Process Injection Malware style
Page 1: Process injection - Malware style

Process Injection Malware style

Page 2: Process injection - Malware style

Who am I

• Security Researcher

• PwC: Consultant

• Former student UGent

• {@ -F-G}/SanderDemeester

Page 3: Process injection - Malware style

Outline

• Windows processes: An introduction

• Dll Injection

• Process replacement

• Questions

Page 4: Process injection - Malware style

Windows PE

• It’s a file format!

• It contains information about the executable

• It’s THE windows format for all executables

• DLL

• EXE

• SYS

Page 5: Process injection - Malware style

• Imports - Functions from other libraries

• Exports - Functions that should be called

• NT Headers - used by windows loader

• Sections - .text, .rdata, .data,…

• Relocations - Preferred base address

• Resources - Strings, icons, …

• Much more..

Page 6: Process injection - Malware style

PE - A short demo

Page 7: Process injection - Malware style

What is a process?

• It’s the execution of a program

• One or more threads run in the context of a process

• Thread - Conceptually, an execution unit inside the process

Page 8: Process injection - Malware style

Process as a structure

• Fine.. A process is a thing that runs in the system..

• The OS uses different kernel structures to manage those processes

• Remember, a process believes it has the whole address space to itself.

Page 9: Process injection - Malware style
Page 10: Process injection - Malware style

EPROCESS

• Executive component of the Windows kernel

• It's the kernel's process object for a process

• Kernel use: I/O transfer, managing virtual memory

• Drivers: PsGetCurrentProcess()

Page 11: Process injection - Malware style

PEB

• Structure in userspace

• Used by operating system code in user space (ntdll, kernel32)

• Contains information about a running process

• CLI parameters, pointer to heap, image base address

• A pointer to PEB_LDR_DATA

Page 12: Process injection - Malware style

PEB_LDR_DATA

• Contains information about the loaded modules associated with the running process

• Has the anchor for a doubly linked list that contains each loaded module

• LDR_DATA_TABLE_ENTRY

Page 13: Process injection - Malware style

TIB

• Stores information about the current thread

• Can be obtained via the FS or GS registers

• Used to obtain information about the running thread

• Things like the SEH, stack base

• Access to the thread local storage array

Page 14: Process injection - Malware style

PEB,TIB - A short demo

Page 15: Process injection - Malware style

So…What does this mean?

• Different windows components need to interact with the process

• Windows APIs need to provide access to that information

Page 16: Process injection - Malware style

Process in memory

• There is something called virtual memory

• Maps (virtual) memory addresses onto physical addresses; the set of virtual addresses is the virtual memory address space

• A collection of contiguous segments

• Each process thinks.. It's all mine

Page 17: Process injection - Malware style
Page 18: Process injection - Malware style

Virtual memory - A short demo

Page 19: Process injection - Malware style

Virtual memory

• Mapping virtual memory addresses into physical addresses

• Base relocation: Fixing memory locations at load time.

• Relative virtual addresses or RVA

• They just make the job of the loader easier

• Three types of “addresses”

• Logical addresses: perspective of the running process

• Linear addresses: logical addresses after segment translation

• Physical addresses: linear addresses after page table translation

Page 20: Process injection - Malware style

Outline

• Windows processes: An introduction

• Dll Injection

• Process replacement

• Questions

Page 21: Process injection - Malware style

Injection.. Why?

• We would like to hide the fact that we are running code

• Makes deployment a lot easier

• Bypass certain security filters

Page 22: Process injection - Malware style

DLL Injection

• Force a different process to load a DLL at runtime

• Use the Windows API

• The OS automatically calls the DllMain function

• DLL inherits the same rights as the target process

• Everything the malicious code does will appear to come from the injected process

Page 23: Process injection - Malware style

DLL Injection - Why?

• Everything the malicious code does will appear to come from the injected process

• It inherits all the permissions of the process

• Read from that process virtual memory

Page 24: Process injection - Malware style
Page 25: Process injection - Malware style

DLL Injection - Demo

Page 26: Process injection - Malware style

DLL injection steps

• The loader obtains a handle to the victim process

• Most often uses CreateToolhelp32Snapshot, Process32First and Process32Next

• Obtain the Process ID

• Obtain the handle to the process

Page 27: Process injection - Malware style

DLL injection steps

• Make room to create a new thread

• Allocate enough memory in the victim's process for the DLL name

• Write only the name to the virtual memory of our victim

• Obtain a module handle to LoadLibraryA

Page 28: Process injection - Malware style

DLL injection steps

• CreateRemoteThread is used to open and execute a thread in the victim's process

• The CreateRemoteThread is passed three parameters

• hProcess - process handle

• lpStartAddress - starting point of the code for our new thread, in our case LoadLibraryA

• lpParameter - argument for the new thread

Page 29: Process injection - Malware style

DLL Injection - code constructs

Page 30: Process injection - Malware style

Outline

• Windows processes: An introduction

• Dll Injection

• Process replacement

• Questions

Page 31: Process injection - Malware style

Process replacement - Why?

• Disguise malware as a legit process

• Cannot crash the host process and risk being discovered

• Same permissions as the replaced process

Page 32: Process injection - Malware style

Process replacement

• Processes are just bytes in memory

• Overwrite the memory space of our victim process

• Disguises our code as a legitimate process

• Inherit all the permissions of the replaced process

Page 33: Process injection - Malware style

Process replacement - How would we do it?

• Create a process in a suspended state

• Replace all the code and memory in the process with our code

• Run the process

• Easy!

Page 34: Process injection - Malware style

Process replacement - A short demo

Page 35: Process injection - Malware style

What do we need?

• We need a different “process” to replace the existing one?

• A way to “stop” a legitimate process that is running?

• A lot of information on the legitimate process

• Ways to write into the virtual memory of a different process?

• A brain that works

Page 36: Process injection - Malware style

Windows resources

• A program contains “resources”

• Contains raw images, bitmaps and dialog boxes

• But it can contain what we want?

• Steganography? Anyone?

• Let's put a PE in it!

Page 37: Process injection - Malware style

Resource hacker - A short demo

Page 38: Process injection - Malware style

• Create a new process in a SUSPENDED_STATE

Page 39: Process injection - Malware style

Process replacement steps

• Obtain our PE file stored in the resource section

• Create a new Windows process in the suspended state

• Access the “thread context” of the suspended process's thread

• The EBX register of the newly created process contains a pointer to the PEB structure

Page 40: Process injection - Malware style

Process replacement steps

• The PEB structure contains a lot of information about the process, including the image base address.

• Using an “undocumented” API call, NtUnmapViewOfSection, we can remove the code from memory

• Windows Native System Services routine - use a function pointer to get to it.

Page 41: Process injection - Malware style

• We need to place our malicious PE file into memory

• Obtain the image base address and the size of our program

• Call VirtualAllocEx and pass it the handle of our suspended thread and set the permissions of the allocated memory to PAGE_EXECUTE_READWRITE

Page 42: Process injection - Malware style

• So far so good

• Start parsing the PE file to obtain pointers to the different sections

• SizeOfHeaders is at some offset in the PE header

• NumberOfSections is at some offset in the PE header

• Copy the PE header to the exact same place in the virtual address space of the suspended process

• Read the IMAGE_SECTION_HEADER and perform some pointer calculations

Page 43: Process injection - Malware style

• Keep going..

• Using the structures

• IMAGE_SECTION_HEADER.SizeOfRawData

• IMAGE_SECTION_HEADER.PointerToRawData

• IMAGE_SECTION_HEADER.VirtualAddress

• We perform pointer calculations to copy the data over

Page 44: Process injection - Malware style

Are we done yet?

• The Windows loader has done most of the work

• We need to tell the loader where it should jump to

• Patch the original program entry point with the one from our PE file

• After loading, lpContext->_eax contains our OEP

• Call SetThreadContext to update the thread context

• Start the suspended process

Page 45: Process injection - Malware style

Process replacement - code constructs

Page 46: Process injection - Malware style

Is this still the same process?

• How do you define a process?

• As far as Windows is concerned, it's what is loaded into memory

• Using the API to observe the process, it is the original process

Page 47: Process injection - Malware style

Can we detect this?

• We can monitor for a sequence of strange API calls?

• We can compare the code sections of the running process with the ones stored on the filesystem

• We can define rules on how a program should behave and compare
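As an added example (not code from the talk), the section pointer calculations from Pages 42-43 and the "compare code sections with the file on disk" check from Page 47 worked through in Python on a constructed PE32 sample: map_image lays the file out the way the loader would, and modified_sections diffs each section of a live image against the on-disk bytes. The sample PE and all function names are my own assumptions.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)

def build_sample_pe() -> bytes:
    """Constructed PE32 sample: 0x200 of headers, a .text and a .data section, no real code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> NT headers
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)  # 2 sections, PE32 opt hdr
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                  # ImageBase
    struct.pack_into("<I", opt, 56, 0x2200)                    # SizeOfImage
    struct.pack_into("<I", opt, 60, 0x200)                     # SizeOfHeaders
    secs = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos + b"PE\0\0" + file_hdr + opt + secs).ljust(0x200, b"\0")
    return headers + b"\x90" * 0x200 + b"data".ljust(0x200, b"\0")

def parse_sections(pe: bytes):
    """Walk the section table -> (SizeOfHeaders, [(name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)])."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]             # FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]        # FILE_HEADER.SizeOfOptionalHeader
    size_of_headers = struct.unpack_from("<I", pe, nt + 24 + 60)[0]
    table = nt + 24 + opt_size
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, pe, table + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
    return size_of_headers, secs

def map_image(pe: bytes) -> bytearray:
    """Pointer calculation from the replacement steps: headers at RVA 0, each section copied from PointerToRawData to its VirtualAddress."""
    size_of_headers, secs = parse_sections(pe)
    image = bytearray(max(va + max(vs, rs) for _, va, vs, _, rs in secs))
    image[:size_of_headers] = pe[:size_of_headers]
    for _, va, _, rptr, rsize in secs:
        image[va:va + rsize] = pe[rptr:rptr + rsize]
    return image

def modified_sections(pe_on_disk: bytes, image: bytes) -> list:
    """Detection check: which sections of the live image no longer match the file on disk."""
    return [name for name, va, _, rptr, rsize in parse_sections(pe_on_disk)[1]
            if bytes(image[va:va + rsize]) != pe_on_disk[rptr:rptr + rsize]]
```

On a real process the in-memory headers come from ReadProcessMemory at the image base recorded in the PEB, and a .text comparison has to allow for relocation fix-ups and import-address patching; a wholesale mismatch, as left behind by process replacement, still stands out clearly.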

Page 48: Process injection - Malware style

What other techniques do we have?

• Direct injection

• Local and remote hook injection

• Detour hijacking

• APC injection from user space and kernel space

• I’m sure there are many more.

Page 49: Process injection - Malware style

BSidesLV 2015

• Injection on Steroids: Code-less code injection and 0-day techniques..

• State-of-the-art

Page 50: Process injection - Malware style

(*(*FNPTR)(LPVOID,*char))

(QUESTIONS,”?”)

Page 51: Process injection - Malware style