ETW Providers

2024-11-10 07:04:22 +00:00 · 2023-04-03 10:48:53 +02:00 · 2023-04-03 10:48:53 +02:00 · 0a70636d28
commit 0a70636d28
parent d040c0e677
2 changed files with 81 additions and 5 deletions
--- a/Inclusion/README.md
+++ b/Inclusion/README.md
@ -26,7 +26,7 @@
    - [Wrapper input://](#wrapper-input)
    - [Wrapper zip://](#wrapper-zip)
    - [Wrapper phar://](#wrapper-phar)
-    - [Wrapper iconv:// and dechunk://](#wrapper-iconv-and-dechunk)
+    - [Wrapper convert.iconv:// and dechunk://](#wrapper-converticonv-and-dechunk)
  - [LFI to RCE via /proc/*/fd](#lfi-to-rce-via-procfd)
  - [LFI to RCE via /proc/self/environ](#lfi-to-rce-via-procselfenviron)
  - [LFI to RCE via upload](#lfi-to-rce-via-upload)
@ -252,9 +252,13 @@ include('phar://test.phar');
 NOTE: The unserialize is triggered for the phar:// wrapper in any file operation, `file_exists` and many more.


-### Wrapper iconv:// and dechunk://
+### Wrapper convert.iconv:// and dechunk://

-The goal is to leak the content of a file, one character at a time. 
+- `convert.iconv://`: convert input into another folder (`convert.iconv.utf-16le.utf-8`)
+- `dechunk://`: if the string contains no newlines, it will wipe the entire string if and only if
+the string starts with A-Fa-f0-9
+
+The goal of this exploitation is to leak the content of a file, one character at a time, based on the [DownUnderCTF](https://github.com/DownUnderCTF/Challenges_2022_Public/blob/main/web/minimal-php/solve/solution.py) writeup.
 
 **Requirements**:
 - Backend must not use `file_exists` or `is_file`.
--- a/Resources/Windows
+++ b/Resources/Windows
@ -192,9 +192,80 @@ ETW (Event Tracing for Windows) is a Windows-based logging mechanism that provid
 | Microsoft-Antimalware-Protection      | {E4B70372-261F-4C54-8FA6-A5A7914D73DA} |
 | Microsoft-Windows-Threat-Intelligence | {F4E1897C-BB5D-5668-F1D8-040F4D8DD344} |

+You can see all the providers registered to Windows using: `logman query providers`
+
+```ps1
+PS C:\Users\User\Documents> logman query providers
+
+Provider                                 GUID
+-------------------------------------------------------------------------------
+.NET Common Language Runtime             {E13C0D23-CCBC-4E12-931B-D9CC2EEE27E4}
+ACPI Driver Trace Provider               {DAB01D4D-2D48-477D-B1C3-DAAD0CE6F06B}
+Active Directory Domain Services: SAM    {8E598056-8993-11D2-819E-0000F875A064}
+Active Directory: Kerberos Client        {BBA3ADD2-C229-4CDB-AE2B-57EB6966B0C4}
+Active Directory: NetLogon               {F33959B4-DBEC-11D2-895B-00C04F79AB69}
+ADODB.1                                  {04C8A86F-3369-12F8-4769-24E484A9E725}
+ADOMD.1                                  {7EA56435-3F2F-3F63-A829-F0B35B5CAD41}
+...
+```
+
+We can get more information about the provider using:  `logman query providers {ProviderID}/Provider-Name`
+
+```ps1
+PS C:\Users\User\Documents> logman query providers Microsoft-Antimalware-Scan-Interface
+
+Provider                                 GUID
+-------------------------------------------------------------------------------
+Microsoft-Antimalware-Scan-Interface     {2A576B87-09A7-520E-C21A-4942F0271D67}
+
+Value               Keyword              Description
+-------------------------------------------------------------------------------
+0x0000000000000001  Event1
+0x8000000000000000  AMSI/Debug
+
+Value               Level                Description
+-------------------------------------------------------------------------------
+0x04                win:Informational    Information
+
+PID                 Image
+-------------------------------------------------------------------------------
+0x00002084          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+0x00002084          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
+0x00001bd4
+0x00000ad0
+0x00000b98
+```
+
 The `Microsoft-Windows-Threat-Intelligence` provider corresponds to ETWTI, an additional security feature that an EDR can subscribe to and identify malicious uses of APIs (e.g. process injection).

-The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. 
+```ps1
+0x0000000000000001  KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL
+0x0000000000000002  KERNEL_THREATINT_KEYWORD_ALLOCVM_LOCAL_KERNEL_CALLER
+0x0000000000000004  KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE
+0x0000000000000008  KERNEL_THREATINT_KEYWORD_ALLOCVM_REMOTE_KERNEL_CALLER
+0x0000000000000010  KERNEL_THREATINT_KEYWORD_PROTECTVM_LOCAL
+0x0000000000000020  KERNEL_THREATINT_KEYWORD_PROTECTVM_LOCAL_KERNEL_CALLER
+0x0000000000000040  KERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTE
+0x0000000000000080  KERNEL_THREATINT_KEYWORD_PROTECTVM_REMOTE_KERNEL_CALLER
+0x0000000000000100  KERNEL_THREATINT_KEYWORD_MAPVIEW_LOCAL
+0x0000000000000200  KERNEL_THREATINT_KEYWORD_MAPVIEW_LOCAL_KERNEL_CALLER
+0x0000000000000400  KERNEL_THREATINT_KEYWORD_MAPVIEW_REMOTE
+0x0000000000000800  KERNEL_THREATINT_KEYWORD_MAPVIEW_REMOTE_KERNEL_CALLER
+0x0000000000001000  KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC_REMOTE
+0x0000000000002000  KERNEL_THREATINT_KEYWORD_QUEUEUSERAPC_REMOTE_KERNEL_CALLER
+0x0000000000004000  KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT_REMOTE
+0x0000000000008000  KERNEL_THREATINT_KEYWORD_SETTHREADCONTEXT_REMOTE_KERNEL_CALLER
+0x0000000000010000  KERNEL_THREATINT_KEYWORD_READVM_LOCAL
+0x0000000000020000  KERNEL_THREATINT_KEYWORD_READVM_REMOTE
+0x0000000000040000  KERNEL_THREATINT_KEYWORD_WRITEVM_LOCAL
+0x0000000000080000  KERNEL_THREATINT_KEYWORD_WRITEVM_REMOTE
+0x0000000000100000  KERNEL_THREATINT_KEYWORD_SUSPEND_THREAD
+0x0000000000200000  KERNEL_THREATINT_KEYWORD_RESUME_THREAD
+0x0000000000400000  KERNEL_THREATINT_KEYWORD_SUSPEND_PROCESS
+0x0000000000800000  KERNEL_THREATINT_KEYWORD_RESUME_PROCESS
+```
+
+The most common bypassing technique is patching the function `EtwEventWrite` which is called to write/log ETW events. You can list the providers registered for a process with `logman query providers -pid <PID>`


 ## Windows Defender Antivirus
@ -302,4 +373,5 @@ The **Enterprise Context** column shows you what each app can do with your enter
 * [Determine the Enterprise Context of an app running in Windows Information Protection (WIP) - 03/10/2023 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context)
 * [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate - 12/09/2022 - Microsoft](https://learn.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate)
 * [DISABLING AV WITH PROCESS SUSPENSION - March 24, 2023 - By Christopher Paschen ](https://www.trustedsec.com/blog/disabling-av-with-process-suspension/)
-* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
+* [Disabling Event Tracing For Windows - UNPROTECT PROJECT - Tuesday 19 April 2022](https://unprotect.it/technique/disabling-event-tracing-for-windows-etw/)
+* [ETW: Event Tracing for Windows 101 - ired.team](https://www.ired.team/miscellaneous-reversing-forensics/windows-kernel-internals/etw-event-tracing-for-windows-101)