Next generation rootkits | shim-based shellcodes
In my personal opinion, one of the best briefings at last year's Black Hat Europe was Sean's work on shims. In a nutshell, shims in Microsoft operating systems are the application-compatibility mechanism: a shim database tells the loader to hook selected API calls of a target executable so that old programs keep working without being rewritten, which makes them a quick way to patch behaviour without touching the binary. For years nobody noticed their potential for hacking, until Mark Baggett discussed their use for post-exploitation in 2013. Three years on they are still under the radar, and with them attackers can do pretty much whatever they dream of. I was amazed when Sean built a simple rootkit live during the presentation. Sean's favourite use is AV evasion, and he explained the method in his Black Hat presentation. I recommend that the reader look at Sean's articles about shims.
Despite their power, shims have rarely been used in the wild, apart from occasional use to bypass Windows UAC. One reason is probably that installing a shim database (sdbinst.exe) requires administrative privileges: it goes without saying that the attacker first has to take control of the victim's system before the shims can be placed. In that scenario the shim should be used as part of a shellcode. Since a shim by itself is just a hook, it is not a complete shellcode; the attacker still needs a final payload, e.g. Metasploit's meterpreter reverse_tcp. In a shim-based shellcode, for example, the attacker terminates the antivirus and then redirects execution to the next-stage payload, which downloads the Metasploit payload and hands control back to the attacker. That does not sound bad at all, but notice that this is a shellcode of at least three stages:
- Placing the shims
- A downloader for the meterpreter reverse_tcp shellcode
- Execution of meterpreter reverse_tcp
Although it is harder to implement, it is more powerful than an ordinary shellcode. First, the second stage does not run right after exploitation, so it raises no attention: it kicks in later, e.g. after a reboot, when the shimmed AV process is loaded. Second, since the code spawns no shell and installing a shim is not in itself a malicious act, AV evasion follows. Third, you keep your access even in the presence of a firewall by killing the antivirus, provided the host firewall is part of the AV suite you terminate. This was just a basic example of using shims in shellcodes; there is much more that can be done with shims, such as:
- API logging
- Snooping network traffic
- DLL injection (the InjectDll shim)
- Hiding registry keys (the VirtualRegistry shim)
- Hiding a directory's contents
To see the full list of available shims, install the Microsoft Application Compatibility Toolkit and run its Compatibility Administrator (Compatadmin.exe) with the /x switch, which exposes the shims the tool normally hides.
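Added example (not part of the original post, nor Sean's or Mark's code): the defender's side of the "placing the shims" stage. The PowerShell below inventories the custom shim databases on a host and the executables they are attached to, and flags the cases that matter for the scenario above, such as a shim attached to an AV process or a database that was registered by hand rather than through sdbinst. It relies on the registry layout sdbinst.exe writes (the InstalledSDB and Custom keys under AppCompatFlags) and on the %WINDIR%\AppPatch\Custom directory; the watch list of process names is an assumption, not something the original post gives.

```powershell
# Added example (not from the original post): inventory the custom shims on a
# Windows host. This is the check a responder runs for the "placing the shims"
# stage; the same data shows which executables a shim is attached to, e.g.
# whether an AV process has been shimmed.
#
# Facts relied on: sdbinst.exe registers every installed database under
# HKLM\...\AppCompatFlags\InstalledSDB\{GUID} (DatabasePath, DatabaseDescription,
# DatabaseInstallTimeStamp) and, per shimmed executable, creates
# HKLM\...\AppCompatFlags\Custom\<exe name> holding a value named {GUID}.sdb.
# The .sdb files live in %WINDIR%\AppPatch\Custom (and Custom\Custom64). The
# loader only consults the Custom key, so a shim registered by hand instead of
# via sdbinst can have a Custom entry with no InstalledSDB record; we flag that.

$AppCompat = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags'

function Get-InstalledShimDatabase {
    $key = Join-Path $AppCompat 'InstalledSDB'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $p  = Get-ItemProperty $_.PSPath
        $ts = $null
        if ($p.DatabaseInstallTimeStamp) {
            # REG_QWORD FILETIME written by sdbinst at install time
            $ts = [DateTime]::FromFileTimeUtc([int64]$p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid        = $_.PSChildName
            Description = $p.DatabaseDescription
            Path        = $p.DatabasePath
            Installed   = $ts
            FileExists  = [bool]($p.DatabasePath -and (Test-Path $p.DatabasePath))
        }
    }
}

function Get-ShimmedExecutable {
    $key = Join-Path $AppCompat 'Custom'
    if (-not (Test-Path $key)) { return }
    Get-ChildItem $key | ForEach-Object {
        $exe = $_.PSChildName
        # each value under the exe key is named "{GUID}.sdb"
        foreach ($v in $_.GetValueNames()) {
            if ($v -like '{*}.sdb') {
                [pscustomobject]@{ Executable = $exe; Sdb = $v; Guid = ($v -replace '\.sdb$', '') }
            }
        }
    }
}

function Get-OrphanShimFile {
    # .sdb files on disk that no InstalledSDB record points to
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Databases)
    $registered = @($Databases | Where-Object { $_.Path } | ForEach-Object { $_.Path.ToLower() })
    foreach ($dir in @("$env:WINDIR\AppPatch\Custom", "$env:WINDIR\AppPatch\Custom\Custom64")) {
        if (Test-Path $dir) {
            Get-ChildItem $dir -Filter *.sdb -File |
                Where-Object { $registered -notcontains $_.FullName.ToLower() }
        }
    }
}

function Find-SuspiciousShim {
    param(
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Databases,  # Get-InstalledShimDatabase output
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Shimmed,    # Get-ShimmedExecutable output
        # hypothetical watch list: processes nobody should legitimately shim
        [string[]] $Watch = @('MsMpEng.exe', 'lsass.exe', 'explorer.exe', 'winlogon.exe')
    )
    $known = @{}
    foreach ($d in $Databases) { $known[$d.Guid] = $d }
    foreach ($s in $Shimmed) {
        $why = @()
        if (-not $known.ContainsKey($s.Guid)) { $why += 'Custom entry without InstalledSDB record (not installed via sdbinst)' }
        elseif (-not $known[$s.Guid].FileExists) { $why += 'database file missing from disk' }
        if ($Watch -contains $s.Executable) { $why += 'shim attached to a security/system process' }
        if ($why.Count) {
            [pscustomobject]@{ Executable = $s.Executable; Sdb = $s.Sdb; Reason = ($why -join '; ') }
        }
    }
}

# Usage (read-only)
$dbs     = @(Get-InstalledShimDatabase)
$shimmed = @(Get-ShimmedExecutable)
$dbs | Format-Table Guid, Description, Installed, FileExists -AutoSize
$shimmed | Format-Table -AutoSize
Get-OrphanShimFile -Databases $dbs | Select-Object FullName, LastWriteTime
Find-SuspiciousShim -Databases $dbs -Shimmed $shimmed | Format-Table -AutoSize
```

The install timestamps are worth correlating with the rest of the timeline: a shim database that appeared minutes after an exploitation event, attached to the AV executable, is exactly the first stage described above. For removal, sdbinst -u <file.sdb> or sdbinst -g {GUID} uninstalls a database and cleans up both registry keys.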