The document provides an overview of process injection techniques, specifically focusing on DLL injection and process replacement within the Windows operating system. It explains how these methods enable malware to execute code invisibly by manipulating the memory and behavior of legitimate processes. Key concepts covered include the structure of Windows processes, the mechanics of DLL injection, and the steps involved in process replacement, highlighting the potential risks and detection methods associated with these techniques.

1. Process Injection
Malware style

2. Who am I
• Security Researcher
• PwC: Consultant
• Former student UGent
• {@ -F-G}/SanderDemeester

3. Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions

4. Windows PE
• It’s a file format!
• It contains information about the executable
• It’s THE windows format for all executables
• DLL
• EXE
• SYS

5. • Imports - Functions from other libraries
• Exports - Functions that should be called
• NT Headers - used by windows loader
• Sections - .text, .rdata, .data,…
• Relocations - Preferred base address
• Resources - Strings, icons, …
• Much more..

6. PE - A short demo

7. What is a process?
• It’s the execution of a program
• One or more threads run in the context of a process
• Thread - Conceptually, an execution unit inside the
process

8. Process as a structure
• Fine.. A process is a thing that runs in the system..
• The OS uses different kernel structures to manage
those processes
• Remember, a process believes it has the whole
adres space to It’s self..

10. EPROCESS
• Executive component of
windows kernel
• It's a process object for
a process
• Kernel use: IO transfer,
handle virtual memory
• Drivers:
PsGetCurrentProcess()

11. PEB
• Structure in userspace
• Used by operating system
code in user-space
(ntdll,kernel32)
• Contains information about a
running process
• CLI parameters, pointer to
heap,image base address
• A pointer to PEB_LDR_DATA

12. PEB_LDR_DATA
• Contains information about
the loaded modules
associated with the running
process
• Has the anchor for a doubly
linked list that contains each
loaded module
• LDR_DATA_TABLE_ENTRY

13. TIB
• Stores information about the
current thread
• Can be obtained via the FS or
GS registers
• Used to obtain information
about the running thread
• Things like the SEH, stack
base
• Access to the thread local
storage array

14. PEB,TIB - A short
demo

15. So…What does this mean?
• Different windows components need to interact with
the process
• Windows API’s need to provide access to that
information

16. Process in memory
• There is something called virtual memory
• Maps memory addresses into physical addresses,
the virtual memory address space
• A collection of contiguous segments
• Each process thinks.. It's all mine

18. Virtual memory - A
short demo

19. Virtual memory
• Mapping virtual memory addresses into physical addresses
• Base relocation: Fixing memory locations at load time.
• Relative virtual addresses or RVA
• Just made the job of the loader easier
• Three types of “addresses”
• Logical addresses: perspective of the running process
• Linear addresses: logical addresses after segment translation
• Physical addresses: linear addresses after page table translation

20. Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions

21. Injection.. Why?
• We would like to hide the fact that we are running
code
• Makes deployment a lot easier
• Bypass certain security filters

22. DLL Injection
• Force a different process to load a DLL at runtime
• Use the windows API
• The OS automatically calls the DLLMain function
• DLL inherits the same rights as the target process
• Everything the malicious code does will appear to
come from the injected process

23. DLL Injection - Why?
• Everything the malicious code does will appear to
come from the injected process
• It inherits all the permissions of the process
• Read from that process virtual memory

25. DLL Injection - Demo

26. DLL injection steps
• The loader obtains a handle to the victim process
• Most often uses CreateToolhelp32snapshot,
Process32First and Process32Next
• Obtain the Process ID
• Obtain the handle to the process

27. DLL injection steps
• Make room to create a new thread
• Allocate enough memory in the victims process for
the DLL name
• Write only the name to the virtual memory of our
victim
• Obtain a module handle to LoadLibraryA

28. DLL injection steps
• The CreateRemoteThread is used to open and execute
a thread in the victims process
• The CreateRemoteThread is passed three parameters
• hProcess - process handle
• lpStartAddress - starting point of the code for our
new thread, in our case. LoadLibraryA
• lpParameter - argument for the new thread

29. DLL Injection - code
constructs

30. Outline
• Windows processes: An introduction
• Dll Injection
• Process replacement
• Questions

31. Process replacement - Why?
• Disguise malware as a legit process
• Can not crash the host process and risk being
discovered
• Same permissions as the replaced process

32. Process replacement
• Processes are just bytes in memory
• Overwrite the memory space of our victim
process
• Disguises our code as a legitimate process
• Inherit all the permissions of the replaced process

33. Process replacement - How
would we do it?
• Create a process in a suspended state
• Replace all the code and memory in the process
with our code
• Run the process
• Easy!

34. Process replacement -
A short demo

35. What do we need?
• We need a different “process” to replace the existing
one?
• A way to “stop” a legitimate process that is running?
• A lot of information on the legitimate process
• Ways to write into the virtual memory of a different
process?
• A brain that works

36. Windows resources
• A program contains “resources”
• Contains raw images, bitmaps and dialog boxes
• But it can contain what we want?
• Steganography? Anyone?
• Lets put a PE in it!

37. Resource hacker - A
short demo

38. • Create a new process in a SUSPENDED_STATE

39. Process replacement steps
• Obtain our PE file stored in the resource section
• Create a new windows process in the suspended
state
• Access the “thread context” of the suspended
progress thread.
• The EBX register of newly created process contains
a pointer to the PEB structure

40. Process replacement steps
• The PEB structure contains a lot of information
about the process, including the image base
address.
• Using an “undocumented" API call
NtUnmapViewOfSection we can remove the code
from memory
• Windows Native System Services routine - use a
function pointer to get to it.

41. • We need to place our malicious PE file into memory
• Obtain the image base address and the size of our
program
• Call VirtualAllocEx and pass it the handle of our
suspended thread and set the permissions of the
allocated memory to PAGE_EXECUTE_READWRITE

42. • So far so good
• Start parsing the PE file to obtain pointers to the different
section
• SizeOfHeaders is at some offset in the PE header
• NumberOfSections is at some offset in the PE header
• Copy the PE header to the exact same place in the virtual
adres space as the suspended process
• Read the IMAGE_HEADER_SECTION and perform some
pointer calculations

43. • Keep going..
• Using the structures
• IMAGE_SECTION_HEADERS.SizeOfRawData
• IMAGE_SECTION_HEADERS.PointerToRawData
• IMAGE_SECTION_HEADER.VirtualAddress
• We perform pointer calculations to copy the data
over

44. Are we done yet?
• The windows loader has done most of the work
• We need to tell the loader where it should jump to
• Patch the original program entry point with the one
from our PE file
• After loading, lpContext->_eax contains our OEP
• Call SetThreadContext to update the thread context
• Start of suspended process

45. Process replacement -
code constructs

46. Is this still the same
process?
• How do you define a process?
• As far as windows is concerned, it’s what It's loaded
into memory
• Using the API to observe the process, it is the
original process

47. Can we detect this?
• We can monitor for a sequence of strange API
calls?
• We can compare the code sections of the running
process with the ones stored on the filesystem
• We can define rules on how a program should
behave and compare

48. What other techniques do
we have?
• Direct injection
• Local and remote hook injection
• Detour hijacking
• APC injection from user space and kernel space
• I’m sure, many more.

49. BSidesLV 2015
• Injection on Steroids: Code-less code injection and
0-day techniques..
• State-of-the-art

50. (*(*FNPTR)
(LPVOID,*char))
(QUESTIONS,”?”)