-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Maurice Huber
committed
Oct 26, 2021
1 parent
f682452
commit 9c1e0f4
Showing
1 changed file
with
24 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,4 +1,27 @@ | ||
| # BYTAGE | ||
|
|
||
| Hash Checker Bypass and Process Hacker | ||
|
|
||
|  | ||
|  | ||
|
|
||
| ## Use Case | ||
|
|
||
| This project was designed to bypass hash checkers in authentication systems that have their authentication code in a DLL library. Said library is checked for tampering in the main program by comparing the file hashes. | ||
|
|
||
| ### How the auth systems work | ||
|
|
||
| The entire code of the auth system is inside either a .NET or Native DLL library. It includes the essential functions for the authentication system like for example the web requests to the API and the functions for grabbing the hardware identifiers. | ||
|
|
||
| But this design has one big flaw: if you would just de-compile the DLL (it doesn't matter if it's obfuscated as all we need is the method signatures and not the body) and return `true` for example in the `Login(username, password)` method and replace the DLL, the auth would be bypassed completely. | ||
|
|
||
| To protect against this rather simple attack, the creators of the auth systems stated to implement a hash check. They simply compare the hash of the DLL file at runtime with the original hash. If it doesn't match, the file has been tampered with and the program terminates. | ||
|
|
||
| Of course, if the program isn't obfuscated properly you could just change said hash. But then you could just remove the entire auth as well. | ||
|
|
||
| ### How BYTAGE bypasses this protection | ||
|
|
||
| As stated above, the hash of the DLL file is checked at program startup. So you can't just replace the DLL with a modified version that bypasses the auth. Or can you? | ||
|
|
||
| With a little bit of help from this project - BYTAGE - you can. | ||
|
|
||
| BYTAGE starts the target process and suspends it after a certain amount of time, after the hash check succeeded. It then replaces the DLL with a modified one that replaces the auth. But as the hash check only gets called once at the start and the DLL gets replaced later, we can just swap it and should be able to log in with any credentials. |