Trying to drill down to a botNet source and building a control plan,
when it has entered your network its not easy. You have to isolate,plan, and deploy changes sometimes all in the same day with no errors.
Not only do you have to understand the more you wait the less likely of a proper correction to a malware issue,
it also will put you behind for future threats. You must PLAN robust solutions
which use your resources.
As a security professional you are the mystro of the cyber police and you will continue to need to decide on production changes to correct this issue and more then one right after the next.
Being able to make quick decisions in a fast moving environment while choosing wisely and effetely is the name of the game. Security is a community of cyber police who report similar situations and you are the detective to choose and use the best technologies and methods to mediate and correct your work place.
The Art of security...
Below is a great read I found from another blogger!
Please read and check out the reference links at bottom.
Introduction
In this article we will learn about DLL Injection and then using it to perform Inline Hooking in remote process with practical step by step illustrations.
This is the part of our free "Reverse Engineering & Malware Analysis Course".
You can visit our training page here and all the presentations of previous sessions here
In windows each process has its own virtual address space in which it can load and unload any DLL at any time. But that loading and unloading of DLL is initiated by the process itself. Sometimes we may want to load a DLL into a process without the process knowledge.
There are many reasons (legitimate or otherwise) to do it. For example a malware author may want to hide the malicious activity by loading a DLL into a trusted process or may want to bypass security devices while on the other hand a person may want to extend the functionality of the original program. But for both the activities steps are same.
Here we will discuss on various way to Inject our code/DLL into remote process with practical examples. Then we will extend it to hook specific API function in the target process to perform our own tasks.
DLL Injection
If I am not mistaken then approximately 45-50% malwares these days use code injection to carry out the malicious activities. So it is very crucial to understand the concept of DLL injection for amalware analyst.
I will demonstrate the technique using assembly programming language. If your development environment is not ready then i would highly recommend reading my previous article on "Assembly programming basics – A beginner's guide" to get starting with assembly programming language.
There are couple of method by which we can inject DLL into a process. The latest versions of windows enforce session separation so some of the methods may not work on the latest version of windows like windows 7/8.
Couple of Dll Injection Methods:
Window hooks (SetWindowsHookEX)
CreateRemoteThreada
App_Init registry key
ZwCreateThread or NtCreateThreadEx ? Global method (works well on all versions of windows)
Via APC (Asynchronous procedure calls)
In this article I will use CreateRemoteThread [Reference 1] method because it is the simplest approach and explains the overall logic. CreateRemoteThread will not work from windows vista onwards due to Session Separation/Isolation [Reference 4]. In such case you can use similar but undocumented function, NtCreateThread [Reference 2]
In fact it is not the problem with the CreateRemoteThread, it is the CsrClientCallServer method from Ntdll that returns false. If we can patch CsrClientCallServer to return success then we can inject DLL into a process using CreateRemoteThread itself. You can read more about it here.
Here I will focus on CreateRemoteThread on windows XP.
DLL Injection using CreateRemoteThread
There are primarily two situations
Inject DLL into a running process
Create a process and Inject DLL into it.
#2 is more suitable for this article because in later section I will cover hooking as well. While #1 is just the part of #2.Below is the line from MSDN about the CreateRemoteThread API.
Creates a thread that runs in the virtual address space of another process.
So it means CreateRemoteThread can create a thread into another process or we can say that it can execute
a function into another process.
Let's look into its syntax.
HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess, ?-------- 1
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress, ?---------2
__in LPVOID lpParameter, ?---------3
__in DWORD dwCreationFlags, ?---------4
__out LPDWORD lpThreadId
);
Mentioned parameters are critical for our task
#1 – handle to the process in which the thread is to be created.
#2 – A pointer to function or entry point of the thread that is going to be executed
#3 – parameters to the function
#4 – Creation state of the thread
We all know that kernerl32.dll export LoadLibrary API to load DLL at run time and also kernel32.dll is loaded by default into every process. So we can pass LoadLibrary address to #2 and parameter to LoadLibrary in #3. When we pass arguments in this order then CreateRemoteThread will execute LoadLibrary with its parameter in another process and hence loads the DLL into external process.
The only problem here is that parameter to LoadLibrary must be in target process. For example if we use LoadLibrary (#2) with "mydll.dll"(#3) as parameter to Loadlibrary then the name "mydll.dll" must be in our target process.
Fortunately windows provide API to do that as well. We can write into any process usingWriteProcessMemory and can allocate space into another process using VirtualAllocEx API. But Before that we need handle to our process, we can get that using OpenProcess or CreateProcessAPI.
So our order will be:
Use OpenProcess or CreateProcess API to get the handle of our target process
Use VirtualAllocEx to allocate space into our target process
Use WriteProcessMemory to write our DLL name into our target process
Use CreateRemoteThread to inject our DLL into our target process
Above steps are enough to inject our DLL into a process. Although to inject into a system process we first have to set se_debug privilege to our process (means the process that will inject DLL into another process) but for simplicity I am ignoring that part.
If you remember "two situations" from the beginning of this part then we need a bit of more work for #2 i.e
Create a process and Inject DLL into it.
We first have to create a process and after that we will use above steps to inject our DLL into newly created process.
Let's look into CreateProcess syntax:
BOOL WINAPI CreateProcess(
__in_opt LPCTSTR lpApplicationName,
__inout_opt LPTSTR lpCommandLine,
__in_opt LPSECURITY_ATTRIBUTES lpProcessAttributes,
__in_opt LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in BOOL bInheritHandles,
__in DWORD dwCreationFlags, ?-------- 1
__in_opt LPVOID lpEnvironment,
__in_opt LPCTSTR lpCurrentDirectory,
__in LPSTARTUPINFO lpStartupInfo,
__out LPPROCESS_INFORMATION lpProcessInformation
);
Here dwCreationFlags is the important parameter. If you look into its definition on MSDN then you will see that it is used to control the creation of a process. We can set it to "CREATE_SUSPENDED" to create a process into suspended mode.
With CREATE_SUSPENDED flag CreateProcess will create the process and stop the execution of the main thread at the entry point of the thread. To start the process we can use ResumeThread API.
So our steps will be
Create Process in suspended state
Inject DLL into the process using above steps
Resume the process
Here is the complete program which mimics above steps
;Author: Amit Malik
;http://www.SecurityXploded.com
;No error checking
.386
.model flat, stdcall
option casemap:none
include windows.inc
include msvcrt.inc
include kernel32.inc
includelib kernel32.lib
includelib msvcrt.lib
.data
greet db "enter file name: ",0
sgreet db "%s",0
dreet db "enter DLL name: ",0
dgreet db "%s",0
apiname db "LoadLibraryA",0
dllname db "kernel32.dll",0
.data?
processinfo PROCESS_INFORMATION <>
startupinfo STARTUPINFO <>
fname db 20 dup(?)
dname db 20 dup(?)
dllLen dd ?
mAddr dd ?
vpointer dd ?
lpAddr dd ?
.code
start:
invoke crt_printf,addr greet
invoke crt_scanf,addr sgreet,addr fname
invoke crt_printf,addr dreet
invoke crt_scanf,addr dgreet,addr dname
invoke LoadLibrary, addr dllname
ov mAddr,eax
invoke GetProcAddress,mAddr,addr apiname
mov lpAddr,eax
;create process in suspended state
invoke CreateProcess,addr fname,0,0,0,0,CREATE_SUSPENDED,0,0,addr startupinfo,addr processinfo
invoke crt_strlen,addr dname
mov dllLen,eax
; Allocate the space into the newly created process
invoke VirtualAllocEx,processinfo.hProcess,NULL,dllLen,MEM_COMMIT,PAGE_EXECUTE_READWRITE
mov vpointer,eax
; Write DLL name into the allocated space
invoke WriteProcessMemory,processinfo.hProcess,vpointer,addr dname,dllLen,NULL
; Execute the LoadLibrary function using CreateRemoteThread into the previously created process
invoke CreateRemoteThread,processinfo.hProcess,NULL,0,lpAddr,vpointer,0,NULL
invoke Sleep,1000d
; Finally resume the process main thread.
invoke ResumeThread,processinfo.hThread
xor eax,eax
invoke ExitProcess,eax
end start
Select console application in WinAsm and assemble the above code. It should create a process and inject our DLL into it.
For eg: you can create calc.exe process and can inject urlmon.dll into it, by default calc.exe doesn't load urlmon.dll.
Hooking
Here is definition of Hooking from Wikipedia
In computer programming, the term hooking covers a range of techniques used to alter or augment the behaviour of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a "hook"
Hooking is the most powerful technique available in computer software. A person can do almost everything on a system by applying hooks on the right locations.As stated in the definition that in hooking we intercept function calls or messages or events. Because it is taking the advantage of flow of execution so we can apply hooks on multiple locations from original file to system calls.
Primarily Hooks can be divided into two parts
User mode hooks
IAT (Import Address Table) Hooking
Inline Hooking
Call Patching in binary etc..
Kernel Mode hooks
IDT Hooking
SSDT Hooking etc..
In this article I will discuss Inline hooking technique which is one of the more effective hooking techniques.
Inline Hooking
In Inline hooking we overwrite the first 5 byte of the function or API to redirect the flow of execution to our code. The 5 bytes can be JMP, PUSH RET or CALL instruction.
Visually it can be explained by the following figures
Screenshot 1: Normal Call (Without hooking)
Screenshot 2: Call after hooking
As you can see in the above picture that the MessageBox function starting bytes are overwritten by JMP to MyHandler function. In MyHandler function we do our stuff and then transfer the control back to original function i.e MessageBox.
Now let's create a DLL that will hook MessageBox API and display our custom message instead of the real message.
To make a DLL we need following things:
MessageBoxA API address i.e pointer
Our function or code address i.e pointer
We can get MessageBoxA Api address using GetProcAddress.
Here are the steps:
Get MessageBoxA address
Get custom code or function address
Overwrite bytes at #1 with JMP to #2
Modify the parameter of original call
Transfer control back to #1
Here is the complete code deomonstrating Inline Hooking MessageBox function
;Author: Amit Malik
;http://www.SecurityXploded.com
;No error checking
.386
.model flat,stdcall
option casemap:none
include windows.inc
include kernel32.inc
include msvcrt.inc
include user32.inc
includelib kernel32.lib
includelib msvcrt.lib
includelib user32.lib
.data
tszMsg db "Hello from Hooking Function",0
userDll db "user32.dll",0
msgapi db "MessageBoxA",0
.data?
oByte1 dd ?
oByte2 dd ?
userAddr dd ?
msgAddr dd ?
nOldProt dd ?
.code
LibMain proc hInstDLL:DWORD, reason:DWORD, unused:DWORD
.if reason == DLL_PROCESS_ATTACH
invoke LoadLibrary,addr userDll
mov userAddr,eax
; Get MessageBoxA address from user32.dll
invoke GetProcAddress,userAddr,addr msgapi
mov msgAddr, eax
; Set permission to write at the MessageBoxA address
invoke VirtualProtect,msgAddr,20d,PAGE_EXECUTE_READWRITE,OFFSET nOldProt
; Store first 8 byte from the MessageBoxA address
mov eax,msgAddr
mov ebx, dword ptr DS:[eax]
mov oByte1,ebx
mov ebx, dword ptr DS:[eax+4]
mov oByte2,ebx
patchlmessagebox:
; Write JMP MyHandler (pointer) at MessageBoxA address
mov byte ptr DS:[eax],0E9h
; move MyHandler address into ecx
mov ecx,MyHandler
add eax,5
sub ecx,eax
sub eax,4
mov dword ptr ds:[eax],ecx
.elseif reason == DLL_PROCESS_DETACH
.elseif reason == DLL_THREAD_ATTACH
.elseif reason == DLL_THREAD_DETACH
.endif
ret
LibMain endp
MyHandler proc
pusha
xor eax,eax
mov eax,msgAddr
; change the lpText parameter to MessageBoxA with our text
mov dword ptr ss:[esp+028h],offset tszMsg
; Restore the bytes at MessageBoxA address
mov ebx,oByte1
mov dword ptr ds:[eax],ebx
mov ebx,oByte2
mov dword ptr ds:[eax+4],ebx
; Restore all registers
popa
;jump to MessageBoxA address (Transfer control back to MessageBoxA)
jmp msgAddr
MyHandler endp
end LibMain
Select standard DLL under "New Project" tab in WinAsm and paste the above code into the editor area and assemble it.Now we have our DLL that will hook MessageBoxA and change the lpText parameter to our message.
We will inject this DLL into a "Hello world" program that I shown in my previous article "Assembly Programming – A beginner's guide" with the help of our DLL inject program.
The output is shown in the below picture:
Conclusion
Both DLL injection and Hooking are powerful techniques and popularly used by malicious software as well as legitimate software from the years.
But as the saying goes if you have nuclear power then it is entirely depends on you whether you make a nuclear missile or use that power for solving problems.
References
Three ways to inject code into another process
Remote Thread Execution in System Process using NtCreateThreadEx for Vista & Windows7
MSR Detour Project - Hook SDK
Impact of Session 0 Isolation on Injection
Dill injection and Hooking
Comments
Post a Comment