Upload
sander-demeester
View
698
Download
0
Tags:
Embed Size (px)
Citation preview
Process Injection Malware style
Who am I
• Security Researcher
• PwC: Consultant
• Former student UGent
• {@ -F-G}/SanderDemeester
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
Windows PE• It’s a file format!
• It contains information about the executable
• It’s THE windows format for all executables
• DLL
• EXE
• SYS
• Imports - Functions from other libraries
• Exports - Functions that should be called
• NT Headers - used by windows loader
• Sections - .text, .rdata, .data,…
• Relocations - Preferred base address
• Resources - Strings, icons, …
• Much more..
PE - A short demo
What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - Conceptually, an execution unit inside the process
Process as a structure
• Fine.. A process is a thing that runs in the system..
• The OS uses different kernel structures to manage those processes
• Remember, a process believes it has the whole adres space to It’s self..
EPROCESS• Executive component of
windows kernel
• It's a process object for a process
• Kernel use: IO transfer, handle virtual memory
• Drivers: PsGetCurrentProcess()
PEB• Structure in userspace
• Used by operating system code in user-space (ntdll,kernel32)
• Contains information about a running process
• CLI parameters, pointer to heap,image base address
• A pointer to PEB_LDR_DATA
PEB_LDR_DATA• Contains information about
the loaded modules associated with the running process
• Has the anchor for a doubly linked list that contains each loaded module
• LDR_DATA_TABLE_ENTRY
TIB• Stores information about the
current thread
• Can be obtained via the FS or GS registers
• Used to obtain information about the running thread
• Things like the SEH, stack base
• Access to the thread local storage array
PEB,TIB - A short demo
So…What does this mean?
• Different windows components need to interact with the process
• Windows API’s need to provide access to that information
Process in memory
• There is something called virtual memory
• Maps memory addresses into physical addresses, the virtual memory address space
• A collection of contiguous segments
• Each process thinks.. It's all mine
Virtual memory - A short demo
Virtual memory• Mapping virtual memory addresses into physical addresses
• Base relocation: Fixing memory locations at load time.
• Relative virtual addresses or RVA
• Just made the job of the loader easier
• Three types of “addresses”
• Logical addresses: perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
Injection.. Why?
• We would like to hide the fact that we are running code
• Makes deployment a lot easier
• Bypass certain security filters
DLL Injection• Force a different process to load a DLL at runtime
• Use the windows API
• The OS automatically calls the DLLMain function
• DLL inherits the same rights as the target process
• Everything the malicious code does will appear to come from the injected process
DLL Injection - Why?
• Everything the malicious code does will appear to come from the injected process
• It inherits all the permissions of the process
• Read from that process virtual memory
DLL Injection - Demo
DLL injection steps
• The loader obtains a handle to the victim process
• Most often uses CreateToolhelp32snapshot, Process32First and Process32Next
• Obtain the Process ID
• Obtain the handle to the process
DLL injection steps• Make room to create a new thread
• Allocate enough memory in the victims process for the DLL name
• Write only the name to the virtual memory of our victim
• Obtain a module handle to LoadLibraryA
DLL injection steps• The CreateRemoteThread is used to open and execute
a thread in the victims process
• The CreateRemoteThread is passed three parameters
• hProcess - process handle
• lpStartAddress - starting point of the code for our new thread, in our case. LoadLibraryA
• lpParameter - argument for the new thread
DLL Injection - code constructs
Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions
Process replacement - Why?
• Disguise malware as a legit process
• Can not crash the host process and risk being discovered
• Same permissions as the replaced process
Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process
Process replacement - How would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process with our code
• Run the process
• Easy!
Process replacement -A short demo
What do we need?• We need a different “process” to replace the existing
one?
• A way to “stop” a legitimate process that is running?
• A lot of information on the legitimate process
• Ways to write into the virtual memory of a different process?
• A brain that works
Windows resources• A program contains “resources”
• Contains raw images, bitmaps and dialog boxes
• But it can contain what we want?
• Steganography? Anyone?
• Lets put a PE in it!
Resource hacker - A short demo
• Create a new process in a SUSPENDED_STATE
Process replacement steps
• Obtain our PE file stored in the resource section
• Create a new windows process in the suspended state
• Access the “thread context” of the suspended progress thread.
• The EBX register of newly created process contains a pointer to the PEB structure
Process replacement steps• The PEB structure contains a lot of information
about the process, including the image base address.
• Using an “undocumented" API call NtUnmapViewOfSection we can remove the code from memory
• Windows Native System Services routine - use a function pointer to get to it.
• We need to place our malicious PE file into memory
• Obtain the image base address and the size of our program
• Call VirtualAllocEx and pass it the handle of our suspended thread and set the permissions of the allocated memory to PAGE_EXECUTE_READWRITE
• So far so good
• Start parsing the PE file to obtain pointers to the different section
• SizeOfHeaders is at some offset in the PE header
• NumberOfSections is at some offset in the PE header
• Copy the PE header to the exact same place in the virtual adres space as the suspended process
• Read the IMAGE_HEADER_SECTION and perform some pointer calculations
• Keep going..
• Using the structures
• IMAGE_SECTION_HEADERS.SizeOfRawData
• IMAGE_SECTION_HEADERS.PointerToRawData
• IMAGE_SECTION_HEADER.VirtualAddress
• We perform pointer calculations to copy the data over
Are we done yet?• The windows loader has done most of the work
• We need to tell the loader where it should jump to
• Patch the original program entry point with the one from our PE file
• After loading, lpContext->_eax contains our OEP
• Call SetThreadContext to update the thread context
• Start of suspended process
Process replacement - code constructs
Is this still the same process?
• How do you define a process?
• As far as windows is concerned, it’s what It's loaded into memory
• Using the API to observe the process, it is the original process
Can we detect this?
• We can monitor for a sequence of strange API calls?
• We can compare the code sections of the running process with the ones stored on the filesystem
• We can define rules on how a program should behave and compare
What other techniques do we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.
BSidesLV 2015
• Injection on Steroids: Code-less code injection and 0-day techniques..
• State-of-the-art
(*(*FNPTR)(LPVOID,*char))
(QUESTIONS,”?”)