A forum for reverse engineering, OS internals and malware analysis 

Forum for discussion about user-mode development.
 #23743  by blackd0t
 Tue Sep 02, 2014 2:48 pm
Hello,

I'm researching the subject of process injection to create my own code injection library.
This is the method I currently use:
* CreateProcessInternalW - to start process in SUSPENDED state.
* NtMapViewOfSection - for injecting the code into created process.
* NtQueueApcThread - to queue the APC with injected code entrypoint for launch
* NtResumeThread - to start the suspended process

There are also other methods I know of:
* NtGetContextThread/NtSetContextThread - to change the EIP in target process.
* NtGetContextThread/NtSetContextThread - to change EAX in target process (EAX points to module entry point in RtlUserThreadStart) [won't work on XP I believe]
* NtWriteVirtualMemory - to insert a JMP instruction at EIP.

Other interesting method that I read about used by malware is here: http://www.malwaretech.com/2013/08/powe ... truly.html
This one I believe will only work on explorer.exe process that is currently running though.

Are there any other methods that I'm not yet aware of?
Is it possible to monitor and catch these injection methods from kernel-mode without using SSDT hooks (especially the NtQueueApcThread method)?
 #23752  by Vrtule
 Tue Sep 02, 2014 8:47 pm
Are there any other methods that I'm not yet aware of?
Is it possible to monitor and catch these injection methods from kernel-mode without using SSDT hooks (especially the NtQueueApcThread method)?
You can use ObRegisterCallbacks to be notified when someone attempts to open a process or a thread. You can also filter out access rights that permit him to change the state of the object. Such access rights are needed to successfully use routines such as NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread or NtCreateThread.

The problem is you just get control when someone is trying to GAIN sufficient access to perform a certain operation... but not when he/she actually ATTEMPTS to perform it.
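The filtering Vrtule describes, modelled as an added example that is not part of this thread and is not anyone's driver code: a user-mode C program that reproduces the decision a driver would make inside its ObRegisterCallbacks pre-operation callback, using the documented process/thread access-right values from winnt.h. The callback itself, the kernel headers, the `is_protected` policy and the PID 4242 are assumptions; in a real driver the returned mask is what you would write back into `CreateHandleInformation.DesiredAccess` (and the same filtering must be applied to the duplicate-handle operation, or the restriction is trivially bypassed).

```c
/* Added example (not from the thread): models the access-mask filtering a
 * driver would perform in an ObRegisterCallbacks pre-operation callback.
 * No kernel headers are used, so this builds and runs in user mode; the
 * constants are the documented winnt.h access-right values. */
#include <stdint.h>
#include <stdio.h>

typedef uint32_t ACCESS_MASK;

/* Process access rights (winnt.h) */
#define PROCESS_CREATE_THREAD   0x0002
#define PROCESS_VM_OPERATION    0x0008
#define PROCESS_VM_READ         0x0010
#define PROCESS_VM_WRITE        0x0020
#define PROCESS_SUSPEND_RESUME  0x0800

/* Thread access rights (winnt.h) */
#define THREAD_SUSPEND_RESUME   0x0002
#define THREAD_SET_CONTEXT      0x0010

/* Rights that let a caller alter another process's memory or threads:
 * needed by NtWriteVirtualMemory, NtMapViewOfSection, NtCreateThread(Ex). */
#define PROCESS_INJECT_RIGHTS \
    (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)

/* Rights needed by NtQueueApcThread / NtSetContextThread. */
#define THREAD_INJECT_RIGHTS (THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME)

enum ObjType { OBJ_PROCESS, OBJ_THREAD };

/* What the pre-op callback sees for one handle-open request. */
struct HandleRequest {
    enum ObjType type;
    uint32_t caller_pid;   /* process asking for the handle */
    uint32_t target_pid;   /* process that owns the object (or the thread) */
    ACCESS_MASK desired;   /* DesiredAccess before filtering */
};

/* Hypothetical policy hook: which target processes the driver protects.
 * PID 4242 is a constructed sample value, not a real system PID. */
static int is_protected(uint32_t pid) { return pid == 4242; }

/* Returns the filtered access mask, i.e. what the callback would store back
 * into DesiredAccess. A process opening itself is left alone (plenty of
 * legitimate code does that), as are opens of unprotected targets.
 * *stripped is set when injection-capable rights were removed, which is the
 * event worth logging: it shows who asked for write/context rights, even
 * though, as noted above, it does not show whether they were ever used. */
ACCESS_MASK filter_desired_access(const struct HandleRequest *r, int *stripped)
{
    ACCESS_MASK mask = r->desired;
    ACCESS_MASK deny = (r->type == OBJ_PROCESS) ? PROCESS_INJECT_RIGHTS
                                                : THREAD_INJECT_RIGHTS;
    *stripped = 0;
    if (r->caller_pid == r->target_pid || !is_protected(r->target_pid))
        return mask;
    if (mask & deny) {
        *stripped = 1;
        mask &= ~deny;
    }
    return mask;
}

int main(void)
{
    /* Constructed sample requests: an APC-style thread open and a VM write. */
    struct HandleRequest reqs[] = {
        { OBJ_THREAD,  1000, 4242, THREAD_SET_CONTEXT | 0x0040 /* THREAD_QUERY_INFORMATION */ },
        { OBJ_PROCESS, 1000, 4242, PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_VM_READ },
        { OBJ_PROCESS, 4242, 4242, PROCESS_VM_WRITE },   /* self-open, untouched */
    };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        int stripped;
        ACCESS_MASK out = filter_desired_access(&reqs[i], &stripped);
        printf("caller %u -> target %u: 0x%04x => 0x%04x%s\n",
               reqs[i].caller_pid, reqs[i].target_pid, reqs[i].desired, out,
               stripped ? " (injection rights stripped)" : "");
    }
    return 0;
}
```

Two caveats match what Vrtule says: handles that already existed before the driver registered (or were inherited) are never seen, and stripping rights prevents the capability rather than observing the call, so a process that legitimately holds THREAD_SET_CONTEXT still gets no event when it actually calls NtQueueApcThread.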
 #23754  by EP_X0FF
 Wed Sep 03, 2014 3:04 am
blackd0t wrote:* CreateProcessInternalW - to start process in SUSPENDED state.
CreateProcess(CREATE_SUSPENDED) is not so l33t? Or then your bot triggers AV? http://www.kernelmode.info/forum/viewtopic.php?f=8&t=16
Aside from what Vrtule posted, your APC inject can be detected in a user-mode handler.
 #23756  by blackd0t
 Wed Sep 03, 2014 7:42 am
Thank you for replies.

I should've made it clear in the beginning that I'm researching the injection methods for use with Metasploit's shellcodes for pentesting purposes.
I'm sorry if that is considered to be against the forum's rules.

EP_X0FF, I doubt it can be detected in user mode when Nt* syscalls are executed directly, right?
 #23784  by t4L
 Fri Sep 05, 2014 3:02 am
blackd0t wrote:...
I doubt it can be detected in user mode when Nt* syscalls are executed directly, right?
Nope, everything is detected no matter what/where you call them from in user mode. The only exception is when you call it from kernel mode.