
Injection WinAPI

This is a note to easily set a breakpoint in the future.

Classic Process Injection

Inject a payload into an already running, legitimate process.

  • Obtain a handle to the target process
    • CreateToolhelp32Snapshot + Process32First/Process32Next to find the PID
    • OpenProcess to get a handle with the rights the later steps need (PROCESS_VM_OPERATION, PROCESS_VM_WRITE, PROCESS_CREATE_THREAD)
    • NtQuerySystemInformation as an alternative way to enumerate processes
  • Allocate new memory region at target process
    • VirtualAllocEx
    • NtAllocateVirtualMemory
  • Write payload into newly allocated memory
    • WriteProcessMemory
    • NtWriteVirtualMemory
  • Create new remote thread
    • CreateRemoteThread
    • NtCreateThreadEx

API calls

Kernel32.dll:

  • CreateToolhelp32Snapshot
  • Process32First
  • Process32Next
  • Thread32First
  • Thread32Next
  • OpenProcess
  • OpenThread
  • VirtualAllocEx
  • VirtualProtectEx
  • WriteProcessMemory
  • CreateRemoteThread

Ntdll.dll:

  • NtQuerySystemInformation
  • NtAllocateVirtualMemory
  • NtWriteVirtualMemory
  • NtCreateThreadEx

APC Code Injection

Early Bird

Target: a legitimate process whose threads enter an alertable wait (SleepEx(..., TRUE), WaitForSingleObjectEx/WaitForMultipleObjectsEx with bAlertable = TRUE, MsgWaitForMultipleObjectsEx), because a user-mode APC is only delivered when the thread does. The Early Bird variant removes that dependency: create the target with CREATE_SUSPENDED, queue the APC on its primary thread, then ResumeThread, so the APC runs during thread initialisation before the program's entry point is reached.

  • Find the process to inject the payload into
    • CreateToolhelp32Snapshot
    • NtQuerySystemInformation
  • Enumerate the threads of that process
    • Thread32First
    • Thread32Next
  • Allocate memory in that process
    • VirtualAllocEx
    • NtAllocateVirtualMemory
  • Write the payload into the allocated memory
    • WriteProcessMemory
    • NtWriteVirtualMemory
  • Queue an APC on every thread (OpenThread with THREAD_SET_CONTEXT for each one)
    • QueueUserAPC
    • NtQueueApcThread
  • The APC routine address is the address of the shellcode; it executes the next time one of those threads enters an alertable wait

Section Mapping

  • Create a new section object with RWX page protection (PAGE_EXECUTE_READWRITE, SEC_COMMIT)
    • NtCreateSection
  • Map a view of the section into the local (injector) process with RW protection
    • NtMapViewOfSection
  • Map a view of the same section into the target process with RX protection
    • NtMapViewOfSection
  • Write the payload into the local view; both views are backed by the same pages, so the bytes show up in the target's RX view without any WriteProcessMemory call
    • memcpy
  • Create a remote thread whose start address is the base of the view mapped into the target process
    • CreateRemoteThread
    • NtCreateThreadEx
    • RtlCreateUserThread

Module Stomping

  • Open the target process and obtain a handle to it
    • OpenProcess
    • NtOpenProcess
  • Load a legitimate, sacrificial module into the target process: write the DLL path into the target, then run LoadLibraryA on it from a remote thread
    • VirtualAllocEx
    • WriteProcessMemory
    • CreateRemoteThread (start address = LoadLibraryA, parameter = the remote path buffer)
  • Overwrite the loaded module's entry point (AddressOfEntryPoint, located via EnumProcessModules/ReadProcessMemory; VirtualProtectEx if the code page must be made writable first) with the payload, so the payload sits in an image-backed region that looks like a normally loaded DLL
    • WriteProcessMemory
  • Create a thread that executes the payload at the stomped entry point
    • CreateRemoteThread

API

  • Kernel32.dll:
    OpenProcess, ReadProcessMemory, WriteProcessMemory, VirtualAllocEx, VirtualProtectEx, CreateRemoteThread
  • Psapi.dll:
    EnumProcessModules, GetModuleFileNameEx
  • Ntdll.dll:
    NtAllocateVirtualMemory

Process Hollowing

  • Create the target process in suspended mode
    • CreateProcessA with CREATE_SUSPENDED
  • Get the image base address of the target process (PEB address from ProcessBasicInformation, then read PEB.ImageBaseAddress)
    • NtQueryInformationProcess
    • ReadProcessMemory
  • Hollow/unmap the target image
    • NtUnmapViewOfSection / ZwUnmapViewOfSection
  • Allocate new memory in the target process for the payload, ideally at the payload's preferred ImageBase (otherwise the payload's relocations must be applied and PEB.ImageBaseAddress patched to the new base with WriteProcessMemory)
    • VirtualAllocEx
  • Copy the payload's headers and every section into the allocated memory in the target process
    • WriteProcessMemory
  • Get the context of the target's primary thread
    • GetThreadContext
  • Set the payload's entry point in the register that holds it for the primary thread of a suspended process
    • EAX for x86 (EBX points to the PEB)
    • RCX for x64 (RDX points to the PEB)
  • Apply the context
    • SetThreadContext
  • Resume the primary thread of the target process
    • ResumeThread

API

  • Kernel32.dll:
    CreateProcessA, ReadProcessMemory, WriteProcessMemory, GetThreadContext, SetThreadContext, ResumeThread
  • Ntdll.dll:
    NtQueryInformationProcess, NtUnmapViewOfSection/ZwUnmapViewOfSection

Process Doppelganging

Doppelganging can be broken down into 4 steps:

  1. Transact: open a legitimate file inside an NTFS transaction and, within that transaction, overwrite it with the malicious payload
    • CreateTransaction
    • CreateFileTransactedA
    • WriteFile
  2. Load: create an image section from the transacted file, so the malicious code is loaded into a section object
    • NtCreateSection
  3. Rollback: roll the transaction back, i.e. remove the malicious code from the file so that nothing is left on disk; the section keeps it
    • RollbackTransaction
  4. Animate: bring the doppelganger to life by creating a process from the section created in step 2. The section holds the malicious code, which is never written to disk.
    • NtCreateProcessEx
    • NtCreateThreadEx

API

  • KtmW32.dll:
    CreateTransaction, RollbackTransaction
  • Kernel32.dll:
    CreateFileTransactedA, WriteFile
  • Ntdll.dll:
    NtCreateSection, NtCreateProcessEx, NtCreateThreadEx

Transacted Hollowing

  • Create NTFS transaction object
    • CreateTransaction
  • Open/Create target file for transaction
    • CreateFileTransactedA
  • Create an image section from transacted file
    • NtCreateSection
  • Roll back the transaction (the on-disk file is restored; the image section keeps the payload)
    • RollbackTransaction
  • Create a new target process in suspended mode
    • CreateProcessA
  • Map an image section into the target process
    • NtMapViewOfSection
  • Update entrypoint in target process with payload entrypoint
    • GetThreadContext
    • SetThreadContext
  • Update image base address at target process PEB with newly mapped image base address
    • NtQueryInformationProcess
    • WriteProcessMemory
  • Resume the thread
    • NtResumeThread

API

  • KtmW32.dll:
    CreateTransaction, RollbackTransaction (Win32 wrappers over the Nt calls below)
  • Kernel32.dll:
    CreateFileTransactedA/W, WriteFile, CreateProcessA/W, GetThreadContext, SetThreadContext, ResumeThread
  • Ntdll.dll:
    NtQueryInformationProcess, NtCreateTransaction, NtCreateSection, NtRollbackTransaction, NtMapViewOfSection, NtResumeThread

Process Herpaderping

  • Create a temp/decoy file
    • CreateFileA
  • Write the payload into that file (keep the file handle open after writing)
    • WriteFile
  • Create an image section from that file
    • NtCreateSection
  • Create a process from the newly created section
    • NtCreateProcessEx
  • Overwrite the temp file on disk (e.g. with a benign image) while the handle is still open; the process keeps running the payload from the pages the section already holds
    • SetFilePointer
    • WriteFile
  • Set up the process parameters
    • RtlCreateProcessParametersEx
  • Create the initial thread (this is when process-creation callbacks fire and a scanner inspects the backing file, which by now holds the benign content)
    • NtCreateThreadEx
  • Close the temp file handle
    • CloseHandle

API

  • Kernel32.dll:
    CreateFileA/W, WriteFile, SetFilePointer, CloseHandle
  • Ntdll.dll:
    NtOpenFile, NtSetInformationFile, NtCreateSection, NtCreateProcessEx, RtlCreateProcessParametersEx, NtCreateThreadEx

Process Ghosting

  • Open/create a new dummy file
    • CreateFileA
  • Put the file into a delete-pending state with NtSetInformationFile
    • FileDispositionInformation information class with DeleteFile = TRUE; from this point no one else can open the file
  • Write the payload buffer into the delete-pending file
    • WriteFile
  • Create an image section from the delete-pending file
    • NtCreateSection
  • Close the delete-pending file handle; the file is deleted on close, but the section and the pages it holds survive
    • CloseHandle
  • Create a process from the newly created image section
    • NtCreateProcessEx
  • Set up/fix the process parameters
    • RtlCreateProcessParametersEx
  • Create the initial thread
    • NtCreateThreadEx

API

  • Kernel32.dll:
    CreateFileA, WriteFile, CloseHandle
  • Ntdll.dll:
    NtOpenFile, NtSetInformationFile, NtCreateSection, NtCreateProcessEx, RtlCreateProcessParametersEx, NtCreateThreadEx

This post is licensed under CC BY 4.0 by the author.