GINA-Graphical Identification and Authentication

From aldeid

Description

The Graphical Identification and Authentication (GINA) is a component of Windows 2000, Windows XP and Windows Server 2003 that provides secure authentication and interactive logon services. It is the DLL that winlogon.exe calls to display the logon dialog and collect the user's credentials.

GINA was discontinued in Windows Vista, which replaced it with the Credential Provider model.

GINA Interception

On Windows XP (and the other GINA-based versions of Windows), GINA interception is a technique that malware uses to steal user credentials.

GINA is implemented in a DLL, msgina.dll, which winlogon.exe loads at boot to drive the interactive logon.

GINA interception consists of inserting a malicious DLL between winlogon.exe and msgina.dll: the malicious DLL forwards every call to the real GINA, but copies the credentials that pass through it on the way:

+--------------+       +---------------+       +------------+
| winlogon.exe | ----> | malicious.dll | ----> | msgina.dll |
+--------------+       +---------------+       +------------+

Winlogon reads the name of the GINA DLL to load from the GinaDLL value under the following key. The value is absent on a default install, in which case Winlogon loads msgina.dll; the malware sets it to the path of its own DLL:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL

For Winlogon to keep working, the malicious DLL must export every function that winlogon.exe expects from a GINA, i.e. the Wlx* interface declared in winwlx.h, and forward the calls it does not care about to the real msgina.dll. Its export table therefore looks like that of msgina.dll itself. Below is the export table of such a sample, dumped with objdump:

$ objdump -x Data_1.bin

[SNIP]

There is an export table in .rdata at 0x10002320

The Export Tables (interpreted .rdata section contents)

Export Flags 			0
Time/Date stamp 		4855dd42
Major/Minor 			0/0
Name 				000024a8 gina.dll
Ordinal Base 			1
Number in:
	Export Address Table 		00000034
	[Name Pointer/Ordinal] Table	00000018
Table Addresses
	Export Address Table 		00002348
	Name Pointer Table 		00002418
	Ordinal Table 			00002478

[SNIP]

[Ordinal/Name Pointer] Table
	[  50] DllRegister
	[  51] DllUnregister
	[  28] ShellShutdownDialog
	[  29] WlxActivateUserShell
	[  30] WlxDisconnectNotify
	[  31] WlxDisplayLockedNotice
	[  32] WlxDisplaySASNotice
	[  33] WlxDisplayStatusMessage
	[  34] WlxGetConsoleSwitchCredentials
	[  35] WlxGetStatusMessage
	[  36] WlxInitialize
	[  37] WlxIsLockOk
	[  38] WlxIsLogoffOk
	[  39] WlxLoggedOnSAS
	[  40] WlxLoggedOutSAS
	[  41] WlxLogoff
	[  42] WlxNegotiate
	[  43] WlxNetworkProviderLoad
	[  44] WlxReconnectNotify
	[  45] WlxRemoveStatusMessage
	[  46] WlxScreenSaverNotify
	[  47] WlxShutdown
	[  48] WlxStartApplication
	[  49] WlxWkstaLockedSAS

Most of these exports are pass-through functions that simply hand control to the function of the same name in the real msgina.dll; only the functions the malware hooks, those through which the user's credentials pass, do anything more than forward the call.
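As an added example (not from the aldeid page and not code from any sample it describes), below is the check a responder can run on an XP or Server 2003 host, where PowerShell 2.0 is available, or against a DLL copied off such a host: read the GinaDLL value named above, resolve the file it points to, parse that file's PE export table and compare it with the Wlx* exports winlogon.exe requires, check the Authenticode signature, and look for a reference to msgina.dll, which a pass-through shim needs in order to reach the real GINA. The function names, the Wlx list (taken from winwlx.h, GINA interface version 1.4) and the output fields are my choices.

```powershell
# Added example, not from the aldeid page: triage the GinaDLL setting on a
# Windows XP / Server 2003 host, or inspect a DLL copied off such a host.
# Function names, the Wlx list and the output layout are mine.

# The Wlx* exports winlogon.exe calls on a GINA (winwlx.h, interface 1.4).
$RequiredWlxExports = @(
    'WlxNegotiate', 'WlxInitialize', 'WlxDisplaySASNotice', 'WlxLoggedOutSAS',
    'WlxActivateUserShell', 'WlxLoggedOnSAS', 'WlxDisplayLockedNotice',
    'WlxWkstaLockedSAS', 'WlxIsLockOk', 'WlxIsLogoffOk', 'WlxLogoff',
    'WlxShutdown', 'WlxScreenSaverNotify', 'WlxStartApplication',
    'WlxNetworkProviderLoad', 'WlxDisplayStatusMessage', 'WlxGetStatusMessage',
    'WlxRemoveStatusMessage', 'WlxGetConsoleSwitchCredentials',
    'WlxReconnectNotify', 'WlxDisconnectNotify'
)

# Walk the PE headers by hand and return the names in the export directory,
# i.e. what "objdump -x" prints under "[Ordinal/Name Pointer] Table".
function Get-PeExportNames {
    param([string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "not an MZ file: $Path" }
    $pe = [BitConverter]::ToInt32($b, 0x3C)                          # e_lfanew
    if ([BitConverter]::ToUInt32($b, $pe) -ne 0x00004550) { throw "bad PE signature: $Path" }
    $numSections = [BitConverter]::ToUInt16($b, $pe + 6)
    $optSize     = [BitConverter]::ToUInt16($b, $pe + 20)
    $opt         = $pe + 24                                          # optional header
    $magic       = [BitConverter]::ToUInt16($b, $opt)
    # DataDirectory[0] is the export table; its offset differs for PE32 / PE32+.
    $dirOff = $opt + 96
    if ($magic -eq 0x20B) { $dirOff = $opt + 112 }
    $exportRva = [BitConverter]::ToUInt32($b, $dirOff)
    if ($exportRva -eq 0) { return @() }

    # Section table, used to translate RVAs into file offsets.
    $sections = @()
    for ($i = 0; $i -lt $numSections; $i++) {
        $hdr = $opt + $optSize + 40 * $i
        $sections += New-Object PSObject -Property @{
            VirtualAddress = [BitConverter]::ToUInt32($b, $hdr + 12)
            VirtualSize    = [BitConverter]::ToUInt32($b, $hdr + 8)
            RawPointer     = [BitConverter]::ToUInt32($b, $hdr + 20)
        }
    }
    $rvaToOffset = {
        param($rva)
        foreach ($s in $sections) {
            if ($rva -ge $s.VirtualAddress -and $rva -lt ($s.VirtualAddress + $s.VirtualSize)) {
                return [int]($s.RawPointer + ($rva - $s.VirtualAddress))
            }
        }
        throw ("RVA 0x{0:X} is outside every section" -f $rva)
    }

    # IMAGE_EXPORT_DIRECTORY: NumberOfNames at +24, AddressOfNames at +32.
    $ed       = & $rvaToOffset $exportRva
    $numNames = [BitConverter]::ToUInt32($b, $ed + 24)
    $namesOff = & $rvaToOffset ([BitConverter]::ToUInt32($b, $ed + 32))
    $names = @()
    for ($i = 0; $i -lt $numNames; $i++) {
        $strOff = & $rvaToOffset ([BitConverter]::ToUInt32($b, $namesOff + 4 * $i))
        $end = $strOff
        while ($b[$end] -ne 0) { $end++ }                            # NUL-terminated ASCII
        $names += [System.Text.Encoding]::ASCII.GetString($b, $strOff, $end - $strOff)
    }
    return $names
}

function Test-GinaDll {
    param([string]$Path)
    $names   = @(Get-PeExportNames $Path)
    $missing = @($RequiredWlxExports | Where-Object { $names -notcontains $_ })
    # A pass-through shim must reach the real GINA, so the string "msgina.dll"
    # (import table or LoadLibrary argument) is a cheap indicator. The genuine
    # msgina.dll matches too, via the DLL name in its own export directory.
    $ascii  = [System.Text.Encoding]::ASCII.GetString([System.IO.File]::ReadAllBytes($Path))
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = '<unsigned>'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path            = $Path
        ExportCount     = $names.Count
        MissingWlx      = ($missing -join ', ')
        MentionsMsgina  = ($ascii.IndexOf('msgina.dll', [StringComparison]::OrdinalIgnoreCase) -ge 0)
        SignatureStatus = $sig.Status
        Signer          = $signer
    }
}

# On a clean XP/2003 host the GinaDLL value is absent and Winlogon falls back
# to msgina.dll, so any value at all deserves a look at the file it names.
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$gina = 'msgina.dll'
$prop = Get-ItemProperty -Path $winlogonKey -Name GinaDLL -ErrorAction SilentlyContinue
if ($prop) { $gina = $prop.GinaDLL; "GinaDLL is set to: $gina" }
else       { "GinaDLL not set; Winlogon loads the default msgina.dll" }
# A bare file name is resolved through the DLL search path, which starts in
# the directory of winlogon.exe, i.e. system32.
if (-not [System.IO.Path]::IsPathRooted($gina)) {
    $gina = Join-Path (Join-Path $env:SystemRoot 'system32') $gina
}
Test-GinaDll -Path $gina | Format-List Path, ExportCount, MissingWlx, MentionsMsgina, SignatureStatus, Signer
```

Run it as an administrator on the host, or call only `Test-GinaDll -Path <file>` on a DLL copied to an analysis box. The genuine msgina.dll shows all 21 Wlx exports and a valid Microsoft signature. A shim cannot drop any of them without breaking logon, so the pattern to flag is a GinaDLL value that is set at all, pointing at a file with the complete Wlx set, an invalid or missing signature, and a reference to msgina.dll that the real GINA has no reason to contain other than its own name.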