Using this, we can discover COM objects available on a system.įiring up OleViewDotNet, we can list all the COM classes exposed through their CLSIDs. One of the many amazing tools released by James Foreshaw is OleViewDotNet. Mbam.exe also imports the COM functions from the ole32 library: This time, it’s accompanied with another string NeedAKey which is passed into the input buffer for the service process. What about the GUI executable, mbam.exe? Let’s look for the same IPC methods beginning with named pipes:ĬallNamedPipe is documented to receive the target pipe name:Īgain, we will follow the reference to that function and again, we’ll see the \\.\pipe\MBLG string: This verifies that the service process also uses COM IPC. Initializes the COM library for use by the calling thread… If we look into the ole32 library imports, we can see this:
In the documentation for the available IPC methods, it states that “the foundation of OLE is the Component Object Model (COM)”. Perhaps MalwareBytes License Generator? Nevertheless, we’ve identified one of the IPC techniques. CreateNamedPipe is documented to receive the name of the pipe:įollowing the references of CreateNamedPipeW will lead us to:īut what does MBLG mean…? If we take a look at the ConnectNamedPipe references, there are strings which will give us a hint: While we’re here, let’s see if we can extract the pipe name. Starting with the service executable, MBAMService.exe, we can identify named pipe functions: How do we figure out which ones Malwabytes uses? Let’s start with analysing the imported functions of the GUI and service executables in IDA. There are multiple ways with which software can perform IPC.
PoC code snippets has been withheld until the vendor applies a patch or until a reasonable amount of time has passed. Especially if the COM information is inaccurate in any way, shape or form, please let me know and I will fix it as soon as possible. This article will be about diving into reverse engineering the communication protocol used in Malwarebytes and the issues that I identified as a result of bypassing the intended (and assumed?) approach towards controlling functionality.ĭisclaimer: I do not claim to know everything on the topics discussed here as fact, this is purely what I have inferred from my research. Here is the diagram that shows the interaction between these two components again, for completeness:
It made me curious as to how other vendors designed and developed their inter-process communication (IPC) methods between the untrusted client (the user-controlled software usually the GUI) and the high integrity service process. Attacking K7 Security was my first attempt at discovering, analysing, and exploiting software at the protocol level.
0 kommentar(er)
