Code Injection in Windows


Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011

Published in: Technology, Education

  1. Code Injection on Windows
     Raashid Bhat, Kashmir
     Student, computer security; 2nd year BE

  2. Agenda
     Why inject code?
     Ways to inject code
     Questions?

  3. Why inject code?
     Trivially bypass anti-virus software
     To be stealthy
     Malware makes heavy use of injection
     Stealing credentials (POST form grabbers, HTML injection, etc.)

  4. Portable Executable (PE) format
     File format for Windows executables
     Consists of sections, each with its own characteristics, e.g. .text, .bss, .data, .reloc, .debug
     The imports and exports of an EXE are stored in the .idata and .edata sections (MSVC commonly merges both into .rdata)
     Texe 1.2 by Raashid Bhat (PE dumper)
     Briefly documented in <winnt.h>
  5. Code injection technique #1: PE file infection

  6. PE file infection
     Overwrite the .text section (or any other section convenient for infection) with the injected code
     Change the entry point (AddressOfEntryPoint in the optional header) of the executable to the injected code
     Save the registers (ESP, EBP, etc.) on entry and restore them before handing control back, so the host program sees its original state
     Return to the original entry point with either
       push EP ; ret
     or
       jmp EP

  7. The bad news?
     Calling functions such as LoadLibrary() and GetProcAddress() in kernel32.dll (needed to reach any other API) cannot rely on hardcoded addresses once ASLR (address space layout randomization) is enabled, i.e. on Vista and later; MSVC opts an image into ASLR with /DYNAMICBASE, and /FIXED:NO keeps the relocation data that ASLR needs
     Sections .data and .bss are usually marked readable and writable, but not executable

  8. Remedy
     Use the PEB (Process Environment Block) to find the base address of kernel32.dll at run time
     On 32-bit Windows the PEB is located at FS:[0x30]
     It holds the process heaps, binary information and the loader's list of loaded modules (PEB->Ldr), each entry of which records a module's name and DllBase
     Further reading: The Last Stage of Delirium, "Win32 Assembly Components"

  9. Non-executable sections
     Sections .data, .bss, .idata, .edata etc. are not executable because their Characteristics are 0xC0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
     Change: OR IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE into PIMAGE_SECTION_HEADER->Characteristics (all documented in winnt.h); the loader derives page protection from the IMAGE_SCN_MEM_* bits, so with DEP enabled, setting IMAGE_SCN_CNT_CODE alone does not make the section executable
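A worked example for slides 6 and 9, added here as an editor's illustration (it is not the author's Texe tool nor any code from the talk): a small Python parser that reads the PE section table, reports which sections the loader will map executable, flips a data section to code with IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE, and redirects AddressOfEntryPoint the way an infector does, handing back the original entry RVA that the injected stub would push/jmp to. It runs on a constructed two-section PE32 header built by build_sample_pe(), so no real binary is needed; the stub that would live in the patched section is not shown. Pass the bytes of a real EXE to sections() to dump its table.

```python
import struct

# Section characteristic bits from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER (40 bytes)
SECTION_SIZE = struct.calcsize(SECTION_FMT)
OPT_ENTRY_POINT = 16                    # AddressOfEntryPoint offset inside IMAGE_OPTIONAL_HEADER

def nt_headers_offset(pe):
    """Locate IMAGE_NT_HEADERS via e_lfanew and validate both signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew

def section_table(pe):
    """Return (offset of first IMAGE_SECTION_HEADER, NumberOfSections)."""
    nt = nt_headers_offset(pe)
    num_sections, = struct.unpack_from("<H", pe, nt + 6)     # IMAGE_FILE_HEADER.NumberOfSections
    size_opt, = struct.unpack_from("<H", pe, nt + 20)        # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    return nt + 24 + size_opt, num_sections

def sections(pe):
    """Parse the section table into dicts; 'executable' is what the loader will honour."""
    off, n = section_table(pe)
    out = []
    for i in range(n):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_FMT, pe, off + i * SECTION_SIZE)
        out.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                    "raw": rawptr, "rawsize": rawsize, "chars": chars,
                    "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return out

def make_executable(pe, name):
    """Return a copy of pe with CNT_CODE|MEM_EXECUTE OR'ed into the named section's Characteristics."""
    buf = bytearray(pe)
    off, n = section_table(pe)
    for i in range(n):
        hdr = off + i * SECTION_SIZE
        if buf[hdr:hdr + 8].rstrip(b"\0") == name.encode():
            chars, = struct.unpack_from("<I", buf, hdr + 36)   # Characteristics is the last DWORD
            struct.pack_into("<I", buf, hdr + 36, chars | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
            return bytes(buf)
    raise KeyError(name)

def set_entry_point(pe, new_rva):
    """Redirect AddressOfEntryPoint to new_rva; returns (patched image, original entry RVA)
    so the injected stub knows where to push/jmp back to."""
    buf = bytearray(pe)
    opt = nt_headers_offset(pe) + 24
    old_ep, = struct.unpack_from("<I", buf, opt + OPT_ENTRY_POINT)
    struct.pack_into("<I", buf, opt + OPT_ENTRY_POINT, new_rva)
    return bytes(buf), old_ep

def build_sample_pe():
    """Constructed PE32 header only (no code): .text R+X at RVA 0x1000, .data R+W at RVA 0x2000, EP 0x1000."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # i386, 2 sections, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, OPT_ENTRY_POINT, 0x1000)
    struct.pack_into("<I", opt, 28, 0x00400000)                          # ImageBase
    text = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x400, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
    data = struct.pack(SECTION_FMT, b".data", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + text + data

if __name__ == "__main__":
    pe = build_sample_pe()
    for s in sections(pe):
        print(f"{s['name']:8} RVA {s['va']:#07x} chars {s['chars']:#010x} exec={s['executable']}")
    # the infector's two header edits: make .data executable, then point the EP at it
    infected, old_ep = set_entry_point(make_executable(pe, ".data"), 0x2000)
    print(f"entry point {old_ep:#x} -> 0x2000; .data now exec={sections(infected)[1]['executable']}")
```

On a real target the same two edits are what an AV scanner looks for first: an entry point outside .text, or a writable section that is also executable, so the "trivial" bypass of slide 3 is trivial only against signature-based scanning.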
  10. Code injection technique #2: IAT hooking

  11. IAT
      The import directory (an array of IMAGE_IMPORT_DESCRIPTOR) names the DLLs a PE file needs and, for each, the functions it imports; the import address table (IAT) is the array of pointers that the loader fills in with those functions' resolved addresses
      Functions are linked either by ordinal or by name
      Stored in the .idata section of the PE file
      Defined in struct _IMAGE_IMPORT_DESCRIPTOR, <winnt.h>

  12. IAT hooking
      Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)
      Can be achieved by replacing a DLL's name in the import directory with the name of a proxy DLL (DLL proxying), or, at run time, by overwriting a function's IAT slot with the address of a hook
      Activated whenever the program calls any function of the original DLL
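As an added illustration of slides 11 and 12 (editor's example, not code from the talk): a Python walk over the import directory of a mapped PE32 image, followed by a model of what the loader does (fill each IAT slot with a resolved address) and what an IAT hook does (swap one slot for the hook's address and keep the original pointer to forward to). The image is a constructed buffer from build_sample_image() in which RVA equals buffer offset, as in a mapped image; the DLL names and imported functions come from the slides, while the "resolved" addresses, the hook address and the kernel32 ordinal 7 are made-up values.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000      # high bit set => thunk holds an ordinal, not an RVA
DESC_FMT = "<IIIII"                    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC_SIZE = struct.calcsize(DESC_FMT)

def read_ptr(image, rva):
    """Read one 32-bit IAT slot."""
    return struct.unpack_from("<I", image, rva)[0]

def cstr(image, rva):
    return bytes(image[rva:image.index(b"\0", rva)]).decode()

def parse_imports(image, import_dir_rva):
    """Walk the import directory of a mapped PE32 image (RVA == buffer offset).
    Returns [{'dll': name, 'entries': [(function name or ordinal, RVA of its IAT slot), ...]}, ...]."""
    result, rva = [], import_dir_rva
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from(DESC_FMT, image, rva)
        if name_rva == 0 and ft == 0:            # all-zero descriptor terminates the array
            break
        ilt = oft or ft                          # no OriginalFirstThunk: names are only in the IAT, readable before the loader binds it
        entries, i = [], 0
        while True:
            thunk, = struct.unpack_from("<I", image, ilt + 4 * i)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:
                ident = thunk & 0xFFFF           # import by ordinal
            else:
                ident = cstr(image, thunk + 2)   # import by name: skip IMAGE_IMPORT_BY_NAME.Hint (WORD), read .Name
            entries.append((ident, ft + 4 * i))
            i += 1
        result.append({"dll": cstr(image, name_rva), "entries": entries})
        rva += DESC_SIZE
    return result

def bind_imports(image, import_dir_rva, resolver):
    """Model the loader: store resolver(dll, ident) into every IAT slot."""
    for d in parse_imports(image, import_dir_rva):
        for ident, slot in d["entries"]:
            struct.pack_into("<I", image, slot, resolver(d["dll"], ident))

def hook_iat(image, import_dir_rva, dll, ident, hook_addr):
    """IAT hook: overwrite one resolved slot with hook_addr; returns the original pointer
    so the hook can forward to it after its own 'user code' has run."""
    for d in parse_imports(image, import_dir_rva):
        if d["dll"].lower() != dll.lower():
            continue
        for name, slot in d["entries"]:
            if name == ident:
                old = read_ptr(image, slot)
                struct.pack_into("<I", image, slot, hook_addr)
                return old
    raise KeyError(f"{dll}!{ident}")

def build_sample_image():
    """Constructed mapped-image fragment: import directory at RVA 0x1000 for user32.dll and kernel32.dll.
    Only the import-related bytes are filled in; everything else is zero."""
    img = bytearray(0x2000)
    def put(rva, data):
        img[rva:rva + len(data)] = data
    put(0x1200, struct.pack("<H", 0) + b"MessageBoxA\0")     # IMAGE_IMPORT_BY_NAME: Hint, Name
    put(0x1210, struct.pack("<H", 0) + b"LoadLibraryA\0")
    put(0x1300, b"user32.dll\0")
    put(0x1310, b"kernel32.dll\0")
    put(0x1100, struct.pack("<II", 0x1200, 0))               # user32 ILT (OriginalFirstThunk)
    put(0x1110, struct.pack("<II", 0x1200, 0))               # user32 IAT (FirstThunk), mirrors the ILT on disk
    put(0x1120, struct.pack("<III", 0x1210, IMAGE_ORDINAL_FLAG32 | 7, 0))   # kernel32 ILT; ordinal 7 is a made-up value
    put(0x1130, struct.pack("<III", 0x1210, IMAGE_ORDINAL_FLAG32 | 7, 0))   # kernel32 IAT
    put(0x1000, struct.pack(DESC_FMT, 0x1100, 0, 0, 0x1300, 0x1110)
              + struct.pack(DESC_FMT, 0x1120, 0, 0, 0x1310, 0x1130)
              + bytes(DESC_SIZE))                           # null terminator
    return img

# Made-up "resolved" addresses standing in for GetProcAddress results
FAKE_EXPORTS = {("user32.dll", "MessageBoxA"): 0x77D5050B,
                ("kernel32.dll", "LoadLibraryA"): 0x7C801D7B,
                ("kernel32.dll", 7): 0x7C80AAAA}

if __name__ == "__main__":
    img = build_sample_image()
    for d in parse_imports(img, 0x1000):
        print(d["dll"], [(name, hex(slot)) for name, slot in d["entries"]])
    bind_imports(img, 0x1000, lambda dll, ident: FAKE_EXPORTS[(dll, ident)])
    original = hook_iat(img, 0x1000, "user32.dll", "MessageBoxA", 0x00401000)   # hook address is made up
    print(f"MessageBoxA slot: {original:#x} -> {read_ptr(img, 0x1110):#x}")
```

In a live process the IAT lives in a read-only page after the loader has bound it, so a hook first changes the page protection (VirtualProtect) and the slot it overwrites is exactly what a defender compares against the DLL's export table to spot the hook.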
  13. Proxy DLL (for user32.dll)
      Example of a user32.dll proxy DLL: the proxy exports the same name the program imports, runs its own code, then forwards to the real function

        #include <windows.h>
        static int (WINAPI *pReal_MessageBoxA)(HWND, LPCSTR, LPCSTR, UINT);
        BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
        {
            if (reason == DLL_PROCESS_ATTACH)   /* resolve the real export once */
                pReal_MessageBoxA = (void *)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
            return TRUE;
        }
        __declspec(dllexport) int WINAPI MessageBoxA(HWND hwnd, LPCSTR text, LPCSTR caption, UINT type)
        {
            /* user code: inspect or modify the arguments here */
            return pReal_MessageBoxA(hwnd, text, caption, type);
        }
  14. Code injection technique #3: runtime code injection

  15. CreateRemoteThread
      Windows has the CreateRemoteThread() API
      According to MSDN, "The CreateRemoteThread function creates a thread that runs in the virtual address space of another process"
      Memory in another process can be allocated with the VirtualAllocEx() API
      Foreign process memory is read and written with ReadProcessMemory() and WriteProcessMemory()

  16. 1: DLL loading
      DLLs can be loaded into another process using CreateRemoteThread. Steps:
      1: Allocate memory for the DLL path in the remote target process
      2: Write the DLL path, including the full path, to the allocated memory
      3: Map our DLL into the remote process with CreateRemoteThread, using LoadLibraryA as the thread's start routine and the remote buffer as its argument

  17.   /* hProc: target opened with PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE;
           szDllPath: NUL-terminated full path of the DLL to inject */
        SIZE_T cb = strlen(szDllPath) + 1;                   /* include the terminator */
        LPVOID pLibRemote = VirtualAllocEx(hProc, NULL, cb, MEM_COMMIT, PAGE_READWRITE);
        BOOL bWriteCheck = WriteProcessMemory(hProc, pLibRemote, szDllPath, cb, NULL);
        /* kernel32.dll is mapped at the same base in every process of the same bitness for a given boot,
           so the local address of LoadLibraryA is valid inside the target as well */
        LPTHREAD_START_ROUTINE pfnLoadLibrary = (LPTHREAD_START_ROUTINE)
            GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
        HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, pfnLoadLibrary, pLibRemote, 0, NULL);
        WaitForSingleObject(hThread, INFINITE);              /* LoadLibraryA has returned in the target */
      Equivalent to LoadLibraryA("Dll name") running inside the target process
  18. 2: In-memory execution
      First documented as "Reflective DLL Injection" by Stephen Fewer, Harmony Security
      Implemented in Metasploit payloads
      Involves writing an EXE or DLL file into memory and executing it from there, without it ever being written to disk
      Stealthy execution

  19. 2: In-memory execution: implementing a minimal Portable Executable (PE) loader
      1: Allocate memory (SizeOfImage bytes) and copy the file into it, headers first, then each section at its VirtualAddress (file offsets and RVAs differ)
      2: Parse the import directory of the PE file and perform the fixups: load each named DLL and write the resolved function addresses into the IAT
      3: Calculate the delta between the new base and the preferred ImageBase and apply the relocations (IMPORTANT)
      4: JUMP to the entry point of the PE file (for a DLL, call its DllMain with DLL_PROCESS_ATTACH)

  20. Image relocations
      Certain hardcoded addresses need to be fixed
      int x; int *p = &x; (the absolute address of x is hardcoded into the initializer of p)
      The PE file stores relocation entries in the .reloc section
      The .reloc section stores the offsets of the addresses to be fixed, grouped into blocks of one 4 KB page each

  21. Example of a .reloc section
      Image (RVA: contents):
        0x0001: DD 0x0013          ; pointer to the data at 0x0013, must be fixed up when the base moves
        0x0010: DD 0xdeadbeef
        0x0011: DD 0xdeadbeef
        0x0013: DD 0xdeadbeef      ; the data the pointer refers to
      .reloc section: each IMAGE_BASE_RELOCATION block names a page RVA and a size, followed by 16-bit entries
        RELOC TYPE (4 bits) | OFFSET (12 bits, added to the block's page RVA)
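As an added example for slides 19 to 21 (editor's code, not the talk's or Metasploit's): the relocation step of the minimal loader, in Python. apply_relocations() walks the IMAGE_BASE_RELOCATION blocks of a .reloc section and adds the base delta to every HIGHLOW (32-bit) or DIR64 entry, skipping the ABSOLUTE entries used as padding; it also handles the case where the new base is below the preferred one. It runs on a constructed image fragment from build_sample_image(), "linked" at 0x00400000, in which RVA equals buffer offset; a real loader would take the .reloc RVA and size from the IMAGE_DIRECTORY_ENTRY_BASERELOC data directory, which are passed in here as two parameters instead.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0     # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3      # 32-bit absolute address (PE32)
IMAGE_REL_BASED_DIR64 = 10       # 64-bit absolute address (PE32+)
PREFERRED_BASE = 0x00400000      # ImageBase the constructed sample was "linked" at

def read_u32(image, rva):
    return struct.unpack_from("<I", image, rva)[0]

def parse_reloc_blocks(reloc):
    """Yield (page_rva, [(type, offset), ...]) for each IMAGE_BASE_RELOCATION block in the section."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, block_size = struct.unpack_from("<II", reloc, pos)
        if block_size < 8:                       # zero padding at the end of the section
            break
        count = (block_size - 8) // 2
        words = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        yield page_rva, [(w >> 12, w & 0xFFF) for w in words]   # high 4 bits: type, low 12 bits: offset in page
        pos += block_size

def apply_relocations(image, reloc_rva, reloc_size, preferred_base, actual_base):
    """Add (actual_base - preferred_base) to every address the .reloc section lists.
    Returns the number of entries fixed; 0 when the image landed at its preferred base."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFFFFFFFFFF   # two's complement, so a lower base works too
    if delta == 0:
        return 0
    reloc = bytes(image[reloc_rva:reloc_rva + reloc_size])
    fixed = 0
    for page_rva, entries in parse_reloc_blocks(reloc):
        for rtype, offset in entries:
            target = page_rva + offset
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype == IMAGE_REL_BASED_HIGHLOW:
                value = read_u32(image, target)
                struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
            elif rtype == IMAGE_REL_BASED_DIR64:
                value, = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (value + delta) & 0xFFFFFFFFFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {rtype} at RVA {target:#x}")
            fixed += 1
    return fixed

def build_sample_image():
    """Constructed PE32 image fragment: .data at RVA 0x2000 holds absolute pointers and
    .reloc at RVA 0x3000 lists three of them. The DWORD at 0x2008 looks like an address
    but is plain data and is deliberately absent from .reloc, so it must stay untouched.
    Returns (image, reloc_rva, reloc_size)."""
    img = bytearray(0x4000)
    struct.pack_into("<IIII", img, 0x2000,
                     PREFERRED_BASE + 0x1010,   # 0x2000: pointer into .text
                     PREFERRED_BASE + 0x2100,   # 0x2004: pointer into .data
                     0x00401234,                # 0x2008: data, not a pointer
                     0)                         # 0x200C: unused
    struct.pack_into("<I", img, 0x2010, PREFERRED_BASE + 0x3000)   # 0x2010: pointer into .reloc
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | 0x000,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x004,
               (IMAGE_REL_BASED_HIGHLOW << 12) | 0x010,
               (IMAGE_REL_BASED_ABSOLUTE << 12) | 0x000]            # pad the block to a DWORD boundary
    block = struct.pack("<II", 0x2000, 8 + 2 * len(entries)) + struct.pack("<4H", *entries)
    img[0x3000:0x3000 + len(block)] = block
    return img, 0x3000, len(block)

if __name__ == "__main__":
    img, rrva, rsize = build_sample_image()
    n = apply_relocations(img, rrva, rsize, PREFERRED_BASE, 0x10000000)   # base handed out by VirtualAlloc
    print(f"fixed {n} entries; 0x2000 -> {read_u32(img, 0x2000):#010x}, 0x2008 untouched -> {read_u32(img, 0x2008):#010x}")
```

Skipping this step is why slide 19 marks it IMPORTANT: the image runs fine whenever VirtualAlloc happens to return the preferred base and crashes on the first absolute pointer otherwise, which makes a missing relocation pass look like an intermittent bug.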
  22. Thanks
      Questions?