đź’‰

Process Injection

Injection Methods

  1. Self Injection
    1. The malware allocates regions of memory within its own memory space and unpacks (deobfuscates/decrypts) the payload there
  1. Remote Process Injection
    1. The malware spawns a new process and injects the payload in that memory region

Remote Process Injection Methods

DLL Injection

  • Executes a malicious DLL inside a remote process
  • A DLL is a shared library that process use to call existing functions
  • By manipulating the order of loading of DLLs, the attacker can make a process load a DLL with malicious functions
APIs used
OpenProcess() VirtualAllocEx() WriteProcessMemory() LoadLibraryA() GetProcAddress() CreateRemoteThread() WaitForSingleObject()
Sample of how this works: the binary calls CreateToolhelp32Snapshot which returns a list of running processes
In one of the process, it opens the process and calls VirtualAllocEx to allocate a memory region within the process, and calls WriteProcessMemory and LoadLibraryA to load the malicious DLL. Finally it calls CreateRemoteThread to create a separate thread with the loaded malicious DLL
notion image
notion image
notion image

Reflected DLL

Injecting a DLL without ever touching the disk. This is different from the traditional DLL shown above where the malware has to write the malicious DLL to disk first before injecting it to a remote process.

PE Injection

  • Executes a binary/shellcode inside a remote process
  1. Allocates memory within a legitimate process
  1. Writes the malicious code in the allocated memory
  1. Executes code by calling CreateRemoteThread()
APIs used
OpenProcess() VirtualAllocEx() WriteProcessMemory() VirtualProtectEx() CreateRemoteThread() CreateProcessInternalW() WaitForSingleObject() NtWriteVirtualMemory() NtWriteVirtualMemory(ProcessHandle, DestBuffer, SrcBuffer, NumberOfBytesToWrite, NumberOfBytesWritten);
We see CreateProcessInternalW() creating a process mstsc.exe
notion image
Then we see NtWriteVirtualMemory(), but the size it’s writing is tiny, so it’s likely not the payload (0x20)
notion image
In another hit of NtWriteVirtualMemory(), we see it writing a larger size payload, which is likely the injection to the process. It writing a payload of size 0x7924 to memory address 0x8006C
notion image
We follow dump in 0x64A7C8 to view the source of what it’s writing, and click Follow in Diassembler to view the instructions of the payload
notion image
Look out for calls NtWriteVirtualMemory calls that write a jmp instruction to the target binary. It could mean that it’s messing with the entry point
Follow DWORD in current dump and we see an E9 which is a jmp. It’s writing this code to address 0x388530.
notion image
notion image
In the attached process, we attach to the newly spawned process and hit ctrl-g to go to address 0x388530 and set a breakpoint there
After the parent process calls resume thread, we should break on the child processes “real” entry point
notion image

Process Hollowing

  • Executes a process and then suspends it and overwrites the memory with malicious code and resumes
APIs used
CreateProcessA() # look for arguemnt to put it in a suspended state NtUnmapViewOfSection() VirtualAllocEx() ReadProcessMemory() WriteProcessMemory() VirtualProtectEx() GetThreadContext() SetThreadContext() ResumeThread()
The parameter 4 in CreateProcessA indicates that it’s creating a processes in a suspended state. This is an indicator of Process Hollowing
notion image
In the code below which does Process Hollowing:
  • Gets the processes context by running GetThreadContext on line 79
  • Unmap whatever is in the process by calling NtUnmapViewOfSection on line 97
  • Allocates a new region of memory within the process by calling VirtualAllocEx on line 106
  • Writes the payload into the allocated region of memory by calling WriteProcessMemory on line 119
  • Set the new context of the thread by calling SetThreadContext on line 243
  • Performs more writing of code to the allocated memory
  • Changes the RWX permissions by calling VirtualProtectEx on line 306
  • Resumes the thread by calling ResumeThread on line 317
notion image
notion image
notion image
notion image

Process Doppelganging

  • Opens a target executable for writing (on disk)
  • Overwrites the target executable with malicious content (on disk)
  • A section is created using the overwritten target executable (in memory)
  • The overwritten target executable is rolled back to its original state( on disk)
  • The section in memory is executed (in memory)
APIs used
NtCreateTransaction() CreateFileTransacted() WriteFile() NtCreateSection() NtRollbackTransaction() NtCreateProcessEx() NtCreateThreadEx()

EarlyBird/APC Injection

  1. Allocates memory within a process
  1. Writes shellcode to the allocated memory
  1. Calls QueueUserAPC() to point to the shellcode
  1. Shellcode executes when the process thread enters alertable state
APIs used
OpenProcess() VirtualAllocEx() WriteProcessMemory() CreateToolhelp32Snapshot() Thread32First() Thread32Next() OpenThread() QueueUserAPC()

API Hooking

  • Executes a target process
  • Allocates region of memory inside the target process
  • Writes malicious code to the allocated region
  • Executes code through the target process
notion image
APIs used
CreateProcessA() ZwAllocateVirtualMemory() ZwProtectVirtualMemory() ZwWriteVirtualMemory()

Propagate Injection

  1. Executes a process
  1. Allocates region in memory in the process for shell code
  1. Write shell code in the allocated memory region.
  1. Calls SetPropA() to modify the callback for UxSubclassInfo
  1. When the malware calls SendMessageA, WM_NOTIFY and WM_PAINT is sent to the target window, which causes the shellcode to execute
APIs used
OpenProcess() VirtualAllocEx() WriteProcessMemory FindWindowEx() GetDlgItem() GetProp() ReadProcessMemory() SetProp()