
BG - Injection on Steroids: Code-less Code Injections and 0-Day Techniques - Paul Schofield & Udi Yavo

BSides Las Vegas | 40:34 | Published 2016-12
About this talk
BG - Injection on Steroids: Code-less Code Injections and 0-Day Techniques - Paul Schofield & Udi Yavo. Breaking Ground, BSidesLV 2015 - Tuscany Hotel - August 04, 2015
Transcript [en]

Without further ado... okay, yeah, no, I'm very sorry, you know, you're right, there was a last-minute replacement and I totally just read the wrong bio, because Homer's not here today. It's been a wonderful morning. Okay, so in that case...

Uh oh, you know, a lot of that going around. All right, Udi Yavo of enSilo is the CTO, and you know, so obviously we got upgraded; that's, you know, only you could get a speaker upgrade, or a room host upgrade as well, you'd be better off. So Udi also has tons of experience in cyber security. Prior to enSilo he spearheaded the cyber security unit at the National Electronic Warfare Research and Simulation Center at Rafael Advanced Defense Systems. If you're getting the gist, these people have worked together for a while, and you know what, you don't want to listen to me talk, so let's just have him do it. Okay, so that's that, and we already had enough

about that. Okay, so what we're going to talk about today is injections. We'll start with user mode injections: we'll go really quickly through common injection techniques, then we'll go, too quickly, over PowerLoader and its advanced injection technique, and we'll move on to an improved version of PowerLoader that works on 64-bit as well and has other features we'll talk about. Then we'll move on to kernel injection: we'll go over common injection techniques first, then we'll go through a new injection technique we call trap frame injection, and we'll finish with code-less injections, which I'll explain later. Okay, so let's

start. So, quickly through common injection methods: probably the most common one is you just open some process, allocate some new code in it, you...

Hello, I'm Ki Kheer. Unfortunately the video rig seemed to freeze up and no one seemed to notice until about the 20 minute 20 second mark, so unfortunately we lost some audio up until then. Sorry about that.


It is pretty well documented, and the basic steps to using it are just: wait on a load image notify routine, which gets called each time an image is mapped into the target process, then deploy some payload into the user address space, let's say something that calls LdrLoadDll to inject some DLL, or LoadLibrary (there are several variations of it, but the principle is pretty much the same), and then insert an APC using KeInsertQueueApc. Code for this method can be found on the internet relatively easily, so there's no need to elaborate here. Another less common method, which was used by Duqu, is pretty worthwhile mentioning; it's also well documented, but

I'll quickly explain how it works. Like the previous one, it waits on the load image notify routine for the main module to load, let's say the driver... so once the main image is loaded, the driver maps some payload into the target application, then it replaces the entry point of the target image with a jump to the payload, and once the payload executes it restores the original bytes at the main image entry point and jumps back to it. This is nice because it ensures that the payload will execute before the main code is executed. Another method, which is to our knowledge pretty much undocumented, is what we call import table patching;

I don't think it has any formal name, so it has never been used by malware to our knowledge as well, but it is commonly used by security vendors such as Symantec and Microsoft. A probably very similar method patches the TLS, the thread local storage directory of the PE file, to achieve similar results; I won't go through it. So this is the way it works: first you wait on the image notify routine like the other two methods, allocate a new import table for the main executable and copy the old import table with a small modification: just add the DLL you want to inject as

the first entry of the new import table, then we redirect the import table of the original image to the new one, and once the injected DLL loads it can restore the import table. What's nice about this method is, let's say you attach with OllyDbg or Immunity Debugger or anything like that to a process which is injected this way, it will appear as if the injected DLL was originally part of the process; you won't see the loading part. So, a quick summary: these methods are used by both malware and security vendors, and all of them are pretty much used to inject DLLs, and

they require some kind of payload in user mode address space, maybe except for the import table patching, and pretty much all of them use the load image notify. Okay, so now let's move on to a new method we developed; we call it trap frame injection. Trap frames are created each time the CPU handles exceptions or interrupts; basically what it does is save the state of the user mode program on the kernel mode stack so it will be able to restore it once the system call or exception or interrupt handling, whatever, is done, and the structure used by the kernel to hold all this information is a KTRAP_FRAME. There is a pointer in each thread, a

pointer to a trap frame, indicating the structure, and what we see now is the structure the way it's defined; nothing really special, the only thing important is we can see that it pretty much holds the entire state, so everything that will be restored can be modified before it goes back to user mode. So in order to make a trivial injection with trap frames, all we need to do is wait on some callback routine, it could be thread creation, registry access, file access, whatever, and once the callback is triggered, allocate some payload into the target application, alter the instruction pointer that was

saved in the trap frame, and when the kernel goes back to user mode the payload will run and restore normal execution once it's done. But this talk is about code-less injections, so the idea was to do it without adding any new code to the process and still be able to do complex operations, for example to send a POST request from Internet Explorer or open a reverse shell from some process, something like that, so I will be able to do complex things without too much hassle, and the main limitation is no code injection: we don't want any new code in the process. So let's see how it can be done. So instead

of using RIP to alter the execution, we'll try to mess with the user stack. So once again let's see what happens in a thread callback and use it to do something trivial: what we can do is build some ROP chain, for example to load a library, and then alter the stack pointer to the beginning of the ROP chain, and when the system returns the ROP chain will execute. But as I said, we want to do it without adding new code, so loading a new library is kind of cheating, so we'll do it without loading our own library into the process.

But first we have a few challenges we have to solve in order to make this thing work. First, we need to be able to get return values back to kernel mode so we are able to react to what happened in user space. The first solution, which I'll dive into later, is to use a device handle in order to get notifications; I'll explain it in a moment. Another possibility is to trigger some local events such as registry access, wait for it to happen, then grab the return value from somewhere and fix the context; this is harder to do, and we didn't go that way. Another issue is deadlocks: because we don't know the exact state of

the user mode program when the callback is triggered, we can't be sure that any ROP chain we inject into the program won't cause some kind of deadlock; let's say LoadLibrary is being called, so some lock is held right now, so we can't use it. So the solution to this was to use a dedicated thread, and we'll see later on how we get this dedicated thread. Another issue is what if we need to use a user mode function that requires a callback as a parameter; one possibility is just not to use these functions. We didn't need to use such functions for the demos we did, and

we were still able to do almost everything. If we had to do it, we would probably use the method I mentioned earlier, and figure out something that's hookable, like registry access, file access or something like that, and then restore the context accordingly. So now let's move on to how to use the NtClose function to trigger callbacks back to our driver. What we can do is use a device object: we'll create a device for the driver, and whenever we require a callback we'll just create a new handle in the target process and build a ROP chain that will eventually close the

handle. Now once the handle is closed, what's going to happen is that an IRP will be generated and the cleanup handler of our driver will be called. So what we can do is, let's say we first save the value we need somewhere in user mode so it won't be destroyed, and then when the callback is triggered we get this value and act accordingly. One thing to note is that we can't just move, for example, EAX to some other register and then get it directly from the trap frame, because it might be lost when, let's say, it's a 32-bit

application which triggers some system call: it won't go directly to the kernel, it first goes through a WoW64 layer, and the register might be lost along the way. So now we know how to get callbacks, but we still don't know how to create a dedicated thread. Let's see the API for creating new threads; basically the two arguments we care about are the first one, which is the procedure that the thread is about to execute, and the other, which is a parameter it's about to receive. So what we're going to do is we're just going to use the trick we did to get callbacks, and we'll set up the create thread call with NtClose

as the procedure and the device handle as an argument. So what's going to happen is that when the thread just starts to execute, we'll get a callback to our driver, and now we'll be able to control it in our own thread; it's a dedicated thread, no deadlocks are going to happen, and once we're done with the process we can let the thread die and everything will work well. Okay, what we did next is we wanted to write this kind of program easily, so we developed a relatively simple API. Actually we probably could have created some kind of small compiler to just translate C code to the way it

should be in order to execute in our driver, and we didn't have time to do it, but it is possible. So the first API is "get program", where you tell it what process you want this program to run in, for example Internet Explorer; then you add the steps to the program, for example open a socket, things like that; tell it to run with "run program", and once it's running it will wait until the target process does something that we can hook on, build the ROP chain for creating a dedicated thread and start to run the program in the context of that process. The other several methods of the API we're using are to open a

library that's already loaded in the process, call some function, load a new library into the process, for example if it's a process that doesn't have the socket API loaded into it, we might need to load it. Okay, so this is a very simple program using the API: we create a program to run in Internet Explorer, we add new steps to it, for example to load some library, and run it, and the code for loading some library is just LoadLibrary added to the option and load some data. So what I'm going to show right now is that this driver actually works, and I will create a reverse shell from the Windows

logon process. Okay, so we have here netcat running, waiting for some connection, and we restored a snapshot; I didn't want to go for it during the presentation. So here we can see Process Explorer; we're going to want to see that winlogon indeed opens something, and what we see, I'll make it full screen so it will be easier, I hope it's visible. Okay, so what we're looking at now is... it already created the dedicated thread, and this is the first chain that runs on the dedicated thread, and now I'll single step through it. What we did is a modified version of the driver that we added some kind of

debugging support to, so it injects a breakpoint at each step during the injection, so it's easier to follow what's going on; when we do it without adding breakpoints the debugger can't even single step through it, it just happens. So let's see what happens. Okay, so first I'm loading the socket library, and the interesting part will be when we get to the ZwClose, which is NtClose. What's going to happen now is that the driver is going to get a callback because the handle is closed, and it's going to write a new ROP chain to the stack, so what's going to happen is that the

stack just jumped up and a new function is being executed; now it's WSAStartup, we need to call it before creating any sockets. So once again I'll go through it... actually I'll just let it run and see where we go. So the next step is going to be creating a new socket; the same way we saw in the previous call, the chain is executed, it ends with ZwClose, and a new chain will be created. Now it's the connection, let it run. Now the same thing will happen for CreateProcess. It is just a simple reverse shell for demo purposes, but we also wrote things which are much more complex than that.

Okay, so let's... okay, as you can see a new command line was created on winlogon, and let's see what we got on the netcat side: "whoami", I'm SYSTEM, and that's the reverse shell we got from the driver. Okay, so to sum things up: injections are a pretty important factor for both security vendors and malware writers, and techniques are getting much less generic and probably more advanced and actually cool, and new techniques are constantly being invented, so we'll probably see new things in the future. We'll publish source code in a few days on our

site, so you can go and see it over there. And that's it, thank you. All right, we have...
