code injection in windows

Upload: nu-the-open-security-community

Post on 20-May-2015

DESCRIPTION

Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011

TRANSCRIPT

Page 1: Code Injection in Windows

Code Injection on Windows

Raashid Bhat, Kashmir

Student, Computer Security, 2nd year BE

http://Twitter.com/raashidbhatt!

Page 2: Code Injection in Windows

Agenda

• Why Inject Code?

• Ways to Inject Code

• Questions?

Page 3: Code Injection in Windows

Why inject Code?

• Trivially bypass anti-virus software

• To be stealthy

• Malware makes heavy use of injection

• Stealing credentials (POST form grabbers, HTML injection, etc.)

• Etc. etc.

Page 4: Code Injection in Windows

Portable Executable(PE) Format

• File format for Windows executable

• Consists of sections, each with its own characteristics (examples: .text, .bss, .data, .reloc, .debug)

• Imports and exports of an EXE file are stored in the .idata and .rdata sections

• Texe 1.2 by Raashid Bhatt (PE dumper): http://texe.codeplex.com

• Briefly documented in <winnt.h>

Page 5: Code Injection in Windows

Code injection Technique #1

PE File Infection

Page 6: Code Injection in Windows

PE File Infection

• Overwrite the .code section (or any section convenient for infection)

• Change the entry point of the executable

• Save the registers, ESP, EBP, etc.

• Return to the original EP by either

  • Push EP; Ret

  • or JMP EP

Page 7: Code Injection in Windows

The bad News?

• Calling functions such as LoadLibrary() or GetProcAddress() in kernel32.dll is a problem when ASLR (address space layout randomization) is enabled (/Fixed:NO in MSVC)

• Sections .data and .bss are usually marked as writable and readable

Page 8: Code Injection in Windows

Remedy

• Use the PEB (Process Environment Block) to find the kernel32.dll address

• The PEB is located at FS:[0x30]

• It holds the heaps, binary information and loaded module information

• Further reading: The Last Stage of Delirium, "Win32 Assembly Components", http://www.lsd-pl.net/documents/winasm-1.0.1.pdf

Page 9: Code Injection in Windows

Non-Executable Sections

• Sections .data, .bss, .idata, .edata etc. are not executable, as they are marked 0xC0000040 = INITIALIZED_DATA | READ | WRITE

• Change >>

• PIMAGE_SECTION_HEADER->Characteristics = IMAGE_SCN_CNT_CODE (documented in winnt.h)
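The header changes described on Pages 6, 7 and 9 (entry point moved into a data section, a data section re-flagged as code, a section that is both writable and executable) are exactly what a defender can look for in the section table. The following is an added example, not code from the slides or from the Texe tool: a small PE32/PE32+ section-table parser written with Python's struct module that audits an image for those indicators. The IMAGE_SCN_* constants and header layouts are the ones from winnt.h; the two test images are constructed header-only files built by the build_pe helper (an assumption of this example, not a real binary), one clean and one altered the way the slides describe.

```python
import struct

# Section characteristics from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
DATA_SECTION_NAMES = {".data", ".bss", ".idata", ".edata", ".rdata", ".reloc"}

# IMAGE_FILE_HEADER and IMAGE_SECTION_HEADER layouts (little-endian, winnt.h)
COFF_HEADER_FMT = "<HHIIIHH"
SECTION_HEADER_FMT = "<8sIIIIIIHHI"

def parse_sections(image):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, image, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER_FMT)
    if struct.unpack_from("<H", image, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    entry_rva = struct.unpack_from("<I", image, opt_off + 16)[0]  # same offset in PE32 and PE32+
    sections = []
    sect_off = opt_off + opt_size
    for i in range(nsect):
        f = struct.unpack_from(SECTION_HEADER_FMT, image, sect_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "va": f[2], "size": max(f[1], f[3]), "chars": f[9]})
    return entry_rva, sections

def audit(image):
    """Flag the section-table changes the PE-infection slides describe."""
    entry_rva, sections = parse_sections(image)
    findings = []
    ep_section = None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + s["size"]:
            ep_section = s
        executable = s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
        if executable and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"{s['name']}: writable and executable")
        if s["chars"] & IMAGE_SCN_CNT_CODE and s["name"] in DATA_SECTION_NAMES:
            findings.append(f"{s['name']}: data section carries IMAGE_SCN_CNT_CODE")
    if ep_section is None:
        findings.append(f"entry point 0x{entry_rva:X} lies outside every section")
    elif not ep_section["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        findings.append(f"entry point 0x{entry_rva:X} in non-executable {ep_section['name']}")
    elif ep_section["name"] != ".text":
        findings.append(f"entry point 0x{entry_rva:X} in {ep_section['name']}, not .text")
    return findings

def build_pe(entry_rva, sections):
    """Constructed header-only PE32 test image (not a real binary); sections is a
    list of (name, VirtualAddress, VirtualSize, Characteristics)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))          # e_lfanew
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                 # Magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    hdrs = b"".join(struct.pack(SECTION_HEADER_FMT, n.ljust(8, b"\0"), sz, va, sz, 0, 0, 0, 0, 0, ch)
                    for n, va, sz, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs

TEXT_FLAGS = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
DATA_FLAGS = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE  # 0xC0000040

CLEAN = build_pe(0x1000, [(b".text", 0x1000, 0x1000, TEXT_FLAGS),
                          (b".data", 0x2000, 0x1000, DATA_FLAGS)])
# The state Pages 6 and 9 describe: entry point moved into .data, .data flagged as code
INFECTED = build_pe(0x2010, [(b".text", 0x1000, 0x1000, TEXT_FLAGS),
                             (b".data", 0x2000, 0x1000, DATA_FLAGS | IMAGE_SCN_CNT_CODE)])

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, audit(img) or ["no findings"])
```

The entry-point-outside-.text and writable-plus-executable checks are heuristics: packers and some linkers produce such layouts legitimately, so the findings are triage input rather than a verdict.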

Page 10: Code Injection in Windows

Code injection Technique #2

IAT Hooking

Page 11: Code Injection in Windows

IAT

• The IAT (import address table) holds information about the DLLs to be loaded by a PE file

• Functions are linked either by ordinal or by name

• Stored in the .idata section of the PE file

• Defined in struct _IMAGE_IMPORT_DESCRIPTOR in <winnt.h>

Page 12: Code Injection in Windows

IAT hooking

• Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)

• Can be achieved by changing the name of the DLL inside the import address table (IAT) to that of a proxy DLL

• Activated whenever any function of the original DLL is called

Page 13: Code Injection in Windows

Proxy DLL (user32.dll)

• dllmain(...)

• int WINAPI MessageBoxA(...) {
      user32.ldd_MessageBoxA(...);   /* forward the call to MessageBoxA in the original user32.dll */
      /* user code */
  }

• Example for a user32.dll proxy DLL

Page 14: Code Injection in Windows

Code injection Technique #3

Runtime Code Injection

Page 15: Code Injection in Windows

CreateRemoteThread

• Windows has the CreateRemoteThread() API

• According to MSDN, "The CreateRemoteThread function creates a thread that runs in the virtual address space of another process"

• Memory allocation in another process is possible using the VirtualAllocEx() API

• Foreign process memory can be read and written using WriteProcessMemory() & ReadProcessMemory()

Page 16: Code Injection in Windows

1: DLL Loading

DLLs can be loaded into another process using CreateRemoteThread. Steps:

1: Allocate memory for the DLL name in the remote target process

2: Write the DLL name, including the full path, to the allocated memory

3: Map our DLL into the remote process via CreateRemoteThread & LoadLibrary

Page 17: Code Injection in Windows

/* Assumed to be set up already: hProc (handle to the target process), hKernel32
   (HMODULE of kernel32.dll) and szDllPath (a char array holding the full DLL path,
   so that sizeof() yields the buffer size including the terminating NUL). */
LPVOID pLibRemote = VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE);

BOOL bWriteCheck = WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL);

/* dwStackSize and dwCreationFlags are integers, so 0 rather than NULL */
HANDLE hThread = CreateRemoteThread(hProc, NULL, 0,
                                    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"),
                                    pLibRemote, 0, NULL);

Equivalent to LoadLibraryA("Dll name");

Page 18: Code Injection in Windows

2:In memory Execution

• First documented as "Reflective DLL Injection" by Stephen Fewer, Harmony Security

• Implemented in Metasploit payloads

• Involves writing an EXE or DLL file into memory and executing it from there

• Stealthy execution
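Both runtime techniques leave a visible trace: the remote thread of Page 17 starts at kernel32!LoadLibraryA, and the in-memory execution of Page 18 starts a thread at an address that no loaded module backs. Sysmon records cross-process thread creation as Event ID 8 with the fields SourceImage, TargetImage, StartAddress, StartModule and StartFunction, which is enough to separate the two patterns. The detector below is an added example, not code from the slides or from Sysmon: it runs over three constructed Event ID 8 records (paths, PIDs and addresses are invented), allowlists a placeholder endpoint-agent path, and returns an alert per suspicious record.

```python
# Exports whose remote invocation through CreateRemoteThread amounts to the
# "LoadLibraryA(dll name)" pattern of Page 17.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Placeholder allowlist for tooling that legitimately creates remote threads
# (debuggers, endpoint agents). The path is a made-up example, not a real product.
ALLOWED_SOURCES = frozenset({r"c:\program files\example edr\edragent.exe"})

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records. Field names follow the
# Sysmon event schema; images, PIDs and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Program Files\Example EDR\edragent.exe", "SourceProcessId": 1204,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3340,
     "StartAddress": "0x00007FFB2A1F1000", "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 5120,
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "TargetProcessId": 4412,
     "StartAddress": "0x00007FFB2B0A4BC0", "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe", "SourceProcessId": 5120,
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 3340,
     "StartAddress": "0x0000020F4C3A0000", "StartModule": "", "StartFunction": ""},
]

def classify_event(ev, allowed_sources=ALLOWED_SOURCES):
    """Return (severity, reason) for one Event ID 8 record, or None if it needs no attention."""
    if ev.get("EventID") != 8:
        return None
    if ev["SourceImage"].lower() in allowed_sources:
        return None
    if ev.get("StartFunction") in LOADLIBRARY_EXPORTS:
        # Page 17 pattern: the new thread's start routine is LoadLibrary itself
        return ("high", f"{ev['SourceImage']} started {ev['StartFunction']} in {ev['TargetImage']}: remote DLL load")
    if not ev.get("StartModule"):
        # Page 18 pattern: thread starts in memory that belongs to no loaded module
        return ("high", f"{ev['SourceImage']} started a thread at {ev['StartAddress']} in {ev['TargetImage']} that no loaded module backs")
    return ("medium", f"{ev['SourceImage']} created a thread in {ev['TargetImage']} (start in {ev['StartModule']})")

def scan(events, allowed_sources=ALLOWED_SOURCES):
    """Run the classifier over a batch of records and return (severity, target pid, reason) alerts in order."""
    alerts = []
    for ev in events:
        verdict = classify_event(ev, allowed_sources)
        if verdict is not None:
            alerts.append((verdict[0], ev["TargetProcessId"], verdict[1]))
    return alerts

if __name__ == "__main__":
    for sev, pid, reason in scan(SAMPLE_EVENTS):
        print(f"[{sev}] pid {pid}: {reason}")
```

The "medium" tier catches every other cross-process thread from a non-allowlisted source; how much of that is noise depends on the fleet, so the allowlist is the knob to tune rather than the two high-severity rules.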

Page 19: Code Injection in Windows

2: In-memory Execution: implementing a minimal Portable Executable (PE) file loader

• 1: Allocate memory and copy the file into memory

• 2: Parse the import address table of the PE file and perform fixups

• 3: Calculate the new base and perform relocation (IMPORTANT)

• 4: Jump to the entry point of the PE file

Page 20: Code Injection in Windows

Image Relocations

• Certain hardcoded addresses need to be fixed

• int x; int *p = &x; (the address of x is hardcoded into p)

• The PE file stores relocation entries in the .reloc section

• The .reloc section stores the offsets of the addresses to be fixed

Page 21: Code Injection in Windows

Example of .reloc section

• 0x0001 --- DD (pointer) 0x0013 >>

• 0x0010 --- 0xdeadbeef

• 0x0011 --- 0xdeadbeef

• 0x0013 --- 0xdeadbeef

• .reloc section:

• RELOC TYPE (4 bits) | OFFSET (12 bits) | RVA

Page 22: Code Injection in Windows

• Thanks

• Questions?