Dave Kukfa Security bub

DLL Injection with an Old MMO Client

On and off over the past few months, I’ve been working on reversing the client of an old out-of-service MMO I used to play. This post goes over basic DLL injection, with the hope to update as I move into more advanced techniques and demonstrate a possible usage case.

To start off, we’re going to need a few tools. Process Explorer from the Sysinternals suite is used to inspect each running process and the DLLs it has loaded. I used Visual Studio to build the DLL and NCLoader to inject it, although there are other tools that can be substituted if preferred.

Use your program of choice to write the DLL and build it. Here’s the code I used:

#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hInst     /* Library instance handle. */,
	DWORD reason        /* Reason this function is being called. */,
	LPVOID reserved     /* Not used. */)
{
	switch (reason)
	{
	case DLL_PROCESS_ATTACH:
		MessageBox(0, (LPCWSTR) L"From DLL\n", (LPCWSTR) L"Process loading DLL", MB_ICONINFORMATION);
		break;

	case DLL_PROCESS_DETACH:
		MessageBox(0, (LPCWSTR) L"From DLL\n", (LPCWSTR) L"Process unloading DLL", MB_ICONINFORMATION);
		break;

	case DLL_THREAD_ATTACH:
		MessageBox(0, (LPCWSTR) L"From DLL\n", (LPCWSTR) L"Creating new thread", MB_ICONINFORMATION);
		break;

	case DLL_THREAD_DETACH:
		MessageBox(0, (LPCWSTR) L"From DLL\n", (LPCWSTR) L"Thread exiting", MB_ICONINFORMATION);
		break;
	}

	return TRUE;
}

The code defines the DLL entry point function, which executes when processes load and unload the DLL, and processes that have already loaded the DLL create and terminate threads. In our case, we just throw up a message box letting us know what happened (not the best way of doing things, but for our test purposes, it works). For more information, TutorialsPoint and MSDN have great pages on the topic.

Once we have the DLL built, open the target program (the MMO, in my case) and find it in Process Explorer. We’ll need the process ID (PID) of the target for the DLL injector.

Finding the PID using Process Explorer

Next, open the DLL injector and inject the DLL into the process. Using NCLoader:

Injecting using NCLoader

Notice that we can see the DLL loaded in the target process (the purple DLL in Process Explorer), and the DLL_PROCESS_ATTACH case triggered its message box when the process loaded the DLL.

The next step is to modify the DLL to include useful functionality for reversing the client. More to come soon!

ASIST CTF

This Sunday, RIT sent two teams down to Alfred State to play in the Fall 2015 Alfred State Information Security Team (ASIST) CTF. The challenges featured a set of 16 primary objectives, which served as a story line for a penetration test of an insurance company. The story began with reconnaissance challenges, then branched into web and database security. Things started getting tricky when we had to track down and gain access to an internal backup server by tracing through a cronned backup script. We then pivoted to a mail server and found an encoded screenshot with further credentials inside an email. The series ended by pivoting to an internal Windows server and pulling the domain administrator’s password. Other side challenges were mixed in, including lockpicking, NFC tags, hacking a makeshift fire alarm system, and pinning a white-team member with a clothespin.

Our team took home first place, with the other RIT team taking second. Huge thanks to ASIST for putting on a great event! I learned a ton and had an awesome time working through the challenges.

RC3 CTF

I competed in the 2nd annual RIT Competitive Cybersecurity Club (RC3) CTF over the weekend. This was a CTF designed to appeal to both beginners and experts, with a wide variety of challenges to choose from. Categories included web, crypto, forensics, reversing, trivia, and an interesting ‘misc’ section containing challenges too unique for the other containers. The competition went from Friday at 7pm to Sunday at 8pm, with 60 registered teams participating.

Our team had a rather slow start, and picked off most of the low-hanging fruit during the first night of the competition. Saturday was spent working on a mix of mid and high-level challenges, which landed us in 7th place at the end of the day. After a few hours of work on Sunday, we had completed many of the mid-level challenges and began to focus on the more difficult challenges with high rewards. At around 4pm, our work began to pay off as we started finding flags and shot into 5th place. In the last 15 minutes of the competition, we decided to focus on a crypto challenge that would jump us to 3rd if we were successful. Everyone started applying different techniques to the challenge, until at 7:56 – 4 minutes until submissions closed – a teammate posted the flag to our Slack chat, and we leaped into 3rd place to finish the competition.

Needless to say, I had an awesome time solving challenges, and picked up quite a few web, forensics, and reversing techniques along the way. Very proud of our team for our diligent work and the big finish!

Graph of team points

CPTC 2015

Last weekend, I had the opportunity to represent RIT at the first ever Collegiate Penetration Testing Competition (CPTC). The CPTC is designed to emulate a realistic pentesting engagement for a (fictitious) government technology services firm. Before the start of the competition, the company issued a Request for Proposal (RFP) which teams responded to by creating proposals that address the scope of the engagement and outline their testing methodology. On the first day, each team had a meeting with the company’s management to review the team’s proposal and the scope and limitations of the penetration test. Afterwards, teams began their testing of the company’s infrastructure – complete with external and internal networks, AD domains, databases, and web applications – and worked on their reports and presentations (through the night for many of us). The next morning, teams presented their findings and recommendations to the company executives and answered any questions about the engagement.

RIT had the honor of placing 2nd out of 9 teams this year. We were also featured in an RIT News article! A huge thanks goes to the system administrators – both staff and students – who were in charge of managing the infrastructure during the pressure of the competition. We all had an amazing time competing, and look forward to next year’s event.

RIT CPTC team

Rustle and Bromley Name Generator

This was something fun I put together for my friends in a local band. The script uses two word banks to generate a different take on the band’s name, with a 5% chance of something totally unrelated popping up instead. I modified a script by Niels Gamborg to generate the names and display them.