roguebook

Forensics

Forensics reveals secrets.


Last updated 2 years ago

If possible, performing some basic forensic test cases can reveal juicy information about an application; if nothing else, it at least provides extra information about the application that can be used later.

1. Logging

During the testing phase developers log some output to the console or to a file, and it is a common mistake not to remove these pieces of code before pushing to production.

Run your application from the command line and redirect all logs to a file.

e.g. DVTA.exe > log.txt

Then browse the application as a normal user and close it. Now review the log.txt file. You will find database credentials, SQL queries, etc.

2. Developer backdoor

If it is possible to decompile the application's source code, review it properly for any backdoor in the application, or for what extra functionality a privileged user has.

e.g. In DVTA the admin can export all users' expenses to his FTP server.

3. Signing

Organizations should always sign their applications for trustworthiness. When an application is signed with the company's private key, the signature lets you verify that it hasn't been tampered with.

Sigcheck is another tool from the Sysinternals suite that can be used to check this.

As you can see, the DVTA application is unsigned and should be signed.

4. Assembly Controls

Executables and DLLs can be shipped with some extra security measures to protect against memory corruption attacks.

  • Address Space Layout Randomization (ASLR): the location of the application in memory is randomized to make it harder for an attacker to overwrite/guess return addresses

  • SafeSEH: the linker only produces an image if it can also produce a table of the image's safe exception handlers. This table specifies to the operating system which exception handlers are valid for the image.

  • Data Execution Prevention (DEP): areas of memory can be marked as non-executable to protect against attacks like buffer overflows

  • Authenticode/Strong naming: code can be signed by its owner.

  • Control Flow Guard (CFG): an extension of DEP and ASLR that helps mitigate memory corruption and overflow attacks.

  • HighEntropyVA: specifies whether the executable supports 64-bit ASLR.

PESecurity is one such tool to check the security controls of an executable or a DLL.

Tool Link: https://github.com/NetSPI/PESecurity

You will have to import the script first: Import-Module .\Get-PESecurity.psm1

If you get a permission error you will have to bypass the execution policy, which is a security mechanism to prevent executing malicious scripts:

Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted

Now import the script and run Get-PESecurity -file <PATH>\DVTA.exe
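To see where the controls listed above actually live in the file, here is an added Python parser (not part of the original page and not PESecurity's own code) that reads the DllCharacteristics field of the PE optional header and reports ASLR, DEP, CFG and HighEntropyVA the same way a reviewer would read them from Get-PESecurity output. SafeSEH and Authenticode live in other directories and are not covered; the header bytes built by build_test_header are constructed for offline testing, not a real binary.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # image is compatible with DEP
GUARD_CF = 0x4000          # Control Flow Guard instrumentation present
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def check_pe_mitigations(data: bytes) -> dict:
    """Read DllCharacteristics from the optional header and report the
    ASLR/DEP/CFG/HighEntropyVA flags (SafeSEH and signing are elsewhere)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20          # 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ headers
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    is64 = magic == PE32PLUS_MAGIC
    return {
        "64bit": is64,
        "ASLR": bool(dllchar & DYNAMIC_BASE),
        "DEP": bool(dllchar & NX_COMPAT),
        "CFG": bool(dllchar & GUARD_CF),
        # the high-entropy bit only means something for 64-bit images
        "HighEntropyVA": is64 and bool(dllchar & HIGH_ENTROPY_VA),
    }

def missing_mitigations(report: dict) -> list:
    """Names of the controls a reviewer would flag as absent."""
    wanted = ["ASLR", "DEP", "CFG"] + (["HighEntropyVA"] if report["64bit"] else [])
    return [name for name in wanted if not report[name]]

def build_test_header(magic: int, dllchar: int) -> bytes:
    """Constructed minimal PE header (not a loadable binary) for offline testing."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)   # e_lfanew: PE header follows DOS header
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + bytes(20) + bytes(opt)
```

On a real file, pass the bytes of the executable (for example open(path, "rb").read()) to check_pe_mitigations and compare the result with what Get-PESecurity prints.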