process injection - malware style
TRANSCRIPT
![Page 1: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/1.jpg)
Process Injection Malware style
![Page 2: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/2.jpg)
Who am I
• Security Researcher
• PwC: Consultant
• Former student UGent
• @SanderDemeester
![Page 3: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/3.jpg)
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
![Page 4: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/4.jpg)
Windows PE
• It’s a file format!
• It contains information about the executable
• It’s THE Windows format for all executables
• DLL
• EXE
• SYS
![Page 5: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/5.jpg)
• Imports - Functions this module needs from other libraries (resolved by the loader)
• Exports - Functions this module makes available for other modules to call
• NT Headers - used by the Windows loader (file header, optional header, data directories)
• Sections - .text, .rdata, .data, …
• Relocations - fix-ups the loader applies when the image cannot be mapped at its preferred base address
• Resources - Strings, icons, …
• Much more..
![Page 6: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/6.jpg)
PE - A short demo
![Page 7: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/7.jpg)
What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - Conceptually, an execution unit inside the process
![Page 8: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/8.jpg)
Process as a structure
• Fine.. A process is a thing that runs in the system..
• The OS uses different kernel structures to manage those processes
• Remember, a process believes it has the whole address space to itself..
![Page 9: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/9.jpg)
![Page 10: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/10.jpg)
EPROCESS
• Executive-layer structure in the Windows kernel
• It’s the process object for a process
• Kernel use: I/O transfer, handling virtual memory
• Drivers: PsGetCurrentProcess()
![Page 11: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/11.jpg)
PEB
• Structure in user space
• Used by operating-system code in user space (ntdll, kernel32)
• Contains information about a running process
• Command-line parameters, pointer to the process heap, image base address
• A pointer to PEB_LDR_DATA
![Page 12: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/12.jpg)
PEB_LDR_DATA
• Contains information about the loaded modules associated with the running process
• Holds the anchor for a doubly linked list that contains each loaded module
• Each entry is an LDR_DATA_TABLE_ENTRY
![Page 13: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/13.jpg)
TIB
• Stores information about the current thread
• Can be obtained via the FS (x86) or GS (x64) segment register; the TIB is the first part of the TEB
• Used to obtain information about the running thread
• Things like the SEH chain head, stack base and stack limit
• Access to the thread local storage array
![Page 14: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/14.jpg)
PEB,TIB - A short demo
![Page 15: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/15.jpg)
So…What does this mean?
• Different windows components need to interact with the process
• Windows API’s need to provide access to that information
![Page 16: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/16.jpg)
Process in memory
• There is something called virtual memory
• The virtual address space of a process maps virtual addresses onto physical addresses
• That address space is a collection of contiguous regions
• Each process thinks.. it’s all mine
![Page 17: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/17.jpg)
![Page 18: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/18.jpg)
Virtual memory - A short demo
![Page 19: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/19.jpg)
Virtual memory
• Mapping virtual memory addresses onto physical addresses
• Base relocation: fixing memory locations at load time when the image cannot be mapped at its preferred base
• Relative virtual addresses, or RVAs: offsets from the image base, so the same PE works wherever it ends up
• Makes the job of the loader easier
• Three types of “addresses”
• Logical addresses: perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation
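Base relocation as described above, as an added example that is not code from the slides: the function walks the .reloc directory of an already-mapped image and adds the load delta (actual base minus preferred base) to every absolute address it lists. The image, its single relocation block and the bases are constructed in the code for illustration; the function and constant names are my own, the relocation type values are the real ones from the PE specification.

```c
// relocate.c: apply base relocations to a mapped image that could not be loaded at its preferred base
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_REL_BASED_ABSOLUTE 0   /* padding entry, nothing to patch */
#define IMAGE_REL_BASED_HIGHLOW  3   /* 32-bit absolute address (PE32) */
#define IMAGE_REL_BASED_DIR64   10   /* 64-bit absolute address (PE32+) */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; } /* little-endian host assumed */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr64(uint8_t *p, uint64_t v) { memcpy(p, &v, 8); }

/* Walk the IMAGE_BASE_RELOCATION blocks at reloc_rva (reloc_size bytes, from the data directory) inside
   the mapped image img and add (actual_base - preferred_base) to every absolute address they point at.
   Returns the number of fix-ups applied, or -1 if the table is malformed or points outside the image. */
int apply_relocations(uint8_t *img, size_t img_size, uint32_t reloc_rva, uint32_t reloc_size,
                      uint64_t preferred_base, uint64_t actual_base)
{
    uint64_t delta = actual_base - preferred_base;      /* wraps, so negative deltas work as well */
    if (delta == 0) return 0;                           /* loaded where the linker expected: nothing to do */
    if ((uint64_t)reloc_rva + reloc_size > img_size) return -1;
    int applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    while (pos + 8 <= end) {                            /* each block: page RVA + total block size */
        uint32_t page = rd32(img + pos), block = rd32(img + pos + 4);
        if (block < 8 || pos + block > end) return -1;
        for (uint32_t e = pos + 8; e + 2 <= pos + block; e += 2) {
            uint16_t entry = rd16(img + e);
            uint32_t rva = page + (entry & 0xfff);      /* low 12 bits: offset within the 4 KiB page */
            switch (entry >> 12) {                      /* high 4 bits: relocation type */
            case IMAGE_REL_BASED_ABSOLUTE: break;
            case IMAGE_REL_BASED_HIGHLOW:
                if ((uint64_t)rva + 4 > img_size) return -1;
                wr32(img + rva, rd32(img + rva) + (uint32_t)delta); applied++; break;
            case IMAGE_REL_BASED_DIR64:
                if ((uint64_t)rva + 8 > img_size) return -1;
                wr64(img + rva, rd64(img + rva) + delta); applied++; break;
            default: return -1;                         /* other types are arch-specific; not handled here */
            }
        }
        pos += block;
    }
    return applied;
}

/* Constructed sample (not a real binary): a 0x2000-byte image with preferred base 0x400000, a 32-bit
   pointer at RVA 0x100, a 64-bit pointer at RVA 0x200, and one relocation block at RVA 0x1000 for page 0. */
#define SAMPLE_IMAGE_SIZE 0x2000
#define SAMPLE_RELOC_RVA  0x1000
#define SAMPLE_RELOC_SIZE 16
#define SAMPLE_PREFERRED  0x400000ull
void build_sample_image(uint8_t *img)
{
    memset(img, 0, SAMPLE_IMAGE_SIZE);
    wr32(img + 0x100, 0x401234);                                  /* points at base+0x1234 */
    wr64(img + 0x200, 0x401000);                                  /* points at base+0x1000 */
    wr32(img + SAMPLE_RELOC_RVA, 0);                              /* block: page RVA 0 */
    wr32(img + SAMPLE_RELOC_RVA + 4, SAMPLE_RELOC_SIZE);          /* 8-byte header + 4 entries */
    uint16_t ents[4] = { (IMAGE_REL_BASED_HIGHLOW << 12) | 0x100, (IMAGE_REL_BASED_DIR64 << 12) | 0x200, 0, 0 };
    memcpy(img + SAMPLE_RELOC_RVA + 8, ents, sizeof ents);        /* last two are ABSOLUTE padding */
}

/* Relocate the sample to new_base. which == 0 returns the fix-up count, 32 the patched 32-bit pointer,
   64 the patched 64-bit pointer; UINT64_MAX on error. This is the step a hollowing loader must add when
   VirtualAllocEx hands back an address other than ImageBase. */
uint64_t relocate_sample(uint64_t new_base, int which)
{
    uint8_t img[SAMPLE_IMAGE_SIZE];
    build_sample_image(img);
    int n = apply_relocations(img, sizeof img, SAMPLE_RELOC_RVA, SAMPLE_RELOC_SIZE, SAMPLE_PREFERRED, new_base);
    if (n < 0) return UINT64_MAX;
    return which == 32 ? rd32(img + 0x100) : which == 64 ? rd64(img + 0x200) : (uint64_t)n;
}
```

Real images contain only one of the two pointer-sized types (HIGHLOW for PE32, DIR64 for PE32+); the sample carries both so each path is exercised. Images built with /DYNAMICBASE always carry a .reloc section; an image linked without one cannot be moved, which is why hollowing code usually insists on getting ImageBase from VirtualAllocEx.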
![Page 20: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/20.jpg)
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
![Page 21: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/21.jpg)
Injection.. Why?
• We would like to hide the fact that we are running code
• Makes deployment a lot easier
• Bypass certain security filters
![Page 22: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/22.jpg)
DLL Injection
• Force a different process to load a DLL at runtime
• Use the Windows API
• The OS automatically calls the DLL’s DllMain function
• The DLL inherits the same rights as the target process
• Everything the malicious code does will appear to come from the injected process
![Page 23: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/23.jpg)
DLL Injection - Why?
• Everything the malicious code does will appear to come from the injected process
• It inherits all the permissions of the process
• Read from that process virtual memory
![Page 24: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/24.jpg)
![Page 25: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/25.jpg)
DLL Injection - Demo
![Page 26: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/26.jpg)
DLL injection steps
• The injector obtains a handle to the victim process
• Most often uses CreateToolhelp32Snapshot, Process32First and Process32Next to enumerate processes
• Obtain the process ID
• Obtain the handle to the process with OpenProcess
![Page 27: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/27.jpg)
DLL injection steps
• Make room in the victim for the argument of the new thread
• Allocate enough memory in the victim process for the DLL name (VirtualAllocEx)
• Write only the name (full path, NUL-terminated) to the virtual memory of our victim (WriteProcessMemory)
• Obtain the address of LoadLibraryA from kernel32; it is valid in the victim as well, because kernel32 is mapped at the same base in every process of the same bitness until the next boot
![Page 28: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/28.jpg)
DLL injection steps
• CreateRemoteThread is used to create and start a thread in the victim’s process
• The three CreateRemoteThread parameters that matter here
• hProcess - process handle
• lpStartAddress - starting point of the code for our new thread, in our case LoadLibraryA
• lpParameter - argument for the new thread, the address of the DLL name we wrote
![Page 29: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/29.jpg)
DLL Injection - code constructs
![Page 30: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/30.jpg)
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
![Page 31: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/31.jpg)
Process replacement - Why?
• Disguise malware as a legit process
• No risk of crashing a running host process and being discovered: we start a fresh one and own it from the first instruction
• Same permissions as the replaced process
![Page 32: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/32.jpg)
Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process
![Page 33: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/33.jpg)
Process replacement - How would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process with our code
• Run the process
• Easy!
![Page 34: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/34.jpg)
Process replacement -A short demo
![Page 35: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/35.jpg)
What do we need?
• We need a different “process” to replace the existing one?
• A way to “stop” a legitimate process that is running?
• A lot of information on the legitimate process
• Ways to write into the virtual memory of a different process?
• A brain that works
![Page 36: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/36.jpg)
Windows resources
• A program contains “resources”
• Contains raw images, bitmaps and dialog boxes
• But it can contain what we want?
• Steganography? Anyone?
• Lets put a PE in it!
![Page 37: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/37.jpg)
Resource hacker - A short demo
![Page 38: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/38.jpg)
• Create a new process in a suspended state (CreateProcess with the CREATE_SUSPENDED creation flag)
![Page 39: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/39.jpg)
Process replacement steps
• Obtain our PE file stored in the resource section (FindResource, LoadResource, LockResource)
• Create a new Windows process in the suspended state
• Access the “thread context” of the suspended process’s primary thread (GetThreadContext with CONTEXT_FULL)
• On x86 the EBX register of the newly created process contains a pointer to the PEB structure and EAX the entry point; on x64 the same values sit in RDX and RCX
![Page 40: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/40.jpg)
Process replacement steps
• The PEB structure contains a lot of information about the process, including the image base address (PEB+0x8 on x86, PEB+0x10 on x64)
• Using the “undocumented” API call NtUnmapViewOfSection we can remove the original image from memory
• Windows Native System Services routine, exported by ntdll but not declared in the SDK headers: resolve it with GetProcAddress and call it through a function pointer
![Page 41: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/41.jpg)
• We need to place our malicious PE file into memory
• Obtain the image base address (OptionalHeader.ImageBase) and the size of our program (OptionalHeader.SizeOfImage) from its headers
• Call VirtualAllocEx with the handle of the suspended process (a process handle, not the thread handle), ask for exactly that base and size, and set the permissions of the allocated memory to PAGE_EXECUTE_READWRITE
• If Windows refuses that base, our PE must be relocatable and PEB.ImageBaseAddress patched to wherever the allocation ends up
![Page 42: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/42.jpg)
• So far so good
• Start parsing the PE file to obtain pointers to the different sections
• SizeOfHeaders is in the optional header (IMAGE_OPTIONAL_HEADER.SizeOfHeaders)
• NumberOfSections is in the file header (IMAGE_FILE_HEADER.NumberOfSections)
• Copy the PE headers (SizeOfHeaders bytes) to the image base in the virtual address space of the suspended process
• Read each IMAGE_SECTION_HEADER and perform some pointer calculations
![Page 43: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/43.jpg)
• Keep going..
• Using the fields of each IMAGE_SECTION_HEADER
• IMAGE_SECTION_HEADER.SizeOfRawData - how many bytes to copy
• IMAGE_SECTION_HEADER.PointerToRawData - where they sit in the file
• IMAGE_SECTION_HEADER.VirtualAddress - where they go, relative to the image base
• We perform pointer calculations to copy the data over: SizeOfRawData bytes from file + PointerToRawData to ImageBase + VirtualAddress (WriteProcessMemory)
![Page 44: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/44.jpg)
Are we done yet?
• The Windows loader has already done most of the work for the original process
• We need to tell it where it should jump to
• Patch the original program entry point with the one from our PE file
• After CreateProcess, lpContext->Eax holds the original entry point; overwrite it with ImageBase + AddressOfEntryPoint of our PE (Rcx on x64)
• Call SetThreadContext to update the thread context
• ResumeThread to start the suspended process
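The section-copying steps on the last four slides, together with the PE layout from the “Windows PE” slides, as an added, portable example that is not the presenter’s code: it parses a PE in file layout, produces the image layout that a hollowing loader writes to ImageBase in the suspended process, translates RVAs to file offsets, and computes the entry point value that goes into the thread context. The Windows glue (CreateProcess, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext) is left out so the mapping logic itself runs and can be checked on any platform; the sample PE is constructed in build_sample_pe and the struct and function names are mine, while the header offsets are the real ones.

```c
// pe_map.c: parse a PE file and lay it out the way the loader (or a hollowing loader) does
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER are naturally aligned, so plain structs match the on-disk
   bytes on a little-endian host (sizes checked below). Optional-header fields are read by offset. */
struct file_hdr { uint16_t machine, nsections; uint32_t ts, symtab, nsyms; uint16_t opt_size, chars; };
struct sect_hdr { char name[8]; uint32_t vsize, va, raw_size, raw_ptr, reloc_ptr, line_ptr;
                  uint16_t nreloc, nline; uint32_t chars; };
_Static_assert(sizeof(struct file_hdr) == 20 && sizeof(struct sect_hdr) == 40, "unexpected struct padding");

struct pe_view {
    const uint8_t *file; size_t len;
    const struct file_hdr *fh;
    const struct sect_hdr *sections;
    uint32_t entry_rva, size_of_image, size_of_headers;
    uint64_t image_base;                        /* preferred base (IMAGE_OPTIONAL_HEADER.ImageBase) */
};

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Validate the headers and collect what the mapper needs. Returns 0 on success, -1 if malformed. */
int pe_parse(const uint8_t *file, size_t len, struct pe_view *v)
{
    if (len < 0x40 || memcmp(file, "MZ", 2) != 0) return -1;
    uint32_t nt = rd32(file + 0x3c);                                   /* IMAGE_DOS_HEADER.e_lfanew */
    if (nt > len - 4 - sizeof(struct file_hdr) || memcmp(file + nt, "PE\0\0", 4) != 0) return -1;
    v->file = file; v->len = len;
    v->fh = (const struct file_hdr *)(file + nt + 4);
    const uint8_t *opt = file + nt + 4 + sizeof(struct file_hdr);
    if (v->fh->opt_size < 64 || (size_t)(opt - file) + v->fh->opt_size + 40u * v->fh->nsections > len) return -1;
    uint16_t magic = (uint16_t)(opt[0] | opt[1] << 8);                 /* IMAGE_OPTIONAL_HEADER.Magic */
    if (magic == 0x10b)      v->image_base = rd32(opt + 28);           /* PE32: 32-bit ImageBase */
    else if (magic == 0x20b) v->image_base = rd64(opt + 24);           /* PE32+: 64-bit ImageBase, no BaseOfData */
    else return -1;
    v->entry_rva       = rd32(opt + 16);                               /* AddressOfEntryPoint */
    v->size_of_image   = rd32(opt + 56);                               /* SizeOfImage */
    v->size_of_headers = rd32(opt + 60);                               /* SizeOfHeaders */
    v->sections = (const struct sect_hdr *)(opt + v->fh->opt_size);   /* section table follows the optional header */
    return (v->size_of_headers <= len && v->size_of_headers <= v->size_of_image) ? 0 : -1;
}

/* RVA -> file offset: headers map 1:1, the rest goes through the section table. Returns -1 when the RVA
   has no bytes in the file (alignment padding, or a .bss-style section with SizeOfRawData == 0). */
int64_t pe_rva_to_offset(const struct pe_view *v, uint32_t rva)
{
    if (rva < v->size_of_headers) return rva;
    for (uint16_t i = 0; i < v->fh->nsections; i++) {
        const struct sect_hdr *s = &v->sections[i];
        if (rva >= s->va && rva - s->va < s->raw_size) return (int64_t)s->raw_ptr + (rva - s->va);
    }
    return -1;
}

/* Build the in-memory image: headers at offset 0, each section's raw data at its VirtualAddress, everything
   else zero. This buffer is what gets written to ImageBase in the hollowed process. Caller frees. */
uint8_t *pe_map(const struct pe_view *v)
{
    uint8_t *img = calloc(1, v->size_of_image);
    if (!img) return NULL;
    memcpy(img, v->file, v->size_of_headers);
    for (uint16_t i = 0; i < v->fh->nsections; i++) {
        const struct sect_hdr *s = &v->sections[i];
        if (s->raw_size == 0) continue;
        if ((uint64_t)s->raw_ptr + s->raw_size > v->len || (uint64_t)s->va + s->raw_size > v->size_of_image) {
            free(img); return NULL;                                    /* section table lies: refuse */
        }
        memcpy(img + s->va, v->file + s->raw_ptr, s->raw_size);
    }
    return img;
}

/* New entry point for the thread context (Eax on x86, Rcx on x64) once the image sits at image_base. */
uint64_t pe_entry_va(const struct pe_view *v) { return v->image_base + v->entry_rva; }

/* Constructed sample, not a real binary: PE32, ImageBase 0x400000, .text at RVA 0x1000 (file 0x200) with a
   lone `ret` at the entry point, .data at RVA 0x2000 (file 0x400). Returns the file length. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    if (cap < 0x600) return 0;
    memset(buf, 0, 0x600);
    memcpy(buf, "MZ", 2); wr32(buf + 0x3c, 0x40); memcpy(buf + 0x40, "PE\0\0", 4);
    uint8_t *fh = buf + 0x44, *opt = fh + 20, *sec = opt + 224;
    wr16(fh, 0x14c); wr16(fh + 2, 2); wr16(fh + 16, 224);              /* i386, 2 sections, PE32 opt-hdr size */
    wr16(opt, 0x10b); wr32(opt + 16, 0x1010); wr32(opt + 28, 0x400000);
    wr32(opt + 32, 0x1000); wr32(opt + 36, 0x200); wr32(opt + 56, 0x3000); wr32(opt + 60, 0x200);
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x20); wr32(sec + 12, 0x1000); wr32(sec + 16, 0x200); wr32(sec + 20, 0x200);
    memcpy(sec + 40, ".data", 5); wr32(sec + 48, 0x10); wr32(sec + 52, 0x2000); wr32(sec + 56, 0x200); wr32(sec + 60, 0x400);
    buf[0x210] = 0xc3; memcpy(buf + 0x404, "hollow", 7);
    return 0x600;
}

/* Run the whole chain on the sample and check each step; returns 1 when all hold, 0 otherwise. */
int pe_selftest(void)
{
    uint8_t buf[0x600]; struct pe_view v;
    size_t n = build_sample_pe(buf, sizeof buf);
    if (!n || pe_parse(buf, n, &v) != 0) return 0;
    uint8_t *img = pe_map(&v);
    if (!img) return 0;
    int ok = v.fh->nsections == 2
          && pe_entry_va(&v) == 0x401010                    /* ImageBase + AddressOfEntryPoint */
          && img[0x1010] == 0xc3                            /* .text copied to its VirtualAddress */
          && memcmp(img + 0x2004, "hollow", 7) == 0         /* .data too */
          && pe_rva_to_offset(&v, 0x2004) == 0x404          /* section-table arithmetic */
          && pe_rva_to_offset(&v, 0x2300) == -1             /* beyond raw data: zero-filled, not in the file */
          && pe_rva_to_offset(&v, 0x3c) == 0x3c;            /* header RVAs map 1:1 */
    free(img);
    return ok;
}
```

On Windows the buffer pe_map returns is written with one WriteProcessMemory per section (or one for the whole image) to the base VirtualAllocEx handed back, after which pe_entry_va supplies the value for Eax/Rcx. The same mapper is what a detector needs for the comparison mentioned later on the “Can we detect this?” slide: map the on-disk image of the process, then compare its .text against the bytes read from the live process.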
![Page 45: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/45.jpg)
Process replacement - code constructs
![Page 46: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/46.jpg)
Is this still the same process?
• How do you define a process?
• As far as Windows is concerned, it’s what is loaded into memory
• Using the API to observe the process, it is the original process (same PID, image path and command line)
![Page 47: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/47.jpg)
Can we detect this?
• We can monitor for a suspicious sequence of API calls (CreateProcess with CREATE_SUSPENDED, NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext, ResumeThread)
• We can compare the code sections of the running process with the ones stored on the filesystem
• We can define rules on how a program should behave and compare
![Page 48: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/48.jpg)
What other techniques do we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.
![Page 49: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/49.jpg)
BSidesLV 2015
• Injection on Steroids: Code-less code injection and 0-day techniques..
• State-of-the-art
![Page 50: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/50.jpg)
(*(*FNPTR)(LPVOID,*char))
(QUESTIONS,”?”)
![Page 51: Process injection - Malware style](https://reader033.vdocument.in/reader033/viewer/2022060205/55a1f1ab1a28ab48788b45d9/html5/thumbnails/51.jpg)