# How to use WFH to find common vulnerabilities or features in Windows executables

WFH (Windows Feature Hunter) searches for and identifies common security vulnerabilities and features in Windows executables. The current version of WFH can automatically identify potential side-loading issues in dynamic-link libraries (DLLs) and hijacking opportunities in the Component Object Model (COM). DLL sideloading uses the WinSxS assemblies in Windows to load a malicious DLL file from the SxS listing. COM hijacking allows an attacker to plant malicious code that replaces the execution of legitimate software by hijacking COM references and relationships. WFH prints the potential vulnerabilities it finds and writes information about the potential vulnerabilities in the target Windows executables to a CSV file.

## Installation

First, clone the project source to a local directory:

```
git clone https://github.com/ConsciousHacker/WFH
```

Then install the required dependencies:

```
pip install -r requirements.txt
```

## Help output

```
PS C:\Tools\WFH> python .\wfh.py -h
usage: wfh.py [-h] -t T [T ...] -m {dll,com} [-v] [-timeout TIMEOUT]

Windows Feature Hunter

optional arguments:
  -h, --help            show this help message and exit
  -t T [T ...], -targets T [T ...]
                        list of target windows executables
  -m {dll,com}, -mode {dll,com}
                        vulnerabilities to potentially identify
  -v, -verbose          verbose output from Frida instrumentation
  -timeout TIMEOUT      timeout value for Frida instrumentation

EXAMPLE USAGE

NOTE: It's recommended to copy the target executables to the same directory

DLL Sideloading Identification (Single):
    python wfh.py -t .\mspaint.exe -m dll

DLL Sideloading Identification (Verbose):
    python wfh.py -t .\mspaint.exe -m dll -v

DLL Sideloading Identification (Timeout 30s):
    python wfh.py -t .\mspaint.exe -m dll -timeout 30

DLL Sideloading Identification (Wildcard):
    python wfh.py -t * -m dll

DLL Sideloading Identification (List):
    python wfh.py -t .\mspaint.exe .\charmap.exe -m dll

COM Hijacking Identification (Single):
    python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com

COM Hijacking Identification (Verbose):
    python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -v

COM Hijacking Identification (Timeout 60s):
    python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com -timeout 60

COM Hijacking Identification (Wildcard):
    python wfh.py -t * -m com -v

COM Hijacking Identification (List):
    python wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Windows\System32\notepad.exe" -m com -v
```

## Tool usage

### (1) DLL sideloading identification

First, copy the executables you want to analyze into the directory that contains WFH:

```
PS C:\Tools\WFH> copy C:\Windows\System32\mspaint.exe .
PS C:\Tools\WFH> copy C:\Windows\System32\charmap.exe .
PS C:\Tools\WFH> dir

    Directory: C:\Tools\WFH

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/14/2021   2:12 PM                .vscode
-a----          5/6/2021   2:39 PM           1928 .gitignore
-a----         12/7/2019   2:09 AM         198656 charmap.exe
-a----         5/18/2021   7:39 AM           6603 loadlibrary.js
-a----          4/7/2021  12:48 PM         988160 mspaint.exe
-a----         5/18/2021   7:53 AM           8705 README.md
-a----         5/17/2021  11:27 AM           5948 registry.js
-a----          5/6/2021   2:41 PM             11 requirements.txt
-a----         5/18/2021   8:35 AM          10623 wfh.py
```

Next, run WFH against the target executables to look for DLL sideloading opportunities:

```
PS C:\Tools\WFH> python .\wfh.py -t * -m dll
==================================================
Running Frida against charmap.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential DllExport Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
PS C:\Tools\WFH> type .\dll_results.csv
Executable,WinAPI,DLL,EntryPoint/WinAPIArgs
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
```

If you want more detail, pass `-v` to enable verbose mode; WFH then prints every Windows API call captured by the Frida instrumentation:

```
PS C:\Tools\WFH> python .\wfh.py -t * -m dll -v
==================================================
Running Frida against charmap.exe
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to charmap.exe-raw.log
[*] Writing Potential DLL Sideloading to charmap.exe-sideload.log
--------------------------------------------------
==================================================
Running Frida against mspaint.exe
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE'}
{'type': 'send', 'payload': 'GetProcAddress, hModule: C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll, LPCSTR: GdiplusStartup'}
{'type': 'send', 'payload': 'LoadLibraryW, LPCWSTR: MSFTEDIT.DLL'}
{'type': 'send', 'payload': 'LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE'}
--------------------------------------------------
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: gdiplus.dll, dwFlags: NONE
[-] Potential DllExport Sideloading: GetProcAddress, hModule: C:\WINDOWS\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\gdiplus.dll, LPCSTR: GdiplusStartup
[+] Potential DllMain Sideloading: LoadLibraryW, LPCWSTR: MSFTEDIT.DLL
[+] Potential DllMain Sideloading: LoadLibraryExW, LPCWSTR: MSFTEDIT.DLL, dwFlags: NONE
[*] Writing raw Frida instrumentation to mspaint.exe-raw.log
[*] Writing Potential DLL Sideloading to mspaint.exe-sideload.log
--------------------------------------------------
==================================================
[*] Writing dll results to dll_results.csv
```

### (2) COM hijacking identification

```
PS C:\Tools\WFH> python .\wfh.py -t "C:\Program Files\Internet Explorer\iexplore.exe" -m com
==================================================
Running Frida against C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
[+] Potential COM Hijack: Path: HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\InProcServer*32, lpValueName: null, Type: REG_EXPAND_SZ, Value: %SystemRoot%\system32\Windows.Storage.dll
[+] Potential COM Hijack: Path: HKEY_CLASSES_ROOT\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InProcServer*32, lpValueName: null, Type: REG_SZ, Value: C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.62\BHO\ie_to_edge_bho_64.dll
[*] Writing raw Frida instrumentation to .\iexplore.exe-raw.log
[*] Writing Potential COM Hijack to .\iexplore.exe-comhijack.log
--------------------------------------------------
==================================================
[*] Writing dll results to comhijack_results.csv
```

## Usage examples

### (1) Natively signed Windows binaries

Copy every natively signed Windows executable into the directory that contains the WFH script:

```powershell
Get-ChildItem c:\ -File | ForEach-Object { if ($_ -match '.+?exe$') { Get-AuthenticodeSignature $_.fullname } } | where { $_.IsOSBinary } | ForEach-Object { Copy-Item $_.path . }
```

### (2) Search for DLL sideloading opportunities

```
python wfh.py -t * -m dll
```

### (3) Search for COM hijacking opportunities

```
python wfh.py -t * -m com
```

## Project address

WFH: [GitHub Portal](https://github.com/ConsciousHacker/WFH)
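The findings above are only starting points; a defender still has to decide which of them matter on a given host. The following Python is an added triage example written for this article; it is not part of the WFH project. It parses the `dll_results.csv` layout and the `[+] Potential COM Hijack` console lines shown above, separates the `LoadLibrary*` calls that pass a bare file name (and therefore go through the loader's search order) from the `GetProcAddress` calls that already resolved to a full module path, and for each COM finding derives the per-user `HKEY_CURRENT_USER\Software\Classes\CLSID\{...}\InProcServer32` key whose absence a defender should confirm. The sample inputs are constructed from the output shown above (with the key spelled `InProcServer32`), and the function names `triage_dll_results` and `triage_com_lines` are my own.

```python
"""Triage helpers for WFH output (added example; not part of the WFH project)."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample in the layout the article shows for dll_results.csv.
SAMPLE_DLL_CSV = """\
Executable,WinAPI,DLL,EntryPoint/WinAPIArgs
charmap.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
charmap.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
mspaint.exe,LoadLibraryExW,LPCWSTR: gdiplus.dll,dwFlags: NONE
mspaint.exe,GetProcAddress,hModule: C:\\WINDOWS\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.789_none_faf0a7e97612e7bb\\gdiplus.dll,LPCSTR: GdiplusStartup
mspaint.exe,LoadLibraryW,LPCWSTR: MSFTEDIT.DLL
mspaint.exe,LoadLibraryExW,LPCWSTR: MSFTEDIT.DLL,dwFlags: NONE
"""

# Constructed sample of the '[+] Potential COM Hijack' console lines (plus one
# unrelated status line, to show that it is ignored).
SAMPLE_COM_LINES = [
    "[+] Potential COM Hijack: Path: HKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{0E5AAE11-A475-4C5B-AB00-C66DE400274E}\\InProcServer32, lpValueName: null, Type: REG_EXPAND_SZ, Value: %SystemRoot%\\system32\\Windows.Storage.dll",
    "[+] Potential COM Hijack: Path: HKEY_CLASSES_ROOT\\CLSID\\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\\InProcServer32, lpValueName: null, Type: REG_SZ, Value: C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\90.0.818.62\\BHO\\ie_to_edge_bho_64.dll",
    "[*] Writing raw Frida instrumentation to .\\iexplore.exe-raw.log",
]


def _parse_args(fields):
    """Turn ['LPCWSTR: x', 'dwFlags: NONE'] into {'LPCWSTR': 'x', 'dwFlags': 'NONE'}."""
    out = {}
    for field in fields:
        name, sep, value = field.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def triage_dll_results(csv_text):
    """Group dll_results.csv rows per executable.

    bare_name_loads: DLLs requested by file name only (no directory), i.e. the
    calls that follow the loader's search order and so must be verified against
    the expected system copy (or the KnownDLLs list).
    exports: (module file name, export) pairs resolved through GetProcAddress,
    whose hModule already names the loaded module's full path.
    """
    summary = defaultdict(lambda: {"bare_name_loads": set(), "exports": []})
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip the header row
    for row in reader:
        if len(row) < 3:
            continue
        exe, api, args = row[0], row[1], _parse_args(row[2:])
        entry = summary[exe]
        if api.startswith("LoadLibrary"):
            dll = args.get("LPCWSTR") or args.get("LPCSTR", "")
            if dll and "\\" not in dll and "/" not in dll:
                entry["bare_name_loads"].add(dll.lower())
        elif api == "GetProcAddress":
            module = args.get("hModule", "").rsplit("\\", 1)[-1].lower()
            entry["exports"].append((module, args.get("LPCSTR", "")))
    return {exe: {"bare_name_loads": sorted(v["bare_name_loads"]), "exports": v["exports"]}
            for exe, v in summary.items()}


COM_LINE = re.compile(
    r"Potential COM Hijack: Path: (?P<path>.+?), lpValueName: (?P<name>\S+), "
    r"Type: (?P<type>\w+), Value: (?P<value>.+)$"
)
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def triage_com_lines(lines):
    """Extract CLSID, hive, value type and server path from COM hijack lines.

    review_key is the per-user key a defender should confirm does not exist:
    HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\\Software\\Classes
    takes precedence over HKEY_LOCAL_MACHINE\\Software\\Classes, so an unexpected
    entry there would override the machine-wide registration in the finding.
    """
    findings = []
    for line in lines:
        m = COM_LINE.search(line)
        if not m:
            continue  # status lines and separators carry no finding
        clsid = CLSID.search(m["path"])
        if not clsid:
            continue
        guid = clsid.group(0).upper()
        findings.append({
            "clsid": guid,
            "hive": m["path"].split("\\", 1)[0],
            "value_type": m["type"],
            "server": m["value"],
            "review_key": "HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\%s\\InProcServer32" % guid,
        })
    return findings


if __name__ == "__main__":
    for exe, info in triage_dll_results(SAMPLE_DLL_CSV).items():
        print(exe, "bare-name loads:", info["bare_name_loads"], "exports:", info["exports"])
    for f in triage_com_lines(SAMPLE_COM_LINES):
        print(f["clsid"], f["hive"], "->", f["server"], "| confirm absent:", f["review_key"])
```

Two caveats when reading the result on a real host: a bare-name load is only a problem if a writable directory earlier in the search order can shadow the expected copy, so each `bare_name_loads` entry should be checked against the actual resolved path (for instance from the `-raw.log` file) rather than treated as a confirmed issue; and the per-user `review_key` only matters for processes running at medium integrity, since elevated processes do not consult per-user COM registrations.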
