Code/DLL Injection

ECE4112 – Internetwork Security

Georgia Institute of Technology

By Andrei Bersatti and Brandon Harrington

Agenda
  • Background: Processes and DLLs
  • Code Injection
    • Static Injection
    • Dynamic Injection
  • Trojans and Firewall Evasion
  • Defenses
Processes and DLLs (1)
  • What are processes?
  • What are DLL files?
    • More on this later
  • Processes are running tasks that are managed by the Operating System. Processes may load DLL files (Dynamic Link Libraries, in Windows).
  • Dynamic Link Libraries are executable code that can only be executed when called by a process.
Processes and DLLs (2)
  • At the Lab:
    • We will have a brief review of Processes.
    • Use the Windows Task Manager to observe processes.
    • Use Sysinternals Process Explorer to view processes and the .dll files each process has loaded.
    • Observe the process name, process user, process description, process ID and the process's DLLs.
Code Injection
  • Code Injection: ‘Injecting’ code (putting executable code within) into another program.
  • Two Kinds:
    • Static Injection: Occurs prior to program execution.
    • Dynamic Injection: Occurs on or after program execution.
  • Original Program/Process + Injected Code = Malicious Program/Process
Code Injection – Static Injection (1)
  • Occurs prior to execution of a program.
  • Example:
    • A program innocent.exe is modified so that, before running its own code, it executes code that has been injected to do some nasty thing.
    • The program is then delivered to the victim, who thinks the program is innocent (a virus? A trojan? A technique!).
Code Injection – Static Injection (2)
  • How is it done?
    • Programs have a memory space.
    • Not all of the memory space is used: some parts of it (usually at the end) are full of NOPs (no-op instructions). This area is known as a “cave.”
    • A cave can be overwritten without corrupting the victim program (other than adding the functionality we want).
Code Injection – Static Injection (3)
  • In order to execute the code in the cave, the program has to be able to reach the code.
  • How?
  • Every program has an Entry Point. By changing the first instruction at the Entry Point into a JUMP to our added code, our code executes as soon as the program starts.
  • At the end of our code we add any instructions that the JUMP overwrote, and then a JUMP back to the 2nd instruction of the Entry Point.
  • Program execution continues normally.
Code Injection – Static Injection (4)
  • In the Lab:
    • We will use OllyDbg (a debugger or decompiler) to modify the memory space of winmine.exe (Minesweeper) so that it displays a Message Box prior to executing.
  • Need some basic ASM:
    • JMP -> A jump to an address (to an instruction).
    • PUSH -> Pushes a value onto the stack.
    • CALL -> Calls a function; our function, user32.MessageBoxA, pops those values off the stack and takes them as its parameters.
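The entry-point JUMP into a code cave described on the previous slides leaves a recognisable fingerprint when a suspect copy of a program is compared with a known-good one. The following Python is an added example, not part of the original slides or lab: it works on the raw bytes of a code section (a constructed sample, not a real binary), locates the trailing NOP/zero cave in the known-good copy, decodes an `E9 rel32` near jump at the entry point, and reports the byte ranges that changed.

```python
import struct

CAVE_BYTES = (0x90, 0x00)   # NOP or zero padding: the "cave" on the slides
JMP_REL32 = 0xE9            # x86 near jump with a 32-bit relative displacement

def find_trailing_cave(section, min_len=16):
    # Walk back from the end of the section over padding bytes.
    start = len(section)
    while start > 0 and section[start - 1] in CAVE_BYTES:
        start -= 1
    length = len(section) - start
    return (start, length) if length >= min_len else None

def decode_jmp_rel32(section, offset):
    # Return the target offset of an E9 rel32 at `offset`, or None if absent.
    if offset + 5 > len(section) or section[offset] != JMP_REL32:
        return None
    (rel,) = struct.unpack_from("<i", section, offset + 1)
    return offset + 5 + rel

def entry_point_redirected(original, suspect, entry):
    # Cave bounds come from the known-good copy, since the patched copy has
    # its cave partly filled. Flag a JMP at the entry point that lands there.
    cave = find_trailing_cave(original)
    target = decode_jmp_rel32(suspect, entry)
    if cave is None or target is None:
        return False
    return cave[0] <= target < cave[0] + cave[1]

def modified_ranges(original, suspect):
    # Byte-level diff against the known-good copy (file fingerprinting that
    # also shows *where* the file changed): list of [start, end) offsets.
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, suspect)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(original)))
    return ranges

# Constructed sample section (not from any real binary): 5 bytes of prologue
# (push ebp; mov ebp,esp; push 1), INT3 filler, then a 32-byte NOP cave.
CLEAN = bytes([0x55, 0x8B, 0xEC, 0x6A, 0x01]) + b"\xcc" * 59 + b"\x90" * 32
CAVE_START = 64
# Patched copy as the slides describe: entry point becomes JMP cave; the cave
# holds a stub, the 5 overwritten bytes and a JMP back to offset 5.
STUB = b"\x6a\x00" + CLEAN[:5] + b"\xe9" + struct.pack("<i", 5 - (CAVE_START + 12))
PATCHED = b"\xe9" + struct.pack("<i", CAVE_START - 5) + CLEAN[5:CAVE_START] + STUB + CLEAN[CAVE_START + len(STUB):]

if __name__ == "__main__":
    print(entry_point_redirected(CLEAN, PATCHED, 0), modified_ranges(CLEAN, PATCHED))
```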
Code Injection – Static Injection (5)
  • Static Code Injection is not widely exploited by Trojans.
  • Understanding how Static Code Injection works helps to understand Dynamic Code Injection.
  • Static Code Injection is harder to detect since it may have occurred before the victim program arrived at a particular location.
Dynamic Code Injection
  • Used by rootkits, trojans, viruses, spyware
  • Inserting code into the program’s memory space.
  • No signs of tampering in the executable file. Changes done on-the-fly while the process is running.
Dynamic Link Libraries (DLL)
  • DLLs are shared libraries used across many programs.
    • Instead of including the shared code in every executable, common functions are stored in a separate file accessible by the programs.
      • Reduces executable size
      • Increases code re-use
    • Accessed by memory location
      • Import/Export Look-up table
API Hooking
  • Closely related to function overloading in programming.
  • A common practice in programming, mainly for debugging purposes.
  • Uses DLL injection to implant its hook DLL
API Hooking (continued)
  • Malicious uses
    • Override functions in programs to intercept data
    • Maintain functionality but add “bad features”
    • Examples:
      • An encryption function in a DLL could be overridden to output the data before it is encrypted.
      • A function that sends web data could be overridden to send a duplicate copy of the data to another server.
Lab Procedures (Dynamic Injection)
  • Inject DLLs into running processes using
    • APM
    • Aphex’s DLL Injector
  • Use Process Explorer (PE) to show the new DLL loaded
Trojans and Firewall Evasion (1)
  • What is the relevance of Code Injection to an Internetwork Security class?
  • Trojans often use code/dll injection in an attempt to evade the Firewall and communicate with the Internet.
  • Reverse Connection: Attacker’s computer does not contact you; your computer contacts the attacker’s computer!
  • Access to data prior to encryption!
Trojans and Firewall Evasion (2)
  • Static code injection scenario:
    • Install.exe was downloaded from Kazaa. (Assume Install.exe is your favorite videogame).
    • Install.exe is in reality MultiPlayerGame.exe wrapped with invisible Keylogger.exe.
    • MultiPlayerGame.exe was injected with code to connect to the Internet and deliver Keylog.txt to an attacker’s IP address.
    • Because you willingly ran a Multiplayer Game, you will tell your Firewall “Yes, allow MultiPlayerGame.exe to go outbound.”
Trojans and Firewall Evasion (3)
  • But as we said before, while it is harder to detect, Static Code Injection is not commonly used by trojans.
  • Dynamic Code/DLL Injection is far more common and far more dangerous!
  • Dynamic Code/DLL Injection scenario:
    • warningIamAtrojanServer.exe was somehow executed by some irresponsible person.
    • This installed in the Run registry a program that runs upon startup for 1 second and injects a trojan.dll into iexplore.exe. Trojan was a Remote Administration Tool and because iexplore.exe has Firewall privileges, this RAT does too!
Trojans and Firewall Evasion (4)
  • At the lab:
    • We will install a firewall (Sygate Personal Firewall)
    • We will test a firewall using Atelier Web Firewall Tester (it tests firewalls by trying to inject into different processes that should already have privileges in the firewall).
    • Atelier claims that most firewalls fail these tests!!
Trojans and Firewall Evasion (5)
  • Some Trojans that use injection:
    • Assassin 2.0 – Uses dynamic DLL injection for reverse connection.
    • Beast 2.0 – Uses dynamic DLL injection for reverse connection.
    • Nuclear Uploader – Uses dynamic DLL injection for reverse connection.
    • Flux – Uses dynamic code injection for reverse connection.
    • Institution 2004 – Claims to use DLL injection for reverse connection. Allows a process to be patched remotely.
Trojans and Firewall Evasion (6)
  • In the lab:
  • We will play with Assassin 2.0; show the loaded .dll using Process Explorer.
  • We will play with Institution 2004; show ability to patch processes remotely.
  • We will play with Flux; show that it does indeed use Internet Explorer to evade the Firewall and yet no loaded .dll is detected.
  • Tools: Process Explorer, Sygate Personal Firewall logs.
Defenses
  • How can you protect yourself from this attack?
  • Anti-Hook
    • Essentially a firewall for DLLs
    • Rule-based
      • Allow only “trusted” DLLs to be loaded by programs
  • Static Injection
    • File Fingerprinting
  • Dynamic Injection
    • Scan memory for rogue DLL currently loaded
    • Check import/export addresses of linked functions and compare with known addresses
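Two of the defenses listed above, a rule that only allows DLLs from trusted locations and a comparison of the import addresses a process actually calls against the exporting module's known addresses, can be checked mechanically. The Python below is an added example, not part of the original slides or any of the tools named; it runs over a constructed snapshot of one process (module bases, paths, export RVAs and the import address table, all made up here rather than taken from a real machine) and reports the module loaded from outside System32 and the import slot that has been redirected into it.

```python
SYSTEM_DIRS = ("c:\\windows\\system32\\",)  # the only location we trust DLLs from

# Constructed snapshot (not from a real machine): loaded modules with their
# load address, size, on-disk path and export table (name -> RVA).
MODULES = {
    "user32.dll": {"base": 0x77D40000, "size": 0x90000,
                   "path": "C:\\Windows\\System32\\user32.dll",
                   "exports": {"MessageBoxA": 0x7E2D0, "SendMessageA": 0x1C7B0}},
    "ws2_32.dll": {"base": 0x71AB0000, "size": 0x17000,
                   "path": "C:\\Windows\\System32\\ws2_32.dll",
                   "exports": {"send": 0x428A, "recv": 0x615A}},
    "hook.dll":   {"base": 0x10000000, "size": 0x8000,
                   "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\hook.dll",
                   "exports": {}},
}
# The process's import address table: (module, function) -> address called.
IAT = {
    ("user32.dll", "MessageBoxA"): 0x77D40000 + 0x7E2D0,
    ("ws2_32.dll", "send"): 0x10001230,            # no longer points into ws2_32
    ("ws2_32.dll", "recv"): 0x71AB0000 + 0x615A,
}

def untrusted_modules(modules):
    # Rule: any DLL loaded from outside the system directory is reported.
    return sorted(name for name, m in modules.items()
                  if not m["path"].lower().startswith(SYSTEM_DIRS))

def owner_of(modules, address):
    # Which loaded module's address range contains `address`, if any.
    for name, m in modules.items():
        if m["base"] <= address < m["base"] + m["size"]:
            return name
    return None

def audit_iat(modules, iat):
    # Compare each IAT slot with base + export RVA from the exporting module;
    # a mismatch means the call has been rerouted (an API hook).
    findings = []
    for (mod, func), actual in iat.items():
        expected = modules[mod]["base"] + modules[mod]["exports"][func]
        if actual != expected:
            findings.append({"import": f"{mod}!{func}", "expected": expected,
                             "actual": actual, "resolves_to": owner_of(modules, actual)})
    return findings

if __name__ == "__main__":
    print("untrusted:", untrusted_modules(MODULES))
    for f in audit_iat(MODULES, IAT):
        print(f"{f['import']}: IAT {f['actual']:#x} != export {f['expected']:#x}, inside {f['resolves_to']}")
```

On a live system the same checks would be fed from a module list and IAT read out of the target process, which is what the memory scanners named in the lab do.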
Lab Procedures (Defenses)
  • Use Advanced Process Manipulation (APM) to unload DLLs injected into running processes
  • Use TDS-3 to scan memory for rogue DLLs
  • This is a common technique.
  • Comparable to buffer overflows.
  • If you know how the technique works, you can defend yourself against various malware that uses it