
Published on January 20th, 2019 | 5166 Views


Using WhatsApp for Malware Persistence




Here I demonstrate how a DLL Search Order Hijack bug in WhatsApp for Windows can be exploited by malware to remain persistent. It's a little tongue-in-cheek, but showcases how to search for DLL Search Order Hijacks and also how commonly installed applications can be harnessed by bad guys for malicious purposes.

If you want to find out more about DLL Search Order Hijacking you should definitely check out the following links:
https://docs.microsoft.com/en-us/windows/desktop/dlls/dynamic-link-library-security
http://www.binaryplanting.com/guidelinesDevelopers.htm

Link to my slides:
https://docs.google.com/presentation/d/1k4N0m03YKZh8Nr5E0Uzhs5IYKWUp2A4gLygNwXKVGng/edit?usp=sharing

How to compile your own DLLs using msfvenom:
https://kb.help.rapid7.com/discuss/599b70eba72c84001bddb4a4

Link to my PoC doc file:
https://www.virustotal.com/#/file/79d8a5c685009fdfcfc84f88826655e21931879d9484fa95541f97096705547c/detection





Link to ProcMon Filter file:
https://jmp.sh/KaEQkWd

If you liked this video, please press "Like"
If you loved it, please Subscribe!

Also, if you want to chat malware / exploits / vulnerabilities then please follow me on https://twitter.com/cybercdh

Thanks for watching!


2019-01-20 20:03:11
