3. Why inject code?
- To trivially bypass anti-virus software
- To be stealthy: the code runs inside another, legitimate process
- Malware makes heavy use of injection
- Credential stealing (POST form grabbers, HTML injection, etc.)
- And so on
4. Portable Executable (PE) format
- The file format for Windows executables
- Consists of sections, each with its own characteristics (examples: .text, .bss, .data, .reloc, .debug)
- Imports of an EXE are stored in the .idata section and exports in .edata (compilers often merge both into .rdata)
- Texe 1.2 by Raashid Bhatt (PE dumper): http://texe.codeplex.com
- Briefly documented in <winnt.h>
6. PE file infection
- Overwrite (part of) the code section, or any section convenient for infection, with the injected code
- Change the entry point of the executable (AddressOfEntryPoint in the optional header) so it points at the injected code
- Save the registers, ESP, EBP, etc. on entry and restore them before handing control back
- Return to the original EP by either push EP ; ret or jmp EP
7. The bad news
- Calling functions such as LoadLibrary() and GetProcAddress() in kernel32.dll through hardcoded addresses fails when ASLR (address space layout randomization) is enabled (/DYNAMICBASE in MSVC; the image must also be relocatable, /FIXED:NO), because the base of kernel32.dll moves
- Sections .data and .bss are usually marked readable and writable but not executable, so injected code cannot simply be dropped into a data section
8. Remedy
- Use the PEB (Process Environment Block) to find the base address of kernel32.dll
- The PEB is located at fs:[0x30] in a 32-bit process (gs:[0x60] in a 64-bit one)
- It holds heap information, image information (ImageBaseAddress, BeingDebugged) and, via PEB->Ldr, the lists of loaded modules; walking InMemoryOrderModuleList yields every module's name and base address
- Further reading: The Last Stage of Delirium, "Win32 Assembly Components", http://www.lsd-pl.net/documents/winasm-1.0.1.pdf
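The PEB walk described above, as an added example that is not part of the original slides. The loader structures (LIST_ENTRY, PEB_LDR_DATA, LDR_DATA_TABLE_ENTRY, the leading PEB fields) are declared here from their known layout with only the fields the walk needs; the names build_mock_peb, find_module_base and the module bases 0x00400000/0x77000000/0x76000000 are constructed for this example so the list walk can run on any OS. On Windows with MSVC, current_peb() reads the real PEB from fs:[0x30] or gs:[0x60].

```c
/* Added example, not from the original slides: the PEB -> Ldr ->
 * InMemoryOrderModuleList walk that position-independent code uses to find
 * kernel32.dll without any import table.  The structures are declared from
 * their known layout (only the fields used), and the walk runs over a
 * constructed in-memory copy of the loader lists so it works on any OS; on
 * Windows/MSVC current_peb() reads the real PEB from fs:[0x30] or gs:[0x60]. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY_;
typedef struct { uint16_t Length, MaximumLength; wchar_t *Buffer; } UNICODE_STRING_;

typedef struct {                         /* leading fields of ntdll's LDR_DATA_TABLE_ENTRY */
    LIST_ENTRY_ InLoadOrderLinks;
    LIST_ENTRY_ InMemoryOrderLinks;      /* InMemoryOrderModuleList threads through this member */
    LIST_ENTRY_ InInitializationOrderLinks;
    void       *DllBase;
    void       *EntryPoint;
    uint32_t    SizeOfImage;
    UNICODE_STRING_ FullDllName;
    UNICODE_STRING_ BaseDllName;         /* e.g. L"KERNEL32.DLL" */
} LDR_DATA_TABLE_ENTRY_;

typedef struct {                         /* leading fields of PEB_LDR_DATA */
    uint32_t Length; uint8_t Initialized; void *SsHandle;
    LIST_ENTRY_ InLoadOrderModuleList, InMemoryOrderModuleList, InInitializationOrderModuleList;
} PEB_LDR_DATA_;

typedef struct {                         /* leading fields of the PEB */
    uint8_t InheritedAddressSpace, ReadImageFileExecOptions, BeingDebugged, BitField;
    void *Mutant, *ImageBaseAddress;
    PEB_LDR_DATA_ *Ldr;                  /* PEB+0x0C on x86, PEB+0x18 on x64 */
} PEB_;

/* Module names keep whatever case the loader saw, so compare case-insensitively. */
static int name_equals_ci(const UNICODE_STRING_ *s, const wchar_t *want) {
    size_t n = s->Length / sizeof(wchar_t);          /* Length is in bytes */
    for (size_t i = 0; i < n; i++) {
        wchar_t a = s->Buffer[i], b = want[i];
        if (a >= L'A' && a <= L'Z') a += 32;
        if (b >= L'A' && b <= L'Z') b += 32;
        if (b == 0 || a != b) return 0;
    }
    return want[n] == 0;
}

/* Walk the circular InMemoryOrderModuleList and return the DllBase of `name`, or NULL. */
void *find_module_base(const PEB_ *peb, const wchar_t *name) {
    const LIST_ENTRY_ *head = &peb->Ldr->InMemoryOrderModuleList;
    for (const LIST_ENTRY_ *e = head->Flink; e != head; e = e->Flink) {
        /* e points at InMemoryOrderLinks inside the entry; step back to the entry start */
        const LDR_DATA_TABLE_ENTRY_ *m = (const LDR_DATA_TABLE_ENTRY_ *)
            ((const char *)e - offsetof(LDR_DATA_TABLE_ENTRY_, InMemoryOrderLinks));
        if (name_equals_ci(&m->BaseDllName, name)) return m->DllBase;
    }
    return NULL;
}

#if defined(_WIN32) && defined(_MSC_VER)
#include <intrin.h>
PEB_ *current_peb(void) {
#ifdef _WIN64
    return (PEB_ *)__readgsqword(0x60);
#else
    return (PEB_ *)__readfsdword(0x30);
#endif
}
#endif

/* Constructed stand-in for a process: the usual order is the exe, ntdll.dll, kernel32.dll,
 * which is why some shellcode simply takes the third entry instead of comparing names. */
static LDR_DATA_TABLE_ENTRY_ mods[3];
static PEB_LDR_DATA_ ldr;
static PEB_ peb;
static wchar_t n0[] = L"inject.exe", n1[] = L"ntdll.dll", n2[] = L"KERNEL32.DLL";

PEB_ *build_mock_peb(void) {
    wchar_t *names[3] = { n0, n1, n2 };
    void *bases[3] = { (void *)(uintptr_t)0x00400000, (void *)(uintptr_t)0x77000000,
                       (void *)(uintptr_t)0x76000000 };          /* made-up base addresses */
    LIST_ENTRY_ *head = &ldr.InMemoryOrderModuleList;
    head->Flink = head->Blink = head;
    for (int i = 0; i < 3; i++) {
        mods[i].DllBase = bases[i];
        mods[i].BaseDllName.Buffer = names[i];
        mods[i].BaseDllName.Length = (uint16_t)(wcslen(names[i]) * sizeof(wchar_t));
        mods[i].BaseDllName.MaximumLength = (uint16_t)(mods[i].BaseDllName.Length + sizeof(wchar_t));
        LIST_ENTRY_ *e = &mods[i].InMemoryOrderLinks;       /* append at the tail */
        e->Flink = head; e->Blink = head->Blink;
        head->Blink->Flink = e; head->Blink = e;
    }
    ldr.Length = sizeof ldr; ldr.Initialized = 1;
    peb.Ldr = &ldr; peb.ImageBaseAddress = bases[0];
    return &peb;
}

int main(void) {
    PEB_ *p = build_mock_peb();                /* on Windows/MSVC: current_peb() */
    printf("kernel32.dll base = %p\n", find_module_base(p, L"kernel32.dll"));
    return 0;
}
```

Once the base is known, the same hand-rolled parsing continues into kernel32's export directory to find GetProcAddress and LoadLibraryA; nothing in this walk depends on the image having an import table, which is what makes it usable from injected code.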
9. Non-executable sections
- Sections such as .data, .bss, .idata and .edata are not executable: their Characteristics are typically 0xC0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
- Fix: OR IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE into PIMAGE_SECTION_HEADER->Characteristics and keep READ/WRITE; overwriting the field with IMAGE_SCN_CNT_CODE alone drops the IMAGE_SCN_MEM_* bits the loader uses for page protection (flags documented in winnt.h)
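The section-table walk behind slides 4 and 9, as an added example that is not from the original slides. It locates the section headers from e_lfanew, reports which sections are executable and flips a data section's Characteristics the way the slide proposes. The image is a constructed byte buffer holding only what the walk reads (e_lfanew, the "PE\0\0" signature, NumberOfSections, SizeOfOptionalHeader and two section headers); the function names and the section RVAs/sizes are made up for the example, and the headers are written in host byte order, i.e. an x86/x64 host.

```c
/* Added example, not from the original slides: walk the section table of a PE
 * image held in memory, report which sections are executable, and flip a data
 * section's flags the way a file infector would.  The image is a constructed
 * byte buffer carrying only what this walk reads (e_lfanew, the "PE\0\0"
 * signature, NumberOfSections, SizeOfOptionalHeader and two section headers);
 * the section headers are written in host byte order, i.e. an x86/x64 host. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Characteristics bits, from winnt.h */
#define IMAGE_SCN_CNT_CODE              0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA  0x00000040u
#define IMAGE_SCN_MEM_EXECUTE           0x20000000u
#define IMAGE_SCN_MEM_READ              0x40000000u
#define IMAGE_SCN_MEM_WRITE             0x80000000u

typedef struct {            /* IMAGE_SECTION_HEADER: 40 bytes, no padding */
    char     Name[8];
    uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
    uint32_t PointerToRelocations, PointerToLinenumbers;
    uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics;
} SectionHeader;

static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Locate the section table: e_lfanew at 0x3C -> "PE\0\0" -> 20-byte file header ->
 * SizeOfOptionalHeader bytes of optional header -> NumberOfSections * 40 bytes. */
int find_section_table(const uint8_t *image, size_t len, size_t *table, unsigned *count) {
    if (len < 0x40) return -1;
    uint32_t pe = rd32(image + 0x3C);
    if (pe > len || len - pe < 24 || memcmp(image + pe, "PE\0\0", 4) != 0) return -1;
    *count = rd16(image + pe + 6);                 /* FileHeader.NumberOfSections */
    *table = pe + 24 + rd16(image + pe + 20);      /* FileHeader.SizeOfOptionalHeader */
    if (*table > len || (len - *table) / sizeof(SectionHeader) < *count) return -1;
    return 0;
}

uint32_t section_characteristics(const uint8_t *image, size_t table, unsigned i) {
    return rd32(image + table + i * sizeof(SectionHeader) + offsetof(SectionHeader, Characteristics));
}

void set_section_characteristics(uint8_t *image, size_t table, unsigned i, uint32_t ch) {
    uint8_t *p = image + table + i * sizeof(SectionHeader) + offsetof(SectionHeader, Characteristics);
    p[0] = (uint8_t)ch; p[1] = (uint8_t)(ch >> 8); p[2] = (uint8_t)(ch >> 16); p[3] = (uint8_t)(ch >> 24);
}

int section_is_executable(uint32_t ch) { return (ch & IMAGE_SCN_MEM_EXECUTE) != 0; }

/* Keep READ|WRITE and add CNT_CODE plus MEM_EXECUTE: the loader derives page protection
 * from the IMAGE_SCN_MEM_* bits, so overwriting the field with CNT_CODE alone is not enough. */
uint32_t make_executable(uint32_t ch) { return ch | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE; }

static uint8_t image[0x40 + 24 + 0xE0 + 2 * sizeof(SectionHeader)];  /* 392 bytes */

uint8_t *build_image(void) {
    memset(image, 0, sizeof image);
    memcpy(image, "MZ", 2);
    image[0x3C] = 0x40;                       /* e_lfanew */
    memcpy(image + 0x40, "PE\0\0", 4);
    image[0x44] = 0x4C; image[0x45] = 0x01;   /* Machine = IMAGE_FILE_MACHINE_I386 */
    image[0x46] = 2;                          /* NumberOfSections */
    image[0x54] = 0xE0;                       /* SizeOfOptionalHeader for PE32 */
    SectionHeader s[2] = {                    /* constructed sections; RVAs and sizes are made up */
        { ".text", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0,
          IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ },
        { ".data", 0x200, 0x2000, 0x200, 0x1400, 0, 0, 0, 0,
          IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE },   /* 0xC0000040 */
    };
    memcpy(image + 0x40 + 24 + 0xE0, s, sizeof s);
    return image;
}

int main(void) {
    uint8_t *img = build_image(); size_t tbl; unsigned n;
    if (find_section_table(img, sizeof image, &tbl, &n) != 0) return 1;
    for (unsigned i = 0; i < n; i++) {
        uint32_t ch = section_characteristics(img, tbl, i);
        printf("%-8.8s %08x exec=%d\n", (const char *)img + tbl + i * sizeof(SectionHeader),
               (unsigned)ch, section_is_executable(ch));
    }
    set_section_characteristics(img, tbl, 1, make_executable(section_characteristics(img, tbl, 1)));
    printf(".data now %08x\n", (unsigned)section_characteristics(img, tbl, 1));
    return 0;
}
```

The same walk, pointed at a real file read from disk, is how a PE dumper such as Texe lists sections; from the infector's side, a .data section that ends up 0xE0000060 is also exactly the kind of anomaly a scanner flags, which is one reason infectors prefer to reuse the existing executable section.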
11. IAT
- The import directory lists the DLLs a PE file needs and the functions it imports from each; the IAT (import address table) is the array the loader fills with the resolved function addresses
- Functions are linked either by ordinal or by name
- Stored in the .idata section of the PE file
- Described by struct _IMAGE_IMPORT_DESCRIPTOR in <winnt.h>
12. IAT hooking
- Used by botnets for credential stealing (POST form grabbers, on-the-fly HTML injection)
- One way: change the DLL name string referenced from the import table to the name of a proxy DLL, so the loader loads the proxy in place of the original
- The proxy exports the same functions, so it is entered on every call the program makes into the original DLL and forwards to the original afterwards
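The import structures of slide 11 and the hook of slide 12, as an added example that is not from the original slides. Instead of renaming the DLL in the file, this is the in-process variant: it walks IMAGE_IMPORT_DESCRIPTOR entries of a PE32 image that is already mapped (so RVAs are offsets from the image base), finds the IAT slot holding the resolved address of user32!MessageBoxA and redirects it. The import directory, thunk arrays, names and the "resolved" addresses are a constructed layout at fixed RVAs in a zeroed buffer; find_iat_slot, hook_import, build_image and IMPORT_DIR_RVA are names chosen for the example.

```c
/* Added example, not from the original slides: walk the import directory of a
 * PE32 image that is already mapped (RVAs are offsets from the image base),
 * find the IAT slot that holds the resolved address of user32!MessageBoxA, and
 * redirect it.  This is the in-process variant of IAT hooking; the import
 * directory, thunks and names are a constructed layout placed at fixed RVAs in
 * a zeroed buffer, and the "resolved" addresses in the IAT are made up. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {                   /* IMAGE_IMPORT_DESCRIPTOR, 20 bytes */
    uint32_t OriginalFirstThunk;   /* RVA of the import name table (INT), never patched */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                 /* RVA of the DLL name string */
    uint32_t FirstThunk;           /* RVA of the IAT, overwritten with addresses by the loader */
} ImportDescriptor;

#define IMAGE_ORDINAL_FLAG32 0x80000000u   /* thunk imports by ordinal, not by name */

static int ascii_casecmp(const char *a, const char *b) {
    for (;; a++, b++) {
        int d = tolower((unsigned char)*a) - tolower((unsigned char)*b);
        if (d != 0 || *a == '\0') return d;
    }
}

/* Return a pointer to the IAT slot for dll!func, or NULL if absent or imported by ordinal. */
uint32_t *find_iat_slot(uint8_t *image, uint32_t import_dir_rva, const char *dll, const char *func) {
    for (ImportDescriptor *d = (ImportDescriptor *)(image + import_dir_rva); d->Name != 0; d++) {
        if (ascii_casecmp((const char *)image + d->Name, dll) != 0) continue;
        uint32_t *names = (uint32_t *)(image + d->OriginalFirstThunk);   /* INT, parallel to the IAT */
        uint32_t *iat = (uint32_t *)(image + d->FirstThunk);
        for (size_t i = 0; names[i] != 0; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG32) continue;
            /* names[i] is the RVA of IMAGE_IMPORT_BY_NAME: u16 Hint followed by the NUL-terminated name */
            if (strcmp((const char *)image + names[i] + 2, func) == 0) return &iat[i];
        }
    }
    return NULL;
}

/* Point the slot at `hook`; the original address is returned so the hook can call through. */
uint32_t hook_import(uint8_t *image, uint32_t import_dir_rva, const char *dll, const char *func, uint32_t hook) {
    uint32_t *slot = find_iat_slot(image, import_dir_rva, dll, func);
    if (slot == NULL) return 0;
    uint32_t original = *slot;
    *slot = hook;                   /* in a live process: VirtualProtect the IAT page to PAGE_READWRITE first */
    return original;
}

/* Constructed image.  The union keeps the buffer 4-byte aligned for the casts above. */
static union { uint8_t b[0x200]; uint32_t w[0x80]; } img;
#define IMPORT_DIR_RVA 0x100       /* where this example places the descriptors */

static void put32(uint32_t rva, uint32_t v) { memcpy(img.b + rva, &v, 4); }
static void put_str(uint32_t rva, const char *s) { memcpy(img.b + rva, s, strlen(s) + 1); }

uint8_t *build_image(void) {
    memset(&img, 0, sizeof img);
    ImportDescriptor d = { 0x140, 0, 0, 0x180, 0x160 };   /* one DLL; the all-zero descriptor after it ends the list */
    memcpy(img.b + IMPORT_DIR_RVA, &d, sizeof d);
    put_str(0x180, "user32.dll");
    put_str(0x190 + 2, "MessageBoxA");                    /* Hint (u16) left as 0, then the name */
    put_str(0x1A0 + 2, "SetWindowsHookExA");
    put32(0x140, 0x190);                                  /* INT[0]: by name */
    put32(0x144, IMAGE_ORDINAL_FLAG32 | 2);               /* INT[1]: by ordinal #2 */
    put32(0x148, 0x1A0);                                  /* INT[2]: by name; INT[3] = 0 terminates */
    put32(0x160, 0x77D5058A); put32(0x164, 0x77D51000); put32(0x168, 0x77D52000);   /* IAT, made-up "resolved" values */
    return img.b;
}

int main(void) {
    uint8_t *image = build_image();
    uint32_t before = hook_import(image, IMPORT_DIR_RVA, "USER32.DLL", "MessageBoxA", 0x00401000);
    uint32_t after = *find_iat_slot(image, IMPORT_DIR_RVA, "user32.dll", "MessageBoxA");
    printf("user32!MessageBoxA: %08x -> %08x\n", (unsigned)before, (unsigned)after);
    return 0;
}
```

The walk uses OriginalFirstThunk for the names because FirstThunk no longer holds name RVAs once the loader has resolved it; a form grabber hooks wininet/winhttp send functions the same way, and the proxy-DLL approach on the next slide reaches the same slots by having the loader fill them with the proxy's exports.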
13. Proxy DLL (user32.dll)
Example of a proxy DLL for user32.dll. The import entry now names the proxy, so the real user32.dll keeps its name and the proxy simply loads it:

    #include <windows.h>

    typedef int (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);
    static MessageBoxA_t real_MessageBoxA;

    BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved) {
        if (reason == DLL_PROCESS_ATTACH)     /* resolve the real function once */
            real_MessageBoxA = (MessageBoxA_t)GetProcAddress(LoadLibraryA("user32.dll"), "MessageBoxA");
        return TRUE;
    }

    /* exported under the original name so the patched import resolves here
       (on x86 the internal name may need its __stdcall decoration, or use a .def file) */
    #pragma comment(linker, "/EXPORT:MessageBoxA=proxy_MessageBoxA")
    int WINAPI proxy_MessageBoxA(HWND hwnd, LPCSTR text, LPCSTR caption, UINT type) {
        /* user code: inspect or alter the arguments here */
        return real_MessageBoxA(hwnd, text, caption, type);
    }
15. CreateRemoteThread
- Windows provides the CreateRemoteThread() API; according to MSDN, "The CreateRemoteThread function creates a thread that runs in the virtual address space of another process"
- Memory can be allocated in another process with VirtualAllocEx()
- Another process's memory can be written and read with WriteProcessMemory() and ReadProcessMemory()
- The process handle used for these calls needs PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ access
16. 1: DLL loading
- DLLs can be loaded into another process using CreateRemoteThread. Steps:
1. Allocate memory for the DLL path in the remote target process (VirtualAllocEx)
2. Write the DLL name, including its full path, into the allocated memory (WriteProcessMemory)
3. Map the DLL into the remote process with CreateRemoteThread, using LoadLibraryA as the thread start routine and the remote buffer as its single argument
- This works because LoadLibraryA takes one pointer argument, just like a thread start routine, and kernel32.dll is mapped at the same base in every process of a boot session, so the address obtained locally from GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA") is valid in the target
18. 2: In-memory execution
- First documented as "Reflective DLL Injection" by Stephen Fewer (Harmony Security)
- Implemented in Metasploit payloads
- Involves writing an EXE or DLL file into memory and executing it from there, without ever writing it to disk
- Stealthy execution
19. 2: In-memory execution
Implementing a minimal Portable Executable (PE) file loader:
1. Allocate memory (SizeOfImage bytes) and copy the file into it, placing the headers and then each section at its VirtualAddress rather than at its raw file offset
2. Parse the import directory of the PE file and perform the fixups: load each imported DLL and write the resolved function addresses into the IAT
3. Calculate the new base (delta = allocated base minus ImageBase) and perform the relocations listed in .reloc (IMPORTANT: if this is skipped, every absolute address still points at the preferred base)
4. Jump to the entry point of the PE file (for a DLL, call DllMain with DLL_PROCESS_ATTACH)
20. Image relocations
- Certain hardcoded addresses need to be fixed when the image is not loaded at its preferred base (ImageBase in the optional header)
- Example: int x; int *p = &x; the address of x is stored in p at link time, for the preferred base
- The PE file stores relocation entries in the .reloc section
- Each entry is the offset of a slot holding an absolute address; the loader adds (actual base minus preferred base) to every such slot
21. Example of the .reloc section
Image layout as drawn on the slide (offsets relative to the page covered by the relocation block):

0x0001 --- DD (pointer) -> 0x0013      a 4-byte absolute pointer at offset 0x0001 that refers to offset 0x0013
0x0010 --- 0xdeadbeef
0x0011 --- 0xdeadbeef
0x0013 --- 0xdeadbeef

.reloc: each block starts with the page RVA and the block size, followed by 16-bit entries of the form RELOC TYPE (4 bits) | OFFSET (12 bits) within that page. The pointer at offset 0x0001 is therefore described by type 3 (IMAGE_REL_BASED_HIGHLOW) with offset 0x001, encoded as the 16-bit value 0x3001.
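The relocation pass of slides 19 (step 3), 20 and 21, as an added example that is not from the original slides. The image is a constructed PE32 fragment: a .data page holding the slide's `int *p = &x` pointer and a code pointer, both written for the preferred base 0x00400000, plus the .reloc block that lists them with 4-bit type / 12-bit offset entries. Relocating it to another base must add (new base minus preferred base) to each listed slot and nothing else. The RVAs 0x2000/0x2800, the function names and the 0x3000-byte image size are chosen for the example; the block also handles IMAGE_REL_BASED_DIR64 so the same routine serves PE32+ images.

```c
/* Added example, not from the original slides: the base-relocation pass of a
 * minimal in-memory PE loader (step 3 of slide 19, slides 20 and 21).  The
 * image is a constructed PE32 fragment: a .data page holding two absolute
 * addresses written for the preferred base 0x00400000, plus the .reloc block
 * that lists them.  Loading it at another base must add (new - preferred) to
 * each listed slot and leave everything else untouched. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_REL_BASED_ABSOLUTE 0     /* padding entry, skip */
#define IMAGE_REL_BASED_HIGHLOW  3     /* 32-bit absolute address (PE32) */
#define IMAGE_REL_BASED_DIR64    10    /* 64-bit absolute address (PE32+) */

typedef struct { uint32_t VirtualAddress, SizeOfBlock; } BaseRelocation;  /* then (SizeOfBlock-8)/2 u16 entries */

/* Apply every block in the .reloc range.  Returns the number of slots patched;
 * stops early on a malformed block, an unknown type, or a target outside the image. */
size_t apply_relocations(uint8_t *image, size_t image_size, uint32_t reloc_rva, uint32_t reloc_size,
                         uint64_t preferred_base, uint64_t actual_base) {
    uint64_t delta = actual_base - preferred_base;   /* wraps correctly when the new base is lower */
    size_t fixups = 0;
    uint32_t off = reloc_rva, end = reloc_rva + reloc_size;
    while (off + sizeof(BaseRelocation) <= end && end <= image_size) {
        BaseRelocation blk; memcpy(&blk, image + off, sizeof blk);
        if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - off) return fixups;
        size_t n = (blk.SizeOfBlock - sizeof blk) / 2;
        for (size_t i = 0; i < n; i++) {
            uint16_t e; memcpy(&e, image + off + sizeof blk + i * 2, 2);
            unsigned type = e >> 12;                              /* high 4 bits: relocation type */
            uint32_t target = blk.VirtualAddress + (e & 0xFFF);   /* low 12 bits: offset within the page */
            if (type == IMAGE_REL_BASED_ABSOLUTE) continue;
            if (type == IMAGE_REL_BASED_HIGHLOW && target + 4 <= image_size) {
                uint32_t v; memcpy(&v, image + target, 4); v += (uint32_t)delta; memcpy(image + target, &v, 4);
            } else if (type == IMAGE_REL_BASED_DIR64 && target + 8 <= image_size) {
                uint64_t v; memcpy(&v, image + target, 8); v += delta; memcpy(image + target, &v, 8);
            } else {
                return fixups;
            }
            fixups++;
        }
        off += blk.SizeOfBlock;
    }
    return fixups;
}

#define PREFERRED_BASE 0x00400000u
#define RELOC_RVA      0x2800u
#define RELOC_SIZE     16u
static uint8_t image[0x3000];

static void w32(uint32_t rva, uint32_t v) { memcpy(image + rva, &v, 4); }
static void w16(uint32_t rva, uint16_t v) { memcpy(image + rva, &v, 2); }
uint32_t r32(uint32_t rva) { uint32_t v; memcpy(&v, image + rva, 4); return v; }

/* Constructed .data page at RVA 0x2000: the slide's `int x; int *p = &x;` plus a code pointer. */
uint8_t *build_image(void) {
    memset(image, 0, sizeof image);
    w32(0x2000, PREFERRED_BASE + 0x2010);   /* p = &x, an absolute address baked in at link time */
    w32(0x2008, PREFERRED_BASE + 0x1000);   /* pointer into .text */
    w32(0x2010, 42);                        /* x itself: plain data, no entry in .reloc */
    w32(RELOC_RVA + 0, 0x2000);             /* block covers the 4 KiB page at RVA 0x2000 */
    w32(RELOC_RVA + 4, RELOC_SIZE);         /* 8-byte header + four u16 entries */
    w16(RELOC_RVA + 8,  (IMAGE_REL_BASED_HIGHLOW << 12) | 0x000);
    w16(RELOC_RVA + 10, (IMAGE_REL_BASED_HIGHLOW << 12) | 0x008);
    w16(RELOC_RVA + 12, (IMAGE_REL_BASED_ABSOLUTE << 12));   /* padding keeps the block 4-byte aligned */
    w16(RELOC_RVA + 14, (IMAGE_REL_BASED_ABSOLUTE << 12));
    return image;
}

/* Rebuild the image as linked, then relocate it as if it had been mapped at new_base. */
size_t relocate_to(uint32_t new_base) {
    build_image();
    return apply_relocations(image, sizeof image, RELOC_RVA, RELOC_SIZE, PREFERRED_BASE, new_base);
}

int main(void) {
    size_t n = relocate_to(0x10000000);
    printf("%zu fixups: p=%08x code=%08x x=%u\n", n,
           (unsigned)r32(0x2000), (unsigned)r32(0x2008), (unsigned)r32(0x2010));
    return 0;
}
```

In a real loader the .reloc range comes from the optional header's DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC], and the pass is unnecessary only when the allocation happens to land at ImageBase; a loader that omits it will run until the first dereference of a stale pointer, which is why the slide marks the step as important.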