One Article Review

Home - The article:
Source Code White
Identifier 1214313
Publication date 2019-07-19 14:03:26 (seen: 2019-07-19 15:02:05)
Title Heap-based AMSI bypass for MS Excel VBA and others
Text This blog post describes how to bypass Microsoft's AMSI (Antimalware Scan Interface) in Excel using VBA (Visual Basic for Applications). In contrast to other bypasses, this approach does not use hardcoded offsets or opcodes but identifies crucial data on the heap and modifies it. The idea of a heap-based bypass has been mentioned by other researchers before, but at the time of writing this article no public PoC was available. This blog post will provide the reader with some insights into the AMSI implementation and a generic way to bypass it.

Introduction

Since Microsoft rolled out their AMSI implementation, many writeups about bypassing the implemented mechanism have been released. Code White regularly conducts Red Team scenarios where phishing plays a great role. Phishing is often related to MS Office, specifically to malicious scripts written in VBA. As per Microsoft, AMSI also covers VBA code placed into MS Office documents. This fact motivated some research performed earlier this year, which evaluated if and how AMSI can be defeated in an MS Office Excel environment.

In the past, several different approaches have been published to bypass AMSI. The following links contain information which was used as inspiration or reference:

https://modexp.wordpress.com/2019/06/03/disable-amsi-wldp-dotnet (also lists a lot of other writeups and implements a nice data-based approach)
https://outflank.nl/blog/2019/04/17/bypassing-amsi-for-vba/ (AMSI Bypass for VBA)

The first article from the list above also mentions a heap-based approach. Independent from that writeup, Code White's approach used exactly that idea. At the time of writing this article there was no code publicly available which implements this idea. This was another motivation to write this blog post. Porting the bypass to MS Excel/VBA revealed some nice challenges which had to be solved.

The following chapters show the evolution of Code White's implementation in chronological order:

1. Implementing our own AMSI client in C to have a debugging platform
2. Understanding how the AMSI API works
3. Bypassing AMSI in our own client
4. Porting this approach to VBA
5. Improving the bypass
6. Improving the bypass - making it production-ready

Implementing our own AMSI Client

In order to ease debugging, we will implement our own small AMSI client in C which triggers a scan on the malicious string 'amsiutils'. This string gets flagged as evil since some AMSI bypasses by Matt Graeber used it. Scanning this simple string is a simple way to check whether AMSI works at all and to verify whether our bypass is functional. A ready-to-use AMSI client can be found on sinn3r's GitHub. This code provided us a good starting point and also contained important hints, e.g. the pre-condition in the Local Group Policies.

We will implement our test client using Microsoft Visual Studio Community 2017. In a first step, we end up with two functions, amsiInit() and amsiScan(), not to be confused with the functions exported by amsi.dll. Later we will add another function, amsiByPass(), which does what its name suggests. See this gist for the final code including the bypass.
Sent Yes
Tags Guideline


The article does not appear to have been picked up after its publication.


The article does not appear to have been taken from an earlier one.