By:
November 09, 2012
Introduction
Code injection is a process of injecting executable code in a running process or static executable. Executable code in web applications can be injected by exploiting them with XSS (cross site scripting), LFI (local file inclusion), or remote file inclusion vulnerabilities (RFI). On the other hand, code can be injected in an executable using the following methods:
1: Code injection using CreateRemoteThread API.
2: PE file infection.
Code injection is mainly used when we exploit a vulnerability leading to process flow hijacking, when we supply executable code as a buffer called a shellcode.
Code injection techniques are mainly used to achieve stealth in memory execution, create trojan horses, process migration in post-exploitation (as seen in Metasploit), and for dynamic binary instrumentation and profiling.
I will use a diagram to illustrate code injection in a running process. This diagram illustrates the injection of code in a foreign process, having process id as X. We are able to inject our code in that process without leaving any traces.
In the C code given below, we will use createRemoteThread api to inject a dll (dynamic link library) into a running process.
Then perform the following steps:
1: Firstly we get the dll name and the process pid (PID)
2: Open the process of specified process id (pID)
3: Allocate some memory in the remote process by using VirtualAllocEx
4: Store the name of the dll to be injected in that allocated memory
5: Retrieve the address of LoadLibraryA in kernel32.dll
6: Create a remote thread at LoadLibrary location in kernnel32.dll and pass dll name as an argument to the thread.
At this point, the thread actually starts at LoadLibraryA in kernel32.dll, with the parameter as the dll name:
LoadLibrary(“dll name”);
which loads the specified DLL in the address space of the foreign process. Let’s now create a sample Dll named as sample.dll and we will inject it in the process with notepad.exe:
This sample code pops out a messsage box saying “Hello world!” when the dll is injected in the remote process.
Using the following command we will be able to determine the process id of notepad.exe:
tasklist | find “notepad.exe”
which gives us the following output:
notepad.exe 1028 Console 1 6,612 K
So from that we are able to determine the process id of notepad.exe; for now it is 1028. Now we will execute our program with parameter as PID of notepad.exe to inject x.dll in the address space of notepad.exe:
the process in a debugger, then checking out the dll’s loaded by the process. In this case we will use immunity debugger.
But the disadvantage of this technique is the dll injected is visible in the address space of the executable, and in fact it’s not a stealthy way of injecting code. Moreover the dll to be injected has to be present on the local path of the victim.
To achieve a stealthy code injection, we will use a Metasploit shell code as a thread function.
Portable Executable File Infection
An executable file under Windows is known as a portable executable. Portable executable (PE) is the file format for an executable under Windows operating systems. A portable executable file consists of headers and sections. Sections are are memory regions which may be either code, data or other important data structures, for example import address table, export address table or relocate table.
These special sections consist certain information for an executable to run. For example, import address table (IAT) consists of information regarding the dll and functions used from those particular dll’s. In the same way, the export address table consists of information related to the function exported by the executable, which is in case of dll’s.
The figure given below is a typical layout of the portable executable format:
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file sample.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
2 number of sections
0 time date stamp Thu Jan 01 05:30:00 1970
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
30F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
Debug information stripped
OPTIONAL HEADER VALUES
10B magic # (PE32)
6.00 linker version
0 size of code
0 size of initialized data
0 size of uninitialized data
1040 entry point (00401040)
1000 base of code
2000 base of data
400000 image base (00400000 to 00402FFF)
1000 section alignment
200 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
3000 size of image
200 size of headers
0 checksum
3 subsystem (Windows CUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
2180 [ 28] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
21A8 [ 14] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
D8 virtual size
1000 virtual address (00401000 to 004010D7)
200 size of raw data
200 file pointer to raw data (00000200 to 000003FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
and so on. You can see in the above output given, Dumpbin provides the information about the PE (portable executable) in a similar way as Texe.
Now here we only interested in certain fields in a portable executable file, like base of code, no of section.
In this type of code injection technique, we will try to infect an already existing portable executable file.
This technique makes use of the junk bytes allocated by the compiler at the end of the code section to make it align to a certain boundary, and later on changes the AddressOfEntryPoint of the PE to offset the injected code.
Source:
Introduction
Code injection is a process of injecting executable code in a running process or static executable. Executable code in web applications can be injected by exploiting them with XSS (cross site scripting), LFI (local file inclusion), or remote file inclusion vulnerabilities (RFI). On the other hand, code can be injected in an executable using the following methods:
1: Code injection using CreateRemoteThread API.
2: PE file infection.
Code injection is mainly used when we exploit a vulnerability leading to process flow hijacking, when we supply executable code as a buffer called a shellcode.
Code injection techniques are mainly used to achieve stealth in memory execution, create trojan horses, process migration in post-exploitation (as seen in Metasploit), and for dynamic binary instrumentation and profiling.
I will use a diagram to illustrate code injection in a running process. This diagram illustrates the injection of code in a foreign process, having process id as X. We are able to inject our code in that process without leaving any traces.
In the C code given below, we will use createRemoteThread api to inject a dll (dynamic link library) into a running process.
Then perform the following steps:
1: Firstly we get the dll name and the process pid (PID)
2: Open the process of specified process id (pID)
3: Allocate some memory in the remote process by using VirtualAllocEx
4: Store the name of the dll to be injected in that allocated memory
5: Retrieve the address of LoadLibraryA in kernel32.dll
6: Create a remote thread at LoadLibrary location in kernnel32.dll and pass dll name as an argument to the thread.
At this point, the thread actually starts at LoadLibraryA in kernel32.dll, with the parameter as the dll name:
LoadLibrary(“dll name”);
which loads the specified DLL in the address space of the foreign process. Let’s now create a sample Dll named as sample.dll and we will inject it in the process with notepad.exe:
This sample code pops out a messsage box saying “Hello world!” when the dll is injected in the remote process.
Using the following command we will be able to determine the process id of notepad.exe:
tasklist | find “notepad.exe”
which gives us the following output:
notepad.exe 1028 Console 1 6,612 K
So from that we are able to determine the process id of notepad.exe; for now it is 1028. Now we will execute our program with parameter as PID of notepad.exe to inject x.dll in the address space of notepad.exe:
the process in a debugger, then checking out the dll’s loaded by the process. In this case we will use immunity debugger.
But the disadvantage of this technique is the dll injected is visible in the address space of the executable, and in fact it’s not a stealthy way of injecting code. Moreover the dll to be injected has to be present on the local path of the victim.
To achieve a stealthy code injection, we will use a Metasploit shell code as a thread function.
Portable Executable File Infection
An executable file under Windows is known as a portable executable. Portable executable (PE) is the file format for an executable under Windows operating systems. A portable executable file consists of headers and sections. Sections are are memory regions which may be either code, data or other important data structures, for example import address table, export address table or relocate table.
These special sections consist certain information for an executable to run. For example, import address table (IAT) consists of information regarding the dll and functions used from those particular dll’s. In the same way, the export address table consists of information related to the function exported by the executable, which is in case of dll’s.
The figure given below is a typical layout of the portable executable format:
Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file sample.exe
PE signature found
File Type: EXECUTABLE IMAGE
FILE HEADER VALUES
14C machine (x86)
2 number of sections
0 time date stamp Thu Jan 01 05:30:00 1970
0 file pointer to symbol table
0 number of symbols
E0 size of optional header
30F characteristics
Relocations stripped
Executable
Line numbers stripped
Symbols stripped
32 bit word machine
Debug information stripped
OPTIONAL HEADER VALUES
10B magic # (PE32)
6.00 linker version
0 size of code
0 size of initialized data
0 size of uninitialized data
1040 entry point (00401040)
1000 base of code
2000 base of data
400000 image base (00400000 to 00402FFF)
1000 section alignment
200 file alignment
4.00 operating system version
0.00 image version
4.00 subsystem version
0 Win32 version
3000 size of image
200 size of headers
0 checksum
3 subsystem (Windows CUI)
0 DLL characteristics
100000 size of stack reserve
1000 size of stack commit
100000 size of heap reserve
1000 size of heap commit
0 loader flags
10 number of directories
0 [ 0] RVA [size] of Export Directory
2180 [ 28] RVA [size] of Import Directory
0 [ 0] RVA [size] of Resource Directory
0 [ 0] RVA [size] of Exception Directory
0 [ 0] RVA [size] of Certificates Directory
0 [ 0] RVA [size] of Base Relocation Directory
0 [ 0] RVA [size] of Debug Directory
0 [ 0] RVA [size] of Architecture Directory
0 [ 0] RVA [size] of Global Pointer Directory
0 [ 0] RVA [size] of Thread Storage Directory
0 [ 0] RVA [size] of Load Configuration Directory
0 [ 0] RVA [size] of Bound Import Directory
21A8 [ 14] RVA [size] of Import Address Table Directory
0 [ 0] RVA [size] of Delay Import Directory
0 [ 0] RVA [size] of COM Descriptor Directory
0 [ 0] RVA [size] of Reserved Directory
SECTION HEADER #1
.text name
D8 virtual size
1000 virtual address (00401000 to 004010D7)
200 size of raw data
200 file pointer to raw data (00000200 to 000003FF)
0 file pointer to relocation table
0 file pointer to line numbers
0 number of relocations
0 number of line numbers
60000020 flags
Code
Execute Read
and so on. You can see in the above output given, Dumpbin provides the information about the PE (portable executable) in a similar way as Texe.
Now here we only interested in certain fields in a portable executable file, like base of code, no of section.
In this type of code injection technique, we will try to infect an already existing portable executable file.
This technique makes use of the junk bytes allocated by the compiler at the end of the code section to make it align to a certain boundary, and later on changes the AddressOfEntryPoint of the PE to offset the injected code.
Source:
Verified & Trusted WesternUnion | MoneyGram | Bank - Transferring [299$ BTC for 2000$ WU]
Verified & Trusted Electronics Carding, Carding iPhone, Samsung Carding, MacBook Carding, Laptops Carding