Forensics
Forensics reveals secrets.
Where possible, performing some basic forensic test cases can reveal juicy information about an application; if nothing else, it can at least provide some extra information about the application that can be used later.
During the testing phase developers log some output to the console or to a file, and it is a common mistake not to remove these pieces of code before pushing to production.
Run your application from the command line and redirect all output to a file.
e.g. DVTA.exe > log.txt
Then browse your application as a normal user and close the application. Now review the log.txt file. You may find database credentials, SQL queries, etc.
If it is possible to decompile the application's source code, review it properly for backdoors in the application or for the extra functionality a privileged user has.
e.g. In DVTA the admin can export all users' expenses to his FTP server.
Organizations should always sign their applications for trustworthiness. When an application is signed with the company's private key, it can be verified that it hasn't been tampered with.
Sigcheck is another tool from the Sysinternals suite that can be used for checking this.
As you can see, the DVTA application is unsigned and should be signed.
Executables and DLLs can be shipped with some extra security measures to protect against memory corruption attacks.
Address Space Layout Randomization (ASLR): the location of the application in memory is randomized to make it harder for an attacker to overwrite/guess return addresses.
SafeSEH: the linker only produces an image if it can also produce a table of the image's safe exception handlers. This table specifies to the operating system which exception handlers are valid for the image.
Data Execution Prevention (DEP): areas of memory can be marked as non-executable to protect against attacks like buffer overflows.
Authenticode/Strong naming: code can be signed by its owner.
Control Flow Guard (CFG): an extension of DEP and ASLR which helps mitigate memory corruption and overflow attacks.
HighEntropyVA: specifies whether the executable supports 64-bit ASLR.
PESecurity is one such tool to check the security controls of an executable or a DLL.
Tool link: https://github.com/NetSPI/PESecurity
You will have to import the script first: Import-Module .\Get-PESecurity.psm1
If you get a permission error, you will have to bypass the execution policy, which is a security mechanism to prevent executing malicious scripts.
Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy Unrestricted
Now import the script and run Get-PESecurity -file <PATH>\DVTA.exe
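Most of the flags listed above (ASLR, DEP, HighEntropyVA, CFG) are single bits in the DllCharacteristics field of the PE optional header, which is what tools like PESecurity read. The following is an added example, not code from this page or from the PESecurity project: a dependency-free parser that reads those bits from an executable (SafeSEH and signing are not covered, as they live in the load-config directory and the Authenticode signature respectively). The build_stub helper and the bit layout it produces are constructed test input, not a real program.

```python
import struct
import sys

# DllCharacteristics bits defined in the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR
DYNAMIC_BASE    = 0x0040   # ASLR (image can be relocated)
NX_COMPAT       = 0x0100   # DEP (non-executable data)
GUARD_CF        = 0x4000   # Control Flow Guard

def pe_mitigations(data: bytes) -> dict:
    """Return which compile-time mitigations a PE image opts into."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                                     # COFF file header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]              # 0x10B = PE32, 0x20B = PE32+
    # DllCharacteristics is at offset 70 of the optional header in both PE32 and PE32+.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "arch": "PE32+" if magic == 0x20B else "PE32",
        "ASLR": bool(dll_chars & DYNAMIC_BASE),
        "DEP": bool(dll_chars & NX_COMPAT),
        "HighEntropyVA": bool(dll_chars & HIGH_ENTROPY_VA),
        "CFG": bool(dll_chars & GUARD_CF),
    }

def missing_mitigations(data: bytes) -> list:
    """List the mitigations the image does not enable (the finding to report)."""
    m = pe_mitigations(data)
    return [name for name in ("ASLR", "DEP", "HighEntropyVA", "CFG") if not m[name]]

def build_stub(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub, PE signature, COFF header, optional header).
    It is only enough for header parsing and is not an executable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)   # 64 bytes
    coff = b"PE\0\0" + b"\0" * 20
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + coff + opt

if __name__ == "__main__":
    # Usage: python pe_mitigations.py <PATH>\DVTA.exe   (hypothetical script name)
    with open(sys.argv[1], "rb") as f:
        print(pe_mitigations(f.read()))
```

On a real binary, a non-empty result from missing_mitigations is the same class of finding PESecurity reports as False for that column.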