Saturday, November 22, 2008

Code Injector

Two weeks ago I wrote an injector that demonstrates the code injection technique.
In the beginning the injector's purpose was to backdoor the SQL Server process;
I made some changes to make it more flexible.
Code Injector will be presented at a Korean annual information security convention by Raviv Raz during his demonstration of how web attacks lead to total compromise of the internal LAN via the corporate website.

So what have we got here?
Code Injector uses the same technique as the DLL injection shown in the previous post, but this time we won't release the written bytes, because they are now part of the target process and are being executed.

Code Injector - executable
Code Injector - source

CodeInjector -pn (process name) -s (shellcode)


Sunday, October 26, 2008

Dll Injection

Hi Everybody,
Welcome to my blog. The next posts will contain information, source code and projects that I found important to share. Hope you like it.

Let's get down to business :)

DLL injection has many uses; basically it's a simple way to intercept programs running in user mode (ring 3).
Malicious software will inject itself into system processes,
antivirus programs will intercept processes to detect malicious behavior,
and some kids will just pop up a message box in Notepad :)

So now I'll explain how it works:

When a new process is executed, before jumping to the process entry point, the Windows OS loader loads all modules described in the import table.
Those modules contain functionality the process needs;
for example, the CreateFile() function in kernel32.dll gives the ability to access (create or open) a file or I/O device.

One way to inject a module is to rewrite the import table of the executable; from then on, every time the executable is run, the Windows OS loader will load the injected module just like the executable's original imported modules. (This method affects processes that are not running yet.)

To inject a new module into a running process there is another method:
we need to cause the target process to call LoadLibrary(), passing the path of our injected module as a parameter.
Because the target process can access only its own memory space, we have to write the path of the injected module into the memory space of the running process.

After writing the injected module path, all we need to do is make the LoadLibrary() call happen in the target process. We use the function CreateRemoteThread(), which calls LoadLibrary() (in the target process) and passes the address of the path we just wrote into the target process.

I uploaded a DLL injector I wrote; it's a command-line utility that demonstrates "DLL Injection":

Duender's Dll Injector - Executable
Duender's Dll Injector - Source Files

Want to make your own DLL injector? These are the function calls you need to make, in the following order:
OpenProcess() - Get a handle to the target process
VirtualAllocEx() - Allocate memory in the target process for writing the injected module path
WriteProcessMemory() - Write the path of the injected module
CreateRemoteThread() - Call LoadLibrary in the target process with the path of the injected module

See you next time,
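Seen from the monitoring side, the call order listed above is also a detection signature. The following is an added example, not code from this blog or from either injector: it correlates a constructed API-call trace and separates the DLL injection pattern (remote thread starts at LoadLibrary with a parameter pointing at a path the caller wrote) from the Code Injector pattern (remote thread starts inside the written bytes). The trace tuple layout, the `kernel32!LoadLibraryA` symbol strings, and all PIDs, addresses and paths are assumptions made for the illustration.

```python
from collections import defaultdict
# Constructed API-call trace; the tuple layout (caller_pid, api, target_pid, args)
# is an assumed telemetry format, and all PIDs, addresses and paths are made up.
SAMPLE_TRACE = [
    (4120, "OpenProcess", 1888, {}),
    (4120, "VirtualAllocEx", 1888, {"base": 0x2A0000, "size": 0x1000}),
    (4120, "WriteProcessMemory", 1888, {"base": 0x2A0000, "data": b"C:\\temp\\hook.dll\x00"}),
    (4120, "CreateRemoteThread", 1888, {"start": "kernel32!LoadLibraryA", "param": 0x2A0000}),
    (5300, "OpenProcess", 1432, {}),
    (5300, "VirtualAllocEx", 1432, {"base": 0x3B0000, "size": 0x1000}),
    (5300, "WriteProcessMemory", 1432, {"base": 0x3B0000, "data": b"\xcc" * 32}),  # placeholder bytes
    (5300, "CreateRemoteThread", 1432, {"start": 0x3B0000, "param": 0}),
    (6000, "OpenProcess", 700, {}),  # handle only, nothing written: must not alert
]
LOADLIBRARY = {"kernel32!LoadLibraryA", "kernel32!LoadLibraryW"}

def find_region(regions, addr):
    for base, data in regions:  # regions: [(base, data)] written by the caller
        if isinstance(addr, int) and base <= addr < base + len(data):
            return base, data
    return None

def detect_injection(trace):
    """Correlate alloc -> write -> remote thread per (caller, target) pair."""
    allocs = defaultdict(list)  # (caller, target) -> [(base, size)]
    writes = defaultdict(list)  # (caller, target) -> [(base, data)]
    alerts = []
    for caller, api, target, args in trace:
        key = (caller, target)
        if caller == target:
            continue  # a process working on its own memory is out of scope
        if api == "VirtualAllocEx":
            allocs[key].append((args["base"], args["size"]))
        elif api == "WriteProcessMemory":
            # Count only writes into memory this caller allocated in the target.
            if any(b <= args["base"] < b + s for b, s in allocs[key]):
                writes[key].append((args["base"], args["data"]))
        elif api == "CreateRemoteThread":
            start, param = args["start"], args["param"]
            hit = find_region(writes[key], param) if start in LOADLIBRARY else None
            if hit:  # thread = LoadLibrary(path the caller wrote): DLL injection
                enc = "utf-16-le" if start.endswith("W") else "ascii"
                path = hit[1][param - hit[0]:].decode(enc, "replace").split("\x00")[0]
                alerts.append((caller, target, "dll-injection", path))
            elif find_region(writes[key], start):  # thread starts inside written bytes
                alerts.append((caller, target, "code-injection", hex(start)))
    return alerts

print(detect_injection(SAMPLE_TRACE))
```

Each alert is a tuple of caller PID, target PID, pattern name, and either the recovered module path or the thread start address.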