Code Injection in Windows
Description: Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011
Transcript:
![Page 1: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/1.jpg)
Code Injection on Windows
Raashid Bhat, Kashmir
Student, Computer Security, 2nd year BE
http://Twitter.com/raashidbhatt
![Page 2: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/2.jpg)
Agenda
• Why Inject Code?
• Ways to Inject Code
• Questions?
![Page 3: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/3.jpg)
Why inject code?
• Trivially bypass anti-virus software
• To be stealthy
• Malware makes heavy use of injection
• Stealing credentials (POST form grabbers, HTML injection, etc.)
• Etc. etc.
![Page 4: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/4.jpg)
Portable Executable (PE) Format
• File format for Windows executables
• Consists of sections, each with its own characteristics (examples: .text, .bss, .data, .reloc, .debug)
• Imports and exports of an EXE file are stored in the .idata and .rdata sections
• Texe 1.2 by Raashid Bhatt (PE dumper): http://texe.codeplex.com
• Briefly documented in <winnt.h>
![Page 5: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/5.jpg)
Code injection Technique #1
# PE File Infection
![Page 6: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/6.jpg)
PE File Infection
• Overwrite the .code section (or any section convenient for infection)
• Change the entry point of the executable
• Save the registers, ESP, EBP etc.
• Return to the original EP by either
  • Push EP; Ret
  • or JMP EP
![Page 7: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/7.jpg)
The bad news?
• Calling functions, e.g. LoadLibrary() or GetProcAddress() in kernel32.dll, when ASLR (address space layout randomization) is enabled: their addresses are no longer fixed (/FIXED:NO in MSVC)
• Sections .data and .bss are usually marked as writable and readable, not executable
![Page 8: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/8.jpg)
Remedy
• Use the PEB (Process Environment Block) to find the kernel32.dll address
• The PEB is located at FS:[0x30]
• Consists of heaps, binary information and loaded module information
• Further reading: The Last Stage of Delirium, Win32 Assembly Components, http://www.lsd-pl.net/documents/winasm-1.0.1.pdf
![Page 9: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/9.jpg)
Non-Executable Sections
• Sections .data, .bss, .idata, .edata etc. are not executable, as they are marked 0xC0000040 (INITIALIZED_DATA|READ|WRITE)
• Change:
  PIMAGE_SECTION_HEADER->Characteristics = IMAGE_SCN_CNT_CODE (documented in winnt.h)
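The section-characteristics change described above leaves a footprint in the section table that a defender can look for: a data section carrying the code/execute flags alongside the write flag, or an entry point that no longer lands in a read-only code section. The following Python is an added example (not code from the talk) that parses the IMAGE_FILE_HEADER, the AddressOfEntryPoint field and the IMAGE_SECTION_HEADER array directly with `struct`, then audits them. The sample images, the helper names (`parse_pe_headers`, `audit_sections`, `build_sample_pe`) and the header-only PE layout are constructed for the demonstration; the flag values are the ones from winnt.h that the slides quote.

```python
import struct

# Section characteristic flags from <winnt.h> (the values the slides quote)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def parse_pe_headers(data):
    """Return (AddressOfEntryPoint, section list) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    off = opt + size_of_optional             # section table follows the optional header
    for _ in range(num_sections):
        name, vsize, va, _raw, _ptr, _r, _l, _nr, _nl, chars = struct.unpack_from(SECTION_FMT, data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "characteristics": chars})
        off += struct.calcsize(SECTION_FMT)
    return entry_rva, sections


def audit_sections(data):
    """Flag section-table anomalies typical of a patched entry point or a data section made executable."""
    entry_rva, sections = parse_pe_headers(data)
    findings = []
    entry_section = None
    for s in sections:
        c = s["characteristics"]
        executable = bool(c & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))
        if executable and c & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable (0x{c:08X})")
        if executable and c & IMAGE_SCN_CNT_INITIALIZED_DATA:
            findings.append(f"{s['name']}: initialized-data section also flagged as code (0x{c:08X})")
        if s["va"] <= entry_rva < s["va"] + s["vsize"]:
            entry_section = s
    if entry_section is None:
        findings.append(f"entry point 0x{entry_rva:X} lies outside every section")
    elif entry_section["characteristics"] & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry point 0x{entry_rva:X} is in writable section {entry_section['name']}")
    return findings


def build_sample_pe(entry_rva, section_specs):
    """Constructed header-only PE32 image for the demonstration (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                        # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                       # Magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    secs = b"".join(struct.pack(SECTION_FMT, name, size, va, size, 0, 0, 0, 0, 0, chars)
                    for name, va, size, chars in section_specs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Constructed samples: a normal layout, and one whose .data was given the code/execute
# flags with the entry point moved into it (the footprint of the technique above)
CLEAN_PE = build_sample_pe(0x1010, [(b".text", 0x1000, 0x1000, 0x60000020),
                                    (b".data", 0x2000, 0x1000, 0xC0000040)])
PATCHED_PE = build_sample_pe(0x2010, [(b".text", 0x1000, 0x1000, 0x60000020),
                                      (b".data", 0x2000, 0x1000,
                                       0xC0000040 | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("patched", PATCHED_PE)):
        print(label, audit_sections(image) or "no findings")
```

Running it reports nothing for the clean layout and three findings for the patched one: .data is writable and executable, .data is flagged as both data and code, and the entry point sits in a writable section. On real binaries, feed the file bytes to `audit_sections`; packers and some legitimate linkers produce similar layouts, so treat the output as triage hints rather than verdicts.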
![Page 10: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/10.jpg)
Code injection Technique #2
# IAT Hooking
![Page 11: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/11.jpg)
IAT
• The IAT (import address table) holds information about the DLLs to be loaded by a PE file
• Functions are linked either by ordinal or by name.
• Stored in the .idata section of the PE file.
• Defined in struct _IMAGE_IMPORT_DESCRIPTOR (<winnt.h>)
![Page 12: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/12.jpg)
IAT hooking
• Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)
• Can be achieved by changing the DLL name inside the import address table (IAT) to that of a proxy DLL
• Activated whenever any function of the original DLL is called
![Page 13: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/13.jpg)
Proxy DLL (user32.dll)
• DllMain(...)
• Example for a user32.dll proxy DLL:
  int WINAPI MessageBoxA(...) {
      user32.dll_MessageBoxA(...);   /* forward the call to the original user32.dll export */
      /* user code */
  }
![Page 14: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/14.jpg)
Code injection Technique #3
# Runtime Code Injection
![Page 15: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/15.jpg)
CreateRemoteThread
• Windows has the CreateRemoteThread() API
• According to MSDN: "The CreateRemoteThread function creates a thread that runs in the virtual address space of another process"
• Memory allocation in another process is possible using the VirtualAllocEx() API
• Foreign process memory can be read and written using WriteProcessMemory() & ReadProcessMemory()
![Page 16: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/16.jpg)
1: DLL Loading
DLLs can be loaded in another process using CreateRemoteThread. Steps:
1: Allocate memory for the DLL name in the remote target process
2: Write the DLL name, including full path, to the allocated memory
3: Map our DLL into the remote process via CreateRemoteThread & LoadLibrary
![Page 17: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/17.jpg)
/* Assumes hProc is an open handle to the target process, hKernel32 is the module handle of
   kernel32.dll and szDllPath is a char array holding the full path of the DLL. */
LPVOID pLibRemote = VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE);   /* step 1 */
BOOL bWriteCheck = WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL); /* step 2 */
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0,                                                  /* step 3 */
        (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"),
        pLibRemote, 0, NULL);
Equivalent to LoadLibraryA("Dll name"); executed inside the target process (dwStackSize and dwCreationFlags are DWORDs, so 0 rather than NULL).
![Page 18: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/18.jpg)
2: In-memory Execution
• First documented as "Reflective DLL Injection" by Stephen Fewer, Harmony Security
• Implemented in Metasploit payloads
• Involves writing an EXE or DLL file into memory and executing it from there
• Stealthy execution
![Page 19: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/19.jpg)
2: In-memory Execution: implementing a minimal Portable Executable (PE) file loader
• 1: Allocate memory and copy the file to memory
• 2: Parse the import address table of the PE file and perform fixups
• 3: Calculate the new base and perform relocation (IMPORTANT)
• 4: Jump to the entry point of the PE file
![Page 20: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/20.jpg)
Image Relocations
• Certain hardcoded addresses need to be fixed
• int x; int *p = &x; (the address of x is hardcoded into p)
• The PE file stores relocation entries in the .reloc section
• The .reloc section stores offsets to the addresses to be fixed
![Page 21: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/21.jpg)
Example of .reloc section
• Image:
  0x0001 --- DD (pointer) 0x0013 >>
  0x0010 --- 0xdeadbeef
  0x0011 --- 0xdeadbeef
  0x0013 --- 0xdeadbeef
• .reloc section entry: RELOC TYPE (4 bits) | OFFSET (12 bits), relative to the block's RVA
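Step 3 of the minimal loader above (calculate the new base and perform relocation) and the .reloc entry layout just shown come together in the following Python, an added example that is not the talk's code. It walks the IMAGE_BASE_RELOCATION blocks (a {VirtualAddress, SizeOfBlock} header followed by 16-bit entries whose high 4 bits are the type and low 12 bits the page offset), then adds the base delta to every HIGHLOW (PE32) or DIR64 (PE32+) slot, skipping the ABSOLUTE padding entries; the same parser is what an analyst uses to check whether a .reloc section is well formed. The sample page, its single pointer, the preferred base 0x400000 and the helper names are constructed for the demonstration; the type numbers are the ones from winnt.h.

```python
import struct

# Relocation types from <winnt.h>
IMAGE_REL_BASED_ABSOLUTE = 0    # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3     # full 32-bit address (PE32)
IMAGE_REL_BASED_DIR64 = 10      # full 64-bit address (PE32+)


def parse_reloc_section(reloc):
    """Walk the IMAGE_BASE_RELOCATION blocks of a .reloc section.

    Each block is {VirtualAddress, SizeOfBlock} followed by 16-bit entries:
    high 4 bits = type, low 12 bits = offset within the block's page.
    Returns a list of (rva, type)."""
    entries = []
    off = 0
    while off + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, off)
        if size < 8 or off + size > len(reloc):
            raise ValueError(f"malformed relocation block at offset {off:#x}")
        for i in range((size - 8) // 2):
            word = struct.unpack_from("<H", reloc, off + 8 + 2 * i)[0]
            entries.append((page_rva + (word & 0xFFF), word >> 12))
        off += size
    return entries


def apply_relocations(image, reloc, preferred_base, actual_base):
    """Return a copy of the mapped image with every relocated slot shifted by actual_base - preferred_base."""
    delta = actual_base - preferred_base
    out = bytearray(image)
    for rva, rtype in parse_reloc_section(reloc):
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if rtype == IMAGE_REL_BASED_HIGHLOW:
            value = struct.unpack_from("<I", out, rva)[0]
            struct.pack_into("<I", out, rva, (value + delta) & 0xFFFFFFFF)
        elif rtype == IMAGE_REL_BASED_DIR64:
            value = struct.unpack_from("<Q", out, rva)[0]
            struct.pack_into("<Q", out, rva, (value + delta) & 0xFFFFFFFFFFFFFFFF)
        else:
            raise ValueError(f"unsupported relocation type {rtype} at RVA {rva:#x}")
    return bytes(out)


# Constructed sample: a 32-byte page whose dword at RVA 0x10 holds an absolute
# pointer to RVA 0x13 under the preferred base 0x400000 (the slide's "DD (pointer)").
PREFERRED_BASE = 0x00400000
SAMPLE_IMAGE = bytearray(0x20)
struct.pack_into("<I", SAMPLE_IMAGE, 0x10, PREFERRED_BASE + 0x13)
SAMPLE_IMAGE = bytes(SAMPLE_IMAGE)

# One relocation block for page RVA 0: a HIGHLOW entry at offset 0x10 plus an
# ABSOLUTE padding entry so the block size stays dword-aligned.
SAMPLE_RELOC = struct.pack("<II", 0x0, 8 + 2 * 2) + struct.pack(
    "<HH", (IMAGE_REL_BASED_HIGHLOW << 12) | 0x10, (IMAGE_REL_BASED_ABSOLUTE << 12) | 0)


def relocated_pointer(actual_base):
    """Relocate the sample to actual_base and return the fixed-up pointer at RVA 0x10."""
    fixed = apply_relocations(SAMPLE_IMAGE, SAMPLE_RELOC, PREFERRED_BASE, actual_base)
    return struct.unpack_from("<I", fixed, 0x10)[0]


if __name__ == "__main__":
    print(hex(relocated_pointer(0x10000000)))  # 0x10000013
```

Loading the sample at 0x10000000 instead of its preferred 0x400000 gives a delta of 0x0FC00000, so the pointer 0x00400013 becomes 0x10000013; loading at the preferred base leaves it unchanged. The size checks in `parse_reloc_section` matter in practice: a block whose SizeOfBlock is below 8 or runs past the section is malformed, and a loader that trusts it either loops forever or writes outside the image.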
![Page 22: Code Injection in Windows](https://reader036.vdocument.in/reader036/viewer/2022081507/555c44dad8b42a0b038b50fb/html5/thumbnails/22.jpg)
• Thanks
• Questions?