Sample of how this works: the binary calls CreateToolhelp32Snapshot which returns a list of running processes
In one of the process, it opens the process and calls VirtualAllocEx to allocate a memory region within the process, and calls WriteProcessMemory and LoadLibraryA to load the malicious DLL. Finally it calls CreateRemoteThread to create a separate thread with the loaded malicious DLL
Reflected DLL
Injecting a DLL without ever touching the disk. This is different from the traditional DLL shown above where the malware has to write the malicious DLL to disk first before injecting it to a remote process.
PE Injection
Executes a binary/shellcode inside a remote process
We see CreateProcessInternalW() creating a process mstsc.exe
Then we see NtWriteVirtualMemory(), but the size it’s writing is tiny, so it’s likely not the payload (0x20)
In another hit of NtWriteVirtualMemory(), we see it writing a larger size payload, which is likely the injection to the process. It writing a payload of size 0x7924 to memory address 0x8006C
We follow dump in 0x64A7C8 to view the source of what it’s writing, and click Follow in Diassembler to view the instructions of the payload
Look out for calls NtWriteVirtualMemory calls that write a jmp instruction to the target binary. It could mean that it’s messing with the entry point
Follow DWORD in current dump and we see an E9 which is a jmp. It’s writing this code to address 0x388530.
In the attached process, we attach to the newly spawned process and hit ctrl-g to go to address 0x388530 and set a breakpoint there
After the parent process calls resume thread, we should break on the child processes “real” entry point
Process Hollowing
Executes a process and then suspends it and overwrites the memory with malicious code and resumes
APIs used
CreateProcessA() # look for arguemnt to put it in a suspended state
NtUnmapViewOfSection()
VirtualAllocEx()
ReadProcessMemory()
WriteProcessMemory()
VirtualProtectEx()
GetThreadContext()
SetThreadContext()
ResumeThread()
The parameter 4 in CreateProcessA indicates that it’s creating a processes in a suspended state. This is an indicator of Process Hollowing
In the code below which does Process Hollowing:
Gets the processes context by running GetThreadContext on line 79
Unmap whatever is in the process by calling NtUnmapViewOfSection on line 97
Allocates a new region of memory within the process by calling VirtualAllocEx on line 106
Writes the payload into the allocated region of memory by calling WriteProcessMemory on line 119
Set the new context of the thread by calling SetThreadContext on line 243
Performs more writing of code to the allocated memory
Changes the RWX permissions by calling VirtualProtectEx on line 306
Resumes the thread by calling ResumeThread on line 317
Process Doppelganging
Opens a target executable for writing (on disk)
Overwrites the target executable with malicious content (on disk)
A section is created using the overwritten target executable (in memory)
The overwritten target executable is rolled back to its original state( on disk)