Bypassing Device Guard UMCI with dnx.exe/rcsi.exe

http://ift.tt/2rNTboD

Device Guard is a whitelisting mechanism introduced in Windows 10 Enterprise and Server 2016 that can be used to prevent unauthorized code execution. Put simply, a program that does not carry a Microsoft digital signature cannot be used to execute code. However, if you can find a Microsoft-signed program that will run arbitrary code for you, the application control enforced by Device Guard can be bypassed to achieve code execution.

Matt Nelson (@enigma0x3) recently shared two ways in which he bypassed Device Guard; they are the third and fourth bypass methods, following those of Matt Graeber (@mattifestation) and Casey Smith (@subTee). This article reproduces the two processes, completes the two homework items he left to the reader, optimizes the steps for building the dnx.exe environment, and shares the learning experience.

The link is as follows:

http://ift.tt/2qYIfDu

dnx.exe

dnx.exe is the host of the .NET Execution Environment (DNX); it carries a Microsoft digital signature and can be used to execute C# code.

First, build the environment needed to use dnx.exe.

Reference:

http://ift.tt/1OlGqdM

The referenced page states that PowerShell v4.0 and the Visual C++ 2013 Redistributable package are required. In actual testing, printing "hello world" did not need either of them, and the configuration steps can also be simplified. The simplified configuration steps are as follows:

Test system: Win8 x86

1, Download and install Microsoft .NET Framework 4.5.2:

http://ift.tt/2qY7Xbu

2, Install DNVM

Cmd:

xx

3, Install DNX

Cmd:

dnvm list

Enter y to install dnx

Cmd:

xx

Cmd:

xx

You will see the operating instructions for dnx

4, Update DNX and DNVM bits

Cmd:

xx

5, Configure Package

Cmd:

xx

6, Add the script file

Create a new file, Program.cs, as follows:

xx

Note:

The class name must be Program, otherwise an error is reported

Create a new project project.json, as follows:

xx

7, Test the script

Cmd:

xx

Cmd:

xx

Note:

If you only want to test the code above, completing Step 3 is enough

8, Win10 Device Guard test

Once the dnx.exe test succeeds, the next step is to find out which supporting files dnx.exe needs on Win10; the most intuitive way is to use Process Monitor.

Use Process Monitor to record the file operations of dnx.exe at run time.

Find key directories:

C:\Users\a\.dnx\runtimes\dnx-clr-win-x86.1.0.0-rc1-update2\bin\

In actual testing on Win10, only some of the files in this directory are needed, totalling 7.44 MB.

The file list is as follows:

Dnx.clr.dll

Dnx.exe

Dnx.onecore.dll

Microsoft.CodeAnalysis.CSharp.dll

Microsoft.CodeAnalysis.dll

Microsoft.Dnx.ApplicationHost.dll

Microsoft.Dnx.Compilation.Abstractions.dll

Microsoft.Dnx.Compilation.CSharp.Abstractions.dll

Microsoft.Dnx.Compilation.CSharp.Common.dll

Microsoft.Dnx.Compilation.CSharp.dll

Microsoft.Dnx.Compilation.dll

Microsoft.Dnx.Host.Clr.dll

Microsoft.Dnx.Host.dll

Microsoft.Dnx.Loader.dll

Microsoft.Dnx.Runtime.dll

Microsoft.Extensions.PlatformAbstractions.dll

System.Collections.Immutable.dll

System.Reflection.Metadata.dll

Vcruntime140.dll (can also be omitted; an error is reported, but code execution is not affected)

The following files in this directory are not needed:

Dnu.cmd

Dnx.win32.dll

Microsoft.Dnx.Compilation.DesignTime.dll

Microsoft.Dnx.DesignTimeHost.Abstractions.dll

Microsoft.Dnx.dll

Microsoft.Dnx.Host.Mono.dll

Microsoft.Dnx.Runtime.Internals.dll

As shown, because dnx.exe carries Microsoft's signing certificate, it still has execute permission in an environment where Device Guard UMCI (User Mode Code Integrity) is enabled.

Bypass successful.

rcsi.exe

rcsi.exe ships with the Microsoft "Roslyn" CTP and carries a Microsoft digital signature.

Microsoft "Roslyn" CTP download address: http://ift.tt/2shDetD

Installation prerequisites:

Install Visual Studio 2012

Install the VS2012 SDK

1, Actual test

Test System: Win8.1 x86 Install Visual Studio 2012, VS2012 SDK, Microsoft “Roslyn” CTP

2, Running the code

The path to rcsi.exe is:

C:\Program Files\Microsoft Roslyn CTP\Binaries

Create the new file test.csx as follows:

xx

Cmd:

xx

The C# code is executed successfully.

rcsi.exe is similar to csi.exe: both can be used to run C# code. The difference is that csi.exe supports interactive use, while rcsi.exe does not.

3, Win10 Device Guard test

Running rcsi.exe on Win10 likewise requires supporting files. Use Process Monitor to record the run-time operations of rcsi.exe, as shown in the figure.

Find the support file for rcsi.exe as follows:

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Roslyn.Compilers.CSharp\v4.0_1.2.0.0__31bf3856ad364e35\Roslyn.Compilers.CSharp.dll

C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Roslyn.Compilers\v4.0_1.2.0.0__31bf3856ad364e35\Roslyn.Compilers.dll

Note:

This is also the homework that Matt Nelson (@enigma0x3) left to the reader.

Win10 test successful, as shown in the figure.

Defense

Refer to Matt Graeber's method of updating the Device Guard Bypass Mitigation Rules to block code execution through WinDbg/CDB, csi.exe, dnx.exe and rcsi.exe respectively.

The reference address is as follows:

http://ift.tt/2cgyg8e
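The mitigation the post points to, written out as an added example (not code from the original post or from Matt Graeber's rules repository): use the ConfigCI cmdlets to build deny rules for the signed hosts named above and merge them into the policy already deployed. The paths under C:\CIPolicy are assumptions, and the binaries to block are assumed to have been copied into the staging folder beforehand.

```powershell
# Added example, not code from the original post or from Matt Graeber's repository.
# Assumptions: run as administrator on Windows 10 Enterprise / Server 2016 with the
# ConfigCI module; C:\CIPolicy\DeployedPolicy.xml is the policy currently in use;
# copies of cdb.exe, windbg.exe, csi.exe, dnx.exe and rcsi.exe sit in the staging folder.
$Deployed  = 'C:\CIPolicy\DeployedPolicy.xml'   # placeholder path
$DenyXml   = 'C:\CIPolicy\ScriptHostDeny.xml'   # placeholder path
$MergedXml = 'C:\CIPolicy\MergedPolicy.xml'     # placeholder path
$Staging   = 'C:\CIPolicy\BlockStaging'         # placeholder path

# 1. Collect file and signer information for the staged binaries.
#    -UserPEs is required because these are user-mode applications, not drivers.
$Files = Get-SystemDriver -ScanPath $Staging -UserPEs -NoShadowCopy
if (-not $Files) { throw "No PE files found in $Staging" }

# 2. Build deny rules. FilePublisher ties each rule to signer plus file name, so the
#    Microsoft-signed hosts are blocked even though Microsoft is otherwise trusted by
#    the policy; anything unsigned in the folder falls back to a hash rule.
$Rules = New-CIPolicyRule -DriverFiles $Files -Level FilePublisher -Fallback Hash -Deny
New-CIPolicy -Rules $Rules -FilePath $DenyXml -UserPEs

# 3. Merge into the deployed policy. A deny rule takes precedence over any allow rule,
#    so the existing publisher allow for Microsoft no longer covers these hosts.
Merge-CIPolicy -PolicyPaths $Deployed, $DenyXml -OutputFilePath $MergedXml | Out-Null

# 4. Review the generated rules before deploying. FilePublisher deny rules carry a
#    MinimumFileVersion taken from the staged binary; check that bound so a newer
#    build of dnx.exe or rcsi.exe does not fall outside the rule (Microsoft's own
#    block list uses 65535.65535.65535.65535 for this reason).
[xml]$Policy = Get-Content -LiteralPath $MergedXml
$Policy.SiPolicy.FileRules.Deny |
    Select-Object ID, FriendlyName, FileName, MinimumFileVersion, Hash

# 5. Compile to binary and place it where Code Integrity loads it; reboot to apply.
$Bin = 'C:\CIPolicy\SIPolicy.p7b'   # placeholder path
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $Bin | Out-Null
Copy-Item -LiteralPath $Bin -Destination "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b" -Force
```

Test the merged policy in audit mode first and watch the CodeIntegrity operational log for events naming these hosts before switching to enforcement.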

The post Bypassing device Guard UMCI with dnx.exe/rcsi.exe appeared first on Penetration Testing. http://ift.tt/2si4tEj http://ift.tt/2aM8QhC
