Playing Malware Injection with Exploit thoughts

Video in TIB AV-Portal: Playing Malware Injection with Exploit thoughts

Formal Metadata

Title
Playing Malware Injection with Exploit thoughts
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
In the past, when hackers performed malicious code injection they relied on RunPE, AtomBombing, cross-process thread creation and similar approaches, which let them disguise their own program as any critical system service. As anti-virus techniques have advanced, these conspicuous approaches have gradually been detected and killed proactively. Hackers have therefore turned to another place: memory-level weaknesses arising from flaws in the critical system services themselves. This talk briefly introduces a memory injection technique that emerged after 2013, PowerLoaderEx, and, building on its concept, discloses three new injection methods that make use of memory weaknesses in Windows to inject malicious behaviour into critical system services. The content covers Windows reverse analysis, memory weakness analysis, how the weaknesses are used and exploited, and so on. The relevant PoC will be released at the end of the talk.
My friend standing next to me, this is his first time speaking at DEF CON. His name is Sheng-Hao Ma and he wants to play with malware injection with exploit thoughts. I don't know if I said that right, but let's hear him explain. And before we get started I'm gonna give him a good congratulations. Oh, you already did. Okay.

So hello everyone, my name is Sheng-Hao Ma and I'm just a master's degree student from Taiwan, and I'm also a security researcher from CHROOT and TDOHacker. This is my first speech at DEF CON and I'm a little bit nervous, and I just drank a shot and it's very spicy, so that's okay. So let's do it. So this is the agenda: first I'm going to talk about what malware injection is, then vulnerabilities inspired by PowerLoader. So let's quickly review what malware injection is.

In the past, malware injection was useful for bypassing some protections, like bypassing whitelist checking, bypassing antivirus, or privilege escalation. For example, with DLL side-loading and a digital signature we can bypass antivirus; with remote injection into a whitelisted process we can bypass the whitelist; and if we inject into Explorer and DLL side-load a self-elevated service, we can bypass the Windows UAC protection.

Then later several well-known techniques appeared, like we have known about: shellcode injection, DLL injection, process hollowing, thread hijacking, AtomBombing and so on. In my presentation I will focus on how to do malware injection in the proper way, how to do it. If you want to do malware injection, actually there are several challenges for you. The first one is what the target is: you should choose a good target to inject, and this target must be meaningful. Second, where to find memory space for us to place our malware code in the remote process; then we need to know how to write the malware code into the remote process. And finally we need to find a way to run the malware code in the remote process; this is the most difficult part for us, you can create a new thread, hijack the current thread, or whatever.

So this is an interesting case for us, we are talking about PowerLoader. What is PowerLoader? PowerLoader is known as a strong Windows vulnerability. So what is it? There is window data in Explorer's process memory, and the state inside decides how your GUI, how your window looks. This is how it goes: first, the system sends messages to your Explorer; second, Explorer fetches a vtable from the window data; finally, Explorer invokes the callback functions in the vtable. And you may ask what's the problem, it seems very normal, it's generic. So what's the problem? The problem is how Explorer fetches the vtable, because we know Explorer will invoke the callback function from the vtable, so the problem is how Explorer fetches the vtable. Actually it fetches the vtable by a Windows API, GetWindowLong, so we can easily modify the result of the GetWindowLong API: just use the SetWindowLong API to change the vtable address.

So let's put it all together. We know if we can inject a fake vtable, then we can use the SetWindowLong API to point the vtable address to our fake vtable, and then if we send any message to Explorer, Explorer will invoke our malware code from the fake vtable. So to put a payload here, we just prepare our shellcode and prepare our memory layout of the vtable, then use the SetWindowLongPtr API to modify the vtable address of the target, aka Explorer, then just send a message to Explorer and it will execute our payload.

So let's see a quick demo. Here you can see this is tested on Windows 7, and here is my shellcode; it's pretty hard to use on the big screen. Then you can see I prepare our memory layout and inject the fake vtable into the target Explorer and send a message to it. You can see, if we compile, you can see Explorer has crashed and then runs our shellcode on the remote side.

So there are three more vulnerabilities we are talking about next. The first one is the OLE drag-and-drop event. What is it? If you do some reversing stuff you will see the code on screen: Explorer uses GlobalAddAtom to keep a string name, OleDropTargetInterface; it just keeps it by the GlobalAddAtom API. Then you can see when Explorer tries to register a drag-and-drop event, Explorer stores a DropTarget structure in the OleDropTargetInterface property. And you may ask what DropTarget is and what this structure is useful for. You can see DropTarget is actually a vtable class keeping every callback function address of the drag-and-drop event. So this is how it's used: when you try to drag a file, any file, into Explorer or inside it, you will trigger a drag-and-drop function, and you can see in this function Explorer will try to use the GetPropW API to fetch the vtable address and invoke the function in the vtable when you drag any files inside Explorer.

And you may ask what the problem is. The problem is it's pretty easy for us to modify the table just by another API, SetPropW, and if we use this API we can modify the vtable address. So what we need to do is inject a fake vtable and point the OleDropTargetInterface property to our fake vtable. So finally let's see how it goes. You can see if we drag files inside Explorer, then the system sends a message to our Explorer, then Explorer will fetch our fake vtable by the GetPropW API, because we just used the SetPropW API to change the variable, then Explorer will invoke the malware code from our fake vtable. So if we prepare our shellcode and a fake vtable and allocate memory for the addresses, then use the SetPropW API to modify the vtable address of the window data, then whenever Explorer sends or receives any drag-and-drop event message, Explorer will invoke the malware code of our shellcode.

So this is the first one, you can see how we inject into the drag-and-drop event of Explorer. First you can see this is our shellcode, and here what we need to do is prepare our fake vtable and its address, and prepare our shellcode address. Explorer will call the function in memory through the vtable, and we use WriteProcessMemory to write the shellcode into the vtable and the shellcode into the target process, then just use the SetProp API to modify the OleDropTargetInterface property. So you can see if we compile, oops, and we compile and inject the shellcode and the vtable into the target, and there's nothing happening. But if we drag any file into Explorer you can see there's a message box, it's from the shellcode, then you can see we can confirm in Task Manager, you can see it's from Explorer, this message box has popped up from Explorer.

The second case is the ComCtl subclass event. First Explorer keeps the UxSubclassInfo property string by the GlobalAddAtom API again. Explorer invokes the MasterSubclassProc function if it receives any message. In this function you can see Explorer calls a function, GetSubclassHeader, to fetch the window data, then verifies the window data we just got by another function, EnterSubclassFrame; then finally, if the window data is correct, Explorer will try to invoke the function in the window data. So let's see how Explorer checks the window data and how it calls the function. In the EnterSubclassFrame function, we just said it's used to verify whether the window data is correct or not, so the only thing we need to care about is here: the function address in the window data cannot be null, or Explorer will fetch a bad memory address and crash. So we need to prepare our vtable, we need to keep a non-null value in the window data. And in the subclass call function you can see the vtable is actually dynamic. So here I have a diagram, actually on the right; you can see there's a rule to get the callback function dynamically from our vtable address, so we can use this rule to check which address our shellcode address should be put at. And finally Explorer invokes the address it just got from the window data to process the message, any messages. So we just need to prepare another vtable with our shellcode at the vtable address, put all of it together in another memory address, then just use the SetProp API to modify the vtable address and just send messages to trigger the message function of Explorer.

This is another more interesting case here. You can see this is the malware I built on my PC, and it's finished, and Windows Defender is on. I just took this video yesterday. Whenever I just click the PoC you can see there's nothing happening for the user, the victim didn't see anything there, but our Metasploit here has caught a reverse shell, and we can do anything like ls, sysinfo, and even execute cmd. You can see Windows Defender does not have any alert for us, and you can see the cmd comes from Explorer.

The final interesting case is thread hijacking. This case is a vulnerability inside Windows 10, so if you use Windows 7 or Windows 8 you are safe. Yes, it's very pretty, because every process is created in the Windows operating system by the CreateProcess API: the kernel will create a new process and map the image section into the new process memory, then create a new thread and point the register to the program entry, aka AddressOfEntry. And the first thread doesn't just jump into AddressOfEntry; the first thread will call LdrInitializeThunk to repair the import address table and relocation information. The interesting thing is, you may be thinking the thread should now just jump into AddressOfEntry, right? But not for Windows 10. The thread will check a variable before it jumps into the program entry: every thread will jump into another address, the address in the LdrDelegatedRtlUserThreadStart variable, if it's not null; so if it's null, it just jumps into the entry. So you can see it's pretty easy for us to abuse: just put shellcode into a target process and write the shellcode address into the LdrDelegatedRtlUserThreadStart variable, its name is very long, and every thread must jump into the shellcode address if a new thread is created in the target process.

So let's see the final demo here. Yeah, you can see this is Chrome, and I open a new Chrome here. The only thing I need to do is to find where the LdrDelegatedRtlUserThreadStart variable is actually located, at which address, and when we get the address we just write our shellcode address into the variable. Then if Chrome... you can see I just inject the shellcode and the variable into the target process, and nothing happens there, but if we try to browse a new website like google.com you can see there's the cmd coming from Chrome. Yeah, thank you. You can see this cmd comes from Chrome. So okay, so thank you for listening. [Applause]
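Every case in the talk has the same shape on the victim side: a code pointer is read from mutable per-window data (the window data behind GetWindowLong, the OleDropTargetInterface or UxSubclassInfo property) or from LdrDelegatedRtlUserThreadStart and then called without asking where it points. The following is an added, portable C model of the defender-side check that exposes this, not the speaker's PoC; the module ranges, table contents and helper names are constructed assumptions.

```c
/* Added example, not the speaker's PoC. A genuine vtable or callback fetched by Explorer
 * (or by the Windows 10 loader from LdrDelegatedRtlUserThreadStart) lives inside a loaded
 * module's image; an injected one lives in privately allocated memory. Classifying the
 * fetched pointers against the module list is the check every case in the talk relies
 * on nobody doing. Module ranges and pointer values below are constructed sample data. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { const char *name; uint64_t base; uint64_t size; } module_t;
typedef enum { PTR_NULL, PTR_IN_MODULE, PTR_OUTSIDE_MODULES } verdict_t;

/* Constructed module snapshot (a real check would read the PEB module list). */
static const module_t sample_modules[] = {
    { "explorer.exe", 0x00007ff6c3a00000ULL, 0x00400000ULL },
    { "ntdll.dll",    0x00007ffa12340000ULL, 0x001f0000ULL },
    { "comctl32.dll", 0x00007ffa0a200000ULL, 0x00260000ULL },
};
static const size_t sample_module_count = sizeof sample_modules / sizeof sample_modules[0];

/* Name of the module whose image contains addr, or NULL if no module does. */
const char *resolve_module(const module_t *mods, size_t n, uint64_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return mods[i].name;
    return NULL;
}

/* Classify one fetched code pointer. NULL is the normal Windows 10 state of
 * LdrDelegatedRtlUserThreadStart (the thread falls through to AddressOfEntry). */
verdict_t classify_pointer(const module_t *mods, size_t n, uint64_t addr) {
    if (addr == 0) return PTR_NULL;
    return resolve_module(mods, n, addr) ? PTR_IN_MODULE : PTR_OUTSIDE_MODULES;
}

/* Count slots of a vtable (already copied out of the target) that point outside every
 * module: a table written in with WriteProcessMemory has such slots, a genuine one none. */
size_t count_foreign_slots(const module_t *mods, size_t n, const uint64_t *table, size_t count) {
    size_t foreign = 0;
    for (size_t i = 0; i < count; i++)
        if (classify_pointer(mods, n, table[i]) == PTR_OUTSIDE_MODULES) foreign++;
    return foreign;
}

int main(void) {
    /* Constructed: a genuine DropTarget-style table and one relocated into private memory. */
    const uint64_t genuine[3] = { 0x00007ff6c3a51230ULL, 0x00007ff6c3a51290ULL, 0x00007ffa0a211100ULL };
    const uint64_t planted[3] = { 0x000001e2a4d10000ULL, 0x000001e2a4d10040ULL, 0x00007ff6c3a51290ULL };
    printf("genuine: %zu foreign slot(s), planted: %zu foreign slot(s)\n",
           count_foreign_slots(sample_modules, sample_module_count, genuine, 3),
           count_foreign_slots(sample_modules, sample_module_count, planted, 3));
    return 0;
}
```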