2021-02-11: Process Replacement

A quick review

Process Injection can happen via:

Process Replacement

Injecting directly into a running process risks crashing it. Replacing the target process completely carries much less risk of a crash.

The target process should be something that very few other things depend on. Otherwise, things can break when the malware removes the functionality that process normally provides.

svchost.exe is a great target, as it hosts many independent services. One more svchost.exe instance likely won’t be noticed.

Where DLL injection puts malware into an existing process, process replacement starts a new process containing evil code.

// Start a new process in a suspended state
CreateProcess(..., "svchost.exe", ..., CREATE_SUSPENDED, ...);

// Clear the entire process memory - no artifacts!
// Once it's clear, we can write over it.
ZwUnmapViewOfSection(...);

// Allocate space, equal to the size of *this* binary
// What does ImageBase do? (It is the preferred load address stored in the
// PE optional header; SizeOfImage comes from the same header.)
VirtualAllocEx(..., ImageBase, SizeOfImage, ...);

// What does this do? Why do we need to do this?
// (The DOS/PE headers go in first; every section's virtual address is
// laid out relative to them.)
WriteProcessMemory(..., headers, ...);

// Copy over our own sections, one section header entry at a time
for (i = 0; i < sections; i++) {
    WriteProcessMemory(section);
}

// Sets the starting point of the new process to the beginning
// of its fresh new contents (the entry point from the PE header)
SetThreadContext();

// Go run free, new process!
ResumeThread();

0x4d 0x5a => “MZ”, the signature at the start of Windows executable binaries

“PEView” is a static analysis tool that will lay out all the sections of a binary.
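As an added example (not part of the class notes), a small Python parser that pulls out the same fields a static-analysis tool like PEView displays and that the pseudocode above depends on: the MZ signature, ImageBase, SizeOfImage, SizeOfHeaders and the section table. The sample image is constructed inline for the demo and is not a real binary.

```python
import struct
DOS_SIGNATURE = b"MZ"        # 0x4d 0x5a, first two bytes of every Windows executable
NT_SIGNATURE = b"PE\0\0"     # found at the offset stored in e_lfanew (DOS header + 0x3C)
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B

def parse_pe(data: bytes) -> dict:
    """Return the header fields process replacement copies, plus the section table."""
    if data[:2] != DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != NT_SIGNATURE:
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                  # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    size_opt = struct.unpack_from("<H", data, fh + 16)[0]
    opt = fh + 20                                      # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:                        # 64-bit: ImageBase is 8 bytes at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == PE32_MAGIC:                          # 32-bit: ImageBase is 4 bytes at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    sections = []
    for i in range(num_sections):                      # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + size_opt + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "VirtualSize": vsize,
                         "VirtualAddress": vaddr, "SizeOfRawData": rawsize,
                         "PointerToRawData": rawptr})
    return {"ImageBase": image_base, "SizeOfImage": size_of_image,
            "SizeOfHeaders": size_of_headers, "sections": sections}

def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ header (two sections, no code); not a real binary."""
    dos = DOS_SIGNATURE + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = struct.pack("<H", PE32PLUS_MAGIC) + b"\0" * 22 + struct.pack("<Q", 0x140000000)
    opt += b"\0" * 24 + struct.pack("<II", 0x4000, 0x200)              # SizeOfImage, SizeOfHeaders
    opt = opt.ljust(240, b"\0")                                        # standard PE32+ size
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 2, 0, 0, 0, len(opt), 0x22)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x800, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    return dos + NT_SIGNATURE + file_hdr + opt + secs

if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("ImageBase=0x%x SizeOfImage=0x%x" % (info["ImageBase"], info["SizeOfImage"]))
    for s in info["sections"]:                         # same layout PEView would show
        print("%-8s VA=0x%05x VSize=0x%05x Raw@0x%04x" % (s["name"], s["VirtualAddress"], s["VirtualSize"], s["PointerToRawData"]))
```

Point parse_pe at the bytes of any real PE file to see the ImageBase and section list that VirtualAllocEx and the section-copy loop above work from.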

Next class, we’ll finish up this section and jump right into lab 2.
