# Simple Reverse - 0x17 (2023 Lab - WinMalware - sub_140001030)

## Description

> Analyze what the function sub_140001030 in eductf-lab.exe does, and find the MITRE ATT&CK technique ID that corresponds to its behaviour.
> Flag format: FLAG{T1234}

## Background

* [SystemTimeToFileTime](https://learn.microsoft.com/zh-tw/windows/win32/api/timezoneapi/nf-timezoneapi-systemtimetofiletime)
* [CreateWaitableTimerW](https://learn.microsoft.com/zh-tw/windows/win32/api/synchapi/nf-synchapi-createwaitabletimerw)
* [SetWaitableTimer](https://learn.microsoft.com/zh-tw/windows/win32/api/synchapi/nf-synchapi-setwaitabletimer)
* [WaitForSingleObject](https://learn.microsoft.com/zh-tw/windows/win32/api/synchapi/nf-synchapi-waitforsingleobject)

## Source code

* sub_140001030

:::spoiler IDA Source Code
```cpp
// IDA decompiler output for sub_140001030 (renamed by hand).
// `0i64` is IDA's spelling of a 64-bit 0 (NULL); LODWORD(Result) is the
// decompiler reusing the rax slot for the BOOL/DWORD return values.
int waitUntil20231118()
{
  HANDLE Result; // rax
  HANDLE hTimer; // [rsp+30h] [rbp-38h]
  SYSTEMTIME SystemTime; // [rsp+38h] [rbp-30h] BYREF
  struct _FILETIME FileTime; // [rsp+48h] [rbp-20h] BYREF
  LARGE_INTEGER DueTime; // [rsp+50h] [rbp-18h] BYREF

  // Hard-coded target date: 2023-11-18 00:00:00 (UTC, since SystemTimeToFileTime
  // does no time-zone conversion). wDayOfWeek = 6 is Saturday, which is correct
  // for that date, but the API ignores the field anyway.
  SystemTime.wYear = 2023;
  SystemTime.wMonth = 11;
  SystemTime.wDay = 18;
  SystemTime.wDayOfWeek = 6;
  SystemTime.wHour = 0;
  SystemTime.wMinute = 0;
  SystemTime.wSecond = 0;
  SystemTime.wMilliseconds = 0;
  LODWORD(Result) = SystemTimeToFileTime(&SystemTime, &FileTime);
  if ( Result )
  {
    // FILETIME copied straight into the LARGE_INTEGER: a positive DueTime is
    // an absolute time for SetWaitableTimer (negative would be relative).
    DueTime = FileTime;
    Result = CreateWaitableTimerW(0i64, 0, 0i64);   // anonymous, auto-reset timer
    hTimer = Result;
    if ( Result )
    {
      // Arm once (lPeriod = 0, no completion routine, no system resume).
      LODWORD(Result) = SetWaitableTimer(Result, &DueTime, 0, 0i64, 0i64, 0);
      if ( Result )
        LODWORD(Result) = WaitForSingleObject(hTimer, 0xFFFFFFFF);   // INFINITE: block until signaled
    }
  }
  return Result;
}
```
:::

## Recon

The attacker's overall intent:

1. Set a fixed time (2023/11/18 00:00:00)
2. Create a waitable timer
3. Arm the timer with that time as its due time
4. Start waiting

From this flow it is clear that the function blocks until 11/18 arrives before anything after it runs. The downside for a student in the course is that the homework can't be handed in by then, which makes it a real nuisance for us: the payload only proceeds once the clock satisfies the "it is 11/18" condition $\to$ Execution Guardrails.

Two points worth keeping in mind when triaging this kind of check:

* `SetWaitableTimer` fires immediately if the absolute due time is already in the past, so once 11/18 has gone by (or the sandbox clock is set past it) the function falls through at once. Before that date the `INFINITE` wait means the sample simply hangs in dynamic analysis; patching the year/day constants, or the `dwMilliseconds` argument, gets past it.
* Because the condition is a specific date rather than a plain long delay, it reads as a guardrail tied to a target window (T1480) rather than a generic sleep-based sandbox evasion (T1497.003); the distinction is worth stating explicitly in a report.

## Exploit

From [Att&CK - Defense Evasion: Execution Guardrails (T1480)](https://attack.mitre.org/techniques/T1480/) we can see:

> Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.

Common guardrail conditions include: a particular vulnerability being present, system language, time, hostname...

Flag: `FLAG{T1480}`
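The timer arithmetic behind the Recon steps, as an added example that is not code from the write-up or from eductf-lab.exe: a pure-Python model of `SystemTimeToFileTime` and of how `SetWaitableTimer` interprets its `DueTime`, so the guardrail can be decoded from the decompilation (or from a `LARGE_INTEGER` read out of a debugger) without running the sample. The `SAMPLE_SYSTEMTIME` constants are the ones hard-coded in sub_140001030; the function and variable names, and the two "start the sample at this date" clocks in the demo, are the example's own.

```python
# Added example (not part of the original write-up or the lab binary): a
# pure-Python model of the timer arithmetic in sub_140001030, for triaging the
# guardrail from a decompilation or memory dump without running the sample.
# Assumptions: the SYSTEMTIME constants are those read from the decompilation,
# and everything is UTC, as SystemTimeToFileTime requires.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts from here
TICKS_PER_SECOND = 10_000_000                                # 100-ns intervals

# SYSTEMTIME fields hard-coded in sub_140001030 (wDayOfWeek=6 is ignored by the API).
SAMPLE_SYSTEMTIME = dict(year=2023, month=11, day=18, hour=0, minute=0, second=0, millisecond=0)


def parse_utc(date_str):
    """'YYYY-MM-DD' -> aware UTC datetime (a hypothetical 'sample started at' clock)."""
    return datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, millisecond=0):
    """Reference SystemTimeToFileTime: 64-bit count of 100-ns ticks since 1601-01-01 UTC."""
    when = datetime(year, month, day, hour, minute, second, millisecond * 1000, tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_datetime(filetime):
    """Inverse of the above (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_due_time(due_time, now):
    """Interpret the LARGE_INTEGER passed to SetWaitableTimer.

    A positive value is an absolute FILETIME, a negative value is a relative
    delay in 100-ns ticks. The sample copies the FILETIME straight into
    DueTime, so it uses the absolute form. Returns (kind, fire_at, wait);
    a due time already in the past signals immediately, so wait is clamped to 0.
    """
    if due_time < 0:
        kind, fire_at = "relative", now + timedelta(microseconds=-due_time // 10)
    else:
        kind, fire_at = "absolute", filetime_to_datetime(due_time)
    return kind, fire_at, max(fire_at - now, timedelta(0))


def guardrail_report(now):
    """How long the sample would block in WaitForSingleObject if started at `now`."""
    due = systemtime_to_filetime(**SAMPLE_SYSTEMTIME)
    kind, fire_at, wait = decode_due_time(due, now)
    return {"due_time": due, "kind": kind, "fire_at": fire_at, "wait": wait}


if __name__ == "__main__":
    # Constructed clocks: the analyst runs the sample before, and after, the date.
    for clock in ("2023-11-01", "2023-11-19"):
        r = guardrail_report(parse_utc(clock))
        print(f"start={clock} DueTime=0x{r['due_time']:016x} ({r['kind']}) "
              f"fires {r['fire_at']:%Y-%m-%d %H:%M:%S} UTC, blocks for {r['wait']}")
```

Running the script shows the two behaviours described in Recon: started on 2023-11-01 the sample blocks for 17 days, started on 2023-11-19 the wait is zero because the absolute due time is already in the past. `decode_due_time` also handles the negative (relative) form, which is what you will see in samples that use the timer as a plain delay instead of a date gate.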