#+title: Malware Injection

Table of Contents

1. Seminar

2. Could you please run my code?

The difference between a reverse engineer and a malware reverse engineer is that the first tries to understand how every bit of the product under analysis works; when reversing malware it is not enough to know the single parts of the problem, it is fundamental to understand why each action is performed, the reasons behind the malware's behaviour.

MZ stands for Mark Zbikowski, the designer of the original DOS executable format whose header every PE file still begins with. Right after the e_lfanew field (the pointer to the PE header) come the bytes of the DOS stub: a small piece of 16-bit assembly that prints "This program cannot be run in DOS mode", moves the constant 0x4C01 into AX and calls INT 21h, i.e. it exits with exit code 1.

That is because a system that does not understand the PE format, such as real-mode DOS, only sees the MZ header and falls back to running the stub.

2.1. Injection techniques

Injection techniques are used to run the payload under a legitimate process, which makes it harder to spot. The focus is on x64 code, executed on Windows 10, that can be applied without elevation of privileges (the target must be a process the current user is allowed to open, i.e. one running as the same user at the same or a lower integrity level).

2.2. Who’s Watching

Control Flow Guard (CFG) is a protection mechanism against exploitation. It is applied at compile time (transparent for the programmer): every indirect call is instrumented with a call to the guard check function (__guard_check_icall), which looks the target up in a bitmap of valid call targets. The check is enforced at runtime through ntdll, with the kernel maintaining the bitmap. During PE hollowing or process hollowing, the code written over the text area is not registered in the bitmap, so the first indirect call into it trips CFG.

Dynamic Code Prevention (the ProcessDynamicCodePolicy mitigation, also known as Arbitrary Code Guard) prevents the process from allocating memory with the execute flag and from changing the protection of existing pages to executable.

Code Integrity Guard checks that only DLLs signed with a Microsoft certificate are loaded.

The Extension Point Disable Policy disables the legacy extension points (AppInit DLLs, window hooks, input method editors) through which other DLLs can be loaded into the process memory.

2.3. How the loader works

The loader is the piece of code that loads a binary in memory and gets it running. It is implemented partly in the kernel and partly in user mode (kernel32.dll and ntdll.dll). Simplifying: the loader allocates and populates the process structures in kernel space, creates a virtual address space for the new process, maps the PE from disk into memory trying to load the image at its preferred base address (ImageBase), maps each section at BaseAddress + section RVA, sets the section attributes (memory protections), and finally performs relocation if it was not possible to map the PE at its preferred address (during injection it is common to have to relocate).

Then the loader walks the import table (IAT): it locates each imported DLL following the search order, where the first match wins, and maps it into the process address space; the procedure is recursive, since every loaded DLL has imports of its own.

2.3.1. Relocation

There are four relocation types in the original 32-bit scheme; each entry in a relocation block is 16 bits, the high 4 bits giving the type and the low 12 bits the offset inside the block's 4 KB page:

  • Absolute: no effect (used as padding to align the block)
  • High: add the high 16 bits of the delta
  • Low: add the low 16 bits of the delta
  • HighLow: add the full 32-bit delta

Here the delta is the actual base minus the preferred ImageBase. x64 images use a fifth type, Dir64 (type 10), which adds the 64-bit delta to a full pointer; on x64 practically every entry is Dir64 or Absolute.
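What the loader does with the image, mapping every section at base + RVA and walking the relocation table, as an added example in C (it is not code from the original notes or from any tool they mention). It runs against a small PE32+ image constructed in memory, so the header structures are declared inline with the same layout as winnt.h; the sample image, its RVAs and the alternative base 0x7ff600000000 are all made up for the example. The same mapping and relocation steps are what a reflective loader (section 2.6) has to reproduce by hand after copying its DLL into the victim.

```c
/* Toy PE32+ loader: check the MZ/PE headers, map each section at base + RVA and
 * apply base relocations when the image cannot sit at its preferred ImageBase.
 * Input is a minimal PE image constructed in memory (no DOS stub, no imports). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#pragma pack(push, 1)                              /* field layout as in winnt.h */
typedef struct { uint16_t e_magic; uint8_t e_rest[58]; uint32_t e_lfanew; } dos_hdr_t;
typedef struct { uint16_t Machine, NumberOfSections; uint32_t Stamp, SymPtr, NumSyms;
                 uint16_t SizeOfOptionalHeader, Characteristics; } file_hdr_t;
typedef struct { uint32_t VirtualAddress, Size; } data_dir_t;
typedef struct { uint16_t Magic; uint8_t LinkMaj, LinkMin; uint32_t Sizes[5]; uint64_t ImageBase;
                 uint32_t SectionAlignment, FileAlignment; uint16_t Versions[6];
                 uint32_t Win32Ver, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllChars;
                 uint64_t StackHeap[4]; uint32_t LoaderFlags, NumberOfRvaAndSizes;
                 data_dir_t DataDirectory[16]; } opt_hdr64_t;
typedef struct { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData;
                 uint8_t Rest[16]; } section_hdr_t;
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } reloc_block_t;
#pragma pack(pop)
enum { REL_ABSOLUTE = 0, REL_HIGHLOW = 3, REL_DIR64 = 10, DIR_BASERELOC = 5 };

/* Image of `file` as mapped at `new_base`; NULL on any malformed header (fail closed). */
static uint8_t *map_and_relocate(const uint8_t *file, size_t len, uint64_t new_base, size_t *img_len)
{
    const dos_hdr_t *dos = (const dos_hdr_t *)file;                       /* "MZ", then e_lfanew -> "PE\0\0" */
    if (len < sizeof *dos || dos->e_magic != 0x5A4D) return NULL;
    uint64_t pe = dos->e_lfanew;
    if (pe + 4 + sizeof(file_hdr_t) + sizeof(opt_hdr64_t) > len || memcmp(file + pe, "PE\0\0", 4)) return NULL;
    const file_hdr_t *fh = (const file_hdr_t *)(file + pe + 4);
    const opt_hdr64_t *oh = (const opt_hdr64_t *)(fh + 1);
    if (oh->Magic != 0x20B || oh->SizeOfHeaders > oh->SizeOfImage) return NULL; /* PE32+ only */
    const section_hdr_t *sec = (const section_hdr_t *)((const uint8_t *)oh + fh->SizeOfOptionalHeader);
    if ((const uint8_t *)(sec + fh->NumberOfSections) > file + len) return NULL;
    uint8_t *img = calloc(oh->SizeOfImage, 1); if (!img) return NULL;
    memcpy(img, file, oh->SizeOfHeaders < len ? oh->SizeOfHeaders : len);
    for (unsigned i = 0; i < fh->NumberOfSections; i++) {                /* section -> base + RVA */
        if ((uint64_t)sec[i].PointerToRawData + sec[i].SizeOfRawData > len ||
            (uint64_t)sec[i].VirtualAddress + sec[i].SizeOfRawData > oh->SizeOfImage) goto bad;
        memcpy(img + sec[i].VirtualAddress, file + sec[i].PointerToRawData, sec[i].SizeOfRawData);
    }
    uint64_t delta = new_base - oh->ImageBase;                             /* 0: preferred base obtained */
    data_dir_t dir = oh->DataDirectory[DIR_BASERELOC];
    if (dir.Size && (uint64_t)dir.VirtualAddress + dir.Size > oh->SizeOfImage) goto bad;
    for (uint32_t off = 0; delta && off + sizeof(reloc_block_t) <= dir.Size; ) {
        const reloc_block_t *blk = (const reloc_block_t *)(img + dir.VirtualAddress + off);
        if (blk->SizeOfBlock < sizeof *blk || off + blk->SizeOfBlock > dir.Size) goto bad;
        const uint16_t *ent = (const uint16_t *)(blk + 1);                 /* entry = type:4 | offset:12 */
        for (size_t n = (blk->SizeOfBlock - sizeof *blk) / 2, k = 0; k < n; k++) {
            uint64_t rva = (uint64_t)blk->VirtualAddress + (ent[k] & 0xFFF);
            if (rva + 8 > oh->SizeOfImage) goto bad;
            uint8_t *p = img + rva;
            switch (ent[k] >> 12) {
            case REL_ABSOLUTE: break;                                       /* padding: no effect */
            case REL_HIGHLOW: { uint32_t v; memcpy(&v, p, 4); v += (uint32_t)delta; memcpy(p, &v, 4); break; }
            case REL_DIR64:   { uint64_t v; memcpy(&v, p, 8); v += delta;           memcpy(p, &v, 8); break; }
            default: goto bad;                                              /* HIGH/LOW: not emitted for x64 */
            }
        }
        off += blk->SizeOfBlock;
    }
    *img_len = oh->SizeOfImage;
    return img;
bad: free(img); return NULL;
}

#define SAMPLE_BASE 0x140000000ULL
/* Constructed sample, not a real file: .text at RVA 0x1000 holds one absolute pointer at
 * RVA 0x1010 targeting RVA 0x1020; .reloc at RVA 0x2000 has a DIR64 entry for it plus one
 * ABSOLUTE padding entry. corrupt_magic breaks the "MZ" signature to exercise rejection. */
static uint8_t *build_sample_pe(size_t *len, int corrupt_magic)
{
    uint8_t *f = calloc(*len = 0x600, 1);
    dos_hdr_t *dos = (dos_hdr_t *)f;
    dos->e_magic = corrupt_magic ? 0x5858 : 0x5A4D; dos->e_lfanew = 0x40;
    memcpy(f + 0x40, "PE\0\0", 4);
    file_hdr_t *fh = (file_hdr_t *)(f + 0x44);
    fh->Machine = 0x8664; fh->NumberOfSections = 2; fh->SizeOfOptionalHeader = sizeof(opt_hdr64_t);
    opt_hdr64_t *oh = (opt_hdr64_t *)(fh + 1);
    oh->Magic = 0x20B; oh->ImageBase = SAMPLE_BASE; oh->SectionAlignment = 0x1000; oh->FileAlignment = 0x200;
    oh->SizeOfImage = 0x3000; oh->SizeOfHeaders = 0x200; oh->NumberOfRvaAndSizes = 16;
    oh->DataDirectory[DIR_BASERELOC] = (data_dir_t){ 0x2000, 12 };
    section_hdr_t *sec = (section_hdr_t *)(oh + 1);
    sec[0] = (section_hdr_t){ ".text",  0x200, 0x1000, 0x200, 0x200 };    /* raw 0x200 -> RVA 0x1000 */
    sec[1] = (section_hdr_t){ ".reloc", 0x200, 0x2000, 0x200, 0x400 };    /* raw 0x400 -> RVA 0x2000 */
    uint64_t target = SAMPLE_BASE + 0x1020; memcpy(f + 0x210, &target, 8);
    *(reloc_block_t *)(f + 0x400) = (reloc_block_t){ 0x1000, 12 };
    uint16_t ent[2] = { (REL_DIR64 << 12) | 0x10, (REL_ABSOLUTE << 12) | 0 };
    memcpy(f + 0x408, ent, sizeof ent);
    return f;
}

/* Load the sample at `new_base` and read the relocated pointer back; 0 if the loader refused it. */
static uint64_t load_sample(uint64_t new_base, int corrupt_magic)
{
    size_t flen, ilen = 0; uint64_t v = 0;
    uint8_t *f = build_sample_pe(&flen, corrupt_magic), *img = map_and_relocate(f, flen, new_base, &ilen);
    if (img) memcpy(&v, img + 0x1010, 8);
    free(f); free(img);
    return v;
}
```

load_sample(new_base, 0) returns the pointer stored at RVA 0x1010 once the image has been mapped at new_base: 0x140001020 at the preferred base (delta 0, the relocation loop never runs) and 0x7ff600001020 after relocation to 0x7ff600000000. Every header field is bounds-checked before it is used, so a truncated or corrupted payload is refused instead of being partially mapped, which is the behaviour an injector wants when the payload comes from an untrusted channel.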

2.4. DLL Injection

The idea is that the malware process allocates space in the target process, writes there the path of a DLL that is on disk, and creates a thread in the victim that calls LoadLibrary on that path, so the DLL runs inside the victim. When a function is resolved with GetProcAddress a typedef with the function's signature is needed in order to call it.

2.5. PE Injection

The idea is that the malware creates a new section in the victim containing its own image and runs it. Injection can be divided in three main steps: allocate, copy, run. See injectAllTheThings on GitHub for implementations of the techniques in this section.

2.6. Reflective DLL Injection

In this case the malware process injects a DLL that has an export called ReflectiveLoader(): inside it there is position-independent code (pure shellcode) that resolves the few APIs it needs, allocates another buffer inside the victim process, copies the DLL image there section by section, applies the relocations for the new base, and finally calls DllMain(), the malware's entry point. All the sections are mapped R/W/X.

GetProcAddress and LoadLibrary are the two APIs needed to process the imports of the payload; the reflective loader has to resolve them itself, since nothing else has loaded the DLL for it.


Author: Andrea Ercolino

Created: 2022-12-12 Mon 12:10