There are many ways malware can obscure its presence on a system:
1. Launchers
2. Process Injection
3. Process Replacement
4. Detours
2. Process injection is nothing but injecting code into another running process.
There are two ways you can inject code into a process:
i. Put your code into a DLL and map the DLL into the remote process.
ii. Instead of writing a separate DLL, copy your code into the remote process directly.
2.i. There are a couple of methods by which one can map a DLL into a remote process. The latest versions of Windows enforce session separation, so some of these methods may not work on Windows Vista/7/8.
a. Windows hooks (SetWindowsHookEx)
b. CreateRemoteThread
c. AppInit_DLLs registry key
d. ZwCreateThread or NtCreateThreadEx (works on all versions of Windows)
e. Via APC (Asynchronous Procedure Calls)
Note: CreateRemoteThread is the most common method used for DLL injection. It used to work flawlessly up to Windows XP. However, due to the "Session Separation" feature introduced in Vista, the CreateRemoteThread method cannot be used to inject a DLL into another running process in a different session. To beat that limitation, one can use the NtCreateThread function, which can inject a DLL across session boundaries on Windows Vista/7. In Windows 8, CreateRemoteThread again works well across sessions. Hence one can use NtCreateThread to inject a DLL on all versions of Windows, or use CreateRemoteThread on Windows XP/8.
CreateRemoteThread actually calls NtCreateThread somewhere down the layers. Hence on Vista/7 some extra checking code causes CreateRemoteThread to exit.
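From the defender's side, the two injection styles listed above (2.i: map a DLL via a remote thread whose entry point is LoadLibrary; 2.ii: copy code in directly and start a thread on it) leave a recognisable footprint in Sysmon Event ID 8 (CreateRemoteThread) telemetry. The script below is an added example, not code from this post; it parses Event ID 8 records in the "Field: value" layout Event Viewer shows and flags the two patterns. The field names (SourceImage, TargetImage, StartAddress, StartModule, StartFunction) are Sysmon's; the event text, paths and addresses are constructed for the example.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the two
injection styles discussed above:
  - a remote thread whose entry point is LoadLibrary* in kernel32/kernelbase
    (a DLL being mapped into the target), and
  - a remote thread starting in memory backed by no module at all
    (code copied directly into the target).
The sample events, paths and addresses below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed Event ID 8 records, one blank line between records.
SAMPLE_EVENTS = """\
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\conhost.exe
StartAddress: 0x00007FFB4A3D0C70
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart

SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
TargetImage: C:\\Windows\\explorer.exe
StartAddress: 0x00007FFB4B0E1FD0
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA

SourceImage: C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe
TargetImage: C:\\Windows\\System32\\svchost.exe
StartAddress: 0x000001D4C2F90000
StartModule:
StartFunction:
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")
LOADLIB_ENTRYPOINTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
LOADER_MODULES = ("kernel32.dll", "kernelbase.dll")


@dataclass
class Finding:
    source: str
    target: str
    reason: str


def parse_events(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated 'Field: value' records into dicts."""
    events: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                events.append(current)
                current = {}
            continue
        match = FIELD_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2).strip()
    if current:
        events.append(current)
    return events


def triage(events: List[Dict[str, str]]) -> List[Finding]:
    """Flag remote threads matching the DLL-mapping or direct-copy patterns."""
    findings: List[Finding] = []
    for ev in events:
        source = ev.get("SourceImage", "")
        target = ev.get("TargetImage", "")
        module = ev.get("StartModule", "").lower()
        # Some renderings show "module!function"; keep only the function name.
        func = ev.get("StartFunction", "").split("!")[-1].lower()
        if not module:
            findings.append(Finding(source, target,
                "remote thread starts in memory backed by no module (code copied directly into target)"))
        elif func in LOADLIB_ENTRYPOINTS and module.endswith(LOADER_MODULES):
            findings.append(Finding(source, target,
                "remote thread entry point is LoadLibrary (DLL being mapped into target)"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_events(SAMPLE_EVENTS)):
        print(f"{f.source} -> {f.target}: {f.reason}")
```

The first record (csrss.exe starting a thread in conhost.exe at RtlUserThreadStart) is the kind of legitimate remote thread Windows itself creates and is left alone; the other two are flagged. In practice this heuristic is a starting point for an allow-list of known source/target pairs rather than a complete detector, since injection via APC or NtCreateThreadEx does not necessarily show the LoadLibrary entry point.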
In my next post, I will explain steps to put these methods into practical implementation.
I just found your article through Google (thanks for posting this),
but at the bottom I see "In my next post, I will explain steps to put these methods into practical implementation."
and I don't see any next steps.
Did you ever get around to making a follow-up post?
Yeah, actually I thought of discussing practical implementation of the above concepts... due to some time constraints I wasn't able to make it.
And also there are many examples out there on the net... let me know if you want any specific explanation on the above concept.