Process Injection - Malware style
Who am I
• Security Researcher
• PwC: Consultant
• Former student UGent
• {@ -F-G}/SanderDemeester
Outline
• Windows processes: An introduction
• DLL Injection
• Process replacement
• Questions
Windows PE
• It’s a file format!
• It contains information about the executable
• It’s THE Windows format for all executables
• DLL
• EXE
• SYS
• Imports - functions needed from other libraries
• Exports - functions this image makes available for other modules to call
• NT Headers - used by the Windows loader
• Sections - .text, .rdata, .data, …
• Relocations - fix-ups applied when the image is not loaded at its preferred base address
• Resources - strings, icons, …
• Much more..
PE - A short demo
What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - Conceptually, an execution unit inside the process
Process as a structure
• Fine.. A process is a thing that runs in the system..
• The OS uses different kernel structures to manage those processes
• Remember, a process believes it has the whole address space to itself..
EPROCESS
• Executive component of the Windows kernel
• It's the kernel's process object for a process
• Kernel use: I/O transfer, managing virtual memory
• Drivers obtain it via PsGetCurrentProcess()
PEB
• Structure in user space
• Used by operating-system code in user space (ntdll, kernel32)
• Contains information about a running process
• CLI parameters, pointer to the heap, image base address
• A pointer to PEB_LDR_DATA
PEB_LDR_DATA
• Contains information about the loaded modules associated with the running process
• Has the anchor for a doubly linked list that contains each loaded module
• Each list entry is an LDR_DATA_TABLE_ENTRY
TIB
• Stores information about the current thread
• Can be obtained via the FS (x86) or GS (x64) segment register
• Used to obtain information about the running thread
• Things like the SEH chain and the stack base
• Access to the thread local storage array
PEB, TIB - A short demo
So… What does this mean?
• Different Windows components need to interact with the process
• Windows APIs need to provide access to that information
Process in memory
• There is something called virtual memory
• It maps virtual memory addresses onto physical addresses; the addresses a process can use form its virtual address space
• A collection of contiguous segments
• Each process thinks.. It's all mine
Virtual memory - A short demo
Virtual memory
• Mapping virtual memory addresses into physical addresses
• Base relocation: Fixing memory locations at load time.
• Relative virtual addresses or RVA
• RVAs just make the job of the loader easier
• Three types of “addresses”
• Logical addresses: perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation
Outline
• Windows processes: An introduction
• DLL Injection
• Process replacement
• Questions
Injection.. Why?
• We would like to hide the fact that we are running code
• Makes deployment a lot easier
• Bypass certain security filters
DLL Injection
• Force a different process to load a DLL at runtime
• Use the Windows API
• The OS automatically calls the DLL's DllMain function
• The DLL inherits the same rights as the target process
• Everything the malicious code does will appear to come from the injected process
DLL Injection - Why?
• Everything the malicious code does will appear to come from the injected process
• It inherits all the permissions of the process
• Read from that process's virtual memory
DLL Injection - Demo
DLL injection steps
• The loader obtains a handle to the victim process
• Most often uses CreateToolhelp32Snapshot, Process32First and Process32Next
• Obtain the process ID
• Obtain the handle to the process
DLL injection steps
• Make room to create a new thread
• Allocate enough memory in the victim's process for the DLL name
• Write only the name to the virtual memory of our victim
• Obtain the address of LoadLibraryA (via a module handle to the library that exports it)
DLL injection steps
• CreateRemoteThread is used to create and start a thread in the victim's process
• CreateRemoteThread is passed three parameters that matter here
• hProcess - process handle
• lpStartAddress - starting point of the code for our new thread, in our case LoadLibraryA
• lpParameter - argument for the new thread, the address of the DLL name we wrote
DLL Injection - code constructs
Outline
• Windows processes: An introduction
• DLL Injection
• Process replacement
• Questions
Process replacement - Why?
• Disguise malware as a legit process
• Can not crash the host process and risk being discovered
• Same permissions as the replaced process
Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process
Process replacement - How would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process with our code
• Run the process
• Easy!
Process replacement - A short demo
What do we need?
• We need a different “process” to replace the existing one?
• A way to “stop” a legitimate process that is running?
• A lot of information on the legitimate process
• Ways to write into the virtual memory of a different process?
• A brain that works
Windows resources
• A program contains “resources”
• Contains raw images, bitmaps and dialog boxes
• But it can contain what we want?
• Steganography? Anyone?
• Let's put a PE in it!
Resource hacker - A short demo
• Create a new process in a SUSPENDED_STATE
Process replacement steps
• Obtain our PE file stored in the resource section
• Create a new windows process in the suspended
state
• Access the “thread context” of the suspended process's main thread
• The EBX register of the newly created process contains a pointer to the PEB structure
Process replacement steps
• The PEB structure contains a lot of information about the process, including the image base address
• Using an “undocumented” API call, NtUnmapViewOfSection, we can remove the original code from memory
• Windows Native System Services routine - use a function pointer to get to it
• We need to place our malicious PE file into memory
• Obtain the image base address and the size of our program
• Call VirtualAllocEx and pass it the handle of our suspended thread and set the permissions of the allocated memory to PAGE_EXECUTE_READWRITE
• So far so good
• Start parsing the PE file to obtain pointers to the different sections
• SizeOfHeaders is at some offset in the PE header
• NumberOfSections is at some offset in the PE header
• Copy the PE header to the exact same place in the virtual address space of the suspended process
• Read each IMAGE_SECTION_HEADER and perform some pointer calculations
• Keep going..
• Using the structures
• IMAGE_SECTION_HEADER.SizeOfRawData
• IMAGE_SECTION_HEADER.PointerToRawData
• IMAGE_SECTION_HEADER.VirtualAddress
• We perform pointer calculations to copy the data over
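As an added example (not code from the deck), the header walk of the last two slides in Python: e_lfanew, NumberOfSections and SizeOfHeaders from the PE header, then each IMAGE_SECTION_HEADER's VirtualAddress, SizeOfRawData and PointerToRawData used to lay the file out the way the loader does. The same layout gives a defender the expected bytes for comparing a process's mapped sections against its on-disk image, which `modified_sections` does; the sample PE is constructed inline and is not a real binary, and the offsets assume a PE32 (32-bit) optional header.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes, little-endian

def build_sample_pe(text: bytes, data: bytes) -> bytes:
    """Constructed test input: a tiny, non-runnable PE32 image with two sections."""
    sections = [(b".text", 0x1000, text), (b".data", 0x2000, data)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                      # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase (preferred)
    struct.pack_into("<I", opt, 56, 0x3000)    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)     # SizeOfHeaders
    hdrs, body, raw_ptr = b"", b"", 0x200
    for name, va, content in sections:
        padded = content.ljust(0x200, b"\0")   # FileAlignment 0x200
        hdrs += struct.pack(SECTION_HDR, name, len(content), va, len(padded),
                            raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(padded)
        body += padded
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + hdrs).ljust(0x200, b"\0") + body

def parse_pe(pe: bytes) -> dict:
    """Walk the headers the slides name: e_lfanew -> NumberOfSections, SizeOfHeaders,
    ImageBase, SizeOfImage, then each IMAGE_SECTION_HEADER (PE32 only)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4                                # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", pe, file_hdr + 2)
    opt_size, = struct.unpack_from("<H", pe, file_hdr + 16)
    opt_hdr = file_hdr + 20                                # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", pe, opt_hdr)[0] != 0x10B:
        raise ValueError("PE32+ not handled: ImageBase is 8 bytes at +24 there")
    image_base, = struct.unpack_from("<I", pe, opt_hdr + 28)
    size_of_image, = struct.unpack_from("<I", pe, opt_hdr + 56)
    size_of_headers, = struct.unpack_from("<I", pe, opt_hdr + 60)
    sections = []
    for i in range(num_sections):
        name, _vsize, va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, pe, opt_hdr + opt_size + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return {"image_base": image_base, "size_of_image": size_of_image,
            "size_of_headers": size_of_headers, "sections": sections}

def map_image(pe: bytes) -> bytearray:
    """Lay the file out as the loader does: headers at RVA 0, then each section's
    SizeOfRawData bytes from PointerToRawData copied to RVA VirtualAddress."""
    info = parse_pe(pe)
    image = bytearray(info["size_of_image"])
    image[:info["size_of_headers"]] = pe[:info["size_of_headers"]]
    for s in info["sections"]:
        raw = pe[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]
        image[s["va"]:s["va"] + len(raw)] = raw
    return image

def modified_sections(pe: bytes, memory_image: bytes) -> list:
    """Detection check from the deck: compare each section as mapped from the on-disk
    file with the same RVA range of a memory dump and name the ones that differ.
    A real comparison must first undo relocations and import-table fix-ups."""
    expected = map_image(pe)
    return [s["name"] for s in parse_pe(pe)["sections"]
            if memory_image[s["va"]:s["va"] + s["raw_size"]]
            != expected[s["va"]:s["va"] + s["raw_size"]]]
```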
Are we done yet?
• The Windows loader has done most of the work
• We need to tell the loader where it should jump to
• Patch the original program entry point with the one from our PE file
• After loading, lpContext->Eax contains our OEP
• Call SetThreadContext to update the thread context
• Resume the suspended process
Process replacement - code constructs
Is this still the same process?
• How do you define a process?
• As far as Windows is concerned, it’s whatever is loaded into memory
• Using the API to observe the process, it is the original process
Can we detect this?
• We can monitor for a sequence of strange API calls?
• We can compare the code sections of the running process with the ones stored on the filesystem
• We can define rules on how a program should behave and compare against them
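The first detection idea above, watching for a suspicious sequence of API calls, worked through as an added example (not part of the original deck): the two call sequences the deck walks through, DLL injection via CreateRemoteThread into LoadLibraryA and process replacement via a suspended process, expressed as ordered rules over a constructed, simplified API trace. The trace format, pids and field names are assumptions; OpenProcess, WriteProcessMemory, GetThreadContext and ResumeThread are the standard Win32 calls for the steps the slides describe in words.

```python
# Constructed, simplified API-monitor trace (not real telemetry): one line per
# call; "pid" is the caller and "target" the process the call operates on.
TRACE = """\
10:00:01 pid=1337 api=CreateProcessW target=2048 flags=CREATE_SUSPENDED
10:00:01 pid=1337 api=GetThreadContext target=2048
10:00:01 pid=1337 api=NtUnmapViewOfSection target=2048
10:00:01 pid=1337 api=VirtualAllocEx target=2048 protect=PAGE_EXECUTE_READWRITE
10:00:01 pid=1337 api=WriteProcessMemory target=2048
10:00:02 pid=1337 api=SetThreadContext target=2048
10:00:02 pid=1337 api=ResumeThread target=2048
10:00:05 pid=2222 api=OpenProcess target=3000
10:00:05 pid=2222 api=VirtualAllocEx target=3000 protect=PAGE_READWRITE
10:00:05 pid=2222 api=WriteProcessMemory target=3000
10:00:05 pid=2222 api=CreateRemoteThread target=3000 start=LoadLibraryA
10:00:09 pid=4000 api=OpenProcess target=4100
10:00:09 pid=4000 api=ReadProcessMemory target=4100
"""

# Each rule is an ordered list of (api, required key=value fields). The steps must
# appear in this order for one (caller, target) pair; unrelated calls in between
# are ignored, so a rule still fires when the sequence is interleaved with noise.
PATTERNS = {
    "dll-injection": [
        ("OpenProcess", {}),
        ("VirtualAllocEx", {}),
        ("WriteProcessMemory", {}),
        ("CreateRemoteThread", {"start": "LoadLibraryA"}),
    ],
    "process-replacement": [
        ("CreateProcessW", {"flags": "CREATE_SUSPENDED"}),
        ("NtUnmapViewOfSection", {}),
        ("VirtualAllocEx", {"protect": "PAGE_EXECUTE_READWRITE"}),
        ("WriteProcessMemory", {}),
        ("SetThreadContext", {}),
        ("ResumeThread", {}),
    ],
}

def parse_event(line: str) -> dict:
    """Turn one trace line into a dict: {'ts': ..., 'pid': ..., 'api': ..., ...}."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = ts
    return event

def detect(trace: str) -> list:
    """Run every rule over the trace as a per-(caller, target) state machine.
    Returns (rule, caller pid, target pid, timestamp of the completing call)."""
    progress = {}   # (caller, target, rule) -> index of the next expected step
    alerts = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["pid"], ev.get("target", "-"))
        for name, steps in PATTERNS.items():
            idx = progress.get(key + (name,), 0)
            if idx >= len(steps):
                continue                      # already alerted for this pair
            api, required = steps[idx]
            if ev["api"] == api and all(ev.get(k) == v for k, v in required.items()):
                idx += 1
                progress[key + (name,)] = idx
                if idx == len(steps):
                    alerts.append((name, key[0], key[1], ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(TRACE):
        print("ALERT %s: pid %s -> pid %s (completed at %s)" % alert)
```

Matching a subsequence rather than exact adjacency is what keeps the rule usable on real traces, where GetThreadContext, handle queries and allocator calls land between the steps; the price is that the rule needs the per-pair state shown here rather than a plain regex.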
What other techniques do we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.
BSidesLV 2015
• Injection on Steroids: Code-less code injection and 0-day techniques..
• State-of-the-art
(*(*FNPTR)(LPVOID,*char))(QUESTIONS,"?")