
Grinder for Edge on Win10

Open pyoor opened this issue 9 years ago • 14 comments

Has anyone got a working stub for Edge on Win10?

pyoor avatar Oct 23 '15 06:10 pyoor

@pyoor I will be starting to write one now. Let me see how it works out.

hacksysteam avatar Dec 03 '15 08:12 hacksysteam

@hacksysteam I hope that You will succeed :)

mtowalski avatar Dec 06 '15 10:12 mtowalski

The latest Edge comes with a new mitigation that prevents injecting unsigned DLLs. Grinder logger works only with successful DLL injection. This is a problem :(. https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/

ca0nguyen avatar Dec 16 '15 17:12 ca0nguyen

Can't you workaround this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

v-p-b avatar Dec 18 '15 10:12 v-p-b

@v-p-b Nice. But how about self signed certificate and trusting the root CA?

hacksysteam avatar Dec 18 '15 14:12 hacksysteam

@hacksysteam Sounds good! Self-signed might be problematic but registering an internal CA seems like a universal solution.

v-p-b avatar Dec 18 '15 14:12 v-p-b

I've already tried to add a Root CA and signed the DLL. Windows 10 says "This digital signature is OK", but it still cannot inject into MicrosoftEdgeCP.exe. According to the msedgedev blog, Edge uses enforcement in the kernel. Maybe I have to look at the kernel to see what is happening.

ca0nguyen avatar Dec 19 '15 14:12 ca0nguyen

@ca0nguyen Quoting from the MS Edge blog: *"DLLs that are either Microsoft-signed, or WHQL-signed, will be allowed to load, and all others will be blocked."* I guess we need to dig into the kernel then.

hacksysteam avatar Dec 19 '15 16:12 hacksysteam
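The distinction the two comments above turn on is that a signature Windows reports as "OK" is not the same as a Microsoft- or WHQL-signed binary, which is what Edge's module code integrity policy actually requires. The following PowerShell function is an added example (not code from Grinder or from anyone in this thread) that makes that difference visible for a given DLL: it checks the Authenticode status and then inspects the signer's subject. The subject-name match (`Microsoft Corporation` / `Microsoft Windows`) is an assumed heuristic for illustration, not the kernel's actual policy check, and the DLL path is a placeholder.

```powershell
# Added example: distinguish "signature is valid" from "signed by Microsoft".
# The subject-name heuristic below is an assumption for illustration; the real
# Edge policy is enforced in the kernel and is not reproduced here.
function Test-EdgeLoadableSignature {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DllPath
    )

    # Get-AuthenticodeSignature is a built-in cmdlet; it returns a Signature
    # object with a Status (Valid, NotSigned, HashMismatch, UnknownError, ...)
    # and the leaf SignerCertificate.
    $sig = Get-AuthenticodeSignature -FilePath $DllPath

    $result = [ordered]@{
        Path            = $DllPath
        SignatureStatus = $sig.Status.ToString()
        Signer          = $null
        LooksMicrosoft  = $false
    }

    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
        # Assumed heuristic: a self-signed or internal-CA cert (as tried in this
        # thread) will validate as 'Valid' but never carry a Microsoft subject.
        $result.LooksMicrosoft = ($result.Signer -match 'CN=Microsoft (Corporation|Windows)')
    }

    # A DLL is only plausibly loadable under the Edge policy if BOTH hold.
    $result.PolicyPlausible = ($sig.Status -eq 'Valid') -and $result.LooksMicrosoft
    return [pscustomobject]$result
}

# Example call (placeholder path; replace with the module you want to inspect):
# Test-EdgeLoadableSignature -DllPath 'C:\path\to\grinder_logger.dll' | Format-List
```

Running this against a DLL signed with a self-issued root will typically show `SignatureStatus: Valid` together with `LooksMicrosoft: False`, which is exactly the "signature is OK but still blocked" outcome reported above. It is a diagnostic for understanding why a module is rejected, not a way around the policy.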

@hacksysteam Thanks for pointing that out. I missed that part and took hours to make signtool work. It's more challenging now since I don't know much about kernel stuff.

ca0nguyen avatar Dec 19 '15 17:12 ca0nguyen

@ca0nguyen Now, that's a good thing. We can now inject grinder_logger in Edge.

http://www.sekoia.fr/blog/microsoft-edge-binary-injection-mitigation-overview/

hacksysteam avatar Jan 04 '16 11:01 hacksysteam

@hacksysteam Did you manage to create a PoC for this? If I understand correctly this would require patching LoadLibrary() (with a kernel debugger perhaps?), no configuration option is available, right?

v-p-b avatar Mar 25 '17 16:03 v-p-b

@v-p-b Unfortunately no. Currently I'm not fuzzing browsers. But with the new mitigations in Edge, it would be hard to run this logger. However, I cannot guarantee that as I have not tested it.

hacksysteam avatar Mar 26 '17 04:03 hacksysteam

> Can't you workaround this problem with some leaked code signing certs? (e.g. https://www.duosecurity.com/static/files/DellCertificates.zip)

Hi v-p-b, do you have that zip file still? I would like to use them. :-)

jessefmoore avatar Feb 10 '19 02:02 jessefmoore

DellCertificates.zip

Got it, never mind. https://duo.com/assets/files/DellCertificates.zip

jessefmoore avatar Feb 10 '19 02:02 jessefmoore