Code Injection in Windows

Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011

Presentation Transcript

  • Code Injection on Windows
    Student Computer Security
    2nd year BE!
  • Agenda
    Why Inject Code?
    Ways to Inject Code
  • Why inject Code?
    Trivially bypass anti-virus software
    To be stealthy
    Malware makes heavy use of injection
    Stealing credentials (POST form grabbers, HTML injection, etc.)
    Etc. etc.
  • Portable Executable (PE) Format
    File format for Windows executables
    Consists of sections, each with its own characteristics; examples: .text, .bss, .data, .reloc, .debug
    Imports and exports of an EXE file are stored in the .idata and .rdata sections
    Texe 1.2 by Raashid Bhat (PE dumper)
    Briefly documented in <winnt.h>
  • Code Injection Technique #1
    # PE File Infection
  • PE File Infection
    Overwrite the .code section (or any section convenient for infection)
    Change the entry point of the executable
    Save the registers (ESP, EBP, etc.)
    Return to the original entry point (EP) by either
    PUSH EP ; RET
    or JMP EP
  • The bad news?
    Calling functions such as LoadLibrary() and GetProcAddress() in kernel32.dll is a problem when ASLR (address space layout randomization) is enabled (/FIXED:NO in MSVC): kernel32.dll is no longer at a fixed address
    Sections .data and .bss are usually marked writable and readable
  • Remedy
    Use the PEB (Process Environment Block) to find the kernel32.dll address
    The PEB is located at FS:[0x30]
    It contains the heaps, binary information and loaded-module information
    Further reading: The Last Stage of Delirium, "Win32 Assembly Components"
  • Non-Executable Sections
    Sections such as .data, .bss, .idata and .edata are not executable, as they are marked 0xC0000040 (INITIALIZED_DATA | READ | WRITE)
    Change:
    PIMAGE_SECTION_HEADER->Characteristics = IMAGE_SCN_CNT_CODE (documented in winnt.h)
  • Code Injection Technique #2
    # IAT Hooking
  • IAT
    The IAT (import address table) holds information about the DLLs to be loaded by a PE file
    Functions are linked either by ordinal or by name
    Stored in the .idata section of the PE file
    Defined in struct _IMAGE_IMPORT_DESCRIPTOR in <winnt.h>
  • IAT hooking
    Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)
    Can be achieved by changing the name of the DLL inside the import address table (IAT) to a proxy DLL
    Activated whenever any function of the original DLL is called
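The structures named on the PE format, non-executable sections and IAT slides can be inspected from the defender's side. The following Python script is an added example, not part of the slides: it builds two constructed minimal PE32 images, parses their section tables and import descriptors using the winnt.h layouts, and reports the traces technique #1 (entry point moved into a data section that was made executable) and technique #2 (an import DLL name redirected to a proxy) leave behind. The section names, the "proxy_user32.dll" path and the baseline import set are invented for the demo.

```python
import struct
from collections import namedtuple

# IMAGE_SECTION_HEADER.Characteristics flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000
Section = namedtuple("Section", "name rva size raw_off flags")


def build_sample_pe(section_flags, entry_rva, dll_names):
    """Constructed minimal PE32 image for the demo (not a real binary).
    Sections .text/.data/.idata at RVA 0x1000/0x2000/0x3000; .idata holds one
    IMAGE_IMPORT_DESCRIPTOR per DLL name, a zero terminator, then the name strings."""
    names = [".text", ".data", ".idata"]
    idata_rva = 3 * SECT_ALIGN
    strings, descs = b"", b""
    for dll in dll_names:
        name_rva = idata_rva + 20 * (len(dll_names) + 1) + len(strings)
        strings += dll.encode() + b"\0"
        descs += struct.pack("<IIIII", 0, 0, 0, name_rva, 0)   # Name = RVA of the string
    idata = descs + b"\0" * 20 + strings
    payloads = [b"\xC3" * 16, b"\0" * 16, idata]                # .text = RETs, .data = zeros
    sect_hdrs, body = b"", b""
    for i, (name, data) in enumerate(zip(names, payloads)):
        raw_size = (len(data) + FILE_ALIGN - 1) // FILE_ALIGN * FILE_ALIGN
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), (i + 1) * SECT_ALIGN,
                                 raw_size, FILE_ALIGN + len(body), 0, 0, 0, 0, section_flags[name])
        body += data.ljust(raw_size, b"\0")
    opt = bytearray(224)                                        # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, SECT_ALIGN, FILE_ALIGN)  # ImageBase, alignments
    struct.pack_into("<II", opt, 56, 4 * SECT_ALIGN, FILE_ALIGN)         # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, idata_rva, len(idata))    # DataDirectory[1] = import table
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, len(opt), 0x102)
    dos_hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    headers = dos_hdr + b"PE\0\0" + file_hdr + bytes(opt) + sect_hdrs
    return headers.ljust(FILE_ALIGN, b"\0") + body


def parse_pe(data):
    """Read the section table and walk the import descriptors.
    Returns (entry_rva, [Section], [imported DLL names])."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append(Section(f[0].rstrip(b"\0").decode(), f[2], max(f[1], f[3]), f[4], f[9]))
        off += 40

    def rva_to_off(rva):
        for s in sections:
            if s.rva <= rva < s.rva + s.size:
                return s.raw_off + rva - s.rva
        raise ValueError("RVA %#x is outside every section" % rva)

    dlls, off = [], rva_to_off(import_rva)
    while True:
        name_rva = struct.unpack_from("<IIIII", data, off)[3]
        if name_rva == 0:                                       # zero descriptor ends the list
            break
        start = rva_to_off(name_rva)
        dlls.append(data[start:data.index(b"\0", start)].decode())
        off += 20
    return entry_rva, sections, dlls


def audit_pe(data, expected_imports):
    """Findings a defender acts on: a section that is both writable and executable,
    an entry point inside a data section (technique #1 plus its 'remedy'), and an
    import DLL name outside the baseline or carrying a path (technique #2's proxy DLL)."""
    entry_rva, sections, dlls = parse_pe(data)
    findings = []
    for s in sections:
        if s.flags & IMAGE_SCN_MEM_WRITE and s.flags & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE):
            findings.append("section %s is writable and executable" % s.name)
        if s.rva <= entry_rva < s.rva + s.size and s.flags & IMAGE_SCN_CNT_INITIALIZED_DATA:
            findings.append("entry point %#x lies in data section %s" % (entry_rva, s.name))
    for dll in dlls:
        if dll.lower() not in expected_imports or "\\" in dll or "/" in dll:
            findings.append("unexpected import DLL %r" % dll)
    return findings


CLEAN_FLAGS = {
    ".text": IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
    ".data": IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,  # 0xC0000040
    ".idata": IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ,
}
TAMPERED_FLAGS = {**CLEAN_FLAGS, ".data": CLEAN_FLAGS[".data"] | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE}
BASELINE_IMPORTS = {"kernel32.dll", "user32.dll"}                # invented baseline for the demo
CLEAN_PE = build_sample_pe(CLEAN_FLAGS, 0x1000, ["kernel32.dll", "user32.dll"])
# entry point moved into .data, .data made executable, user32.dll import redirected (all constructed)
TAMPERED_PE = build_sample_pe(TAMPERED_FLAGS, 0x2000, ["kernel32.dll", "C:\\Temp\\proxy_user32.dll"])

if __name__ == "__main__":
    for label, pe in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(label, audit_pe(pe, BASELINE_IMPORTS) or ["no findings"])
```

The same three checks apply to real files: feed the bytes of an on-disk executable to audit_pe with the import list you expect for that program, and any W+X section, entry point in a data section or unknown import DLL is worth a closer look.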
  • Proxy DLL (user32.dll)
    #include <windows.h>
    /* same name and signature as the real user32!MessageBoxA */
    int WINAPI MessageBoxA(HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
        /* user code */
        return 0;
    }
    Example for a user32.dll proxy DLL
  • Code Injection Technique #3
    # Runtime Code Injection
  • CreateRemoteThread
    Windows has the CreateRemoteThread() API
    According to MSDN: “The CreateRemoteThread function creates a thread that runs in the virtual address space of another process”
    Memory allocation in another process is possible using the VirtualAllocEx() API
    A foreign process's memory can be read and written using ReadProcessMemory() and WriteProcessMemory()
  • 1: DLL Loading
    DLLs can be loaded into another process using CreateRemoteThread. Steps:
    1: Allocate memory for the DLL name in the remote target process
    2: Write the DLL name, including the full path, to the allocated memory
    3: Map our DLL into the remote process via CreateRemoteThread and LoadLibrary
  • Allocate, write, and start the remote thread (hProc, hKernel32 and szDllPath are obtained beforehand):
    LPVOID pLibRemote; BOOL bWriteCheck; HANDLE hThread;
    /* 1: allocate room for the DLL path in the target process */
    pLibRemote = VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE);
    /* 2: copy the path (szDllPath is a char array, so sizeof() includes the NUL) */
    bWriteCheck = WriteProcessMemory(hProc, pLibRemote, (void *)szDllPath, sizeof(szDllPath), NULL);
    /* 3: run kernel32!LoadLibraryA in the target with the path as its argument */
    hThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"), pLibRemote, 0, NULL);
    Equivalent to LoadLibraryA("Dll name");
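From the detection side, the sequence above leaves a characteristic trace: a thread created in another process whose start address resolves to kernel32!LoadLibraryA. Sysmon records such threads as Event ID 8 (CreateRemoteThread) with StartModule and StartFunction fields. The following Python triage function is an added example, not from the slides; the event records are constructed in a simplified key=value rendering rather than the real Sysmon XML, and every process name, path and address in them is invented. It also flags the in-memory variant described on the following slides, where the thread starts in memory that no module on disk backs (empty StartModule).

```python
import re

# Exports whose use as a remote-thread start routine is the textbook
# "CreateRemoteThread + LoadLibrary" injection.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample records in a simplified key=value rendering of Sysmon
# Event ID 8 (CreateRemoteThread). Only the field names come from the real
# schema; every path, process name and address is invented for the demo.
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Users\\demo\\injector.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x77A3F2C0 StartModule=C:\\Windows\\System32\\kernel32.dll StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Users\\demo\\dropper.exe TargetImage=C:\\Windows\\explorer.exe "
    "StartAddress=0x00A30000 StartModule= StartFunction=",
    "EventID=8 SourceImage=C:\\Tools\\dbg.exe TargetImage=C:\\Users\\demo\\app.exe "
    "StartAddress=0x77B0A1D0 StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=DbgUiRemoteBreakin",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe",   # a different event type, ignored
]


def parse_event(line):
    """One 'key=value key=value' record -> dict (values contain no spaces here)."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def basename(path):
    return path.rsplit("\\", 1)[-1] or "?"


def classify(event):
    """Verdict and reason for a single record."""
    if event.get("EventID") != "8":
        return "ignore", "not a CreateRemoteThread event"
    func, module = event.get("StartFunction", ""), event.get("StartModule", "")
    if func in LOADLIBRARY_EXPORTS:
        return "alert", "remote thread starts at %s!%s: DLL injection" % (basename(module), func)
    if module == "":
        return "alert", "start address is not backed by any module on disk: in-memory execution"
    # e.g. a debugger breaking into a process starts a remote thread at ntdll!DbgUiRemoteBreakin
    return "info", "remote thread starts at %s!%s" % (basename(module), func)


def triage(lines):
    """Return (source, target, verdict, reason) per record, in input order."""
    results = []
    for line in lines:
        ev = parse_event(line)
        verdict, reason = classify(ev)
        results.append((ev.get("SourceImage", "-"), ev.get("TargetImage", "-"), verdict, reason))
    return results


if __name__ == "__main__":
    for src, dst, verdict, reason in triage(SAMPLE_EVENTS):
        print("%-6s %s -> %s: %s" % (verdict.upper(), src, dst, reason))
```

The "info" branch exists because CreateRemoteThread is not malicious by itself; the start routine and the module backing it are what separate the injection pattern from legitimate uses.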
  • 2: In-memory Execution
    First documented as “Reflective DLL Injection” by Stephen Fewer, Harmony Security
    Implemented in the Metasploit payload
    Involves writing an EXE or DLL file into memory and executing it from there
    Stealthy execution
  • 2: In-memory Execution: implementing a minimal Portable Executable (PE) file loader
    1: Allocate memory and copy the file into it
    2: Parse the import address table of the PE file and perform the fixups
    3: Calculate the new base and perform relocation (IMPORTANT)
    4: Jump to the entry point of the PE file
  • Image Relocations
    Certain hardcoded addresses need to be fixed
    int x; int *p = &x; (the address of x is hardcoded into p)
    The PE file stores relocation entries in the .reloc section
    The .reloc section stores the offsets of the addresses to be fixed
  • Example of .reloc section
    0x0001 --- DD (pointer) 0x0013 >>
    0x0010 --- 0xdeadbeef
    0x0011 --- 0xdeadbeef
    0x0013 --- 0xdeadbeef
    .reloc section
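The .reloc format behind that example, and step 3 of the minimal loader slide above ("calculate the new base and perform relocation"), as an added Python example that is not from the slides: it packs a constructed IMAGE_BASE_RELOCATION block (page RVA, block size, then 16-bit entries with the relocation type in the top 4 bits and the offset within the page in the low 12), parses it back, and rewrites each IMAGE_REL_BASED_HIGHLOW pointer by the difference between the preferred and the actual base, which is exactly what the OS loader does when an image cannot be mapped at its preferred base. The image bytes, bases and offsets are invented; a DWORD that the table does not list is left untouched, which is the check that the parser reads the right entries.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, nothing to patch
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit absolute address: add the whole delta


def build_reloc_block(page_rva, offsets):
    """Constructed IMAGE_BASE_RELOCATION block in the winnt.h layout:
    VirtualAddress (page RVA), SizeOfBlock, then one WORD per fix-up with the
    type in bits 12-15 and the page offset in bits 0-11; the list is padded
    with an ABSOLUTE entry so the block size stays DWORD-aligned."""
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in offsets]
    if len(entries) % 2:
        entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
    header = struct.pack("<II", page_rva, 8 + 2 * len(entries))
    return header + struct.pack("<%dH" % len(entries), *entries)


def parse_relocs(reloc):
    """Yield (rva, type) for every entry in a .reloc section (a run of blocks)."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8:
            break
        for (entry,) in struct.iter_unpack("<H", reloc[pos + 8:pos + size]):
            yield page_rva + (entry & 0xFFF), entry >> 12
        pos += size


def read_dword(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


def apply_relocations(image, reloc, preferred_base, actual_base):
    """Rebase a mapped image in place: every HIGHLOW entry gets
    (actual_base - preferred_base) added. Returns the RVAs that were patched."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    patched = []
    for rva, kind in parse_relocs(reloc):
        if kind == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if kind != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("relocation type %d not handled here" % kind)
        struct.pack_into("<I", image, rva, (read_dword(image, rva) + delta) & 0xFFFFFFFF)
        patched.append(rva)
    return patched


def demo(actual_base=0x600000):
    """Constructed 32-byte image linked for base 0x400000: the DWORDs at RVA
    0x04 and 0x10 hold absolute addresses inside the image (like the slide's
    'DD (pointer)' entry); the DWORD at 0x08 is plain data that must not change."""
    preferred_base = 0x400000
    image = bytearray(0x20)
    struct.pack_into("<I", image, 0x04, preferred_base + 0x13)
    struct.pack_into("<I", image, 0x08, 0xDEADBEEF)
    struct.pack_into("<I", image, 0x10, preferred_base + 0x20)
    reloc = build_reloc_block(0x0, [0x04, 0x10])       # both pointers live in page 0
    patched = apply_relocations(image, reloc, preferred_base, actual_base)
    return patched, {rva: read_dword(image, rva) for rva in (0x04, 0x08, 0x10)}


if __name__ == "__main__":
    patched, values = demo()
    print("patched RVAs:", [hex(r) for r in patched])
    for rva, value in values.items():
        print("  %#06x -> %#010x" % (rva, value))
```

Real .reloc sections are a sequence of such blocks, one per 4 KiB page that contains pointers, and 64-bit images use IMAGE_REL_BASED_DIR64 entries with 8-byte targets; the parser above handles the block chaining and refuses types it does not know rather than guessing.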
  • Thanks