The password filter architecture is useful to check that a password is compliant with the system security policy. It will typically check that when a user changes his password, it follows the required complexity.

Microsoft opened the API so that users can extend the functionality with their own filters.

Mubix diverted this API by developing a password logger: the DLL just logs the password both on the disk and a remote server,  and does nothing else.

A perfect way to maintain a persistent access… I tested it:

Evilpassfilter exploitation process

1. Evilpassfilter.dll is loaded into lsass.exe
2. A user updates his password
3. The password goes through the Evilpassfilter password filter, which notifies the attacker through HTTP and also logs it locally.

Here is what I did to get it work (Windows 7 x64):

• Make sure the local password security policy is enabled on the target
• Create a new Win32 project in Visual Studio (2012)
• Eventually delete unnecessary files, to start with an empty project (stadfx.h and cie)
• Import the source code
• Create a Evilpassfilter.def file, which defines the exports:

  LIBRARY Evilpassfilter
  EXPORTS
     InitializeChangeNotify
     PasswordFilter
     PasswordChangeNotify

• In the project properties, make sure to select the appropriate architecture, matching with the one of your target.
  

  Selecting the compilation target architecture (win32/x64)

• In the input settings of the link editor, add wininet.lib as additional dependancy.
• Also add Evilpassfilter.def as module definition file.
  

  Evilpassfilter Visual Studio settings

• In the source code, fix line 72: return; –> return 1;
• Now you should be able to compile the library. You may want to make sure that the DLL is valid and integrated the exports (open it with IDA or a PE tool):
  

  Evilpassfilter.dll exports seen in IDA

• Copy the resulting DLL to the system32 folder.
• Open regedit HKLM\System\CurrentControlSet\Control\Lsa
  and add Evilpassfilter to the Notification Packages

Reboot and… now you should know what to do next :-)

Prerequisite :

• IDA Pro (6.0) with the IDA Python plug-in (1.4.3)

Steps :

1. Prepare your forensic disk image.
   In general, it is that simple :

   $ dd if=<source> of=disk.img bs=65536 conv=noerror

   Or :

   $ ddrescue -n <source> <dest> file.log

   Check the disk geometry using :

   $ fdisk -luc disk.img

   These values will be useful for step 5.
   However, if you have an exotic disk, it may be much trickier. For example, I got some geometry errors with a flash disk when using Bochs at step 11. Special thanks to Gene Cumm from the bochs-developpers mailing list who gave me the tip to specify the geometry to dd :

   $ dd if=input of=output bs=2064384 count=507

Refer to CHS if you wonder how to get these values.

2. Extract the MBR from the disk or from the image you just took.

   $ dd if=<source> of=mbr.dump bs=512 count=5

3. Download and install the Bochs x86-64 emulator, which comes with a debugger that will work nicely with IDA.
4. Download this archive from Hexblog (IDA Pro’s blog). We will use two files from there : bochrc, wich is the configuration file for Bochs, and mbr.py which a python file helpful from preparing the debugging environment.
5. Copy bochrc in your working directory and edit the following line to match your disk image geometry :

   ata0-master: type=disk, path="sdb.img", mode=flat, cylinders=507, heads=64, spt=63

   Before going on, you may test that Bochs can use the image with these settings :

   C:\>"c:\Program Files\Bochs-2.4.5\bochsdbg.exe" -f bochsrc -q

6. In the same directory, copy mbr.py and edit the following settings :

   # Some constants
   SECTOR_SIZE = 512
   BOOT_START  = 0x7C00
   BOOT_SIZE   = 0x7C00 + SECTOR_SIZE * 4
   BOOT_END    = BOOT_START + BOOT_SIZE
   SECTOR2     = BOOT_START + SECTOR_SIZE
   MBRNAME    = "mbr.img"
   IMGNAME     = "sdb.img"

7. Now open a console and type :

   C:\> mbr update

8. With IDA Pro, open the boshrc file. IDA should recognize the format and set the proper settings.
9. From the menu, open File/Script File and select mbr.py. It will close IDA after execution.
10. Open again your *.idb file, set a breakpoint at 0x7C00.
11. Start the debugger.

You should now be able to go ahead and debug the MBR step by step.

References :

• Hexblog : Develop your master boot record and debug it with IDA Pro and the Bochs debugger plugin
• MISC Magazine #53 : Votre MBR pris en otage ! – Nicolas Brulez (Kaspersky labs)
• Bochs User Manual : Chapter 8, Tips and Techniques