-Windows Internals: back-end of windows os -processes, file formats, COM, task scheduling, I/O, DLLs and PE connect through RDP: IP, THM-Attacker, Tryhackme!
Abusing Processes -Processes maintain and represent a program being executed -processes have sub-components Private Virtual Address Space → Virtual memory addresses the process is allocated. Executable Program → Defines code and data stored in the virtual address space Open Handles → Defines handles to system resources accessible to the process Security Context → The access token defines the user, security groups, privileges, and other security information. Process ID → Unique numerical identifier of the process Threads → Section of a process scheduled for execution
Process Injection: injection of malicious code into a process through legitimate functionality or components
- Process Hollowing: inject code into a suspended/hollowed target process
- Thread Execution hijacking: inject code into suspended target thread
- DLL injection: inject a DLL into process memory
- PE injection: self-inject a PE image pointing to a malicious function into a target process
-search of task manager -go to details > click User name -find THM-Attacker -look for PID of dllhost.exe: xxxx cd \Desktop\Injectors .\shellcode-injector.exe xxxx flag: THM{1nj3c710n_15_fun!}
Hollowing -inject an entire malicious file into a process -unmapping the process and inject specific PE (Portable Executable) -steps:
- Create a target process in a suspended state
- open a malicious image
- unmap legitimate code from process memory
- Allocate memory location for malicious code and write each section into the address space
- set an entry point for the malicious code
- take the taget process out of a suspended state
-search of task manager -go to details > click User name -find THM-Attacker -look for PID of dllhost.exe: xxxx cd \Desktop\Injectors .\hollowing-injector.exe xxxx flag: THM{7h3r35_n07h1n6_h3r3}
High-level thread hijacking 1.Locate and open a target process to control. 2.Allocate memory region for malicious code. 3.Write malicious code to allocated memory. 4.Identify the thread ID of the target thread to hijack. 5.Open the target thread. 6.Suspend the target thread. 7.Obtain the thread context. 8.Update the instruction pointer to the malicious code. 9.Rewrite the target thread context. 10.Resume the hijacked thread.
-search of task manager -go to details > click User name -find THM-Attacker -look for PID of dllhost.exe: xxxx cd \Desktop\Injectors .\thread-injector.exe xxxx flag: THM{w34p0n1z3d_53w1n6}
Abusing DLLs
- Locate a target process to inject
- Open the target process
- Allocate memory region for malicious DLL
- Write malicious DLL to allocated memory
- Load and execute the malicious DLL
-search of task manager -go to details > click User name -find THM-Attacker -look for rdpclip cd \Desktop\Injectors .\dll-injector.exe rdpclip .\evil.dll flag: THM{n07_4_m4l1c10u5_dll}
Memory Execution Alternatives -Invoking Function Pointers: relies on typecasting → executed on locally allocated memory → doesn’t rely on API calls ((void(*)())addressPointer)();
-Asynchronous Procedure Calls: → APC (async procedure call) through QueueUserAPC → must be in “alertable state” waiting for a callback such as WaitForSingleObject or Sleep
-Section Manipulation → PE (portable executable) and section manipulation commonly seen in malware -.data and .text, tables and pointers to sections are commonly used → obtaining a PE dump is done commonly using DLL or other malicious file fed into xxd → use math through the physical hex data which is translated to PE data → RVA entry point parsing, section mapping, and relocation table parsing
-TrickBot: well known banking malware -browser hooking - allows malware to hook interesting API calls that can be used to intercept credentials -OpenProcess: hanlde common browser paths -steps taken
- OpenProcess - open target process
- VirtualAllocEx - allocate memory
- WriteProcessMemory - copy function into allocated memory
- WriteProcessMemory - copy shellcode into allocated memory
- FlushIntructionCache - Flush cache to commit changes
- RemoteThread - create remote thread
- ResuemThread or RtlCreateUserThread - resume thread or fallback to create a new user thread
What alternative Windows API call was used by TrickBot to create a new user thread? -RtlCreateUserThread Was the injection reflective? Y what function name was used to manually write hooks? -write_hook_iter