Code Injection in Windows

Code Injection on Windows
RaashidBhat
Kashmir
Student Computer Security
2nd year BE
http://Twitter.com/raashidbhatt!

Agenda
Why Inject Code?
Ways to Inject Code
Questions?

Why inject Code?
Trivially bypass anti-virus software
To be stealthy
Malware makes the heavy use of injection
Stealing credentials (Post Form grabbers, HTML injection etc. .etc.)
Etc. etc.

Portable Executable(PE) Format
File format for Windows executable
Consists of Section having characteristics examples (.text, .bss,.data,.reloc , .debug)
Imports and Exports by EXE file are stored in idata and rdata sections
Texe 1.2 by Raashid Bhatt(PE Dumper) http://texe.codeplex.com
Briefly Documented in <winnt.h>

Code injection Technique #1
# PE File Infection

PE File Infection
Overwrite the .code section ( or any section convenient for infection )
Change the Entry Point of the Executable
Save the registers , ESP, EBP etc
Return to original EP by Either
Push EP ; Ret
Or JMP EP

The bad News?
Calling functions egLoadlibrary() , GetprocAddress() in kernel32.dll when ASLR(address space layout randomization) is enabled. (/Fixed:NO MSVC)
Sections .data,.bss are usually marked as writable and readable

Remedy
Use PEB(Process Environment Block) to find kernel32.dll address
PEB is located at FS[0x30]
Consists heaps, binary information and loaded module information.
Further Reading > The Last Stage of Delerium
Win32 Assembly Components.
http://www.lsd-pl.net/documents/winasm-1.0.1.pdf;

Non-Executable Sections
Sections .data,.bss.idata.edataetc are not executable as they are marked 0xC0000040 INITIALIZED_DATA|READ|WRITE
Change >>
PIMAGE_SECTION_HEADER-> Characteristics = IMAGE_SCN_CNT_CODE (documented in Winnt.h)

# IAT Hooking

IAT
IAT(import address table) holds information regarding the DLL to be loaded by a PE file
Functions are Linked either by a ordinal or by name.
Stored in .idatasection of PE file.
Define in struct _IMAGE_IMPORT_DESCRIPTOR <winnt.h>

IAT hooking
Used by botnets for Credential stealing (POST Form Grabbers, 0n-fly html Injection)
Can be achieved by changing the name of the Dll inside the import address table(IAT) table to proxy Dll
Activated when any function is called in org DLL

Proxy Dll(user32.dll)
dllmain(...)
int WINAPI MessageBoxA(...){
user32.ldd_MessageBoxA(...);
/* user code */
}.
Example for user32.dll proxy dll

# Runtime Code Injection

CreateRemoteThread
Windows has CreateRemoteThread() API
According to MSDN “The CreateRemoteThread function creates a thread that runs in the virtual address space of another process”
memory allocation in another process (possible) using VirtualAllocEx() API
Foreign process memory read and write using WriteProcessMemory() & ReadProcessMemory()

1: DLL Loading
DLL’s can be loaded in another process using CreateRemoteThread
. Steps:
1: Allocate memory for the DLL name in the remote target process
2:Write the DLL name, including full path, to the allocated memory.
3:Mapping our DLL to the remote process via CreateRemoteThread & LoadLibrary

pLibRemote= VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE );
bWriteCheck= WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL );
hThread = CreateRemoteThread( hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"LoadLibraryA"),pLibRemote,NULL, NULL);
Equivalent to LoadlibraryA(“Dll name”);

2:In memory Execution
First Documented as “Reflective DLL Injection By Stephen Fewer” Harmony Security
Implemented in MetasploitPlayload
Involves Writing a Exe or dll file in the memory and executing from within
Stealthy Execution

2:In memory Execution Implementing a minimal Portable Executable (PE) file loader.
1: Allocate Memory and Copy the file to memory
2:Parse the Import Address table of PE File and Perform Fixups
3:calculate the new base and Perform relocation (IMPORTANT)
4:JUMP to Entry point of The PE File

Image Relocations
Certain hardcoded addresses need to be fixed
Int x; int *p = &x;(hardcoded into p)
PE file Stores Relocation Entries in .reloc section
.reloc section stores offsets to the addresses to be fixed

Example of .reloc section
0x0001 --- DD (pointer) 0x0013 >>
0x0010 --- 0xdeadbeef
..reloc section
RELOC TYPE (4BITS) OFFSET(12bits) RVA

Thanks
Questions?

Code Injection in Windows

by n|u - The Open Security Community on Sep 21, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 409

Statistics

Code Injection in Windows — Presentation Transcript