Runtime Process Infection (part 1)

Video in TIB AV-Portal: Runtime Process Infection (part 1)

Formal Metadata

Title
Runtime Process Infection (part 1)

License
CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract
This presentation will instruct participants on how to inject arbitrary code into a process during runtime. Writing malware on Linux isn't an easy task, and anonymously injecting shared objects has been a frightful task that no one has publicly implemented. This presentation will show how and why malware authors can inject shared objects anonymously on 32-bit and 64-bit Linux and 64-bit FreeBSD. The presenter will be releasing a new version of a tool called libhijack, which aims to make injection of arbitrary code and shared objects extremely easy. There will be a live demo injecting a root shell backdoor into multiple programs during runtime.
Runtime process infection. My name is Shawn Webb and I go by the handle lattera online. This presentation is brought to you by SoldierX, a hacking community; they deal mostly with reverse engineering, and they've got a lot of talented folks on the crew. This is the first time I've given this presentation in Canada, and while my roommate was up here getting ready for the day I turned on the TV, and the first thing on was Red Green. Any Red Green fans in here? Because I grew up about three hours away from Canada, in Washington state, with a major Canadian influence, I love Red Green, so I want to start this presentation with the Man's Prayer: "I'm a man, but I can change, if I have to, I guess." So, I am just another
tech blogger, from a small tech blog, where I just write about things that interest me, mainly security and FreeBSD. I am the author of a Drupal module that makes administering FreeBSD jails really, really easy. I'm not a professional security engineer, but I've been working professionally, and in the security scene, for a number of years, and I just love it; it's my passion and my hobby. Although I've been programming in C for 13 years I'm still a bit of a newb, but I'm pretty decent.
I'm a member of SoldierX and Binary Revolution, hacker communities that are kind of similar to each other: a lot of kids who love to program and do different things. You can find me on Twitter, my handle is lattera, and I frequent Freenode IRC on the FreeBSD channel; I'm supposed to give a shout-out to them. So, the idea of
a few disclaimers, of course: the opinions and views expressed here are mine only and not those of my employer, my previous employers, my current employer, or future employers; I have to say that to cover my butt. Second, my talk is similar to a lot of others, and there's a lot of background info that I need to explain, so it's going to appear random, but it'll all make sense in the end. I'm going to go over every single piece of background information, so almost nothing new is explained; the underlying theory is very well known and understood. Runtime process infection is how malware works; take a look at a lot of the basic theory on ptrace and runtime process infection and you'll get a nice big reading list. But even though the underlying theory is very well known, I do have a new spin on existing techniques for getting the shellcode stored in the process.
The tools and the talk are for educational purposes only; again, that's just to cover my butt, and I'm not responsible for anything you guys do. This is kind of a high-level presentation, so there's not really much you can do with just the presentation material. I do make a few
assumptions. I'm focusing on FreeBSD, and I assume you
have a basic knowledge of C and 64-bit memory management, so you know what printf is, what mmap is, that kind of stuff, and you know what memory mapping is, and what the stack and the heap are. As security engineers and analysts we all have to think abstractly, think outside the box, think about how the original engineers designed what we're looking at, and figure out how to utilize it in ways that they did not intend. The presentation does not assume a modified memory layout; grsecurity and PaX of course don't exist on FreeBSD, but the concepts are similar. And I assume no errors, essentially, just to make the presentation easier to give.
A little bit of history. A few years back I was looking at a giant web application for holes; my main purpose was to get a shell on the box, so I would utilize connect-back shells. With a connect-back shell, what would happen is that on my box, locally, I would have netcat listening on a port, and the shellcode that is running on the victim, on the target box, would connect back to my netcat instance and drop me into a shell. So I needed reliable remote access. Of course this kind of worked fine, but if I'm at McDonald's, if I'm at a friend's house, if I'm at a hotel, no matter what, I need to be able to forward a port to my local computer, and that doesn't really work; firewalls are a bit of a problem. So I figured, you know what, some service is already listening for connections; let's reuse that existing connection to the web server. I also needed a way to covertly sniff traffic; there was one instance where I needed to get at some traffic that was encrypted with SSL, and I needed the decoded version of the data. So I created a tool called libhijack, and we'll talk about the project a little later. To set the
stage for this presentation, we're going to pretend there's always going to be a shell: an SSH hole, or a web application exploit. We're primarily looking for a reliable backdoor, and nginx is a good candidate. I chose nginx because Apache has some extra security things; my original target was Apache, but nginx doesn't have the same security settings, the same security good practices, that Apache does, so we'll do a live demo against nginx today after the presentation. I thought it was a good candidate because it's already listening for connections. So my main goal is to modify the nginx process somehow to run a shell when it receives a special string: when it gets, say, "GET /shell HTTP/1.1", it needs to drop me into a shell, and I could run the whoami command and it would tell me who I am. So we need to be able to hook certain functions at runtime; any time nginx receives the string it will drop me into a shell, and it has to happen multiple times, since I might connect to this box multiple times. Now I'll talk a little bit about
what happens, exactly, when a process is loaded. The kernel first checks very basic stuff with the file, like whether you have permission to run it. Then it loads what's called the runtime linker, and then it loads all the process metadata and initializes the stack; those two might be reversed, it might do the process metadata first and initialize the stack after, I'll have to check. The metadata is at that hex address on FreeBSD amd64, that user address right there, and I included the hex addresses on the slides because I'm going to put the slides up online so you can have an easy place to reference them. The runtime linker's job is to finish loading the process into memory: it loads all the dependencies, all the shared objects, like libpcap if you're Wireshark, that kind of thing. It then patches what is called the procedure linkage table and the global offset table for the needed dynamic functions; we'll talk about the PLT and GOT in a lot of detail later. Then it calls all the initialization routines for all the dependencies, and finally it turns control over to your intended process. ELF:
best Christmas movie ever. I start watching it in November, and it drives my wife insane. But seriously, this ELF stands for Executable and Linkable Format. All it is, is metadata; it's just data that describes, that tells the runtime linker, what to load and how to load it. So you
have different header files, or rather C structs, because they're not header files: you have different headers. If I say header, I mean C struct, because that's what I mean. So you have the main ELF header, and that has pointers to other, different headers. Some of those different headers are the program headers, of which you have to have at minimum one entry for your binary to be valid. They contain the virtual address locations, so where in memory this data is going to be stored; access rights, whether you can read from it, write to it, or execute it; and alignment, where inside of this virtual address location it's going to be located, at the beginning, in the middle, or at the end. Then there are the section headers. You don't have to have any section headers; in fact when you strip a binary you pretty much strip out all the sections. They describe the data that is loaded by the program headers; they contain the string table, the symbol entries if any, and compiler comments. Some old-school viruses used to store their payload inside of the compiler comments. Then there are the dynamic headers as well; those contain relocation entries, stubs, and the PLT (procedure linkage table) and GOT (global offset table), and that's really the jackpot, that's where all the magic happens. This is how an
ELF binary works in memory when it's loaded: at the top you have the main ELF header, right below that the program header table, also called the process header table, and then you have the actual data that is used by the program, your read-only data, your executable code, all that kind of stuff. Then the section headers; those may or may not get loaded at runtime, depending on how that binary was constructed and how the runtime linker loads it. So, ptrace
is the old-school debugging facility for FreeBSD. I say old school because it really ought to be replaced outright with DTrace; DTrace is much cooler, but we're going to use ptrace because it's still available. It's a kernel system call, and GDB, the GNU debugger, relies heavily on ptrace as the backend; it's how it's able to do all its magical debugging. You can read and write from and to arbitrary memory locations, but that memory location has to be valid; you can't just write to a memory mapping that doesn't exist, it has to actually exist. You can get and set all the registers: the current instruction pointer, the EFLAGS, every single CPU register can be changed with ptrace. So essentially, with ptrace, you're God: when you attach as a debugger to another process using ptrace, you can change every single part of the program. This next bullet, "the debuggee becomes a child of the debugger", is a little bit important as far as terminology is concerned, because in the presentation I'll talk about the parent/child relationship, and I'll be the counselor between the two. Let's say I'm a Firefox developer and I want to debug one of the memory leaks that still plague Firefox. So I have Firefox already running, some Homestar Runner downloading a whole bunch of Flash content, and in a terminal on the screen I've got GDB loaded. So we have Firefox and GDB; they were started at completely separate points in time, they're unrelated to each other, they were started in different manners, so completely unrelated. But when I attach GDB to Firefox, then Firefox conceptually becomes the child of GDB; it's as if GDB had spawned Firefox itself. So when I say the parent process, I'm talking about GDB or about libhijack, and when I'm talking about the child process, it would be Firefox or nginx. And it's disruptive: the user is going to know if you're using ptrace against a GUI application, for
example; a user will notice that things happen, the process just pauses. If you're in Firefox and click on a text box, nothing will happen; not even a little cursor will display, because the process is completely paused. So it's disruptive. This probably isn't true, but I like to think so: the original engineer who created ptrace, I like to think, is an evil genius, because you really can take over a process and change it. I mean, you could switch out nginx for ls instead, like we'd do that, but you know, ptrace is pretty powerful.
There is one limitation, in that you can't use ptrace against any process unless you're root. If you're root you can call ptrace against any process on the system except for the init process, but if you are not root you can only ptrace processes that you own, so processes whose UID matches your UID. So there are some current techniques for getting your shellcode stored. The first and original, very popular way was to store the shellcode on the stack, made really popular by a guy named Aleph One in a Phrack article called "Smashing the Stack for Fun and Profit"; you probably all know about that paper in this room. It was really popular, and because of its popularity, on most systems today the stack is non-executable, so you can store your code there all you want, but you're not going to get it executed. You can store your shellcode at the current instruction pointer, at RIP, but the problem with that is that it clobbers the original code, and you only get your shellcode run once, because what you need to do then is back up the original code that was executing, overwrite it with your malicious shellcode, run your malicious shellcode, and then restore the backed-up code. That doesn't really work for our purposes, because if you do that you only get your shell run once, and we need our malicious code to run multiple times: every time data is received and it matches that special string, we need to drop into a shell. So clearly, this would be nice, since it's a guaranteed spot where you have guaranteed execution, but it just won't work for us. You can store shellcode on the heap; that was very popular, and although it's not as popular today to make the heap non-executable, it's becoming so. You could use LD_PRELOAD, but chances are we'll just own a non-root process, and we don't want to gain root, because if the system is properly configured there are probably log
files, or an IDS, that say only certain processes can run as root, maybe only at certain times, and since the process is already started we would need to restart the process. So we
have this arbitrary code, this shellcode, to store, but we can't store it anywhere. What do we do? What we're going to do is force the child process to allocate memory, and this is the new spin, the slightly new technique. We're
going to, well, unlike Windows and OS X, we cannot allocate on behalf of the child from inside the parent process; the child must be the one to allocate, and that's kind of a problem, because the child is probably just waiting on disk access or network access, for input from the user, and if it allocates memory right now it's only going to allocate memory on the stack and heap; it's not going to allocate something we can use for our purposes. So that presents kind of a problem. What we're going to do is find where the kernel is called. In this program we're going to look for the assembly syscall instruction, and the problem is that the program's main code won't ever call the kernel; it calls library functions, and libc calls the kernel everywhere. Like when you do printf, it actually has to write stuff to the console, which is a privileged operation; the kernel has to be the one to do all that. So what we'll do
is find a library function that calls the kernel, by crawling through all this metadata, by going through all these ELF headers and parsing
them out. So the main ELF header contains a pointer to the program headers, the program headers contain a pointer to the dynamic headers, and the dynamic headers contain a pointer to the GOT, the global offset table. The second entry of the global offset table contains a pointer to the Obj_Entry structure; I say the second GOT entry, but on the slides it's index 1, because you start at offset 0. And the Obj_Entry struct
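The header walk the talk describes (ELF header to program headers to PT_DYNAMIC to DT_PLTGOT to GOT[1]) and the search for a syscall instruction inside an executable segment, as an added worked example in C. This is editor's code, not from the talk and not from libhijack. It parses a minimal ELF64 image constructed in memory (the DEMO_* constants, the load address 0x400000, the stub bytes and the fake Obj_Entry pointer stored in GOT[1] are all made up for the demo), assumes the image is mapped with virtual address equal to load base plus file offset, and reads bytes with a bounds-checked copy where a real injector would use ptrace PEEKDATA on the child. Two caveats for real targets: a PIE needs the load bias subtracted before following p_vaddr and d_ptr, and on glibc the structure behind GOT[1] is the link_map (and the entry may be left unset when lazy binding is disabled), whereas FreeBSD's rtld stores the Obj_Entry pointer the talk refers to.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BASE      0x400000ULL        /* made-up load address of the demo image */
#define DEMO_OBJ_ENTRY 0x7f00deadbeefULL  /* made-up value stored in GOT[1] for the demo */
#define DEMO_IMAGE_LEN 0x400

/* Bounds-checked copy out of the image; a real injector would fetch these bytes
 * from the child with ptrace(PT_READ_D / PTRACE_PEEKDATA) instead. */
static int rd(const uint8_t *img, size_t len, uint64_t off, void *out, size_t n)
{
    if (off > len || n > len - off)
        return 0;
    memcpy(out, img + off, n);
    return 1;
}

/* ELF header -> program headers -> PT_DYNAMIC -> DT_PLTGOT -> GOT[1].
 * Assumes vaddr == base + file offset (no separate load bias). Returns 0 on failure. */
uint64_t find_got1(const uint8_t *img, size_t len, uint64_t base)
{
    Elf64_Ehdr eh; Elf64_Phdr ph; Elf64_Dyn dyn; uint64_t got1;

    if (!rd(img, len, 0, &eh, sizeof eh))
        return 0;
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 || eh.e_ident[EI_CLASS] != ELFCLASS64)
        return 0;
    for (unsigned i = 0; i < (unsigned)eh.e_phnum; i++) {
        if (!rd(img, len, eh.e_phoff + (uint64_t)i * sizeof ph, &ph, sizeof ph))
            return 0;
        if (ph.p_type != PT_DYNAMIC)
            continue;
        /* walk the dynamic array until DT_NULL, looking for the GOT address */
        for (uint64_t off = ph.p_vaddr - base; ; off += sizeof dyn) {
            if (!rd(img, len, off, &dyn, sizeof dyn) || dyn.d_tag == DT_NULL)
                return 0;
            if (dyn.d_tag != DT_PLTGOT)
                continue;
            /* "second entry" = index 1 = 8 bytes past the start of the GOT */
            if (!rd(img, len, dyn.d_un.d_ptr - base + 8, &got1, sizeof got1))
                return 0;
            return got1;
        }
    }
    return 0;
}

/* Virtual address of the first `syscall` (0f 05) inside an executable PT_LOAD
 * segment, i.e. a place where the child already enters the kernel. 0 if none. */
uint64_t find_syscall_vaddr(const uint8_t *img, size_t len, uint64_t base)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    (void)base;  /* only needed if vaddr and file offset were not identity-mapped */

    if (!rd(img, len, 0, &eh, sizeof eh))
        return 0;
    for (unsigned i = 0; i < (unsigned)eh.e_phnum; i++) {
        if (!rd(img, len, eh.e_phoff + (uint64_t)i * sizeof ph, &ph, sizeof ph))
            return 0;
        if (ph.p_type != PT_LOAD || !(ph.p_flags & PF_X))
            continue;
        uint64_t end = ph.p_offset + ph.p_filesz;
        if (end > len || end < ph.p_offset)
            continue;
        for (uint64_t o = ph.p_offset; o + 1 < end; o++)
            if (img[o] == 0x0f && img[o + 1] == 0x05)
                return ph.p_vaddr + (o - ph.p_offset);
    }
    return 0;
}

/* Constructed demo image: one executable PT_LOAD holding "xor rax,rax; syscall; ret",
 * a PT_DYNAMIC whose only tag is DT_PLTGOT, and a three-entry GOT. Not runnable as a binary. */
size_t build_demo_image(uint8_t *buf, size_t cap)
{
    static const uint8_t stub[] = { 0x48, 0x31, 0xc0, 0x0f, 0x05, 0xc3 };
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph[2] = {{0}}; Elf64_Dyn dyn[2] = {{0}};
    uint64_t got[3] = { DEMO_BASE + 0x200, DEMO_OBJ_ENTRY, 0 };

    if (cap < DEMO_IMAGE_LEN)
        return 0;
    memset(buf, 0, DEMO_IMAGE_LEN);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_DYN; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT;
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    ph[0] = (Elf64_Phdr){ .p_type = PT_LOAD, .p_flags = PF_R | PF_X, .p_offset = 0x100,
                          .p_vaddr = DEMO_BASE + 0x100, .p_filesz = 0x100, .p_memsz = 0x100,
                          .p_align = 0x1000 };
    ph[1] = (Elf64_Phdr){ .p_type = PT_DYNAMIC, .p_flags = PF_R | PF_W, .p_offset = 0x200,
                          .p_vaddr = DEMO_BASE + 0x200, .p_filesz = sizeof dyn,
                          .p_memsz = sizeof dyn, .p_align = 8 };
    dyn[0].d_tag = DT_PLTGOT; dyn[0].d_un.d_ptr = DEMO_BASE + 0x300;
    dyn[1].d_tag = DT_NULL;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, ph, sizeof ph);
    memcpy(buf + 0x100, stub, sizeof stub);
    memcpy(buf + 0x200, dyn, sizeof dyn);
    memcpy(buf + 0x300, got, sizeof got);
    return DEMO_IMAGE_LEN;
}

/* Wrappers that build the demo image and run each walk over it. */
uint64_t demo_got1(void)
{
    uint8_t img[DEMO_IMAGE_LEN];
    size_t n = build_demo_image(img, sizeof img);
    return find_got1(img, n, DEMO_BASE);
}

uint64_t demo_syscall_vaddr(void)
{
    uint8_t img[DEMO_IMAGE_LEN];
    size_t n = build_demo_image(img, sizeof img);
    return find_syscall_vaddr(img, n, DEMO_BASE);
}

int main(void)
{
    printf("GOT[1] (Obj_Entry pointer) = 0x%llx\n", (unsigned long long)demo_got1());
    printf("first syscall instruction  = 0x%llx\n", (unsigned long long)demo_syscall_vaddr());
    return 0;
}
```

On the demo image the walk returns the fake Obj_Entry pointer from GOT[1] and the address 0x400103 for the syscall inside the stub. Against a live child the same two functions apply unchanged once rd() is backed by ptrace reads and, for a PIE, base is the actual mapping address from the child's memory map.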

