Wednesday, 13 November 2013

Security: Process Injection & detouring

Hi,

I will be posting on how to inject into foreign processes then place a detour on specific API's, our example being MessageBoxA however this technique can be adapted to any API detour with slight change. Some useful API calls to detour would be:
- NtOpenProcess
- NtTerminateProcess
- NtQueryDirectoryFile
- NtQuerySystemInformation 

more exotic API's include:

- TurboDispatchJumpAddressStart
- KiFastSystemCall
- X86SwitchTo64BitMode
- Wow64SystemServiceEx
- CpuSimulate

As you may guess, there is again both malicious and positive purposes. It is always beneficial to understand these things, especially in case these task raise up.

The injection is modified slightly from the Mozilla Firefox post which was posted last month. I could have placed a detour directly on the API address using few easy workarounds however I simply created a entire thread which places the detour, just to show it as a Proof-Of-Concept code to newbie security analysts & security developers.

The code follows:

  • Open the process with flag set to PROCESS_ALL_ACCESS however this can be reduced to bare minimum
  • Create and fill a _CODE structure ready to be added as a parameter to our injected thread
  • Then allocate all the space needed for the processes which include - Thread, Parameter
  • Create the remote thread
The explanation above shows the procedure to inject code into foreign process but the thread performs something more or less the most important part of the program:
  • Use the _CODE structure then store the appropriate members in specific typedefs to be called
  • Calls MessageBoxA with parameters being set to those given from the _CODE structure
  • Finally patches MessageBoxA to redirect the control to a callback 
  • Additionally the thread also patches the callback to ensure the callback returns the control back to original 
Now I will elaborate on the job of the callback:
  • The callback reinstates the lost bytes of the original instructions 
  • Jumps back to original MessageBoxA  
  • Returns 
You would get a good idea on how it works, however for those who still have no clue here is the download:

Until Next Time,

2 comments: