Notes From Addressing Penetration Test Findings
I have seen a few methods of identifying the language used to develop an application, the first of which is CFF Explorer.

### CFF Explorer

This has been used each time the binary has been misidentified as C++ when it was actually written in C#; however, this is not a fault of CFF Explorer, it is simply that the wrong executable had been analysed.
### Grep on WSL

While I am working on Windows to build a WPF application, I can still use useful Linux commands like `file` and `grep` through WSL to find out more about a file.

```bash
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework$ ls
Update.exe  WpfApp2FullFramework.exe  app-1.0.0  packages
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework$ file WpfApp2FullFramework.exe
WpfApp2FullFramework.exe: PE32 executable (GUI) Intel 80386, for MS Windows
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework$ cd app-1.0.0/
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework/app-1.0.0$ file WpfApp2FullFramework.exe
WpfApp2FullFramework.exe: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework/app-1.0.0$ file *.dll | grep "Mono/.Net" | wc -l
10
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework/app-1.0.0$ ls *.dll
DeltaCompressionDotNet.MsDelta.dll   Mono.Cecil.Mdb.dll    Mono.Cecil.dll     Squirrel.dll
DeltaCompressionDotNet.PatchApi.dll  Mono.Cecil.Pdb.dll    NuGet.Squirrel.dll
DeltaCompressionDotNet.dll           Mono.Cecil.Rocks.dll  SharpCompress.dll
mburton@zitherldwx01:/mnt/c/Users/anon/AppData/Local/WpfSampleAppFullFramework/app-1.0.0$ file *.dll | grep "Mono/.Net" | wc -l
10
```
## Binary Security

Having identified the right binary, the report then flags security options which have not been enabled. These can be checked using the PowerShell module [PESecurity](https://github.com/NetSPI/PESecurity.git).

WARNING!!! Use [PESecurity](https://github.com/NetSPI/PESecurity.git) at your own risk, read the code yourself before you use it!

The actual application executable in the `app-1.0.0` subdirectory:

```powershell
PS C:\Source\GitRepos\PESecurity> Get-PESecurity -file $env:LOCALAPPDATA\WpfSampleAppFullFramework\app-1.0.0\WpfApp2FullFramework.exe

FileName : $env:LOCALAPPDATA\WpfSampleAppFullFramework\app-1.0.0\WpfApp2FullFramework.exe
ARCH : I386
DotNET : True
ASLR : True
DEP : True
Authenticode : False
StrongNaming : False
SafeSEH : NA
ControlFlowGuard : NA
HighentropyVA : NA
```

The executable in the top-level directory, which is the one that had been misidentified:

```powershell
PS C:\Source\GitRepos\PESecurity> Get-PESecurity -file $env:LOCALAPPDATA\WpfSampleAppFullFramework\WpfApp2FullFramework.exe

FileName : $env:LOCALAPPDATA\WpfSampleAppFullFramework\WpfApp2FullFramework.exe
ARCH : I386
DotNET : False
ASLR : True
DEP : True
Authenticode : False
StrongNaming : NA
SafeSEH : True
ControlFlowGuard : False
HighentropyVA : NA
```

## The Cause of the Misidentification

The application installer is built using [Squirrel](https://github.com/Squirrel/Squirrel.Windows); the file being opened in `CFF Explorer` is part of the Squirrel installer, as described in the [Installing documentation](https://github.com/Squirrel/Squirrel.Windows/blob/develop/docs/getting-started/4-installing.md). The actual application executable is in the application version subdirectory `app-n.n.n`.

## How to fix it?

I had a very constructive discussion with [caesay](https://github.com/caesay), one of the maintainers of [Clowd.Squirrel](https://github.com/clowd/Clowd.Squirrel), a fork of [Squirrel.Windows](https://github.com/Squirrel/Squirrel.Windows). Moments after our discussion, the commit [Enable ControlFlowGuard for Setup.exe](https://github.com/clowd/Clowd.Squirrel/commit/5cb8fdd8be220167e65af5f43a521c4307bd783a) was made.
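As an added example (not from this post and not PESecurity's own code), the Python below reads the PE header fields behind the two reports above: the COFF machine type (ARCH), the CLR runtime data directory whose presence marks a .NET assembly (DotNET, the same property `file` reports as a Mono/.Net assembly), and the DllCharacteristics bits for HighentropyVA, ASLR, DEP and ControlFlowGuard. Authenticode, StrongNaming and SafeSEH need more than the headers and are left out; `build_sample_pe` constructs a minimal PE32 header so the example runs offline, and the offsets follow the PE/COFF specification.

```python
import struct

FLAGS = {  # IMAGE_DLLCHARACTERISTICS_* bits, keyed by the PESecurity report names
    "HighentropyVA": 0x0020,      # HIGH_ENTROPY_VA
    "ASLR": 0x0040,               # DYNAMIC_BASE
    "DEP": 0x0100,                # NX_COMPAT
    "ControlFlowGuard": 0x4000,   # GUARD_CF
}
MACHINE_NAMES = {0x14C: "I386", 0x8664: "AMD64"}
CLR_RUNTIME_DIR = 14  # data directory index of the CLR (COM descriptor) header

def inspect_pe(data: bytes) -> dict:
    """Return ARCH, DotNET and the DllCharacteristics mitigations of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER, 20 bytes
    machine = struct.unpack_from("<H", data, coff)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs_off, dirs_off = (92, 96) if magic == 0x10B else (108, 112)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    dotnet = False
    if ndirs > CLR_RUNTIME_DIR:              # a non-empty CLR directory marks a .NET assembly
        rva, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * CLR_RUNTIME_DIR)
        dotnet = rva != 0 and size != 0
    result = {"ARCH": MACHINE_NAMES.get(machine, hex(machine)), "DotNET": dotnet}
    for name, bit in FLAGS.items():
        result[name] = bool(dll_chars & bit)
    return result

def build_sample_pe(dll_chars: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (no sections) so the example runs offline."""
    dos = bytearray(b"MZ" + bytes(62))
    struct.pack_into("<I", dos, 0x3C, 64)    # e_lfanew: PE signature right after the DOS header
    opt = bytearray(224)                     # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)    # magic: PE32
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, 16)      # NumberOfRvaAndSizes
    if dotnet:                               # constructed CLR header RVA/size
        struct.pack_into("<II", opt, 96 + 8 * CLR_RUNTIME_DIR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Pointing `inspect_pe` at the bytes of the two executables above reproduces the ARCH, DotNET, ASLR, DEP and ControlFlowGuard lines of the PESecurity reports.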
