SlideShare ist ein Scribd-Unternehmen logo

Code Injection in Windows

Als PPTX, PDF herunterladen
n|u - The Open Security Community
n|u - The Open Security Community

Code Injection in Windows by Raashid Bhat @ null Pune Meet, September 2011

TechnologieBildung
1 von 22
Code Injection on Windows RaashidBhat Kashmir Student Computer Security 2nd year BE http://Twitter.com/raashidbhatt!
Agenda Why Inject Code? Ways to Inject Code Questions?
Why inject Code? Trivially bypass anti-virus software To be stealthy Malware makes the heavy use of injection Stealing credentials (Post Form grabbers, HTML injection etc. .etc.) Etc. etc.
Portable Executable(PE) Format File format for Windows executable Consists of Section having characteristics examples (.text, .bss,.data,.reloc , .debug) Imports and Exports by EXE file are stored in idata and rdata sections Texe 1.2 by Raashid Bhatt(PE Dumper) http://texe.codeplex.com Briefly Documented in <winnt.h>
Code injection Technique #1 # PE File Infection
PE File Infection Overwrite the .code section ( or any section convenient for infection ) Change the Entry Point of the Executable Save the registers , ESP, EBP etc Return to original EP by Either Push EP ; Ret Or JMP EP
The bad News? Calling functions egLoadlibrary() , GetprocAddress() in kernel32.dll when ASLR(address space layout randomization) is enabled. (/Fixed:NO MSVC) Sections .data,.bss are usually marked as writable and readable
Remedy Use PEB(Process Environment Block) to find kernel32.dll address PEB is located at FS[0x30] Consists heaps, binary information and loaded module information. Further Reading > The Last Stage of Delerium Win32 Assembly Components. http://www.lsd-pl.net/documents/winasm-1.0.1.pdf;
Non-Executable Sections Sections .data,.bss.idata.edataetc are not executable as they are marked 0xC0000040 INITIALIZED_DATA|READ|WRITE Change >> PIMAGE_SECTION_HEADER-> Characteristics = IMAGE_SCN_CNT_CODE (documented in Winnt.h)
Code injection Technique #2 # IAT Hooking
IAT IAT(import address table) holds information regarding the DLL to be loaded by a PE file Functions are Linked either by a ordinal or by name. Stored in .idatasection of PE file. Define in struct _IMAGE_IMPORT_DESCRIPTOR <winnt.h>
IAT hooking Used by botnets for Credential stealing (POST Form Grabbers, 0n-fly html Injection) Can be achieved by changing the name of the Dll inside the import address table(IAT) table to proxy Dll Activated when any function is called in org DLL
Proxy Dll(user32.dll) dllmain(...) int WINAPI MessageBoxA(...){ user32.ldd_MessageBoxA(...); /* user code */ }. Example for user32.dll proxy dll
Code injection Technique #3 # Runtime Code Injection
CreateRemoteThread Windows has CreateRemoteThread() API According to MSDN “The CreateRemoteThread function creates a thread that runs in the virtual address space of another process” memory allocation in another process (possible) using VirtualAllocEx() API Foreign process memory read and write using WriteProcessMemory() & ReadProcessMemory()
1: DLL Loading DLL’s can be loaded in another process using CreateRemoteThread . Steps: 1: Allocate memory for the DLL name in the remote target process 2:Write the DLL name, including full path, to the allocated memory. 3:Mapping our DLL to the remote process via CreateRemoteThread & LoadLibrary
pLibRemote= VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE ); bWriteCheck= WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL ); hThread = CreateRemoteThread( hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"LoadLibraryA"),pLibRemote,NULL, NULL); Equivalent to LoadlibraryA(“Dll name”);
2:In memory Execution First Documented as “Reflective DLL Injection By Stephen Fewer” Harmony Security Implemented in MetasploitPlayload Involves Writing a Exe or dll file in the memory and executing from within Stealthy Execution
2:In memory Execution Implementing a minimal Portable Executable (PE) file loader. 1: Allocate Memory and Copy the file to memory 2:Parse the Import Address table of PE File and Perform Fixups 3:calculate the new base and Perform relocation (IMPORTANT) 4:JUMP to Entry point of The PE File
Image Relocations Certain hardcoded addresses need to be fixed Int x; int *p = &x;(hardcoded into p) PE file Stores Relocation Entries in .reloc section .reloc section stores offsets to the addresses to be fixed
Example of .reloc section 0x0001 --- DD (pointer) 0x0013 >> 0x0010 --- 0xdeadbeef 0x0011 --- 0xdeadbeef 0x0013 --- 0xdeadbeef ..reloc section RELOC TYPE (4BITS) OFFSET(12bits) RVA
Thanks Questions?

Empfohlen

Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 

Empfohlen

Malware forensics
Malware forensicsMalware forensics
Malware forensicsSameera Amjad
 
Malware Static Analysis
Malware Static AnalysisMalware Static Analysis
Malware Static AnalysisHossein Yavari
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
Security risk management
Security risk managementSecurity risk management
Security risk managementG Prachi
 
Secure SDLC Framework
Secure SDLC FrameworkSecure SDLC Framework
Secure SDLC FrameworkRishi Kant
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Computer Security
Computer SecurityComputer Security
Computer SecurityAkNirojan
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithmstrilokchandra prakash
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
Malware analysis
Malware analysisMalware analysis
Malware analysisPrakashchand Suthar
 
Software security
Software securitySoftware security
Software securityRoman Oliynykov
 
Application Security
Application SecurityApplication Security
Application SecurityReggie Niccolo Santos
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric CryptographyUTD Computer Security Group
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 
Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 

Weitere ähnliche Inhalte

Was ist angesagt?

Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Managementasherad
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Edureka!
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingMarco Morana
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101Jannis Kirschner
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementNada G.Youssef
 
Computer Security
Computer SecurityComputer Security
Computer SecurityAkNirojan
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk ManagementSam Bowne
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationTriCorps Technologies
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_applicationUmut IŞIK
 

Was ist angesagt? (20)

Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
Penetration Testing Tutorial | Penetration Testing Tools | Cyber Security Tra...
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Chapter 11: Information Security Incident Management
Chapter 11: Information Security Incident ManagementChapter 11: Information Security Incident Management
Chapter 11: Information Security Incident Management
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Encryption algorithms
Encryption algorithmsEncryption algorithms
Encryption algorithms
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case study
 
Malware analysis
Malware analysisMalware analysis
Malware analysis
 
Software security
Software securitySoftware security
Software security
 
Application Security
Application SecurityApplication Security
Application Security
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
 
Bulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Asymmetric Cryptography
Asymmetric CryptographyAsymmetric Cryptography
Asymmetric Cryptography
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda Security
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Threat modelling with_sample_application
Threat modelling with_sample_applicationThreat modelling with_sample_application
Threat modelling with_sample_application
 

Andere mochten auch

Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware styleSander Demeester
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Pythoninfodox
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tacticssecurityxploded
 
IPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000EIPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000Eallengalvan
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system pptSheetal Verma
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system gaurav koriya
 

Andere mochten auch (11)

Injection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniquesInjection on Steroids: Codeless code injection and 0-day techniques
Injection on Steroids: Codeless code injection and 0-day techniques
 
Process injection - Malware style
Process injection - Malware styleProcess injection - Malware style
Process injection - Malware style
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
Packers
PackersPackers
Packers
 
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive TacticsHollow Process Injection - Reversing and Investigating Malware Evasive Tactics
Hollow Process Injection - Reversing and Investigating Malware Evasive Tactics
 
IPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000EIPS Product Comparison of Cisco 4255 & TippingPoint 5000E
IPS Product Comparison of Cisco 4255 & TippingPoint 5000E
 
Hollow process injection
Hollow process injectionHollow process injection
Hollow process injection
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
 
Intrusion Prevention System
Intrusion Prevention SystemIntrusion Prevention System
Intrusion Prevention System
 
Intrusion detection system ppt
Intrusion detection system pptIntrusion detection system ppt
Intrusion detection system ppt
 
Intrusion detection system
Intrusion detection system Intrusion detection system
Intrusion detection system
 

Ähnlich wie Code Injection in Windows

Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Vladimir Kochetkov
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable DefCamp
 
bh-europe-01-clowes
bh-europe-01-clowesbh-europe-01-clowes
bh-europe-01-clowesguest3e5046
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법GangSeok Lee
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical fileAnkit Dixit
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...Soya Aoyama
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Rémi Jullian
 
Defcamp 2013 - SSL Ripper
Defcamp 2013 - SSL RipperDefcamp 2013 - SSL Ripper
Defcamp 2013 - SSL RipperDefCamp
 
Attributes & .NET components
Attributes & .NET componentsAttributes & .NET components
Attributes & .NET componentsBình Trọng Án
 
Virtual platform
Virtual platformVirtual platform
Virtual platformsean chen
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazyMichael Boman
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON
 

Ähnlich wie Code Injection in Windows (20)

Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
Srgoc dotnet
Srgoc dotnetSrgoc dotnet
Srgoc dotnet
 
Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible! Hack an ASP .NET website? Hard, but possible!
Hack an ASP .NET website? Hard, but possible!
 
Formatul Portable Executable
Formatul Portable Executable Formatul Portable Executable
Formatul Portable Executable
 
bh-europe-01-clowes
bh-europe-01-clowesbh-europe-01-clowes
bh-europe-01-clowes
 
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
[2009 CodeEngn Conference 03] koheung - 윈도우 커널 악성코드에 대한 분석 및 방법
 
System programmin practical file
System programmin practical fileSystem programmin practical file
System programmin practical file
 
Backdoor coding
Backdoor codingBackdoor coding
Backdoor coding
 
CGI.ppt
CGI.pptCGI.ppt
CGI.ppt
 
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
2019: A Local Hacking Odyssey - MITM attack against password manager @ BSides...
 
Mach-O Internals
Mach-O InternalsMach-O Internals
Mach-O Internals
 
Project Jugaad
Project JugaadProject Jugaad
Project Jugaad
 
Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)Formbook - In-depth malware analysis (Botconf 2018)
Formbook - In-depth malware analysis (Botconf 2018)
 
Defcamp 2013 - SSL Ripper
Defcamp 2013 - SSL RipperDefcamp 2013 - SSL Ripper
Defcamp 2013 - SSL Ripper
 
Book
BookBook
Book
 
Attributes & .NET components
Attributes & .NET componentsAttributes & .NET components
Attributes & .NET components
 
Virtual platform
Virtual platformVirtual platform
Virtual platform
 
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...
 
How to drive a malware analyst crazy
How to drive a malware analyst crazyHow to drive a malware analyst crazy
How to drive a malware analyst crazy
 
44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy44CON London 2015 - How to drive a malware analyst crazy
44CON London 2015 - How to drive a malware analyst crazy
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 

Kürzlich hochgeladen (20)

A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 

Code Injection in Windows

  • 1. Code Injection on Windows RaashidBhat Kashmir Student Computer Security 2nd year BE http://Twitter.com/raashidbhatt!
  • 2. Agenda Why Inject Code? Ways to Inject Code Questions?
  • 3. Why inject Code? Trivially bypass anti-virus software To be stealthy Malware makes the heavy use of injection Stealing credentials (Post Form grabbers, HTML injection etc. .etc.) Etc. etc.
  • 4. Portable Executable(PE) Format File format for Windows executable Consists of Section having characteristics examples (.text, .bss,.data,.reloc , .debug) Imports and Exports by EXE file are stored in idata and rdata sections Texe 1.2 by Raashid Bhatt(PE Dumper) http://texe.codeplex.com Briefly Documented in <winnt.h>
  • 5. Code injection Technique #1 # PE File Infection
  • 6. PE File Infection Overwrite the .code section ( or any section convenient for infection ) Change the Entry Point of the Executable Save the registers , ESP, EBP etc Return to original EP by Either Push EP ; Ret Or JMP EP
  • 7. The bad News? Calling functions egLoadlibrary() , GetprocAddress() in kernel32.dll when ASLR(address space layout randomization) is enabled. (/Fixed:NO MSVC) Sections .data,.bss are usually marked as writable and readable
  • 8. Remedy Use PEB(Process Environment Block) to find kernel32.dll address PEB is located at FS[0x30] Consists heaps, binary information and loaded module information. Further Reading > The Last Stage of Delerium Win32 Assembly Components. http://www.lsd-pl.net/documents/winasm-1.0.1.pdf;
  • 9. Non-Executable Sections Sections .data,.bss.idata.edataetc are not executable as they are marked 0xC0000040 INITIALIZED_DATA|READ|WRITE Change >> PIMAGE_SECTION_HEADER-> Characteristics = IMAGE_SCN_CNT_CODE (documented in Winnt.h)
  • 10. Code injection Technique #2 # IAT Hooking
  • 11. IAT IAT(import address table) holds information regarding the DLL to be loaded by a PE file Functions are Linked either by a ordinal or by name. Stored in .idatasection of PE file. Define in struct _IMAGE_IMPORT_DESCRIPTOR <winnt.h>
  • 12. IAT hooking Used by botnets for Credential stealing (POST Form Grabbers, 0n-fly html Injection) Can be achieved by changing the name of the Dll inside the import address table(IAT) table to proxy Dll Activated when any function is called in org DLL
  • 13. Proxy Dll(user32.dll) dllmain(...) int WINAPI MessageBoxA(...){ user32.ldd_MessageBoxA(...); /* user code */ }. Example for user32.dll proxy dll
  • 14. Code injection Technique #3 # Runtime Code Injection
  • 15. CreateRemoteThread Windows has CreateRemoteThread() API According to MSDN “The CreateRemoteThread function creates a thread that runs in the virtual address space of another process” memory allocation in another process (possible) using VirtualAllocEx() API Foreign process memory read and write using WriteProcessMemory() & ReadProcessMemory()
  • 16. 1: DLL Loading DLL’s can be loaded in another process using CreateRemoteThread . Steps: 1: Allocate memory for the DLL name in the remote target process 2:Write the DLL name, including full path, to the allocated memory. 3:Mapping our DLL to the remote process via CreateRemoteThread & LoadLibrary
  • 17. pLibRemote= VirtualAllocEx(hProc, NULL, sizeof(szDllPath), MEM_COMMIT, PAGE_READWRITE ); bWriteCheck= WriteProcessMemory(hProc, pLibRemote, (void*)szDllPath, sizeof(szDllPath), NULL ); hThread = CreateRemoteThread( hProc,NULL,NULL,(LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32,"LoadLibraryA"),pLibRemote,NULL, NULL); Equivalent to LoadlibraryA(“Dll name”);
  • 18. 2:In memory Execution First Documented as “Reflective DLL Injection By Stephen Fewer” Harmony Security Implemented in MetasploitPlayload Involves Writing a Exe or dll file in the memory and executing from within Stealthy Execution
  • 19. 2:In memory Execution Implementing a minimal Portable Executable (PE) file loader. 1: Allocate Memory and Copy the file to memory 2:Parse the Import Address table of PE File and Perform Fixups 3:calculate the new base and Perform relocation (IMPORTANT) 4:JUMP to Entry point of The PE File
  • 20. Image Relocations Certain hardcoded addresses need to be fixed Int x; int *p = &x;(hardcoded into p) PE file Stores Relocation Entries in .reloc section .reloc section stores offsets to the addresses to be fixed
  • 21. Example of .reloc section 0x0001 --- DD (pointer) 0x0013 >> 0x0010 --- 0xdeadbeef 0x0011 --- 0xdeadbeef 0x0013 --- 0xdeadbeef ..reloc section RELOC TYPE (4BITS) OFFSET(12bits) RVA
  • 22. Thanks Questions?