As computer systems become more sophisticated, process injection techniques also evolve. These techniques are notorious for their use by "malicious software" to hide code execution and avoid detection. In this presentation we dive deep into the Windows runtime and we demonstrate these techniques. Besides, we also learn how to code construction and design patterns that relate to perform hidden code can recognize.
4. Windows PE
• It’s a file format!
• It contains information about the executable
• It’s THE windows format for all executables
• DLL
• EXE
• SYS
5. • Imports - Functions from other libraries
• Exports - Functions that should be called
• NT Headers - used by windows loader
• Sections - .text, .rdata, .data,…
• Relocations - Preferred base address
• Resources - Strings, icons, …
• Much more..
7. What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - Conceptually, an execution unit inside the
process
8. Process as a structure
• Fine.. A process is a thing that runs in the system..
• The OS uses different kernel structures to manage
those processes
• Remember, a process believes it has the whole
adres space to It’s self..
9.
10. EPROCESS
• Executive component of
windows kernel
• It's a process object for
a process
• Kernel use: IO transfer,
handle virtual memory
• Drivers:
PsGetCurrentProcess()
11. PEB
• Structure in userspace
• Used by operating system
code in user-space
(ntdll,kernel32)
• Contains information about a
running process
• CLI parameters, pointer to
heap,image base address
• A pointer to PEB_LDR_DATA
12. PEB_LDR_DATA
• Contains information about
the loaded modules
associated with the running
process
• Has the anchor for a doubly
linked list that contains each
loaded module
• LDR_DATA_TABLE_ENTRY
13. TIB
• Stores information about the
current thread
• Can be obtained via the FS or
GS registers
• Used to obtain information
about the running thread
• Things like the SEH, stack
base
• Access to the thread local
storage array
15. So…What does this mean?
• Different windows components need to interact with
the process
• Windows API’s need to provide access to that
information
16. Process in memory
• There is something called virtual memory
• Maps memory addresses into physical addresses,
the virtual memory address space
• A collection of contiguous segments
• Each process thinks.. It's all mine
19. Virtual memory
• Mapping virtual memory addresses into physical addresses
• Base relocation: Fixing memory locations at load time.
• Relative virtual addresses or RVA
• Just made the job of the loader easier
• Three types of “addresses”
• Logical addresses: perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation
21. Injection.. Why?
• We would like to hide the fact that we are running
code
• Makes deployment a lot easier
• Bypass certain security filters
22. DLL Injection
• Force a different process to load a DLL at runtime
• Use the windows API
• The OS automatically calls the DLLMain function
• DLL inherits the same rights as the target process
• Everything the malicious code does will appear to
come from the injected process
23. DLL Injection - Why?
• Everything the malicious code does will appear to
come from the injected process
• It inherits all the permissions of the process
• Read from that process virtual memory
26. DLL injection steps
• The loader obtains a handle to the victim process
• Most often uses CreateToolhelp32snapshot,
Process32First and Process32Next
• Obtain the Process ID
• Obtain the handle to the process
27. DLL injection steps
• Make room to create a new thread
• Allocate enough memory in the victims process for
the DLL name
• Write only the name to the virtual memory of our
victim
• Obtain a module handle to LoadLibraryA
28. DLL injection steps
• The CreateRemoteThread is used to open and execute
a thread in the victims process
• The CreateRemoteThread is passed three parameters
• hProcess - process handle
• lpStartAddress - starting point of the code for our
new thread, in our case. LoadLibraryA
• lpParameter - argument for the new thread
31. Process replacement - Why?
• Disguise malware as a legit process
• Can not crash the host process and risk being
discovered
• Same permissions as the replaced process
32. Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim
process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process
33. Process replacement - How
would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process
with our code
• Run the process
• Easy!
35. What do we need?
• We need a different “process” to replace the existing
one?
• A way to “stop” a legitimate process that is running?
• A lot of information on the legitimate process
• Ways to write into the virtual memory of a different
process?
• A brain that works
36. Windows resources
• A program contains “resources”
• Contains raw images, bitmaps and dialog boxes
• But it can contain what we want?
• Steganography? Anyone?
• Lets put a PE in it!
39. Process replacement steps
• Obtain our PE file stored in the resource section
• Create a new windows process in the suspended
state
• Access the “thread context” of the suspended
progress thread.
• The EBX register of newly created process contains
a pointer to the PEB structure
40. Process replacement steps
• The PEB structure contains a lot of information
about the process, including the image base
address.
• Using an “undocumented" API call
NtUnmapViewOfSection we can remove the code
from memory
• Windows Native System Services routine - use a
function pointer to get to it.
41. • We need to place our malicious PE file into memory
• Obtain the image base address and the size of our
program
• Call VirtualAllocEx and pass it the handle of our
suspended thread and set the permissions of the
allocated memory to PAGE_EXECUTE_READWRITE
42. • So far so good
• Start parsing the PE file to obtain pointers to the different
section
• SizeOfHeaders is at some offset in the PE header
• NumberOfSections is at some offset in the PE header
• Copy the PE header to the exact same place in the virtual
adres space as the suspended process
• Read the IMAGE_HEADER_SECTION and perform some
pointer calculations
43. • Keep going..
• Using the structures
• IMAGE_SECTION_HEADERS.SizeOfRawData
• IMAGE_SECTION_HEADERS.PointerToRawData
• IMAGE_SECTION_HEADER.VirtualAddress
• We perform pointer calculations to copy the data
over
44. Are we done yet?
• The windows loader has done most of the work
• We need to tell the loader where it should jump to
• Patch the original program entry point with the one
from our PE file
• After loading, lpContext->_eax contains our OEP
• Call SetThreadContext to update the thread context
• Start of suspended process
46. Is this still the same
process?
• How do you define a process?
• As far as windows is concerned, it’s what It's loaded
into memory
• Using the API to observe the process, it is the
original process
47. Can we detect this?
• We can monitor for a sequence of strange API
calls?
• We can compare the code sections of the running
process with the ones stored on the filesystem
• We can define rules on how a program should
behave and compare
48. What other techniques do
we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.
49. BSidesLV 2015
• Injection on Steroids: Code-less code injection and
0-day techniques..
• State-of-the-art