Code Injection Cyber Range by Muhammad Hadiq Husnain

hello everyone my name is Muhammad uh I'll be presenting my capsom project that I did at Shar in college which is a code injection uh cyber range so a little thing I a little stuff I planned out for today is I'll talk a bit about myself the methodology and why I chose the topic uh two examples thread hijacking and windows API hooking future goals for how the project and some future example that I want to go through as well and we'll go through Q&A so a little bit about me uh I graduated from Sheran College a few weeks ago in information system security I also did my Co-op at Sheran College as a network administrator right

configuration management and other stuff like that so and a little bit about the project so code injection cyber range is a uh cyber range for like uh environment for virtual environments for running malware for mainly for this project was meant for students who couldn't access uh other other ones online that are behind a pay wall so the difference between minds and the ones online where some that are free and available and are open source where some online are not as interactive or engaging for the audience and students who are wanting to learn more about code injection and how malware is functioning some examples that I found on ired team were simple with you have an IDE you're

running uh M Visual Studio you run the code and you have to interact with the code and look at process hacker and do some basic stuff here and there for M it's like more of the capture of flag type of style where you're using different tools different methods and whatever you learn in school to apply into the real world so one uh example that I did was uh thread hijacking so this is where you have a Target process and you take it over with another process with with malicious code and from there you can run malicious code through remote process so here on irad team they simply have a you use simply they have a process ID where

you have to manually put into the code and as you're debugging through the code it will change and you'll have a memory location which you will have a remote you'll have a shell reverse Shell Code there for the user to view and compare with the code and in the memory location and here is this is simple step by step where you have you open the code you launch it you open process hacker you put in the process ID from process hacker into the code and once you change the code you click on the debug and it'll execute and then you'll get a memory address location within with visual studio and then you can compare the code from the memory address

location within Visual Studio to the actual code within C be the reverse shell uh in my example it's a little bit more different where it's like a capture flag where the user executes a PDF file in this case where it opens up a Shell Code it console and then you and it'll give you like uh it'll key log and do other stuff as

well so here as soon as uh we open the open the PDF file it opens up notepad and it opens up uh process hacker and you have a command line open up as well so here uh you what this is what what it's going to do is you can enter a bunch of stuff in notepad and go through the console you can type in a bunch of numbers or letters and as I'm as I'm typing in through here nothing is really happening no numbers do anything and then what happens from here is that I'll search in process hacker to find out the what is a process ID for notepad and from there it the code will continue to

execute the way is

attended okay yeah so here's also a key logger so you're just going to type in hello world and I'm typing in my name as well like my name is Muhammad and then here we'll find the process ID for notepad we'll go to the memory module which will then display what is the uh where we'll go into memory to find out a certain a hidden

address yeah so as soon as we type in the process ID we have a message block being displayed with the with the memory address location and a hint notifying us that there is a change in the user directory so what I'll do is I'll keep the message box open and I'll go into the memory module location so from here I'm going to scroll down as close as possible to the memory address location or the exact memory address location uh or as close as possible and see if they if the reverse shell is actually at that memory address

location y so here we can see that this is uh the correct memory address location where is a the reverse shell being displayed in memory to verify this there's two files that also get created when you enter the correct process uh ID for notepad so here we'll go into the user directory and from here we can I you can notice that there's a two files that are being created one is a hash file and one is a readme file the readme file is a key lock file which all the keys are being uh logged into and which is supposed to uh send over the Internet over to the thread actor's uh computer computer and then we have the hash file

in here which we can compare in memory and the exact uh in the notepad we can compare the two notepad uh two memory address locations and the exact Shell Code that's in the location so another example that I did was a Windows API where we you have the original function in memory and you patch it to a hooked function and from there you have a proxy function which then is used by the thread actor to run malicious code from uh intercepting um the functions from wind uh from inbuilt apis so on IR team their example was simple as just having a message B being popped up and then saying hi this memory address has been

hooked this is on this message box and then it gives you only the memory address location in Visual Studio and not in a prompt to like help the user or like give the user hints to like where to go what tools to use and other stuff like that and some there's a message that they give is a they have a message in memory hidden by using a right process into memory in my example here I have a another example where here it does similar things but there's two hidden uh messages in memory

okay so in this example we have a game that someone pired called black myth Wukong and from there once you open the application it's going to do something similar to from before where it opens up a command line and but in this case you have a bunch of gibberish text being displayed and nothing else given or opening so then from here what you the user has to do is try to guess through what keys or what numbers can um give them the hint or do something so here we're just pressing a bunch of numbers and then when you press two it closes the Clos the application so pressing two closes it so then by reopening it I know

two is going to close it so I'll press one by pressing one there is a there's a hint saying please just press something to continue but as doing nothing happens so what what we can do is scroll up to see if there's any hidden messages after I press one so I do that I press one again and I scroll up and then here once you scroll far enough there is going to be a hint for the user it says notepad is not running so in this case I'm going to open up notepad and then rerun the program again to see what changes and now I'm going to scroll back up from doing that as well so and there's only two options

where one is have notepad open and two is to close the application okay so I'll press one again and from here I will open up notepad and then I'll press any key to continue and then we going to scroll right back up to see if there any more messages or any other hidden messages for me to look at to go further on for this process here we have uh two messages being given to me where a load Library function has been hooked into one address and then also at another address there is a hidden message so from here what what what the user has to do is use the tools that they have learned throughout the program like you

can use process hacker and other and any other tool that you can use uh um memory so here I'll open up process hacker and I'll look up notepad I'll search up notepad I'll open up and go into the memory address location the same process applies where I have to go to the similar memory address location as well and then close as possible or the exact same one I'll start by going to the the message memory address location

first yeah as soon as I find it there's a message saying hey you found me notifying the user that this is the correct memory address location that they found and the next one is going to be a little bit more tricky as it's not exact memory memory address location given in the memory memory addresses given that are mapped out for notepad so in this case I have to find out that the one is the next closest one and in this case when if I just skip through a little bit if I find the next closest one which is going to be around this one right here ending in 100 then I'm going to scroll down as much as possible to find the

last five bytes that match in memory and from there what I can do is assume that those class 5 bytes in this memory address location match where load Library a is being hooked into notepad which is of being as which is allowing the user to do malicious which allowing the thread actor to do malicious things uh in the background so some future goals that I have for this project is U doing it in different languages some languages that I found are really interesting and have more offensive uses to it are rust and go so what I want to do is turn these examples I've done and use it into go as it is quite very interesting and I found

a very particular example that uses go and that is still undetected uh till this till today so by using there's a GitHub profile that I found that uses offensive go and it uses a very interesting libraries to where it goes undetected for antivirus systems for Microsoft so here it's a simple uh reverse shell that's being on being executed and pay loaded and downloaded into the victim's machine uh through a virtual through virtual machines that we have here once the user has down once the user has downloaded the virtuell UN unexpectedly on their behalf there's obsc done on the code on from the from th actor's side to prevent the antivirus system from detecting it and it uses a

technique where it does multiple thread multiple thread man thread manipulation to prevent it from being detected by the uh antivirus here you can see that running it in when it's partial you're executing the dlll file and you're trying to bypass the fire uh the bypass the firewall and in case it is bypassing a firewall and any antivirus system in in real life detection and from there the user is a once the reverse shell is executed and is you can see the connection here is a simple Go reverse shell meaning that once output. exe has been executed as a go Lang there's in go it's a a connection has been secured and then from there the user is

able the thread actor is able to control the user's uh computer in different ways by sending it malicious uh intents throughout Riv uh throughout throughout the connection here you can notice that also in process hacker as well as on the VM that there's as the user is sending in militias of reverse of malicious intent and executed on different threads and it's being undetected on process hacker and as the user you can see the user is running different commands on the Cali Linux VM onto the user and you can see in the background there is user that thread actor is able to track whatever the user is doing and view all his positions where the mouse is what

keyboards what keys are being pressed and all that fun stuff and once as you continue as the user continues throughout with the ex example here you can see that the user has a administrative power the threat has administrative power and in explore. exe once you go through enough with memory you can see that there is a reverse shell that is possibly similar to exactly what the thread actor had in mind yep yeah and once the exploit is and then once you and from here the thread actor is also able to exploit multiple times after running the code uh after restarting it shutting it down and the user and the victim cannot Escape uh whatever the thread hacker has

done and you can see if you go to Windows Event Viewer if you want to find out exactly what files or what other information is being com uh committed without the user without the victim noticing you can see see there's a goang proc on event fer that is running on different times and it's creating an update log and upgrade log that is hiding on fact on updates so hopefully what my attent for this whole project and my the groupmates projects for this Capstone project was that we can spread more cyber awareness and train other people in the industry especially students who are new and upcoming and don't have much experience and are as exposed to malware that is uh

I feel like that we should have been in uh school thank you

thank you so um we're running ahead of schedule so we have time for questions and uh uh if anyone has anything for Muhammad um and I bet he'd also be happy to talk about his program as well as well as his Capstone project ah somebody had their hand up oh right at the bottom hi what a question

question so in the in the last example Windows Defender was not able to catch this particular uh threat as it was Able by using thread manipulation in different ways that I'm still trying to understand how the user on get up I was was actually able to bypass Windows Defender so they used one thing I didn't understand they Ed THD manipulation to spread out their application their threat their code into different processes and from that Windows offer was able to detect why able to detect those type of obscuration for the code for this particular thread and the other question is

that was that's Windows notepad that's inbuilt Windows notepad that's not not new notepad that that I created it's just simple notepad from Windows that's being compromised yeah yeah so that's a process ID that belongs to notepad when every single time you open a new process Windows gives it a process ID so if you open up Windows Explorer File Explorer Google whatever application you use they all have a ID attached to it for a process and that is what the user has to enter for the program to be able to compromise notepad in that particular example to show step by step how thread actor is able to take over and compromise through different processes without the user

being

notified yeah yeah is able to like help the user able to like get more able to understand how debugging and troubleshooting and mitigate threats on their own and other tools that they can research online

yeah hi uh be available on GitHub will your group will be ring it maybe with guides for you know students because like I understand what's going on I think for if there are students here they're like what's going on there I you learn it from your courses yeah they might not have the same courses from different school so I am so so I have some code available right now on my GitHub but that's not the so that's not updated as this one I changed I so the code that I took from my GitHub that I posted for this project from Sheridan I changed it up for this particular uh conference as I want to make it more interactive and more

engaging and more interesting so I still have to update this I'm just finalizing a little bit more things here and there in the code and then I'm going to upload it the new updated version onto my GitHub which is which is publicly available yeah