Process Injection - Part V

Written by on
Hello All,

Wondering where is the part IV of the process injection blog post series ?
The part IV of this series was written by Renos on Parent PID Spoofing technique. Parent PID Spoofing technique is useful for evading detection.

In this post I will cover about Asynchronous Procedure Calls (APC) Queue Process Injection technique. Parent PID Spoofing can also be used with APC Queue Process Injection. The tool can be found on my github repo.

What is Asynchronous Procedure Calls (APC) ?

This is best described by Microsoft in their documentation. Below is the short brief about APC from the Microsoft Docs.

An asynchronous procedure call (APC) is a function that executes asynchronously in the context of a particular thread. When an APC is queued to a thread, the system issues a software interrupt. The next time the thread is scheduled, it will run the APC function. An APC generated by the system is called a kernel-mode APC. An APC generated by an application is called a user-mode APC. A thread must be in an alertable state to run a user-mode APC.

Each thread has its own APC queue. An application queues an APC to a thread by calling the QueueUserAPC function. The calling thread specifies the address of an APC function in the call to QueueUserAPC. The queuing of an APC is a request for the thread to call the APC function.

When a user-mode APC is queued, the thread to which it is queued is not directed to call the APC function unless it is in an alertable state. The thread enters into alertable state when it calls any of the below mentioned functions.
  • SleepEx - Suspends the current thread until the specified condition is met. Execution resumes when one of the following occurs:
    • An I/O completion callback function is called.
    • An asynchronous procedure call (APC) is queued to the thread.
    • The time-out interval elapses.
  • MsgWaitForMultipleObjectsEx - Waits until one or all of the specified objects are in the signaled state, an I/O completion routine or asynchronous procedure call (APC) is queued to the thread, or the time-out interval elapses. The array of objects can include input event objects, which you specify using the dwWakeMask parameter.
  • WaitForMultipleObjectsEx - Waits until one or all of the specified objects are in the signaled state, an I/O completion routine or asynchronous procedure call (APC) is queued to the thread, or the time-out interval elapses.
  • WaitForSingleObjectEx - Waits until the specified object is in the signaled state, an I/O completion routine or asynchronous procedure call (APC) is queued to the thread, or the time-out interval elapses.
In this APC Queue Process Injection technique 7 Windows API are used:
  • CreateProcess - The CreateProcess function creates a new process and its primary thread. The new process runs in the security context of the calling process.
  • OpenProcess - The OpenProcess function returns a handle of an existing process object.
  • VirtualAllocEX - The VirtualAllocEx function is used to allocate the memory and grant the access permissions to the memory address.
  • WriteProcessMemory - The WriteProcessMemory function writes data to an area of memory in a specified process.
  • OpenThread - The OpenThread function returns a handle of an existing thread object.
  • QueueUserAPC - The QueueUserAPC function adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread.
  • ResumeThread - The ResumeThread function decrements the thread's suspend count. When the suspend count is decremented to zero, the execution of the thread is resumed.
Overview of APC Queue Process Injection

APC Queue Process Injection is a technique used by malware authors for being stealthy as it allows execution of malicious code before the entry point of the main thread of a process. 

Below are the steps followed while adding the APC Queue Process Injection technique in the tool.
  • Step 1:- Create a new target process in suspended state. This can be achieve by passing Create_Suspended value in dwCreationFlags parameter of CreateProcess Windows API.
  • Step 2:- Once the process is created obtain the handle of the target process using OpenProcess Windows API.
  • Step 3:- Allocate the memory space for our shellcode in the target process using VirtualAllocEX Windows API.
  • Step 4:- Write the shellcode in the allocated memory space using WriteProcessMemory Windows API.
  • Step 5:- Obtain the handle of the primary thread from the target process using OpenThread Windows API.
  • Step 6:- After obtaining the handle of the thread from the target process we will add a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread using QueueUserAPC Windows API which will point to the memory address of our shellcode.
  • Step 7:- To trigger our shellcode we will resume the suspended thread using ResumeThread Windows API.
Demo

In this demo I have used MSFVenom to generate the shellcode. You can use Donut for generating the shellcode or use any tool of your choice. For the demo purpose I will generate the shellcode in hex format.

APC Queue Process Injection

 Required Parameters:
  • /ppath:- Specify the path of the process which will be created in suspended state.
  • /path:- Specify the path of the shellcode file.
  • /f:- Specify the format of the shellcode that was generated.
  • /t:- Specify the technique id 
Generate the shellcode using MSFVenom.

msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -b ""\x00"" -f hex


Execute the APC Queue Process Injection technique

ProcessInjection.exe /ppath:"C:\Windows\explorer.exe" /path:"C:\Users\user\Desktop\hex.txt" /f:hex /t:7


Parent PID Spoofing with APC Queue Process Injection

ProcessInjection.exe /ppath:"C:\Windows\System32\notepad.exe" /path:"C:\Users\user\Desktop\hex.txt" /parentproc:explorer /f:hex /t:8


Detection

Monitor process which are created in suspended state. Monitor Windows API calls like OpenThread, QueueUserAPC and those that can be used to modify memory within another process such as WriteProcessMemory. Also monitor process especially under (c:\Windows\System32\* or c:\Windows\SysWOW64\*) for abnormal behavior such as opening network connections.

References

https://ired.team/offensive-security/code-injection-process-injection/apc-queue-code-injection
https://modexp.wordpress.com/2019/08/27/process-injection-apc/
https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All.pdf
https://attack.mitre.org/techniques/T1055/

Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏

Comments

Post a Comment

Popular posts from this blog

Process Injection - Part I

Written by on
Image
Hello All, After publishing the post about Dumping Process Memory with Custom C# Code my friend Himanshu suggested me to write a tool & a blog post about Process Injection for learning and he referenced his post about Code Injection which covers the concept about the vanilla process injection technique. It was quite interesting to learn and understand the core concepts about Process Injection techniques and as a learning path to code in c# leveraging Windows API I started writing the tool for Process Injection. What is Process Injection ? Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. Why Process Injection ?
Read more

Introduction to Callidus

Written by on
Image
Hello All, Performing Red Team assessments are becoming challenging day by day. In mature environments we see a lot of custom tool development and new techniques are getting discovered by the community to overcome various challenges. While thinking about such challenges, I came up with the idea of creating a tool that can leverage legitimate services for establishing command & control communication channel which is likely to be whitelisted or are less monitored due to the nature of services used by the corporate environments. This is not a new technique, we have already seen similar projects that were developed to leverage legitimate services for command & control. Communication channels such as Slackor for Slack C2, DaaC2 for Discord C2 or  Domain Fronting techniques etc. In this post I will introduce you to a tool called "Callidus" which I created to learn & to improve my knowledge about developing custom toolset in C# and learning how to leverage
Read more

Exploring the Dark Side of Package Files and Storage Account Abuse

Written by on
Image
 Hello All, In this blog, we dive into the dark side of package files and Storage Account abuse within the Azure Function App service. We explore how package files can be leveraged to enhance the functionality of the Functions Apps, shedding light on the potential abuse of package files. By examining the connection between the Function App and Storage Account, we uncover how attackers can abuse the Storage Account's connection string to gain unauthorized access to the Function Apps. We will provide step-by-step insights into replacing binary files and deploying custom code, enabling attackers to take control of the Function App.  The research was jointly done by  Raunak and myself . What are Function Apps? Function Apps (Lambda in AWS) are serverless computing services provided by Azure Cloud. They allow developers to build and deploy small, functions that can be triggered by events such as simple HTTP request. Function Apps provide an environment for executing our code without th
Read more