Process injection is a widespread defense evasion technique employed often within malware and fileless adversary tradecraft, and entails running custom code within the address space of another process. Process injection improves stealth, and some techniques also achieve persistence. Although there are numerous process injection techniques, in this blog I present ten techniques seen in the wild that run malware code on behalf of another process. I additionally provide screenshots for many of these techniques to facilitate reverse engineering and malware analysis, assisting detection and defense against these common techniques.
進程注入是一種廣泛使用的躲避檢測的技術,通常用於惡意軟件或者無文件技術。其需要在另一個進程的地址空間內運行特制代碼,進程注入改善了不可見性,同時一些技術也實現了持久性。盡管目前有許多進程注入技術,但在這篇文章中,我將會介紹十種在野發現的,在另一個程序的地址空間執行惡意代碼的進程注入技術,並提供這些技術應用的截圖,以便於逆向工程和惡意軟件分析,然后協助檢測並防御這些進程注入技術。
1. CLASSIC DLL INJECTION VIA CREATEREMOTETHREAD AND LOADLIBRARY
This technique is one of the most common techniques used to inject malware into another process. The malware writes the path to its malicious dynamic-link library (DLL) in the virtual address space of another process, and ensures the remote process loads it by creating a remote thread in the target process.
該技術是用於將惡意軟件代碼注入另一個進程最常用技術之一,惡意軟件作者將惡意的動態鏈接庫(DLL)的路徑寫入另一個進程的虛擬地址空間,並通過在目標進程中創建一個遠程線程來確保目標進程加載它。
The malware first needs to target a process for injection (e.g. svchost.exe). This is usually done by searching through processes by calling a trio of Application Program Interfaces (APIs): CreateToolhelp32Snapshot, Process32First, and Process32Next. CreateToolhelp32Snapshot is an API used for enumerating heap or module states of a specified process or all processes, and it returns a snapshot. Process32First retrieves information about the first process in the snapshot, and then Process32Next is used in a loop to iterate through them. After finding the target process, the malware gets the handle of the target process by calling OpenProcess.
惡意軟件首先需要選擇被注入的目標進程(例如svchost.exe),這通常可以通過調用三個應用編程接口(API)搜索進程來完成:CreateToolhelp32Snapshot,Process32First和Process32Next。CreateToolhelp32Snapshot是用於枚舉指定進程或所有進程的堆或模塊狀態的API,其會返回一個快照。Process32First會檢索有關快照中第一個進程的信息,然后通過循環Process32Next來迭代。找到目標進程后,惡意軟件通過調用OpenProcess獲取目標進程的句柄。
As shown in Figure 1, the malware calls VirtualAllocEx to have a space to write the path to its DLL. The malware then calls WriteProcessMemory to write the path in the allocated memory. Finally, to have the code executed in another process, the malware calls APIs such as CreateRemoteThread, NtCreateThreadEx, or RtlCreateUserThread. The latter two are undocumented. However, the general idea is to pass the address of LoadLibrary to one of these APIs so that a remote process has to execute the DLL on behalf of the malware.
如圖一所示,惡意軟件調用VirtualAllocEx來獲得寫入其DLL路徑的空間。然后惡意軟件調用WriteProcessMemory在已分配的內存中寫入路徑。最后,為了讓代碼在另一個進程中執行,惡意軟件作者會調用API,例如CreateRemoteThread,NtCreateThreadEx或RtlCreateUserThread。后兩個並未存在應用記錄,但是一般的想法就是將LoadLibrary的地址傳遞給其中一個API,以便遠程進程不得不代表惡意軟件執行DLL。
CreateRemoteThread is tracked and flagged by many security products. Further, it requires a malicious DLL on disk which could be detected. Considering that attackers are most commonly injecting code to evade defenses, sophisticated attackers probably will not use this approach. The screenshot below displays a malware named Rebhip performing this technique.
很多殺毒軟件都會追蹤和標記CreateRemoteThread,此外,注入也需要磁盤上存在惡意DLL。但這是可以被檢測到的。考慮到攻擊者最常通過注入代碼以逃避檢測,所以一些老練的攻擊者可能並不會使用這種方法。下面的截圖展示了一個叫Rebhip的惡意軟件應用了此技術。
Figure 1: Rebhip worm performing a typical DLL injection
2. PORTABLE EXECUTABLE INJECTION (PE INJECTION)
Instead of passing the address of the LoadLibrary, malware can copy its malicious code into an existing open process and cause it to execute (either via a small shellcode, or by calling CreateRemoteThread). One advantage of PE injection over the LoadLibrary technique is that the malware does not have to drop a malicious DLL on the disk. Similar to the first technique, the malware allocates memory in a host process (e.g. VirtualAllocEx), and instead of writing a “DLL path” it writes its malicious code by calling WriteProcessMemory. However, the obstacle with this approach is the change of the base address of the copied image. When a malware injects its PE into another process it will have a new base address which is unpredictable, requiring it to dynamically recompute the fixed addresses of its PE. To overcome this, the malware needs to find its relocation table address in the host process, and resolve the absolute addresses of the copied image by looping through its relocation descriptors.
這種技術斌沒有傳遞LoadLibrary的地址,而是將其惡意代碼復制到已存在的開放進程並執行(通過shellcode或調用CreateRemoteThread)。PE注入相對於LoadLibrary注入的一個優點是惡意軟件不必在磁盤上放一個惡意DLL。與第一種技術類似,惡意軟件在宿主進程中分配到內存,其並沒有編寫“DLL路徑”,而是通過調用WriteProcessMemory來編寫其惡意代碼。然而,這種方法的一個缺陷是目標基址的改變,當惡意軟件將其PE注入到另一個進程時,其會有一個新的不可預測的基址,這就要求其動態地重新計算PE的地址。為了解決這個問題,惡意軟件需要在宿主進程中找到其重定位表地址,並通過循環其重定位描述符來解析絕對地址。
This technique is similar to other techniques, such as reflective DLL injection and memory module, since they do not drop any files to the disk. However, memory module and reflective DLL injection approaches are even stealthier. They do not rely on any extra Windows APIs (e.g., CreateRemoteThread or LoadLibrary), because they load and execute themselves in the memory. Reflective DLL injection works by creating a DLL that maps itself into memory when executed, instead of relying on the Window’s loader. Memory Module is similar to Reflective DLL injection except the injector or loader is responsible for mapping the target DLL into memory instead of the DLL mapping itself. In a previous blog post, these two in memory approaches were discussed extensively.
此技術類似於其他技術,例如反射式DLL,因為它們不會將任何文件放在磁盤,但是,反射式DLL注入方法甚至會更加隱蔽。它們不依賴於任何額外的Windows API(例如CreateRemoteThread或LoadLibrary),因為它們在內存中加載和執行自己。反射式DLL注入通過創建一個DLL來實現,該DLL在執行時將自身映射到內存,而不是依賴於Windows的loader。
When analyzing PE injection, it is very common to see loops (usually two “for” loops, one nested in the other), before a call to CreateRemoteThread. This technique is quite popular among crypters (softwares that encrypt and obfuscate malware). In Figure 2, the sample unit test is taking advantage of this technique. The code has two nested loops to adjust its relocation table that can be seen before the calls to WriteProcessMemory and CreateRemoteThread. The “and 0x0fff” instruction is also another good indicator, showing that the first 12 bits are used to get the offset into the virtual address of the containing relocation block. Now that the malware has recomputed all the necessary addresses, all it needs to do is pass its starting address to CreateRemoteThread and have it executed.
在分析PE注入時,調用CreateRemoteThread之前通常會看到循環(通常是兩個“for”循環,一個嵌套在另一個中)這種技術在crypter(加密和混淆惡意軟件的軟件)中非常流行。在圖二中,樣本的單元測試中正在利用這種技術。代碼有兩個嵌套循環來調整其重定位表,可以在調用WriteProcessMemory和CreateRemoteThread之前看到它。“AND 0x0fff”指令是另一個好指示,表明前12位用於獲取包含重定位塊的虛擬地址的偏移量。既然惡意軟件已經重新計算了所有必要的地址,那么它需要做的只是將其起始地址傳遞給CreateRemoteThread並讓它執行。
Figure 2: Example structure of the loops for PE injection prior to calls to CreateRemoteThread
3. PROCESS HOLLOWING (A.K.A PROCESS REPLACEMENT AND RUNPE)
Instead of injecting code into a host program (e.g., DLL injection), malware can perform a technique known as process hollowing. Process hollowing occurs when a malware unmaps (hollows out) the legitimate code from memory of the target process, and overwrites the memory space of the target process (e.g., svchost.exe) with a malicious executable.
惡意軟件可以不用將代碼注入宿主程序,而是利用Process Hollowing技術。當惡意軟件從目標進程中取消映射,並使用惡意可執行文件覆蓋目標進程的內存空間時,會發生Process Hollowing。
The malware first creates a new process to host the malicious code in suspended mode. As shown in Figure 3, this is done by calling CreateProcess and setting the Process Creation Flag to CREATE_SUSPENDED (0x00000004). The primary thread of the new process is created in a suspended state, and does not run until the ResumeThread function is called. Next, the malware needs to swap out the contents of the legitimate file with its malicious payload. This is done by unmapping the memory of the target process by calling either ZwUnmapViewOfSection or NtUnmapViewOfSection. These two APIs basically release all memory pointed to by a section. Now that the memory is unmapped, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware’s sections to the target process space. The malware calls SetThreadContext to point the entrypoint to a new code section that it has written. At the end, the malware resumes the suspended thread by calling ResumeThread to take the process out of suspended state.
惡意軟件首先會創建一個新進程,以掛起模式托管惡意代碼,如圖三所示,這是通過調用CreateProcess並將Process Creation Flag設置為CREATE_SUSPENDED(0x00000004)來完成的。新進程的主線程是在掛起狀態下創建的,並且在調用ResumeThread函數之前不會執行。接下來,惡意軟件需要使用惡意載荷交換合法文件的內容,這是通過調用ZwUnmapViewOfSection或NtUnmapViewOfSection來取消映射目標進程的內存完成的。這兩個API基本上釋放了一個區的所有內存。現在內存處於未映射狀態,loader執行VirtualAllocEx為惡意軟件分配新內存,並使用WriteProcessMemory將每個惡意軟件的部分寫入目標進程空間。而惡意軟件通過調用SetThreadContext將入口點指向它已編寫的新代碼段。最后,惡意軟件通過調用ResumeThread恢復掛起的線程,使進程退出掛起狀態。
Figure 3: Ransom.Cryak performing process hollowing
4. THREAD EXECUTION HIJACKING (A.K.A SUSPEND, INJECT, AND RESUME (SIR))
This technique has some similarities to the process hollowing technique previously discussed. In thread execution hijacking, malware targets an existing thread of a process and avoids any noisy process or thread creations operations. Therefore, during analysis you will probably see calls to CreateToolhelp32Snapshot and Thread32First followed by OpenThread.
該技術與先前討論的Process Hollowing技術有一些相似之處。在線程執行劫持中,惡意軟件以進程的現有線程為目標,並避免任何其他的進程或線程創建操作。因此,在分析期間,你可能會看到對CreateToolhelp32Snapshot和Thread32First的調用,然后是OpenThread。
After getting a handle to the target thread, the malware puts the thread into suspended mode by calling SuspendThread to perform its injection. The malware calls VirtualAllocEx and WriteProcessMemory to allocate memory and perform the code injection. The code can contain shellcode, the path to the malicious DLL, and the address of LoadLibrary.
獲取目標線程的句柄后,惡意軟件通過調用SuspandThread來掛起這個線程,然后調用VirtualAllocEx和WriteProcessMemory來分配內存並執行代碼注入。代碼可以包含shellcode,惡意DLL的路徑以及LoadLibrary的地址。
Figure 4 illustrates a generic trojan using this technique. In order to hijack the execution of the thread, the malware modifies the EIP register (a register that contains the address of the next instruction) of the targeted thread by calling SetThreadContext. Afterwards, malware resumes the thread to execute the shellcode that it has written to the host process. From the attacker’s perspective, the SIR approach can be problematic because suspending and resuming a thread in the middle of a system call can cause the system to crash. To avoid this, a more sophisticated malware would resume and retry later if the EIP register is within the range of NTDLL.dll.
圖4展示了使用這種技術的通用木馬。為了劫持線程的執行,惡意軟件通過調用SetThreadContext來修改目標線程的EIP寄存器(包含下一條指令的地址的寄存器)。之后,惡意軟件恢復線程來執行它已寫入主機進程的shellcode。從攻擊者的角度來看,SIR方法可能會出問題,因為在系統調用過程中掛起和恢復線程會導致系統崩潰。為了避免這種情況,如果EIP寄存器在NTDLL.dll范圍內,復雜一點的惡意軟件會稍后重新嘗試。
Figure 4: A generic trojan is performing thread execution hijacking
5. HOOK INJECTION VIA SETWINDOWSHOOKEX
Hooking is a technique used to intercept function calls. Malware can leverage hooking functionality to have their malicious DLL loaded upon an event getting triggered in a specific thread. This is usually done by calling SetWindowsHookEx to install a hook routine into the hook chain. The SetWindowsHookEx function takes four arguments. The first argument is the type of event. The events reflect the range of hook types, and vary from pressing keys on the keyboard (WH_KEYBOARD) to inputs to the mouse (WH_MOUSE), CBT, etc. The second argument is a pointer to the function the malware wants to invoke upon the event execution.The third argument is a module that contains the function. Thus, it is very common to see calls to LoadLibrary and GetProcAddress before calling SetWindowsHookEx. The last argument to this function is the thread with which the hook procedure is to be associated. If this value is set to zero all threads perform the action when the event is triggered. However, malware usually targets one thread for less noise, thus it is also possible to see calls CreateToolhelp32Snapshot and Thread32Next before SetWindowsHookEx to find and target a single thread. Once the DLL is injected, the malware executes its malicious code on behalf of the process that its threadId was passed to SetWindowsHookEx function. In Figure 5, Locky Ransomware implements this technique.
HOOK是一種攔截函數調用的技術,惡意軟件可以利用HOOK的功能在特定線程中觸發事件時加載其惡意DLL。這通常通過調用SetWindowsHookEx將hook routine安裝到HOOK鏈中來完成。SetWindowsHookEx函數有四個參數。第一個參數是事件的類型。事件反映了HOOK類型的范圍,從鍵盤上的按鍵(WH_KEYBOARD)到鼠標輸入(WH_MOUSE),CBT等等。第二個參數是指向惡意軟件想要在事件上調用的函數的指針。第三個參數是包含該函數的模塊。因此,在調用SetWindowsHookEx之前,通常會看到對LoadLibrary和GetProcAddress的調用。此函數的最后一個參數是與HOOK過程相關聯的線程。如果此值設置為零,則所有線程都會在觸發事件時執行操作。但是,惡意軟件通常針對一個線程以降低噪聲,因此在SetWindowsHookEx之前也可以看到調用CreateToolhelp32Snapshot和Thread32Next來查找和定位單個線程。注入DLL后,惡意軟件代表其threadId傳遞給SetWindowsHookEx函數的進程執行其惡意代碼。在圖5中,Locky Ransomware實現了這種技術。
*Figure 5:* Locky Ransomware using hook injection
6. INJECTION AND PERSISTENCE VIA REGISTRY MODIFICATION (E.G. APPINIT_DLLS, APPCERTDLLS, IFEO)
Appinit_DLL, AppCertDlls, and IFEO (Image File Execution Options) are all registry keys that malware uses for both injection and persistence. The entries are located at the following locations:
Appinit_DLL,AppCertDlls和IFEO(映像文件執行選項)都是惡意軟件用於注入和持久性的注冊表項。條目位於以下位置:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls HKLM\Software\Microsoft\Windows NT\currentversion\image file execution options
AppInit_DLLs
Malware can insert the location of their malicious library under the Appinit_Dlls registry key to have another process load their library. Every library under this registry key is loaded into every process that loads User32.dll. User32.dll is a very common library used for storing graphical elements such as dialog boxes. Thus, when a malware modifies this subkey, the majority of processes will load the malicious library. Figure 6 demonstrates the trojan Ginwui relying on this approach for injection and persistence. It simply opens the Appinit_Dlls registry key by calling RegCreateKeyEx, and modifies its values by calling RegSetValueEx.
惡意軟件可以在Appinit_Dlls注冊表項下插入其惡意庫的位置,以使另一個進程加載其庫。此注冊表項下的每個庫都會加載到每個加載User32.dll的進程中。User32.dll是一個非常常見的庫,用於存儲對話框等圖形元素。因此,當惡意軟件修改此子鍵時,大多數進程將加載惡意庫。圖6展示了Ginwui依賴這種注入和持久性方法的木馬。它只是通過調用RegCreateKeyEx打開Appinit_Dlls注冊表項,並通過調用RegSetValueEx來修改其值。
Figure 6: Ginwui modifying the AppIniti_DLLs registry key
AppCertDlls
This approach is very similar to the AppInit_DLLs approach, except that DLLs under this registry key are loaded into every process that calls the Win32 API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW, and WinExec.
此方法與AppInit_DLLs方法非常相似,只是此注冊表項下的DLL被加載到調用Win32 API函數CreateProcess,CreateProcessAsUser,CreateProcessWithLogonW,CreateProcessWithTokenW和WinExec的每個進程中。
Image File Execution Options (IFEO)
IFEO is typically used for debugging purposes. Developers can set the “Debugger Value” under this registry key to attach a program to another executable for debugging. Therefore, whenever the executable is launched the program that is attached to it will be launched. To use this feature you can simply give the path to the debugger, and attach it to the executable that you want to analyze. Malware can modify this registry key to inject itself into the target executable. In Figure 7, Diztakun trojan implements this technique by modifying the debugger value of Task Manager.
IFEO通常用於調試目的。開發人員可以在此注冊表項下設置“調試器值”,以將程序附加到另一個可執行文件以進行調試。因此,每當啟動可執行文件時,會啟動附加到它的程序。要使用此功能,你只需提供調試器的路徑,並將其附加到要分析的可執行文件。惡意軟件可以修改此注冊表項以將其自身注入目標可執行文件。在圖7中,Diztakun木馬通過修改任務管理器的調試器值來實現此技術。
Figure 7: Diztakun trojan modifying IFEO registry key
7. APC INJECTION AND ATOMBOMBING
Malware can take advantage of Asynchronous Procedure Calls (APC) to force another thread to execute their custom code by attaching it to the APC Queue of the target thread. Each thread has a queue of APCs which are waiting for execution upon the target thread entering alterable state. A thread enters an alertable state if it calls SleepEx, SignalObjectAndWait, MsgWaitForMultipleObjectsEx, WaitForMultipleObjectsEx, or WaitForSingleObjectEx functions. The malware usually looks for any thread that is in an alterable state, and then calls OpenThread and QueueUserAPC to queue an APC to a thread. QueueUserAPC takes three arguments: 1) a handle to the target thread; 2) a pointer to the function that the malware wants to run; 3) and the parameter that is passed to the function pointer. In Figure 8, Amanahe malware first calls OpenThread to acquire a handle of another thread, and then calls QueueUserAPC with LoadLibraryA as the function pointer to inject its malicious DLL into another thread.
惡意軟件可以利用異步過程調用(APC)通過將其附加到目標線程的APC隊列來強制另一個線程執行其特制代碼。每個線程都有一個APC隊列,它們等待目標線程進入可變狀態時執行。如果線程調用SleepEx,SignalObjectAndWait,MsgWaitForMultipleObjectsEx,WaitForMultipleObjectsEx或WaitForSingleObjectEx函數,則線程進入可更改狀態。惡意軟件通常會查找處於可更改狀態的任何線程,然后調用OpenThread和QueueUserAPC將APC排入線程。 QueueUserAPC有三個參數:目標線程的句柄、指向惡意軟件想要運行的功能的指針、傳遞給函數指針的參數;在圖8中,Amanahe惡意軟件首先調用OpenThread來獲取另一個線程的句柄,然后通過LoadLibraryA調用QueueUserAPC作為函數指針,將其惡意DLL注入另一個線程。
AtomBombing is a technique that was first introduced by enSilo research, and then used in Dridex V4. As we discussed in detail in a previous post, the technique also relies on APC injection. However, it uses atom tables for writing into memory of another process.
AtomBombing是一項由enSilo研究首次引入的技術,然后用於Dridex V4。 正如我們在前一篇文章中詳細討論的那樣,該技術也依賴於APC注入。 但是,它使用原子表寫入另一個進程的內存。
Figure 8: Almanahe performing APC injection
8. EXTRA WINDOW MEMORY INJECTION (EWMI) VIA SETWINDOWLONG
EWMI relies on injecting into Explorer tray window’s extra window memory, and has been used a few times among malware families such as Gapz and PowerLoader. When registering a window class, an application can specify a number of additional bytes of memory, called extra window memory (EWM). However, there is not much room in EWM. To circumvent this limitation, the malware writes code into a shared section of explorer.exe, and uses SetWindowLong and SendNotifyMessage to have a function pointer to point to the shellcode, and then execute it.
EWMI依賴於注入資源管理器托盤窗口的額外窗口內存,並且已經在Gapz和PowerLoader等惡意軟件系列中應用過幾次。注冊窗口類時,應用程序可以指定一些額外的內存字節,稱為額外窗口內存(EWM)。但是,EWM的空間不大。為了規避此限制,惡意軟件將代碼寫入explorer.exe的共享部分,並使用SetWindowLong和SendNotifyMessage使用指向shellcode的函數指針,然后執行它。
The malware has two options when it comes to writing into a shared section. It can either create a shared section and have it mapped both to itself and to another process (e.g., explorer.exe), or it can simply open a shared section that already exists. The former has the overhead of allocating heap space and calling NTMapViewOfSection in addition to a few other API calls, so the latter approach is used more often. After malware writes its shellcode in a shared section, it uses GetWindowLong and SetWindowLong to access and modify the extra window memory of “Shell_TrayWnd”. GetWindowLong is an API used to retrieve the 32-bit value at the specified offset into the extra window memory of a window class object, and SetWindowLong is used to change values at the specified offset. By doing this, the malware can simply change the offset of a function pointer in the window class, and point it to the shellcode written to the shared section.
在寫入共享部分時,惡意軟件有兩種選擇。它既可以創建共享空間,也可以將其映射到自身和另一個進程(例如explorer.exe),也可以只打開已存在的共享空間。除了一些其他API調用之外,前者還有分配堆空間和調用NTMapViewOfSection的開銷,因此后一種方法更常用。在惡意軟件將其shellcode寫入共享部分后,它使用GetWindowLong和SetWindowLong來訪問和修改“Shell_TrayWnd”的額外窗口內存。GetWindowLong是一個API,用於將指定偏移量的32位值檢索到窗口類對象的額外窗口內存中,SetWindowLong用於更改指定偏移量的值。這樣一來,惡意軟件可以簡單地更改窗口類中的函數指針的偏移量,並將其指向寫入共享部分的shellcode。
Like most other techniques mentioned above, the malware needs to trigger the code that it has written. In previously discussed techniques, malware achieved this by calling APIs such as CreateRemoteThread, QueueUserAPC, or SetThreadContext. With this approach, the malware instead triggers the injected code by calling SendNotifyMessage. Upon execution of SendNotifyMessage, Shell_TrayWnd receives and transfers control to the address pointed to by the value previously set by SetWindowLong. In Figure 9, a malware named PowerLoader uses this technique.
與上面提到的大多數其他技術一樣,惡意軟件需要觸發它特制的代碼。在先前討論的技術中,惡意軟件通過調用諸如CreateRemoteThread,QueueUserAPC或SetThreadContext之類的API來實現此目的。使用此方法,惡意軟件會通過調用SendNotifyMessage來觸發注入的代碼。執行SendNotifyMessage后,Shell_TrayWnd接收控制並將控制轉移到之前由SetWindowLong設置的值指向的地址。在圖9中,名為PowerLoader的惡意軟件使用此技術。
Figure 9: PowerLoader injecting into extra window memory of shell tray window
9. INJECTION USING SHIMS
Microsoft provides Shims to developers mainly for backward compatibility. Shims allow developers to apply fixes to their programs without the need of rewriting code. By leveraging shims, developers can tell the operating system how to handle their application. Shims are essentially a way of hooking into APIs and targeting specific executables. Malware can take advantage of shims to target an executable for both persistence and injection. Windows runs the Shim Engine when it loads a binary to check for shimming databases in order to apply the appropriate fixes.
Microsoft向開發人員提供SHIMS主要是為了向后兼容。SHIMS允許開發人員將修補程序應用於他們的程序,而無需重寫代碼。通過利用SHIMS,開發人員可以告訴操作系統如何處理應用程序。SHIMS本質上是一種掛鈎API並定位特定可執行文件的方法。惡意軟件可以利用SHIMS來定位持久性和注入的可執行文件。Windows在加載二進制文件時運行Shim Engine以檢查SHIMS數據庫以應用適當的修復程序。
There are many fixes that can be applied, but malware’s favorites are the ones that are somewhat security related (e.g., DisableNX, DisableSEH, InjectDLL, etc). To install a shimming database, malware can deploy various approaches. For example, one common approach is to simply execute sdbinst.exe, and point it to the malicious sdb file. In Figure 10, an adware, “Search Protect by Conduit”, uses a shim for persistence and injection. It performs an “InjectDLL” shim into Google Chrome to load vc32loader.dll. There are a few existing tools for analyzing sdb files, but for the analysis of the sdb listed below, I used python-sdb.
現在有許多方法應用修復程序,但惡意軟件的最愛是與安全相關的(例如,DisableNX,DisableSEH,InjectDLL等)。要安裝填充數據庫,惡意軟件可以部署各種方法。例如,一種常見的方法是簡單地執行sdbinst.exe,並將其指向惡意sdb文件。在圖10中,廣告軟件“按導管搜索保護”使用墊片進行持久性和注入。它在Google Chrome中執行“InjectDLL”填充程序以加載vc32loader.dll。有一些用於分析sdb文件的現有工具,但是為了分析下面列出的sdb,我使用了python-sdb。
Figure 10: SDB used by Search Protect for injection purposes
10. IAT HOOKING AND INLINE HOOKING (A.K.A USERLAND ROOTKITS)
IAT hooking and inline hooking are generally known as userland rootkits. IAT hooking is a technique that malware uses to change the import address table. When a legitimate application calls an API located in a DLL, the replaced function is executed instead of the original one. In contrast, with inline hooking, malware modifies the API function itself. In Figure 11, the malware FinFisher, performs IAT hooking by modifying where the CreateWindowEx points.
IAT hooking和inline hooking通常稱為userland rootkit。IAT hooking是惡意軟件用於更改導入地址表的技術。當合法應用程序調用位於DLL中的API時,其會執行替換的函數,而不是原始函數。相反,使用inline hooking,惡意軟件則會修改API函數本身。在圖11中,惡意軟件FinFisher通過修改CreateWindowEx指向的位置來執行IAT hooking。
Figure 11: FinFisher performing IAT hooking by changing where CreateWindowEx points to
CONCLUSION
In this post, I covered ten different techniques that malware uses to hide its activity in another process. In general, malware either directly injects its shellcode into another process or it forces another process to load its malicious library. In Table 1, I have classified the various techniques and provided samples to serve as a reference for observing each injection technique covered in this post. The figures included throughout the post will help the researcher recognize the various techniques when reversing malware.
在這篇文章中,我介紹了惡意軟件用於在另一個進程中隱藏其活動的十種不同技術。通常,惡意軟件會直接將其shellcode注入另一個進程,或者強制另一個進程加載其惡意庫。在表1中,我對各種技術進行了分類,並提供了樣本作為閱讀本文所涵蓋的每種注入技術的參考。
