The ideas and implementation of N kernel DLL injection methods

Source: Internet
Author: User
Tags: apc

Kernel injection is an old technique, but a very practical one. Some rootkits (RK) today tend to have no process of their own: they run as sys+dll, with no files on disk and everything living only in memory. Some people might say, "If it's all in the kernel already, what can't it do?" True: if the kernel could do everything, including the Ring 3 (R3) work, nobody would bother writing applications. But sometimes we really do need a user-mode (R3) program to do things that are difficult, or simply unnecessary, to do in a driver. A process or a DLL is a good choice for that, but a process is too large a target, so more people lean toward injecting a DLL.
For developing security software and small tools, these ideas are worth borrowing, anti-rootkit work included: in some extreme cases the very same techniques can be used to find and remove a rootkit and keep the user's machine usable. Here I will discuss several ideas for injecting a DLL from the kernel and the principles behind their implementation.
(1) APC technique
To execute our code, queue an APC to an alertable user-mode thread and let it run the shellcode. This method is simple and easy, but not stable enough, and its compatibility is poor. Testing found that Explorer.exe and other processes crash frequently, and where anti-virus is present the insertion is sometimes intercepted, so the desired effect is not achieved. (Refer to a driver I reversed earlier: reverse fuck.sys -- assembly -- source code.)
(2) Kernel patch of CreateThread in \KnownDlls\kernel32.dll
\KnownDlls is where the object manager maps the most commonly used DLLs from disk into memory when the system boots. When another process later wants to use one of those DLLs it does not have to be loaded from disk again; a copy is simply mapped from here into the process's own address space. This gives us a great opportunity for a global patch:
Call ZwOpenSection to open \KnownDlls\kernel32.dll, call ZwMapViewOfSection to map a view of it into our own process space, then look for a gap in the code section of kernel32.dll in memory and use that gap as the storage buffer for our fake function. Overwrite the first 5 bytes of CreateThread with a jump to this gap. Whenever any thread in the system is created, execution enters CreateThread and then runs the shellcode in the gap, whose job is to call LoadLibrary to load our DLL. Once the DLL is loaded it sends an IOCTL notification to the driver, and the driver removes the hook. That completes the kernel DLL injection. Testing found that the Svchost.exe process calls CreateThread very often, so the trigger fires quickly: the DLL is basically loaded within 1 second, and our hook is removed as well. Stability is therefore much improved. As follows:

(3) Kernel hook of ZwMapViewOfSection
Some modules call ZwMapViewOfSection when they are loaded, for example when a newly created process maps N copies of DLLs into its own virtual space. We replace this function in the SSDT and filter for the load of kernel32.dll; from the parameters we obtain the base address, locate CreateThread through the EAT, and inline-hook CreateThread so that it jumps to a buffer in the process's virtual address space, where the loading of the DLL is completed.
Key APIs:
ZwAllocateVirtualMemory -- allocate memory in the target process space to hold the shellcode
ZwProtectVirtualMemory -- make that memory block readable and writable
IoAllocateMdl -- create an MDL
Key code is as follows:


The principle is similar to method 2; only the moment of modification differs. The effect is about the same, the DLL just gets injected a little later. Writing the shellcode is also very similar. To each their own; it mainly depends on how you like to play. If you find writing shellcode a chore, go to Pediy (看雪学院) and look it up; there are plenty of templates, so I won't go on about it here.
[Pediy reading month] Learning to write shellcode
[Note] A simple shellcode
Shellcode's little wonders
add_section
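Methods (2) and (3) both leave the same footprint: the hot-patchable prologue of CreateThread in the mapped kernel32.dll no longer matches the clean image on disk, and its first byte becomes a relative jump. The following is an added example, not code from the original post, showing how an anti-rootkit scanner could check for that footprint: it compares the live prologue bytes with the clean bytes, decodes the redirect, and reports whether the target still lies inside the module (a gap in the code section, as in method 2) or in a private allocation outside it (as in the hijacked thread context of method 4). All addresses and byte strings below are constructed for the example; reading the live and on-disk bytes is left to the caller.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What the first bytes of a function prologue now contain. */
typedef enum {
    HOOK_NONE = 0,       /* live bytes match the clean on-disk image */
    HOOK_JMP_REL32,      /* E9 rel32: the 5-byte jump used in methods (2) and (3) */
    HOOK_PUSH_RET,       /* 68 imm32 C3: push target / ret */
    HOOK_JMP_INDIRECT,   /* FF 25 disp32: jmp [slot] (32-bit absolute form) */
    HOOK_OTHER_MODIFIED  /* bytes differ but no known redirect pattern */
} hook_kind;

typedef struct {
    hook_kind kind;
    uint64_t  target;               /* decoded redirect target, 0 if none */
    int       target_inside_module; /* 1 if target lies in [mod_base, mod_end) */
} hook_report;

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* live: bytes from the mapped copy; clean: the same bytes from the on-disk image;
 * func_va: address of the function in the mapped module; mod_base/mod_end: its range. */
hook_report inspect_prologue(const uint8_t *live, const uint8_t *clean, size_t len,
                             uint64_t func_va, uint64_t mod_base, uint64_t mod_end)
{
    hook_report r = { HOOK_NONE, 0, 0 };

    if (len < 5 || memcmp(live, clean, len) == 0)
        return r;                                   /* untouched */

    if (live[0] == 0xE9) {
        r.kind = HOOK_JMP_REL32;
        /* target = address after the 5-byte jmp + sign-extended rel32 */
        r.target = func_va + 5 + (uint64_t)(int64_t)(int32_t)rd32(live + 1);
    } else if (live[0] == 0x68 && len >= 6 && live[5] == 0xC3) {
        r.kind = HOOK_PUSH_RET;
        r.target = rd32(live + 1);
    } else if (live[0] == 0xFF && live[1] == 0x25 && len >= 6) {
        r.kind = HOOK_JMP_INDIRECT;
        r.target = rd32(live + 2);                  /* address of the pointer slot */
    } else {
        r.kind = HOOK_OTHER_MODIFIED;
    }

    if (r.target >= mod_base && r.target < mod_end)
        r.target_inside_module = 1;                 /* e.g. a gap in the code section */
    return r;
}

static const char *hook_kind_name(hook_kind k)
{
    switch (k) {
    case HOOK_NONE:         return "clean";
    case HOOK_JMP_REL32:    return "jmp rel32";
    case HOOK_PUSH_RET:     return "push/ret";
    case HOOK_JMP_INDIRECT: return "jmp [mem]";
    default:                return "modified (unknown pattern)";
    }
}

/* Constructed sample values for this example; not real kernel32 addresses. */
#define SAMPLE_MOD_BASE 0x7C800000ULL
#define SAMPLE_MOD_END  0x7C8F6000ULL
#define SAMPLE_FUNC_VA  0x7C810000ULL

/* mov edi,edi; push ebp; mov ebp,esp: hot-patchable prologue of 32-bit kernel32 exports */
static const uint8_t clean_prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
/* jmp 0x7C8A1000: a constructed gap inside the module, as in methods (2) and (3) */
static const uint8_t gap_hook[5]       = { 0xE9, 0xFB, 0x0F, 0x09, 0x00 };
/* jmp 0x00330000: a constructed private allocation outside the module */
static const uint8_t private_hook[5]   = { 0xE9, 0xFB, 0xFF, 0xB1, 0x83 };

hook_report check_clean(void)
{
    return inspect_prologue(clean_prologue, clean_prologue, 5,
                            SAMPLE_FUNC_VA, SAMPLE_MOD_BASE, SAMPLE_MOD_END);
}
hook_report check_gap_hook(void)
{
    return inspect_prologue(gap_hook, clean_prologue, 5,
                            SAMPLE_FUNC_VA, SAMPLE_MOD_BASE, SAMPLE_MOD_END);
}
hook_report check_private_hook(void)
{
    return inspect_prologue(private_hook, clean_prologue, 5,
                            SAMPLE_FUNC_VA, SAMPLE_MOD_BASE, SAMPLE_MOD_END);
}

static void print_report(const char *label, hook_report r)
{
    printf("%-13s %-28s target=0x%08llx inside_module=%d\n", label,
           hook_kind_name(r.kind), (unsigned long long)r.target, r.target_inside_module);
}

int main(void)
{
    print_report("clean", check_clean());
    print_report("gap hook", check_gap_hook());
    print_report("private hook", check_private_hook());
    return 0;
}
```

A byte-for-byte comparison against the on-disk image is the reliable part of this check; the pattern decoding only tells you where the redirect goes. Because method 2 patches the shared \KnownDlls section, the same mismatch shows up in every process that mapped kernel32.dll from it, whereas a per-process hook (method 3) shows up only in the process whose view was modified, which is itself a useful distinction when triaging.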
(4) Kernel hook of NtCreateThread
If you trace how a process is created, it becomes clear that there are many more places to patch in order to inject a DLL.
A freshly created process is an empty kettle: there is no boiling water (no threads) in it yet, so the system calls NtCreateThread to create its main thread (pouring cold water into the empty kettle). After fiddling for a while with the thread in its suspended state, the system jumps back out into the process space and calls kernel32.dll to notify CSRSS.EXE: "A new process was just born here, mark it in your table." Then it starts loading DLLs, mapping copies of the ones it needs from the system's KnownDlls into the big kettle. Then KiThreadStartup sets the cold water in the kettle boiling, and the main thread starts to work ...
Intercept NtCreateThread, get the current thread context, save its return address (where it would go back into the empty kettle), and hijack it to an address we allocated ourselves, filled with shellcode that loads the target DLL. As for where to put the buffer, there are many options; the simple way is to attach to the current process and allocate a small piece of memory in its ample 2GB virtual address space, big enough to hold the shellcode. As follows:

(5) Kernel infection of a common module, letting the infected module load the DLL for us
This method is a bit roundabout and goes back to the most basic, original form of infection: add a new section, or plug into a gap. In short, make someone else's module load our DLL on its way into memory; once the DLL is loaded it can undo the infection and clean up its traces. There is plenty of infection code online. As long as you don't infect a driver (which carries an extra checksum), the other properties are all the same; play as you like.
(6) Intercept NtCreateUserProcess, NtCreateSymbolicLinkObject
The former only exists on Vista. After interception, call PsLookupProcessThreadByCid to get the ETHREAD/EPROCESS and judge whether it is CSRSS.EXE. If so, allocate a chunk of memory in that process's space, call NtGetContextThread to get the current thread context, call ZwWriteVirtualMemory to fill the shellcode area, obtain the addresses of LdrUnloadDll, LdrGetDllHandle and the other functions needed, and load the DLL through them; then call NtSetContextThread to restore the original context. For this method, refer to the binary someone posted on DriverDevelop.
["The kernel implements DLL injection, and can perfectly bypass KAV, Rising and other anti-virus software"]
(7) Kernel interception of NtResumeThread
(8) NtUserSetWindowsHookEx injection
By the way, DLL injection from R3:
1. CreateRemoteThread (or NtCreateThreadEx, used on Vista)
2. SetThreadContext (change the EIP)
3. NtQueueApcThread
4. RtlCreateUserThread
5. SetWindowsHookEx
Summary:
Throughout the process start-up flow there are many places that can be patched; as long as the process and thread contexts are not destroyed, injection can be done in all sorts of ways. Just make sure our DLL injection time is short enough and its stability high enough. By the time we have to inject a DLL from the kernel into a user process, the system is already very deeply poisoned, so at that point using techniques like those above to load a DLL, and letting the DLL finish the tasks our driver cannot complete, is acceptable.
The ideas above are the ones I have thought of and implemented so far; the detailed procedures can be found in the code. You are welcome to explore better, more stable, and "no evil" methods.
