Upload Dll of Antiviruses and Forensic Github

Note: all the code examples tin be institute on my Github profile under visual-studio-projects accessible here: https://github.com/proteansec .

In this tutorial, we'll talk about how to inject a custom DLL into the process's address space by using the CreateRemoteThread function call. The CreateRemoteThread function creates a thread in the virtual address space of an arbitrary procedure. Let'south take a look at the parameters we must pass to the functions, which nosotros can run across on the picture below (the flick was taken from [1]):

It'south immediately clear that we must pass a value in the first six parameters, but the function writes some value into the last parameter. Permit's describe the parameters a petty bit more [1]:

• hProcess: handle to the procedure where we'll create a new thread
• lpThreadAttributes: a pointer to the SECURITY_ATTRIBUTES construction, which specifies the security attributes of the new thread: if Aught, the thread volition have default security attributes and the handle cannot be inherited by the child process
• dwStackSize: initial size of the stack
• lpStartAddress: a arrow to the LPTHREAD_START_ROUTINE, which is a function that volition be executed by the new thread. It's needless to say that the function must exists in the remote process.
• lpParameter: a pointer to a variable to exist passed to the thread function
• dwCreationFlags : a value that controls the creation of the thread
• lpThreadId: a pointer to a variable that receives the thread ID

If the function succeeds, the returned value is a handle to the new thread. Otherwise, the function returns Goose egg.

Nosotros've just seen that the CreateRemoteThread function can be used to kickoff a new thread in the address space of some process.

Now it's time to present the whole process we'll be using to inject a DLL into the procedure' address space. To get a clear indication of what we're going to practice, take a await at the motion-picture show below, where the process we'll be injecting a DLL into is marked with purple color and has a name victim.exe. But, in that location are ii other pieces of the puzzle nosotros need to clarify. First, we need to establish that if nosotros desire to inject a DLL into some procedure, we must first take the DLL we would similar to inject. The DLL is presented with the dark-green color and has a proper name inject.dll. But we must also have a program that will do the injection of the DLL into the victim's address space. That program is presented in blue and has a proper name program.exe.

The plan.exe must call the presented functions sequentially in lodge to be able to inject a DLL into the victim'south address space. First, it must call OpenProcess to get a handle to the victim'due south process. Afterwards it must call GetProcAddress function to get the address of the LoadLibraryA function inside the kernel32.dll library; hither nosotros can run any office nosotros like, but it must be present in a DLL, which is already loaded in the process'southward address space. We know that every program uses kernel32.dll library, so the best style to inject a DLL into the process'due south address infinite is looking for the LoadLibraryA role and calling that. In order for our DLL to be loaded, we must pass a DLL path to the LoadLibraryA role, simply the proper noun needs to exist stored somewhere inside the processes address space. Apparently, it's highly unlikely for the path to our DLL to already be present somewhere in the process's address space, which is why we need the side by side two functions: VirtualAllocEx and WriteProcessMemory. The kickoff office allocates a new memory range inside the process's address space. The size of that retentiveness region needs to exist only every bit big to fit the proper name of the DLL within it; unremarkably the size is rounded upwards to occupy at least ane page. The WriteProcessMemory is the function that actually writes the path of our DLL to the victim'due south address infinite. At last, the CreateRemoteThread is called that calls the LoadLibraryA function inside the victim's accost space to inject a DLL into it.

Creating the inject.dll

The start step when injecting the DLL into some process'south address space is creating the DLL itself. Nosotros won't go into the details on how to do that, since it'south pretty much self-explanatory. We need to start a new project inside Visual Studio and select DLL when creating it. Later that, we can modify the dllmain.c source code into something that looks like the post-obit:

[cpp]
#include "stdafx.h"
#include <stdio.h>
#include <windows.h>

INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved) {
/* open file */
FILE *file;
fopen_s(&file, "C:temp.txt", "a+");

switch(Reason) {
case DLL_PROCESS_ATTACH:
fprintf(file, "DLL attach part called.n");
break;
case DLL_PROCESS_DETACH:
fprintf(file, "DLL detach function chosen.n");
break;
case DLL_THREAD_ATTACH:
fprintf(file, "DLL thread attach office called.n");
suspension;
case DLL_THREAD_DETACH:
fprintf(file, "DLL thread detach function called.northward");
break;
}

/* close file */
fclose(file);

return TRUE;
}
[/cpp]

We tin see that we have a pretty uncomplicated DLL. The DllMain() function is called when the DLL is loaded into the process's address space. Upon that, one of the four letters is written to the C:temp.txt file based on the reason why the role was called.

Creating the plan.exe

In this section of the commodity, we'll take a look at all the functions we'll be using when injecting a DLL into the process'south accost infinite. Let'southward first nowadays a complete source code of the program we'll exist using, which can exist seen below:

[cpp]
#include "stdafx.h"
#include <Windows.h>
#include <stdio.h>

int _tmain(int argc, _TCHAR* argv[]) {
char* buffer = "C:driversdllinject.dll";

/*
* Get process handle passing in the process ID.
*/
int procID = 1056;
HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, Imitation, procID);
if(process == Nothing) {
printf("Error: the specified process couldn't be establish.n");
}

/*
* Become address of the LoadLibrary function.
*/
LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
if(addr == Cipher) {
printf("Error: the LoadLibraryA function was non plant inside kernel32.dll library.due north");
}

/*
* Allocate new memory region inside the procedure's accost space.
*/
LPVOID arg = (LPVOID)VirtualAllocEx(process, NULL, strlen(buffer), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if(arg == Null) {
printf("Error: the memory could not be allocated inside the chosen process.north");
}

/*
* Write the argument to LoadLibraryA to the process'southward newly allocated retention region.
*/
int n = WriteProcessMemory(procedure, arg, buffer, strlen(buffer), NULL);
if(n == 0) {
printf("Error: there was no bytes written to the process'due south address space.n");
}

/*
* Inject our DLL into the procedure's address infinite.
*/
HANDLE threadID = CreateRemoteThread(process, Naught, 0, (LPTHREAD_START_ROUTINE)addr, arg, Null, NULL);
if(threadID == Zippo) {
printf("Error: the remote thread could not be created.n");
}
else {
printf("Success: the remote thread was successfully created.north");
}

/*
* Close the handle to the process, becuase we've already injected the DLL.
*/
CloseHandle(process);
getchar();

return 0;
}
[/cpp]

At present we'll explicate diverse functions in the plan and then nosotros tin understand what the program actually does. Commencement, let'south accept a look at the OpenProcess role, which syntax can be seen below [2]:

We can see that we must laissez passer three parameters to the functions, where the parameters are the following:

• dwDesiredAccess: specifies the access to the process object, which is checked against the security descriptor for the process in question. We can see all the admission rights on the following URL accost: http://msdn.microsoft.com/en-u.s.a./library/windows/desktop/ms684880(v=vs.85).aspx. In our case we'll be using PROCESS_ALL_ACCESS, which gives u.s. all possible access rights.
• bInheritHandle: specifies whether or not the processes created by this process will inherit the handle. Nosotros don't need that in our example, which is why nosotros'll employ FALSE.
• dwProcessId: specifies the procedure ID we want to open.

If the function succeeds it returns a value to the open up handle to the specified process, otherwise it returns NULL.

The side by side functions nosotros need to await at are GetModuleHandle and GetProcAddress. We won't depict those functions, since they are so well known and were described in many of my tutorials. Let's just nowadays the exact line, which nosotros'll apply:

[cpp]
LPVOID addr = (LPVOID)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "LoadLibraryA");
[/cpp]

That line basically stores the address of the LoadLibraryA role within kernel32.dll library into a variable addr.

The next function is VirtualAllocEx, into which we demand to have a closer wait. Let's present the syntax of the role, which can exist seen below [iii]:

The function takes 5 parameters [3]:

• hProcess: a handle to the procedure in which the virtual space volition exist allocated.
• lpAddress: a arrow to the starting address of the memory region that we desire to allocate. If we pass a NULL value every bit this parameter, the function will make up one's mind the accost by itself.
• dwSize: the size of the region of the retentiveness that nosotros want to classify.
• flAllocationType: the type of retentivity location, where nosotros tin cull from the following values:
  • MEM_COMMIT
  • MEM_RESERVE
  • MEM_RESET
  • MEM_RESET_UNDO
• flProtect: memory protection for the memory region to exist allocated.

If the function succeeds it returns the base of operations address of the allocated retentivity region, otherwise it returns Cypher.

The next function is WriteProcessMemory, which syntax can exist seen below [four]:

The parameters passed to the function are the following:

• hProcess: a handle to the procedure memory to exist modified.
• lpBaseAddress: a pointer to the address in called process where the information is written.
• lpBuffer: a arrow to the address that contains the data to exist written to the process'south address space.
• nSize: the number of bytes to write to the specified process.
• lpNumberOfBytesWritten: a pointer to the value where the number of written bytes will exist stored past the function. We can specify a Goose egg value in which example the parameter will be ignored.

If the function succeeds, it returns a non-zero number, otherwise it returns zero.

Seeing everything in activity

Here we'll come across whether our injection plan works. Kickoff, get-go OllyDbg and load putty.exe program. Upon starting, the putty.exe will load the modules presented on the film below:

After that, we demand to check the PID of the putty.exe process, which we can see in the Task Manager equally seen in the film below:

The PID of the putty.exe is 2720. This is also the PID we must put into the code of our previously presented program. Nosotros must change the code to look similar this:

Notice that we changed the procID variable to 2720, which is the PID of the process. If this is not correct, then our programme will try to inject the DLL into some other procedure, which might not exist. In such example, the program will nearly certainly fail. When changing the PID of the plan, we must recompile our program and run it. The programme will inject the DLL into the putty.exe procedure and brandish the following if everything is done successfully:

If we check the loaded modules after that, we tin run into that the dllinject.dll module was successfully loaded into the process'southward accost space, which we can see beneath:

Afterward that, we also need to check whether advisable messages have been written to the C:temp.txt. We tin can see the contents of that file on the picture below:

Everything looks ok and the DLL was successfully injected into the putty's address infinite.

Conclusion

Nosotros've seen how we tin inject a DLL into the process's address space with using the CreateRemoteThread part. The attacker can utilise this method to claw sure function the procedure's IAT import tabular array to gather useful information nigh the process/user.

Sources

[ane] CreateRemoteThread function

[two] OpenProcess part

[3] VirtualAllocEx office

[4] WriteProcessMemory function

[5] A More than Complete DLL Injection Solution Using CreateRemoteThread,

henryonst1980.blogspot.com

Source: https://resources.infosecinstitute.com/topic/using-createremotethread-for-dll-injection-on-windows/

Share this post