
Windows NT’s GINA Interception

On Windows XP and the earlier NT-family releases (the mechanism was replaced in Windows Vista), Graphical Identification and Authentication (GINA) interception is a technique malware uses to steal user credentials. The GINA system was intended to let legitimate third parties customize the logon process, for example to add authentication with hardware radio-frequency identification (RFID) tokens or smart cards. Malware authors abuse this extension point to load their credential stealers.

GINA is implemented in a DLL, msgina.dll, which the Winlogon executable loads during the logon process. Winlogon also supports third-party customizations implemented in DLLs by loading such a DLL between itself and the real GINA DLL (like a man-in-the-middle). Winlogon takes the name of the GINA DLL to load from the GinaDLL value under the following registry key; when the value is absent, the default msgina.dll is used:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

In one instance, we found a malicious file fsgina.dll installed in this registry location as a GINA interceptor. The following figure shows how logon credentials flow through a system with a malicious file sitting between Winlogon and msgina.dll. The malware (fsgina.dll) can capture every set of user credentials submitted to the system for authentication, log them to disk, or send them over the network.

[Figure: logon credentials passing from Winlogon through fsgina.dll to msgina.dll]

Because fsgina.dll intercepts the communication between Winlogon and msgina.dll, it must pass the credential information on to msgina.dll so that the system continues to operate normally. To do so, the malware must provide every DLL export the GINA interface requires; specifically, it must export more than 15 functions, most of whose names begin with Wlx. So if you are analyzing a DLL with many exported functions whose names start with Wlx, you have a good indicator that you are looking at a GINA interceptor.
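A triage script for the two indicators just described, added here as an example (it is not code from the book or from this post): it walks a PE file's export directory using only the standard library, counts the Wlx* exports, and combines that with the Winlogon GinaDLL value. The DLL it runs on is built in memory by build_sample_dll() as a stand-in for fsgina.dll; the export list, the 15-export threshold and the helper names are assumptions made for the example.

```python
"""Triage a suspected GINA interceptor: a stdlib-only PE export walker plus the
registry check. Added example; the sample DLL is synthetic, not fsgina.dll."""
import struct

# Wlx* export names of the GINA interface (from winwlx.h); used here to build
# the synthetic sample, and as the pattern the triage looks for.
GINA_EXPORTS = [
    "WlxNegotiate", "WlxInitialize", "WlxDisplaySASNotice", "WlxLoggedOutSAS",
    "WlxActivateUserShell", "WlxLoggedOnSAS", "WlxDisplayLockedNotice",
    "WlxWkstaLockedSAS", "WlxIsLockOk", "WlxIsLogoffOk", "WlxLogoff",
    "WlxShutdown", "WlxScreenSaverNotify", "WlxStartApplication",
    "WlxNetworkProviderLoad", "WlxDisplayStatusMessage", "WlxGetStatusMessage",
    "WlxRemoveStatusMessage",
]


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_exports(data):
    """Return the exported names of a PE32/PE32+ image (empty list if none)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)   # data directories: PE32 / PE32+
    export_rva = struct.unpack_from("<I", data, dd_off)[0]
    if export_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    nnames = struct.unpack_from("<I", data, exp + 24)[0]        # NumberOfNames
    names_tbl = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)
    names = []
    for i in range(nnames):
        off = _rva_to_offset(struct.unpack_from("<I", data, names_tbl + 4 * i)[0], sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii"))
    return names


def triage(gina_dll_value, export_names, min_wlx=15):
    """Findings from the GinaDLL value (None = value absent, so the default
    msgina.dll is loaded) and the export list. Empty list = nothing suspicious."""
    findings = []
    if gina_dll_value is not None and gina_dll_value.lower() != "msgina.dll":
        findings.append(f"Winlogon\\GinaDLL is {gina_dll_value!r}, not the default msgina.dll")
    wlx = [n for n in export_names if n.startswith("Wlx")]
    if len(wlx) >= min_wlx:
        findings.append(f"{len(wlx)} Wlx* exports: the DLL implements the GINA interface")
    return findings


def build_sample_dll(export_names, dll_name=b"fsgina.dll"):
    """Constructed PE32 file whose single section is an export directory; no code."""
    n = len(export_names)
    sec_va, sec_raw = 0x1000, 0x200
    funcs, names, ords, strs = 40, 40 + 4 * n, 40 + 8 * n, 40 + 10 * n
    strings, str_rvas = bytearray(), []
    for s in [dll_name] + [e.encode("ascii") for e in export_names]:
        str_rvas.append(sec_va + strs + len(strings))
        strings += s + b"\0"
    blob = bytearray(strs) + strings
    struct.pack_into("<IIHHIIIIIII", blob, 0, 0, 0, 0, 0, str_rvas[0], 1, n, n,
                     sec_va + funcs, sec_va + names, sec_va + ords)
    for i in range(n):
        struct.pack_into("<I", blob, funcs + 4 * i, 0x2000 + 16 * i)   # dummy code RVAs
        struct.pack_into("<I", blob, names + 4 * i, str_rvas[i + 1])
        struct.pack_into("<H", blob, ords + 2 * i, i)
    blob += b"\0" * (-len(blob) % 0x200)
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                     # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # IMAGE_FILE_HEADER
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", hdr, opt + 96, sec_va, len(blob))    # export data directory
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".edata", len(blob), sec_va,
                     len(blob), sec_raw, 0, 0, 0, 0, 0x40000040)
    return bytes(hdr) + bytes(blob)


if __name__ == "__main__":
    sample = build_sample_dll(GINA_EXPORTS)
    for finding in triage("fsgina.dll", parse_exports(sample)):
        print(finding)
```

On a live XP or 2003 machine, read the value with winreg (OpenKey on HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", then QueryValueEx for "GinaDLL") and feed the file it names, read from system32, to parse_exports(). The threshold is deliberately loose: a legitimate smart-card GINA has the same export set, so the verdict is "this is a GINA", and whether it is malicious still comes from where it was found and what WlxLoggedOutSAS does.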

Most of these exports simply call through to the real functions in msgina.dll. In the case of fsgina.dll, every export except WlxLoggedOutSAS calls through unchanged. The following assembly listing shows the WlxLoggedOutSAS export of fsgina.dll.

100014A0 WlxLoggedOutSAS 
100014A0         push    esi
100014A1         push    edi
100014A2         push    offset aWlxloggedout_0 ; "WlxLoggedOutSAS"
100014A7         call    Call_msgina_dll_function  ①
...
100014FB         push    eax ; Args
100014FC         push    offset aUSDSPSOpS ;"U: %s D: %s P: %s OP: %s"
10001501         push    offset aDRIVERS ; "drivers\tcpudp.sys"
10001503         call    Log_To_File   ②

As you can see at ①, the credential information is immediately passed to msgina.dll by the call we have labeled Call_msgina_dll_function. That function dynamically resolves and calls the msgina.dll export whose name is passed in as a string parameter (here "WlxLoggedOutSAS"), so the real GINA still performs the authentication. The call at ② performs the logging. It takes as parameters the credential information, a format string used to print the credentials, and the log filename. As a result, every successful user logon is logged to %SystemRoot%\system32\drivers\tcpudp.sys (the name pushed is the relative path drivers\tcpudp.sys, resolved against Winlogon's working directory, system32, and chosen to look like a driver). The log contains the username, domain, password, and old password. These four strings come from the WLX_MPR_NOTIFY_INFO structure that msgina.dll fills in through the pNprNotifyInfo out-parameter, which is why the logging has to happen after the pass-through call rather than before it.
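For incident response the next question is which accounts were captured. The following parser, added here as an example and not part of the original text, reads lines in the "U: %s D: %s P: %s OP: %s" format recovered from the disassembly and reports the accounts whose passwords must be reset. The sample lines are constructed; the line terminator and the way an absent old password is rendered are assumptions.

```python
"""Scope a GINA-interceptor compromise from the dropped credential log.
Added example; the log lines below are constructed, not a real capture."""
import re

# Constructed sample of %SystemRoot%\system32\drivers\tcpudp.sys. Assumptions:
# one record per line, and an empty field where no old password was supplied.
SAMPLE_LOG = "\r\n".join([
    "U: alice D: CORP P: Summer2012! OP: ",
    "U: bob D: WS01 P: hunter2 OP: hunter1",
    "U: alice D: CORP P: Summer2012! OP: ",
    "U: Administrator D: CORP P: P@ssw0rd OP: ",
    "garbage line the parser must skip",
])

# Mirrors the malware's format string "U: %s D: %s P: %s OP: %s". Lazy matches
# keep a password containing a space intact; one containing " D: " would not be.
RECORD_RE = re.compile(
    r"^U: (?P<user>.*?) D: (?P<domain>.*?) P: (?P<password>.*?) OP: ?(?P<old>.*)$")


def parse_log(text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    return [m.groupdict() for m in map(RECORD_RE.match, text.splitlines()) if m]


def accounts_to_reset(records):
    """Collapse records to DOMAIN\\user and note whether a password change was
    captured (old password present), so the reset list can be handed on without
    copying the cleartext passwords around."""
    accounts = {}
    for r in records:
        key = f"{r['domain']}\\{r['user']}"
        entry = accounts.setdefault(key, {"logons": 0, "password_changed": False})
        entry["logons"] += 1
        if r["old"]:
            entry["password_changed"] = True
    return accounts


if __name__ == "__main__":
    for account, info in accounts_to_reset(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {info['logons']} capture(s), "
              f"password changed during capture: {info['password_changed']}")
```

Because the old password is logged too, an account whose password was changed at the logon screen has both values exposed; both must be treated as burned, and any other systems reusing either of them are in scope.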

(Above: copied from Practical Malware Analysis. Below: API and structure definitions.)

int WlxLoggedOutSAS(                 // called by Winlogon when the SAS (e.g. Ctrl+Alt+Del) is entered while no user is logged on
  __in          PVOID pWlxContext,
  __in          DWORD dwSasType,     // which SAS was entered (WLX_SAS_TYPE_*)
  __out         PLUID pAuthenticationId,
  __inout       PSID pLogonSid,
  __out         PDWORD pdwOptions,
  __out         PHANDLE phToken,     // primary token of the newly logged-on user
  __out         PWLX_MPR_NOTIFY_INFO pNprNotifyInfo,   // credentials handed to network providers; this is what fsgina.dll logs
  __out         PVOID* pProfile
);                                   // returns a WLX_SAS_ACTION_* code, e.g. WLX_SAS_ACTION_LOGON on a successful logon
 
typedef struct _WLX_MPR_NOTIFY_INFO { // filled in by the GINA on a successful logon
    PWSTR pszUserName;
    PWSTR pszDomain;
    PWSTR pszPassword;
    PWSTR pszOldPassword;             // used when the password was changed as part of the logon
} WLX_MPR_NOTIFY_INFO,  *PWLX_MPR_NOTIFY_INFO;



Author: 代码疯子 (Wins0n), 程序人生. Unless otherwise stated, the content on this site is original; when reposting, please keep the author information and a link to the original. Thank you!





Category: Malware
  1. June 6, 2012, 09:33 | #1

    I can't make sense of this at all~~

    代码疯子 replied:

    @胡阳, it's part of the NT systems: a third-party logon authentication interface provided by Microsoft. It can be used for fingerprint recognition or other custom authentication, including restyling the logon screen.
    It has been gone since Vista, replaced by a new interface.
