus on the theory of a technique known as DLL Proxying,also known as DLL Redirection or DLL Reflection. In a next post we’ll focus onimplementing the technique!

Tools and Prerequisites

Since CFF Explorer is closed-source, I had to reverse-engineer parts of it. Then I created a small code cave and added extra code that checks flag value and skips over extraData field, if necessary. If you're interested how exactly it was done, check address 004689CC and added code at 00589800. CFF Explorer was designed to make PE editing as easy as possible, but without losing sight on the portable executable’s internal structure. This application includes a series of tools which might help not only reverse engineers but also programmers. It offers a multi-file environment and a switchable interface.

The following software is used to examine the PE Header of an executable:CFF Explorer

Cff Explorer Windows 10 Arrow Clever Page

This post is rather technical, and as such, assumes knowledge of C++ and WindowsProgramming using Visual Studios. A basic understanding of DLL’s and how toimplement one in C/C++ is a bonus.

Explorer windows 10 download

Introduction

When studying the PE Executable Format, I ran into an explanation of how thecomputer worm Stuxnet used a technique known as DLL Proxying, which is madepossible by a PE feature called Forward Exports. DLL Proxying was used inStuxnet’s attack phase to control and monitor communication to ProgrammableLogic Controllers (PLCs), specifically targeting the centrifuge rotors at atoo-low or too-high frequency. The study of Stuxnet is fascinating on its own,I deeply encourage readers to read more at:The Stuxnet Worm.

Absolutely fascinated by how Stuxnet used DLL Proxying in its attack phase, Iwanted to consider how exactly this technique is done, and in turn, implementsuch a technique (in a non-malicious way of course).

This post will focus on how exactly DLL Proxying works. We’ll first begin withan overview of this technique and then explore how it is made possible withfeatures of the PE executable format.

Please note this post is related to a project I created which automates much ofthis technique. The project with its details can be found here:DLL Wrapper

DLL Proxying Overview

DLL Proxying is a technique in which an attacker replaces a DLL with a Trojanversion, renaming the original rather than deleting it. This Trojan DLLimplements exclusively the functions which the attacker wishes tointercept/modify, while forwarding all other functions to the original DLL, thusthe name “Proxy”. The attacker can then Man in the Middle the functionsthey’re interested in, and forward the rest to the original DLL, minimizing theamount of work needed while ensuring functionality is not reduced or broken.

The entire attack is conducted in a six-step process:

  1. Analyze the original DLL, from here referred to as “target DLL
  2. Identify functions to intercept/modify
  3. Implement intercepted functions in Trojan DLL
  4. Forward all other functions to the target DLL (the original DLL)
  5. Rename the target DLL
  6. Place Trojan DLL with original name of target DLL

While the entire attack is a six-step process, this process can be grouped intotwo phases:

  1. Creation of the Trojan DLL
  2. Implementation of the Trojan DLL

In the first phase, the Trojan DLL must be coded, with intercepted functionsimplemented and exported. All remaining functions must make use of the PEformats Forward Exports to export to the original DLL.

In the second phase, write permissions will be required at the target DLLslocation to rename the original DLL, and write the Trojan in its place.

This technique has several advantages:

Explorer
  1. It’s simple to implement
  2. We have full control over intercepted functions, including the ability to monitor calls to the original
  3. We do not directly modify the target application or DLL

This technique relies on the ability to forward non-implemented functions to theoriginal DLL (which has been renamed). The next section will give an overview ofwhat an exported function is, followed by an overview of the PE executableformat, specifying how it can be leveraged to implement such a technique.

DLL Exported Functions

Arrow

Let’s begin by reviewing what is an exported function. A function that isexported by an executable can be called and used by other applications.Retrieving an exported function is done through two functions in Windows:

  • LoadLibrary – Returns a handle for an executable
  • GetProcAddress – Returns a function pointer to the exported function

An exported function can be retrieved by name, or by ordinal. The name would bethe function name given by the developer, and the ordinal is a unique numericalvalue given to each exported function. It’s important to note that giving a nameto an exported function is optional, an ordinal value on the other hand is not.If an ordinal value is not explicitly given, the linker will assign one of itschoice.

Despite the name being optional, most developers export functions with a name,and retrieve it with a name as the ordinal value can be changed from one updateto the next. Also, frankly, names are much easier to remember and identify.

Finally, the last detail to know about exported functions; the function does nothave to be implemented in the DLL that is exporting it!

Wait, what?

This is known as a Forward Export, and, although not commonly used, is used byWindows NTDLL.dll, Kernel32.dll, etc.

A Forward Export allows a developer to export a function from one module to behandled by another. This is very useful for backwards compatibility(for example), and of course, was very useful for Stuxent when implementing it’sattack phase.

We’ll detail what a Forward Exported Function looks like in the next section.

PE Executable Format

The PE Executable Format is used for all windows executables, including DLLs,System Files (kernel drivers), Control Panel files (.cpl), and even Screensavers(.scr). It is used by the Windows Loader to manage the executable code,detailing where execution should start, the size of the image in memory,code/data sections, Thread Local Storage information, Imports, Exports, etc.

The PE Executable format is far too large of a topic to cover thoroughly in thispost, rather, we will see how we can use CFF Explorer to parse the PE formatfor us, and of course, how to find the exported functions.

Let’s begin by defining two terms:

  • RVA – Relative virtual address. This is the file offset in bytes (usually represented in hexadecimal), and the offset relative to where the file is mapped in memory.
  • VirtualAddress – The address of an item after it is loaded into memory. Equal to the offset + base address of image.

Let’s now take a look at a DLL, Attacker_Example.dll, using CFF Explorer. Thisis a DLL I specifically made for this purpose, it contains Exported Functions aswell as a Forward Exported Function.

CFF Explorer DOS-Header:

The PE Header, for legacy reasons, always starts with a DOS Header. The value wecare about in this header is e_lfanew. This specifies the file offsetwhere the PE Header can be found.

CFF Explorer NT Header

Inside the PE Header (also called the NT Header) we have a few key elements:

  • Machine: Architecture of the executable. This file is a x64 DLL, thus it’s AMD64.
  • Characteristics: We can see this is a DLL.

CFF Explorer NT Optional Header

The NT Header contains an Optional Header (which ironically is not optional).The key elements are:

  • Magic: Confirms whether x32 or x64 executable. Here it’s PE64, confirming we have an x64 file.
  • AddressOfEntryPoint: RVA of where code will start executing once loaded by the Windows Loader. If debugging an unknown file, this is a good place to set a breakpoint.
  • DllCharacteristics: A few interesting values to note:
    • DLL can move: Supports ASLR
    • Image is NX Compatible: Supports DEP
  • DataDirectories: An array containing a VirtualAddress and Size for each directory. Directories include: Export, Import, Resource, Debug, etc.
    • Note: The section it is located in must be manually computed. CFF Explorerdid it for us.

CFF Explorer DataDirectories

Now, to find the Export Directories location in the file, we need to use thefollowing formula:

In this case:

  • Section = rdata
  • Section.RawAddress = 8000
  • Section.VirtualAddress = 19000
  • DataDirectory.VirtualAddress = 1B8F0

Our file offset is A8F0.

Cff Explorer Windows 10arrowclever

This step is necessary because CFF Explorer will not show us if an exportedfunction is a Forward Export or not.

CFF Explorer Export Directory

As we can see, we have three functions, exported by name. These are the namesused when calling GetProcAddress to get a function pointer. Again, wecannot tell just by this screen that print_dll_name is a Forward Export.To do so, we must open the Hex Editor and go to offset A8F0.

Cff Explorer Windows 10 Arrow Clever Lite

CFF Explorer Hex Editor

We can see the name of print_dll_name follows a different format than theothers; it begins with a DLL name.

This is telling us that although this DLL is exporting a function namedprint_dll_name, the function is actually located in Target_DLL2.dll.

When calling Forward Exported functions, the Windows Loader will check if theDLL referred to (here Target_DLL2.dll) is loaded. If the referred DLL isnot already loaded into memory, the Windows Loader will load it, and finally,will retrieve the address of the function (here print_dll_name) so that wemay call it.

Conclusion

As we saw, DLL Proxying is made possible by a feature of the PE executableformat known as Forward Exports. The Trojan DLL simply replaces the original,renaming the original DLL rather than deleting it, and forwarding to it allnon-implemented functions.

Detection of such a technique is simple. The signature of the Trojan DLL will beradically different to the original, and upon manual static analysis, willcontain a lot of forward exported functions.

Thanks for reading!

References

This post was made possible thanks to intercept_apis_dll_redirectionwhich I used as a reference when implementing this technique. I highly encouragereaders to take a look, it’s amazing.

Enjoy the comfort of being able to have all the necessary tools in one simple, clean interface.

PE Explorer is the most feature-packed program for inspecting the inner workings of your own software, and more importantly, third party Windows applications and libraries for which you do not have source code. Once you have selected the file you wish to examine, PE Explorer will analyze the file and display a summary of the PE header information, and all of the resources contained in the PE file. From here, the tool allows you to explore the specific elements within an executable file.

Besides being an effective Resource Editor, PE Explorer also provides several tools that elevate it to Power Coder status: an API Function Syntax Lookup, Dependency Scanner, Section Editor, and a powerful yet easy-to-use Disassembler for generating annotated code dumps. With PE Explorer you can view, examine and edit EXE and DLL files, or correct and repair the internal structures of any PE (portable executable) files with the click of a button.

  • See what's inside an executable
  • Customize the GUI elements of your favorite Windows programs
  • Track down what a program accesses and which DLLs are called
  • Understand the way a program works, behaves, and interacts with others
  • Say good bye to digging through bloated help files just to hash out an API reference
  • Open UPX-, Upack- and NsPack-compressed files seamlessly in PE Explorer, without long workarounds
  • Special support for Delphi applications

PE Explorer runs on all versions of Windows from 95 through XP, Vista, 7, 8 and 10.

Minimum hardware requirements:
Intel Pentium® or AMD K5 processor with 166 MHz
16 MB RAM

For maximum editing and inspecting power, purchase a PE Explorer Personal license now for $129. A Business license is available for $229.95. When you utilize all the different tools PE Explorer integrates, you will agree that this is definitely an awesome price. PE Explorer is a bargain with its many features! It will save you hours of time and it’s easy to use!





⇐ ⇐ Download Game Kon Pcwesternhunter
⇒ ⇒ Danganronpa 2 Goodbye Despair Sub Indo Batch