Code Injection in Windows
Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011
Code Injection on Windows
Raashid Bhat, Kashmir
Student, Computer Security, 2nd year BE
http://Twitter.com/raashidbhatt
Agenda
• Why Inject Code?
• Ways to Inject Code
• Questions?
Why inject Code?
• Trivially bypass anti-virus software
• To be stealthy
• Malware makes heavy use of injection
• Stealing credentials (POST form grabbers, HTML injection, etc.)
• Etc.
Portable Executable(PE) Format
• File format for Windows executables
• Consists of sections, each with its own characteristics (examples: .text, .bss, .data, .reloc, .debug)
• Imports and exports of an EXE file are stored in the .idata and .rdata sections
• Texe 1.2 by Raashid Bhatt (PE dumper): http://texe.codeplex.com
• Briefly documented in <winnt.h>
Code injection Technique #1
# PE File Infection
PE File Infection
• Overwrite the .code section (or any section convenient for infection)
• Change the entry point of the executable
• Save the registers, ESP, EBP etc.
• Return to the original EP by either
  • Push EP; Ret
  • or JMP EP
The bad News?
• Calling functions such as LoadLibrary() and GetProcAddress() in kernel32.dll breaks when ASLR (address space layout randization) is enabled, because their addresses can no longer be hard-coded (/FIXED:NO in MSVC)
• Sections .data and .bss are usually marked only as readable and writable, not executable
Remedy
• Use the PEB (Process Environment Block) to find the base address of kernel32.dll
• The PEB is located at FS:[0x30]
• It holds the heaps, binary information and the list of loaded modules
• Further reading: The Last Stage of Delirium, "Win32 Assembly Components", http://www.lsd-pl.net/documents/winasm-1.0.1.pdf
Non-Executable Sections
• Sections .data, .bss, .idata, .edata etc. are not executable, as they are marked 0xC0000040 = INITIALIZED_DATA | READ | WRITE
• Change >>
• PIMAGE_SECTION_HEADER->Characteristics = IMAGE_SCN_CNT_CODE (documented in winnt.h)
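The two slides above describe exactly the header changes a defender can look for: a data section whose Characteristics have been flipped to code/executable, and an entry point that no longer lives in the first code section. The following Python script is an added example, not code from the talk or from Texe; it constructs minimal PE32 headers in memory (DOS header, PE signature, COFF header, optional header, section table, no section bodies), parses the IMAGE_SECTION_HEADER entries with the flag values from <winnt.h>, and reports the anomalies. The section names, RVAs and flag combinations are constructed sample values.

```python
import struct

# Section characteristic flags from <winnt.h>
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes
COFF_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER, 20 bytes


def build_pe_headers(sections, entry_rva):
    """Construct a minimal PE32 header image (constructed test input, no section data).
    sections: list of (name_bytes, virtual_address, virtual_size, characteristics)."""
    opt_size = 0xE0  # size of a PE32 optional header including data directories
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature right after DOS header
    coff = struct.pack(COFF_HDR, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b"".join(
        struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, vsize, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [(name, va, vsize, characteristics), ...]) from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, *_, chars = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, chars))
    return entry_rva, sections


def audit_sections(data):
    """Flag header anomalies typical of PE file infection; returns a list of findings."""
    entry_rva, sections = parse_sections(data)
    findings = []
    first_code = None
    entry_sec = None
    for name, va, vsize, chars in sections:
        if chars & IMAGE_SCN_MEM_WRITE and chars & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"{name}: writable and executable")
        if chars & IMAGE_SCN_CNT_CODE and chars & (IMAGE_SCN_CNT_INITIALIZED_DATA
                                                   | IMAGE_SCN_CNT_UNINITIALIZED_DATA):
            findings.append(f"{name}: marked as both code and data")
        if first_code is None and chars & IMAGE_SCN_CNT_CODE:
            first_code = name
        if va <= entry_rva < va + vsize:
            entry_sec = name
    if entry_sec is None:
        findings.append("entry point outside every section")
    elif entry_sec != first_code:
        findings.append(f"entry point in {entry_sec}, not in the first code section {first_code}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a clean layout and the same file after the infection described above
    TEXT = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ     # 0x60000020
    DATA = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE  # 0xC0000040
    clean = build_pe_headers([(b".text", 0x1000, 0x1000, TEXT), (b".data", 0x2000, 0x1000, DATA)], 0x1000)
    infected = build_pe_headers([(b".text", 0x1000, 0x1000, TEXT),
                                 (b".data", 0x2000, 0x1000, DATA | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)],
                                0x2010)
    print("clean:", audit_sections(clean))
    print("infected:", audit_sections(infected))
```

The audit is deliberately header-only: it needs no section bodies, so it runs over a file that has only been read up to the section table, and each finding names the section so it can be checked against the dump Texe produces.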
Code injection Technique #2
# IAT Hooking
IAT
• The IAT (import address table) holds information about the DLLs to be loaded by a PE file
• Functions are linked either by ordinal or by name
• Stored in the .idata section of the PE file
• Defined in struct _IMAGE_IMPORT_DESCRIPTOR in <winnt.h>
IAT hooking
• Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)
• Can be achieved by changing the DLL name inside the import address table (IAT) to the name of a proxy DLL
• Activated whenever any function of the original DLL is called
Proxy DLL (user32.dll)
• dllmain(...)
• int WINAPI MessageBoxA(...) {
      user32_dll_MessageBoxA(...);   /* forward the call to the real user32.dll */
      /* user code */
  }
• Example of a proxy DLL for user32.dll
Code injection Technique #3
# Runtime Code Injection
CreateRemoteThread
• Windows has the CreateRemoteThread() API. According to MSDN: "The CreateRemoteThread function creates a thread that runs in the virtual address space of another process"
• Memory allocation in another process is possible using the VirtualAllocEx() API
• Foreign process memory can be read and written using WriteProcessMemory() & ReadProcessMemory()
1: DLL Loading
DLLs can be loaded in another process using CreateRemoteThread. Steps:
1: Allocate memory for the DLL name in the remote target process
2: Write the DLL name, including the full path, to the allocated memory
3: Map our DLL into the remote process via CreateRemoteThread & LoadLibrary

    /* hProc: handle to the target process; hKernel32: handle to kernel32.dll;
       szDllPath: char array holding the full path of the DLL */
    pLibRemote = VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE);
    bWriteCheck = WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL);
    hThread = CreateRemoteThread(hProc, NULL, 0,
                                 (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA"),
                                 pLibRemote, 0, NULL);

Equivalent to LoadLibraryA("Dll name") executed inside the target process.
2:In memory Execution
• First documented as "Reflective DLL Injection" by Stephen Fewer, Harmony Security
• Implemented in the Metasploit payload
• Involves writing an EXE or DLL file into memory and executing it from there
• Stealthy execution
2: In-memory Execution: implementing a minimal Portable Executable (PE) file loader
• 1: Allocate memory and copy the file into it
• 2: Parse the import address table of the PE file and perform the fixups
• 3: Calculate the new base and perform relocation (IMPORTANT)
• 4: Jump to the entry point of the PE file
Image Relocations
• Certain hard-coded addresses need to be fixed
• int x; int *p = &x; (the address of x is hard-coded into p)
• The PE file stores relocation entries in the .reloc section
• The .reloc section stores the offsets of the addresses to be fixed
Example of .reloc section
  0x0001 --- DD (pointer) 0x0013 >>
  0x0010 --- 0xdeadbeef
  0x0011 --- 0xdeadbeef
  0x0013 --- 0xdeadbeef
  .reloc section entry: RELOC TYPE (4 bits) | OFFSET (12 bits), added to the block RVA
• Thanks
• Questions?