Quiet in the Windows: Dropping Network Connections
It all started when I was doing some penetration testing for a customer, trying to manipulate one application, and Symantec “shouted” at it and quarantined my malicious DLL :(
At that moment I was curious to see if there is a way to clear Symantec logs which are saved in:
C:\ProgramData\Symantec\Symantec Endpoint Protection\<version>\Data\Logs
If I succeeded in cleaning the logs, my activity wouldn’t be reported to the main server.
Even though I had SYSTEM privileges, it is not an easy task to clean the logs because Symantec has an open handle to its logs and you can’t stop it from working. Using MoveFileEx with the flag MOVEFILE_DELAY_UNTIL_REBOOT also won’t help because it seems that the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations is also protected, and this API call tries to modify it. Restarting in safe mode wasn’t possible, nor was adding a USB with a different OS. The only thing that could solve it is to find a vulnerable driver that loads before Symantec.
At this point I decided that I didn’t have enough time to go deeply into this, and another idea popped into my head. What if I could do my tests without clearing any logs, but stop Symantec from telling the server about them? In my case Symantec used port 8014 for the client-to-server connection; I just needed to drop this connection.
Simulating a network connection
The first thing was to simulate a network connection like Symantec does, which is not hard. I opened two CMD windows, one with Python SimpleHTTPServer listening on port 6666.
The second window was with NetCat connecting to port 6666.
Nostalgia for TCPView
I remembered the great old tool TCPView that was created by Mark Russinovich. It had a feature to close a network connection.
Unfortunately it has to be done manually. I needed something more powerful.
I searched for something similar to TCPView with stronger functionality and I found another similar tool called CurrPorts by Nir Sofer. This tool has a GUI like TCPView and an option to close connections but, more importantly, it has an option to close connections from the cmd using the /close flag. This is exactly what we need! But today, with all the third-party software protections, running unknown binaries can be blocked, as in my case.
I decided that I would create a tool in PowerShell that can terminate a network connection automatically each time the connection is established.
Normal people would search the Microsoft documentation for how to close a TCP connection, but I thought it would be more fun and interesting to reverse engineer CurrPorts and TCPView to see how they do it.
Reversing CurrPorts
I decided to start with CurrPorts, let’s see what libraries it uses:
We can see that it uses the ws2_32.dll library which is the only library that can be used for the network API.
The only API call that is related to closing a connection was closesocket.
But is closesocket the API call used to close connections that were created by different processes? It seems that it is not legal in Windows to grab a socket handle in another process and close it.
So what API call is being used to close the network connection?
Finding the API call that closes the connection
I searched for the /close flag in the strings and found it:
But instead of going deeply into each function and reversing it, I thought it would be faster and easier to use a debugger.
Debugging with x64Dbg
I opened CurrPorts (cports.exe) with x64Dbg, searched for the flag location and set a breakpoint:
Then, in the Command field I set the following command and pressed Enter:
init "C:\Users\myusername\Downloads\cport\cports.exe", "/close * * 127.0.0.1 6666"
This makes sure the program starts with the command line we entered. Running the program will stop at the location of /close. Now we just search for the function that terminates the connection we created with Python and NetCat.
After some digging we found the one that terminates the connection: it was SetTcpEntry, which is taken from the library iphlpapi.dll dynamically.
After this finding we noticed that one function before the call to SetTcpEntry was a call to the function that retrieves all the functions from iphlpapi.dll:
What about TCPView?
We found the mysterious API call SetTcpEntry, so we will use API Monitor instead of reversing it and see if TCPView also uses this API call.
Notice that TCPView is 32-bit, so we needed to use API Monitor for 32-bit applications.
We found that TCPView is also using SetTcpEntry to close the connections of other processes, with the flag MIB_TCP_STATE_DELETE_TCB:
Creating Invoke-DropNet
After we understood how to close a network connection, I created a PowerShell script named Invoke-DropNet that uses this API to automate the process.
Now I can use it to drop any network connection I decide on, and it will do so automatically each time it sees that the connection is trying to connect.
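Seen from the monitoring side, an endpoint whose agent connection keeps being dropped this way stops checking in to the management server while it still generates other traffic. The following added example (not part of the original post or of Invoke-DropNet) flags that pattern by correlating check-in times with an independent activity log; the log format, host names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the post), one "<ISO time> <host>" per line.
# CHECKINS: agent heartbeats at the management server. ACTIVITY: proxy/DNS logs.
CHECKINS = """
2024-05-01T09:10:00 WS-101
2024-05-01T09:35:00 WS-101
2024-05-01T09:00:00 WS-102
2024-05-01T09:20:00 WS-102
2024-05-01T09:00:00 WS-103
2024-05-01T09:00:00 WS-104
2024-05-01T09:50:00 WS-104
"""
ACTIVITY = """
2024-05-01T09:25:00 WS-102
2024-05-01T09:35:00 WS-102
2024-05-01T09:50:00 WS-102
2024-05-01T09:10:00 WS-104
2024-05-01T09:30:00 WS-104
2024-05-01T09:45:00 WS-104
"""

def parse(text):
    events = defaultdict(list)  # host -> list of timestamps
    for line in text.strip().splitlines():
        ts, host = line.split()
        events[host].append(datetime.fromisoformat(ts))
    return {h: sorted(v) for h, v in events.items()}

def silent_but_online(checkins, activity, now,
                      max_gap=timedelta(minutes=30), min_events=3):
    """Flag heartbeat gaps during which the host was still active elsewhere."""
    findings = []
    for host, seen in sorted(checkins.items()):
        # Pair each check-in with the next one; the last is paired with `now`.
        for start, end in zip(seen, seen[1:] + [now]):
            hits = [t for t in activity.get(host, []) if start < t < end]
            # A powered-off host has a gap but no hits, so it is not flagged.
            if end - start > max_gap and len(hits) >= min_events:
                findings.append((host, start, end, len(hits)))
    return findings

def run_sample():
    now = datetime.fromisoformat("2024-05-01T10:00:00")  # constructed "current time"
    return silent_but_online(parse(CHECKINS), parse(ACTIVITY), now)

if __name__ == "__main__":
    for host, start, end, n in run_sample():
        print(f"{host}: no check-in {start:%H:%M}-{end:%H:%M}, {n} network events")
```

The thresholds should be derived from the agent's real heartbeat interval; a gap that closes again (WS-104 in the sample) is still worth reviewing.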
Invoke-DropNet on Symantec
I currently don’t have verification that the logs are stopped, but I can show a PoC of how I was able to stop the Live Update:
Here is a video of the PoC:
Conclusion
It was fun to learn about an API call by reversing other programs and eventually creating a script that can drop network connections. Now I can do my tests quietly and still be connected to the network :)
Special thanks to my friend David Cohen (@xDCrev) on the reversing.