Process Injection - Part III
Hello All,
Finally I have got one contributor (Renos) who has added process hollowing technique to the Process Injection tool which I wrote for learning about various Process Injection techniques and to enhance my knowledge about C# and Windows API.
In this post I will cover about the Process Hollowing technique. The tool can be found on my github repo.
What is Process Hollowing ?
Process hollowing occurs when a process is created in a suspended state and the executable section of the legitimate process in the memory is unmapped and replaced with malicious executable (Shellcode in our case). This technique allows an attacker to disguise his malware as a legitimate process and execute malicious code. As a result, attacker may evade defenses and endpoint detection.
In this Process Hollowing technique 10 Windows API are used.
Process Hollowing is a technique used by malware authors for evading the endpoint detection. The malware initially spawns a legitimate looking process which is used as a container for executing malicious code. The main idea is to create a executable section in the said legitimate process which in turn execute the malicious code. The advantage of this technique is that when tracing back to the malicious code will lead the analysis to the legitimate process.
Below are the steps followed while adding the Process Hollowing technique in the tool.
Step 1:- Create a new target process in suspended state. This can be achieve by passing Create_Suspended value in dwCreationFlags parameter of CreateProcess Windows API.
Step 2 :- Once the process is created in suspended state we will create a new executable section. It wont be bind to any process. This can be done by using ZwCreateSection function.
Step 3 :- We need to locate the base address of the target process. This can be done by querying the target process using ZwQueryInformationProcess function. We can find the address of the process environment block (PEB) and then use ReadProcessMemory function to read the PEB. Once the PEB is read ReadProcessMemory function is used once again to locate the entry point from the buffer.
Step 4 :- We need to bind the section to the target process in order to copy the shellcode in it. To achieve this we need to map the section into current process. This can be done by using ZwMapViewOfSection function and passing handle of the current process by using GetCurrentProcess function.
Step 5 :- Now we will copy each byte of the shellcode into the mapped section which is created in Step 2.
Step 6 :- Once the shellcode is copied we can proceed to map the section into the target process. This can be done by using ZwMapViewOfSection function and passing handle of the target process.
Step 7 :- Once the section is mapped we will locate and construct the patch for the target process so that it can our malicious shellcode instead of the original application code.
Step 8 :- Once the patch is constructed we will use WriteProcessMemory to write the constructed patch into the target process entry point.
Step 9 :- After writing the constructed patch to the target process entry point we need to resume the thread. This can be achieve by using ResumeThread function.
Demo
In this demo I have used MSFVenom to generate the shellcode. You can use Donut for generating the shellcode or use any tool of your choice.
To perform process hollowing you need to user /t:3 parameter.
Generate the shellcode using MSFVenom and use the same for executing process hollowing technique.
MSFVenom Command - msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -b "\x00" -f c
ProcessInjection Command - /ppath:"C:\Windows\System32\notepad.exe" /path:"C:\Users\User\Desktop\c.txt" /f:c /t:3
/ppath :- This parameter is used to specify the process path which needs to be created in suspended state.
Finally I have got one contributor (Renos) who has added process hollowing technique to the Process Injection tool which I wrote for learning about various Process Injection techniques and to enhance my knowledge about C# and Windows API.
In this post I will cover about the Process Hollowing technique. The tool can be found on my github repo.
What is Process Hollowing ?
Process hollowing occurs when a process is created in a suspended state and the executable section of the legitimate process in the memory is unmapped and replaced with malicious executable (Shellcode in our case). This technique allows an attacker to disguise his malware as a legitimate process and execute malicious code. As a result, attacker may evade defenses and endpoint detection.
In this Process Hollowing technique 10 Windows API are used.
- ZwCreateSection - The ZwCreateSection function creates a section object that represents a section of memory that can be shared. A process can use a section object to share parts of its memory address space (memory sections) with other processes.
- ZwMapViewOfSection - The ZwMapViewOfSection function maps a view of a section into the virtual address space of a subject process.
- ZwQueryInformationProcess - The ZwQueryInformationProcess retrieves information about the specified process.
- ZwUnmapViewOfSection - The ZwUnmapViewOfSection function unmaps a view of a section from the virtual address space of a subject process.
- GetCurrentProcess - The GetCurrentProcess retrieves a pseudo handle for the current process.
- GetSystemInfo - The GetSystemInfo function retrieves information about the current system.
- ReadProcessMemory - The ReadProcessMemory function reads data from an area of memory in a specified process.
- WriteProcessMemory - The WriteProcessMemory function writes data to an area of memory in a specified process.
- ResumeThread - The ResumeThread function decrements the thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.
- CreateProcess - The CreateProcess function creates a new process and its primary thread. The new process runs in the security context of the calling process.
Process Hollowing is a technique used by malware authors for evading the endpoint detection. The malware initially spawns a legitimate looking process which is used as a container for executing malicious code. The main idea is to create a executable section in the said legitimate process which in turn execute the malicious code. The advantage of this technique is that when tracing back to the malicious code will lead the analysis to the legitimate process.
Below are the steps followed while adding the Process Hollowing technique in the tool.
Step 1:- Create a new target process in suspended state. This can be achieve by passing Create_Suspended value in dwCreationFlags parameter of CreateProcess Windows API.
Step 2 :- Once the process is created in suspended state we will create a new executable section. It wont be bind to any process. This can be done by using ZwCreateSection function.
Step 3 :- We need to locate the base address of the target process. This can be done by querying the target process using ZwQueryInformationProcess function. We can find the address of the process environment block (PEB) and then use ReadProcessMemory function to read the PEB. Once the PEB is read ReadProcessMemory function is used once again to locate the entry point from the buffer.
Step 4 :- We need to bind the section to the target process in order to copy the shellcode in it. To achieve this we need to map the section into current process. This can be done by using ZwMapViewOfSection function and passing handle of the current process by using GetCurrentProcess function.
Step 5 :- Now we will copy each byte of the shellcode into the mapped section which is created in Step 2.
Step 6 :- Once the shellcode is copied we can proceed to map the section into the target process. This can be done by using ZwMapViewOfSection function and passing handle of the target process.
Step 7 :- Once the section is mapped we will locate and construct the patch for the target process so that it can our malicious shellcode instead of the original application code.
Step 8 :- Once the patch is constructed we will use WriteProcessMemory to write the constructed patch into the target process entry point.
Step 9 :- After writing the constructed patch to the target process entry point we need to resume the thread. This can be achieve by using ResumeThread function.
Demo
In this demo I have used MSFVenom to generate the shellcode. You can use Donut for generating the shellcode or use any tool of your choice.
To perform process hollowing you need to user /t:3 parameter.
Generate the shellcode using MSFVenom and use the same for executing process hollowing technique.
MSFVenom Command - msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -b "\x00" -f c
ProcessInjection Command - /ppath:"C:\Windows\System32\notepad.exe" /path:"C:\Users\User\Desktop\c.txt" /f:c /t:3
/ppath :- This parameter is used to specify the process path which needs to be created in suspended state.
Detection
Monitor Windows API calls that unmap process memory, such as ZwUnmapViewOfSection and those that can be used to modify memory within another process such as WriteProcessMemory. Also monitor process especially under (c:\Windows\System32\* or c:\Windows\SysWOW64\*) for abnormal behavior such as opening network connections.
References
Monitor Windows API calls that unmap process memory, such as ZwUnmapViewOfSection and those that can be used to modify memory within another process such as WriteProcessMemory. Also monitor process especially under (c:\Windows\System32\* or c:\Windows\SysWOW64\*) for abnormal behavior such as opening network connections.
References
https://github.com/rasta-mouse/TikiTorch/blob/master/TikiLoader/Hollower.cs
https://gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
https://github.com/ambray/ProcessHollowing
https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf
https://github.com/m0n0ph1/Process-Hollowing
https://attack.mitre.org/techniques/T1093/
Thanks for reading the post.
Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏
https://gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75
https://github.com/ambray/ProcessHollowing
https://www.blackhat.com/docs/asia-17/materials/asia-17-KA-What-Malware-Authors-Don't-Want-You-To-Know-Evasive-Hollow-Process-Injection-wp.pdf
https://github.com/m0n0ph1/Process-Hollowing
https://attack.mitre.org/techniques/T1093/
Thanks for reading the post.
Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏
Comments
Post a Comment