Code/DLL Injection ECE4112 – Internetwork Security Georgia Institute of Technology By Andrei Bersatti and Brandon Harrington
Agenda • Background: Processes and DLLs • Code Injection • Static Injection • Dynamic Injection • Trojans and Firewall Evasion • Defenses
Processes and DLLs (1) • What are processes? • What are DLL files? • More on this later • Processes are running tasks managed by the Operating System. A process may load DLL files (Dynamic Link Libraries, in Windows). • A Dynamic Link Library contains executable code that never runs on its own: it is loaded into a process, and its functions execute only when that process calls them.
Processes and DLLs (2) • At the Lab: • We will have a brief review of Processes. • Use Windows Task Manager to observe processes. • Use Sysinternals Process Explorer to view processes and the .dll files loaded by each process. • Process Name, Process User, Process Description, Process ID, Process DLLs.
Code Injection • Code Injection: ‘injecting’ code (placing executable code) into another program. • Two Kinds: • Static Injection: the executable file is modified before it ever runs. • Dynamic Injection: the memory of a running process is modified on the fly. • Original Program/Process + Injected Code = Malicious Program/Process
Code Injection – Static Injection (1) • Occurs prior to execution of a program. • Example: • A program innocent.exe is modified so that, before running its own code, it runs code that has been injected to do some nasty thing. • Then the program is delivered to the victim, who thinks the program is innocent (a virus? A trojan? A technique!).
Code Injection – Static Injection (2) • How is it done? • A program’s code lives in sections of the executable file, and each section is padded out to an alignment boundary. • Not all of that space holds code: the padding at the end of a section is unused (on disk it is filled with null bytes) and is never executed by the program. This area is known as a “cave.” • A cave can be overwritten without corrupting the victim program (other than by adding a desired functionality), and no section has to be added or enlarged.
Code Injection – Static Injection (3) • In order to execute the code in the cave, the program has to be able to reach it. • How? • Every program has an Entry Point. We overwrite the first instruction(s) at the Entry Point with a JMP to our added code. A JMP rel32 is 5 bytes, so as many whole instructions as it takes to cover those 5 bytes are replaced, and any leftover bytes are padded with NOPs. As soon as the program starts, our code executes. • At the end of our code we replay the instructions the JMP overwrote, then JMP back to the first instruction after the overwritten ones. • Program execution continues normally.
Code Injection – Static Injection (4) • In the Lab: • We will use OllyDbg (a debugger and disassembler) to modify the code of winmine.exe (Minesweeper) so that it displays a Message Box before running. • Need some basic ASM: • JMP -> A jump to an address (to an instruction). • PUSH -> Pushes a value onto the stack. • CALL -> Calls a function. Our function, user32.MessageBoxA, takes its four parameters from the stack (pushed right to left: uType, caption, text, hWnd) and, being stdcall, removes them itself before returning.
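The byte-level mechanics of the cave patch described on the last three slides, as an added example (not part of the original slides, and not the real layout of winmine.exe): the helpers compute the JMP rel32 displacements, locate a null-byte cave at the end of a .text section, assemble the PUSH/PUSH/PUSH/PUSH/CALL [IAT] MessageBoxA payload, replay the stolen entry-point instructions and jump back. The image base, RVAs, string addresses and IAT slot are assumed values, and the section contents are constructed; in the lab the same numbers would be read off OllyDbg.

```python
import struct

# x86 encodings used below (immediates are little-endian):
#   E9 rel32       JMP rel32 (5 bytes; displacement is relative to the END of the jump)
#   90             NOP
#   6A ib          PUSH imm8
#   68 id          PUSH imm32
#   FF 15 disp32   CALL [disp32]   (call through an IAT slot)


def jmp_rel32(src_rva, dst_rva):
    """Encode a JMP rel32 that sits at src_rva and lands on dst_rva."""
    return b"\xE9" + struct.pack("<i", dst_rva - (src_rva + 5))


def jmp_rel32_target(src_rva, code):
    """Decode where a JMP rel32 located at src_rva goes (used to verify the patch)."""
    if code[0] != 0xE9:
        raise ValueError("not a JMP rel32")
    return src_rva + 5 + struct.unpack("<i", code[1:5])[0]


def find_cave(section, size):
    """Offset of the first run of `size` null bytes in a section (a code cave), or None."""
    idx = bytes(section).find(b"\x00" * size)
    return None if idx < 0 else idx


def messagebox_payload(text_va, caption_va, iat_messageboxa_va):
    """PUSH 0 (uType) / PUSH caption / PUSH text / PUSH 0 (hWnd) / CALL [IAT MessageBoxA].
    Arguments go on the stack right to left; MessageBoxA is stdcall and pops them itself."""
    return (b"\x6A\x00"
            + b"\x68" + struct.pack("<I", caption_va)
            + b"\x68" + struct.pack("<I", text_va)
            + b"\x6A\x00"
            + b"\xFF\x15" + struct.pack("<I", iat_messageboxa_va))


def build_static_injection(entry_rva, stolen, cave_rva, payload):
    """Return (entry_patch, cave_blob).
    entry_patch replaces the first len(stolen) bytes at the entry point with JMP cave,
    NOP-padded so no half instruction is left behind. cave_blob is the payload, then the
    stolen instructions replayed verbatim, then JMP back to entry_rva + len(stolen).
    `stolen` must be whole instructions covering the 5-byte JMP (boundaries come from the
    disassembler) and must be position-independent, or they would need re-encoding."""
    if len(stolen) < 5:
        raise ValueError("need >= 5 bytes of whole instructions at the entry point")
    entry_patch = jmp_rel32(entry_rva, cave_rva) + b"\x90" * (len(stolen) - 5)
    blob = payload + stolen
    blob += jmp_rel32(cave_rva + len(blob), entry_rva + len(stolen))
    return entry_patch, blob


def patch_text_section(text, text_rva, entry_rva, stolen, payload, cave_size=64):
    """Apply the injection to a copy of a .text section; return (patched_bytes, cave_rva)."""
    text = bytearray(text)
    entry_off = entry_rva - text_rva
    if text[entry_off:entry_off + len(stolen)] != stolen:
        raise ValueError("entry point bytes do not match the expected instructions")
    cave_off = find_cave(text, cave_size)
    if cave_off is None:
        raise RuntimeError("no code cave large enough")
    cave_rva = text_rva + cave_off
    entry_patch, blob = build_static_injection(entry_rva, stolen, cave_rva, payload)
    text[entry_off:entry_off + len(entry_patch)] = entry_patch
    text[cave_off:cave_off + len(blob)] = blob
    return bytes(text), cave_rva


# ---- Constructed example (NOT winmine.exe's real layout; every number is assumed) ----
IMAGE_BASE = 0x01000000                    # assumed image base
TEXT_RVA = 0x1000                          # .text mapped at RVA 0x1000
ENTRY_RVA = 0x1240                         # AddressOfEntryPoint
STOLEN = b"\x55\x8B\xEC\x83\xEC\x10"       # push ebp / mov ebp,esp / sub esp,10h (6 bytes)
# 0xCC filler stands in for real code; 0x200 null bytes of alignment padding form the cave.
TEXT = bytes([0xCC]) * 0x240 + STOLEN + bytes([0xCC]) * (0xE00 - 0x246) + b"\x00" * 0x200
PAYLOAD = messagebox_payload(text_va=IMAGE_BASE + 0x4010,            # assumed string
                             caption_va=IMAGE_BASE + 0x4020,         # locations
                             iat_messageboxa_va=IMAGE_BASE + 0x1080)  # assumed IAT slot


def demo():
    """Patch the constructed section; return (patched, cave_rva, entry_patch_len, blob_len)."""
    patched, cave_rva = patch_text_section(TEXT, TEXT_RVA, ENTRY_RVA, STOLEN, PAYLOAD)
    return patched, cave_rva, len(STOLEN), len(PAYLOAD) + len(STOLEN) + 5


if __name__ == "__main__":
    patched, cave_rva, plen, blen = demo()
    print(f"entry JMP -> {jmp_rel32_target(ENTRY_RVA, patched[0x240:0x245]):#x} (cave at {cave_rva:#x})")
    back = patched[0xE00 + blen - 5:0xE00 + blen]
    print(f"cave JMP  -> {jmp_rel32_target(cave_rva + blen - 5, back):#x} (entry + {plen})")
```

The two text strings and the IAT slot are referenced by virtual address, so the payload is only correct for the image base it was built for; a PE with relocations that gets rebased would need those four immediates fixed up too. The check in patch_text_section that the entry bytes match is what protects against patching the wrong instruction boundary.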
Code Injection – Static Injection (5) • Static Code Injection is not widely used by Trojans. • Understanding how Static Code Injection works helps to understand Dynamic Code Injection. • Static Code Injection is harder to detect on the host because the tampering happened before the file ever arrived: there is no process to watch, only a modified file, which a known-good hash or signature check would reveal.
Dynamic Code Injection • Used by rootkits, trojans, viruses, spyware • Inserting code into a running process’s memory space. • No signs of tampering in the executable file on disk; the changes are made on the fly while the process is running.
Dynamic Link Libraries (DLL) • DLLs are shared libraries used across many programs. • Instead of including the shared code in every executable, common functions are stored in a separate file accessible by the programs. • Reduces executable size • Increases code re-use • Functions are reached by address: the DLL publishes them in its export table, and at load time the loader writes their addresses into the importing program’s Import Address Table (IAT).
API Hooking • Closely related to function interposition: replacing a function with your own, which usually calls the original. • Common practice in programming, mainly for debugging and instrumentation. • Uses DLL injection to implant the hook DLL in the target process.
API Hooking (continued) • Malicious uses • Override functions in programs to intercept data • Maintain functionality but add “bad features” • Examples: • An encryption routine in a DLL could be hooked to copy the data before it is encrypted. • A function that sends web data could be hooked to send a duplicate of the data to another server.
Lab Procedures (Dynamic Injection) • Inject DLLs into running processes using • APM (Advanced Process Manipulation) • Aphex’s DLL Injector • Use Process Explorer to show the new DLL loaded in the target process
Trojans and Firewall Evasion (1) • What is the relevance of Code Injection to an Internetwork Security class? • Trojans often use code/DLL injection to evade a personal Firewall: the firewall grants outbound access per application, so code running inside an already-trusted process inherits that process’s permission to communicate with the Internet. • Reverse Connection: the attacker’s computer does not contact you; your computer contacts the attacker’s computer, which looks like ordinary outbound traffic! • Access to data prior to encryption!
Trojans and Firewall Evasion (2) • Static code injection scenario: • Install.exe was downloaded from Kazaa (assume Install.exe is your favorite videogame). • Install.exe is in reality MultiPlayerGame.exe wrapped with an invisible Keylogger.exe. • MultiPlayerGame.exe was injected with code that connects to the Internet and delivers Keylog.txt to the attacker’s IP address. • Because you willingly ran a multiplayer game, you tell your Firewall “Yes, allow MultiPlayerGame.exe to go outbound,” and the keylogger’s traffic rides on that permission.
Trojans and Firewall Evasion (3) • But as we said before, while harder to detect, Static Code Injection is not commonly used by trojans. • Dynamic Code/DLL Injection is far more common and far more dangerous! • Dynamic Code/DLL Injection scenario: • warningIamAtrojanServer.exe was somehow executed by some irresponsible person. • It registered a program under a Run key in the registry. At every startup that program runs for about a second, injects trojan.dll into iexplore.exe and exits. The trojan is a Remote Administration Tool (RAT), and because iexplore.exe is allowed through the Firewall, so is the RAT!
Trojans and Firewall Evasion (4) • At the lab: • We will install a firewall (Sygate Personal Firewall). • We will test the firewall using Atelier Web Firewall Tester (it tests firewalls by trying several ways of injecting into processes that already have outbound privileges in the Firewall). • Atelier claims that most firewalls fail these tests!!
Trojans and Firewall Evasion (5) • Some Trojans that use injection: • Assassin 2.0 – Uses dynamic DLL injection for reverse connection. • Beast 2.0 – Uses dynamic DLL injection for reverse connection. • Nuclear Uploader – Uses dynamic DLL injection for reverse connection. • Flux – Uses dynamic code injection (no DLL) for reverse connection. • Institution 2004 – Claims to use DLL injection for reverse connection; can also patch a running process remotely.
Trojans and Firewall Evasion (6) • In the lab: • We will play with Assassin 2.0; show the loaded .dll using Process Explorer. • We will play with Institution 2004; show its ability to patch processes remotely. • We will play with Flux; show that it does indeed use Internet Explorer to evade the Firewall, yet no injected .dll shows up because it injects raw code rather than a DLL. • Tools: Process Explorer, Sygate Personal Firewall logs.
Protection • How can you protect yourself from this attack? • Anti-Hook • Essentially a firewall for DLLs • Rule-based • Allow only “trusted” DLLs to be loaded by programs
Detection • Static Injection • File fingerprinting: hash the executable and compare it with a known-good hash (or verify its signature). • Dynamic Injection • Scan process memory for rogue DLLs currently loaded. • Check the import/export addresses of linked functions: each imported function should resolve to an address inside the DLL that is supposed to provide it, and a hook redirects it elsewhere.
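The two dynamic-injection checks on the Protection and Detection slides, as an added example (my code, not Anti-Hook’s or TDS-3’s): an allow-list rule over the modules a process has loaded, and an import-table check that flags any IAT slot pointing outside the DLL the import names. The process snapshot (module list, bases, sizes and IAT entries) is constructed to mirror the iexplore.exe scenario from the firewall-evasion slides, and the trusted directories assume the lab’s Windows XP layout.

```python
import ntpath  # Windows path rules, usable on any host

# Constructed snapshot of iexplore.exe after trojan.dll has been injected.
# Names, paths, bases and addresses are made up for the example.
PROCESS_EXE = r"C:\Program Files\Internet Explorer\iexplore.exe"
MODULES = [  # (name, path, base, size), as Process Explorer's lower pane shows them
    ("iexplore.exe", PROCESS_EXE, 0x00400000, 0x19000),
    ("ntdll.dll", r"C:\WINDOWS\system32\ntdll.dll", 0x7C900000, 0xB0000),
    ("kernel32.dll", r"C:\WINDOWS\system32\kernel32.dll", 0x7C800000, 0xF4000),
    ("user32.dll", r"C:\WINDOWS\system32\user32.dll", 0x77D40000, 0x90000),
    ("ws2_32.dll", r"C:\WINDOWS\system32\ws2_32.dll", 0x71AB0000, 0x17000),
    ("iertutil.dll", r"C:\Program Files\Internet Explorer\iertutil.dll", 0x3E000000, 0x30000),
    ("trojan.dll", r"C:\Documents and Settings\Student\Local Settings\Temp\trojan.dll",
     0x10000000, 0x9000),
]
IAT = [  # (importing module, "dll!function", address currently in the IAT slot)
    ("iexplore.exe", "user32.dll!MessageBoxA", 0x77D5050B),
    ("iexplore.exe", "ws2_32.dll!send", 0x10001A20),   # hooked: points into trojan.dll
    ("iexplore.exe", "ws2_32.dll!recv", 0x71AB676F),
]
TRUSTED_DIRS = (r"C:\WINDOWS\system32", r"C:\WINDOWS")  # assumption: lab XP layout


def _under(path, directory):
    """True if `path` is `directory` or lies below it (case-insensitive, no prefix tricks)."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory))
    return p == d or p.startswith(d + "\\")


def module_verdicts(process_exe, modules, trusted_dirs=TRUSTED_DIRS):
    """Anti-Hook-style rule: a module is trusted only if it lives in a trusted system
    directory or next to the executable itself; anything else is reported as rogue."""
    allowed = (ntpath.dirname(process_exe),) + tuple(trusted_dirs)
    return {name: ("trusted" if any(_under(path, d) for d in allowed) else "rogue")
            for name, path, _base, _size in modules}


def owner_of(address, modules):
    """Name of the module whose mapped range contains `address`, or None."""
    for name, _path, base, size in modules:
        if base <= address < base + size:
            return name
    return None


def iat_anomalies(iat, modules):
    """Each IAT slot should point inside the DLL its import names. A slot that resolves
    into another module (or into no module at all) has been hooked; report where it
    really goes so the hook DLL can be identified and unloaded."""
    found = []
    for importer, symbol, address in iat:
        expected = symbol.split("!")[0]
        actual = owner_of(address, modules)
        if actual != expected:
            found.append((importer, symbol, hex(address), actual))
    return found


if __name__ == "__main__":
    for name, verdict in module_verdicts(PROCESS_EXE, MODULES).items():
        print(f"{verdict:8} {name}")
    for importer, symbol, address, actual in iat_anomalies(IAT, MODULES):
        print(f"HOOK: {importer} {symbol} -> {address} (inside {actual})")
```

The IAT check only catches hooks that redirect the import slot; a trojan that patches the first bytes of the function body in place (or, like Flux, injects raw code without any DLL) leaves the IAT intact, so the complementary check is to compare each imported function’s prologue in memory against its on-disk copy. The allow-list is only as strong as the write protection on the trusted directories.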
Lab Procedures (Defenses) • Use Advanced Process Manipulation (APM) to unload DLL injected into current processes • Use TDS-3 to scan memory for rogue DLLs
Conclusions • This is a common technique, comparable in importance to buffer overflows. • If you know how the technique works, you can defend yourself against the various malware that uses it.