CN115510441A - Method for realizing cross-process injection - Google Patents

Method for realizing cross-process injection Download PDF

Info

Publication number
CN115510441A
CN115510441A CN202211159893.5A CN202211159893A CN115510441A CN 115510441 A CN115510441 A CN 115510441A CN 202211159893 A CN202211159893 A CN 202211159893A CN 115510441 A CN115510441 A CN 115510441A
Authority
CN
China
Prior art keywords
dll
file
injected
memory
header
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211159893.5A
Other languages
Chinese (zh)
Inventor
刘庆林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Zhongrui Tianxia Information Technology Co ltd
Original Assignee
Shandong Zhongrui Tianxia Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shandong Zhongrui Tianxia Information Technology Co ltd filed Critical Shandong Zhongrui Tianxia Information Technology Co ltd
Priority to CN202211159893.5A priority Critical patent/CN115510441A/en
Publication of CN115510441A publication Critical patent/CN115510441A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method for realizing cross-process injection, belonging to the technical field of networks. The method comprises the following steps: opening the injection process to enable the DLL to be written into the injected process, and then positioning a base address of the DLL file in a memory of the DLL in the injected process; acquiring a required system API from a core DLL file of an injected process; allocating a space for loading DLL in the memory of the injected process, and copying the head and each section of the DLL file in the allocated corresponding memory space; processing an import table of the DLL and relocating the DLL; the DLL entry point is called. The method can bypass the effective interception of the security product, files do not need to fall to the ground and directly run in the memory, and the intercepted risk is reduced.

Description

Method for realizing cross-process injection
Technical Field
The invention belongs to the technical field of networks, and particularly relates to a method for realizing cross-process injection.
Background
Cross-process traversing is a very common technique in malware to propagate among systems. Conventional process injection techniques use the LoadLibraryA () function to cause the injected process to load the specified dll. The conventional implantation means is as follows:
1) Dll injection is performed on the injected process creating thread by calling the createremotetrathreadable ()/ntcreatenethreshed ()/rtlceatereuserthread () function.
2) The thread load dll that the injected process already exists is hijacked by calling the QueuUserAPC ()/SetThreadContext () function.
3) And setting an interception event by calling a SetWindowsHookEx () function, and when a corresponding event occurs, injecting the event into a process to execute an interception event function loading dll.
One fatal drawback to the manner in which conventional dlls are injected is the need for malicious dlls to be stored in files on the victim host. This makes the conventional dll injection technique leave a large trace on the victim host, which is easily detected by security products such as edr.
Disclosure of Invention
In view of the above, the main objective of the present invention is to provide a method for implementing cross-process injection. The invention bypasses the monitoring of anti-virus software by injecting the function into the high-credibility process, thereby improving the injection success rate.
In order to solve the technical problems, the technical scheme adopted by the invention is as follows: a method for implementing cross-process injection, the method comprising: opening the injection process to enable the DLL to be written into the injected process, and then positioning a base address of the DLL file in the internal memory of the DLL file in the injected process; acquiring a required system API from a core DLL file of an injected process; allocating a space for loading DLL in the memory of the injected process, and copying the head and each section of the DLL file in the allocated corresponding memory space; processing an import table of the DLL and relocating the DLL; the DLL entry point is called.
Optionally, the base address is obtained by using a relocation method: ULONG _ PTRcaller (VOID) { return (ULONG _ PTR) _ return address (); }
The function _ return address () returns the return address of the current calling function, that is, the address of the next instruction of the caller (), and the return address is found, so that the file header conforming to the PE format is searched, and then the address of the DLL file in the memory is determined to be found.
Optionally, the API function is a LoadLibraryA () function in kernel32.dll, getProcAddress (), virtualAlloc () function, and an ntflushlnstructioncache () function in ntdll.dll, and positions of kernel32.dll and ntdll.dll in the memory are searched by using the PEB. PEB is an abbreviation for ProcessEnvironment Block.
Optionally, the allocating a piece of space for loading a DLL includes: using a function VirtualAlloc (), a larger piece of memory space is allocated for loading the DLL, and the loaded size of the DLL is recorded by a SizeOfImage member in an IMAGE _ optimal _ HEADER structure in the PE HEADER.
Optionally, the header of the DLL file is copied by a process injection program, and the respective sections are copied into the corresponding positions according to the section table of the PE file.
Optionally, the header of the DLL file includes a DOS file header, DOS instrumentation code, and a PE file header.
Optionally, loading other DLLs depended by the injection DLL, and modifying an IMPORT table of the injection DLL, wherein the IMPORT table of the PE file is an array with an element of IMAGE _ IMPORT _ DESCRIPTOR, and each depended DLL corresponds to an element in the array.
Compared with the prior art, the invention has the following advantages:
a new thread is started in a target process without using a CreateRemoteThread function, so that the execution of an API function LoadLibrary is avoided, the monitoring of a security product can be avoided, and the file attack is avoided.
Drawings
FIG. 1 is a flow chart of a method for implementing cross-process injection in accordance with the present invention;
Detailed Description
The following are specific embodiments of the present invention and are further described with reference to the drawings, but the present invention is not limited to these embodiments.
In particular, in conjunction with fig. 1, an injection process is first selected, and then the process is opened, so that the function carried therein is written into the injected process. If the writing fails, exiting; if the writing is successful, the following steps are performed:
firstly, applying for a readable and writable memory:
first, the base address of the DLL file in the memory is located. The approximate location of the DLL itself is found using relocation techniques in this case: ULONG _ PTRcaller (VOID) { return (ULONG _ PTR) _ return address (); }
Where function _ ReturnAddress () returns the return address of the current calling function, i.e., the address of the next instruction of the caller (). This address is located inside the reflexiveloader, which is located inside the injected DLL file, so this address is not far from the header of the DLL file.
By means of the found address, through upward traversal byte by byte, after the file header conforming to the PE format is found, the address of the DLL file in the memory can be considered to be found.
And secondly, acquiring a required system API. When the injection software is started, the injected process is in a normal running state, and the injected process is loaded with a plurality of core DLL files. By searching the DLL files, the needed API functions are searched, and convenience is provided for subsequent operation. Specifically, the required functions are LoadLibraryA () function in kernel32.Dll, getProcAddress (), virtualAlloc () function, and ntflushlnstructioncache () function in ntdll. Dll, we find the locations of kernel32.Dll and ntdll. Dll in memory by means of PEB.
Third, a piece of space is allocated to load the DLL.
The DLL file is already in the process memory, but a larger space is needed to load the DLL. A larger memory space is allocated for loading the DLL by means of the function VirtualAlloc () obtained in the second step. The size of the DLL after loading is described by the SizeOfImage member in the IMAGE _ option _ HEADER structure in the PE HEADER file.
And secondly, reading the DLL file to a memory.
In this process, the PE file header and the sections are copied. The method specifically comprises the following steps: after allocating the space for loading, the process injection program copies the DLL file's header to the header of the new space. And copying each section to a corresponding position according to the section table of the PE file. The header of the DLL file includes a DOS file header, DOS instrumentation code, and a PE file header.
Next, the incoming table of the DLL is processed and the DLL is relocated.
Since the injected DLL may depend on other DLLs, the dependent DLLs need to be loaded and the import table of the DLL needs to be modified, so that the introduced functions can operate normally.
The IMPORT table of the PE file is an array with an element IMAGE _ IMPORT _ describe. Each DLL that is relied upon corresponds to an element in the array.
The injected DLL only has the code in the reflexiveLoader which is intentionally written into the address irrelevant and does not need to be relocated, and the other parts of the code need to be relocated to run correctly. Each DLL has the possibility of not loading the predetermined base address, so each DLL is ready to relocate itself, and so the DLL is relocated by the information provided by the DLL file.
Finally, the DLL entry point is called.
Through the above steps, the reflexiveloader task is completely completed, and finally it transfers control to the entry point of the DLL file, which can be found through AddressOfEntryPoint in the NT optional impression header. Initialization of the C runtime is done through the entry point, a series of security checks are performed and dllmain is invoked.
Through the steps, the novel injection method is realized, the effective interception of the safety product can be bypassed, the file does not need to fall to the ground, the file directly runs in the memory, and the intercepted risk is reduced.
The specific embodiments described herein are merely illustrative of the spirit of the invention. Various modifications or additions may be made to the described embodiments or alternatives may be employed by those skilled in the art without departing from the spirit or ambit of the invention as defined in the appended claims.

Claims (8)

1. A method for implementing cross-process injection, the method comprising: opening the injection process to enable the DLL to be written into the injected process, and then positioning a base address of the DLL file in the internal memory of the DLL file in the injected process; acquiring a required system API function from a core DLL file of the injected process; allocating a space for loading DLL in the memory of the injected process, and copying the head and each section of the DLL file in the allocated corresponding memory space; processing an import table of the DLL and relocating the DLL; the DLL entry point is called.
2. The method of claim 1, wherein the base address is obtained by using a relocation method: ULONG _ PTR caller (VOID) { return (ULONG _ PTR) _ ReturnAdress (); and the function _ ReturnAddress () returns the return address of the current calling function, namely the address of the next instruction of the caller (), and the return address is searched, so that the byte-by-byte upward traversal is performed, and after the header of the PE file is found, the address of the DLL file in the memory is judged to be found.
3. A method for implementing cross-process injection as claimed in claim 1 or 2, wherein the API function is LoadLibraryA () in kernel32.Dll, getProcAddress (), virtualAlloc () and ntflushinstractincache () function in ntdll. Dll, and the locations of kernel32.Dll and ntdll. Dll in memory are looked up by means of PEB.
4. The method of claim 3, wherein allocating a piece of space to load a DLL comprises: and allocating a larger memory space for loading the DLL by adopting a VirtualAlloc ().
5. The method of claim 4, wherein the loaded size of the DLL is documented by a SizeOfImage member in an IMAGE _ OPTIONAL _ HEADER construct in a PE file HEADER.
6. The method of claim 1 or 2, wherein the header of the DLL file is copied by a process injection program, and the respective sections are copied into the corresponding positions according to the section table of the PE file.
7. The method for implementing cross-process injection of claim 6, wherein the DLL file header comprises a DOS file header, DOS instrumentation code, and a PE file header.
8. The method of claim 1 or 2, wherein the loading of other DLLs on which the injected DLL depends and the modification of the IMPORT table of the injected DLL are performed, wherein the IMPORT table of the PE file is an array with an element of IMAGE _ impact _ DESCRIPTOR, and each dependent DLL corresponds to an element in the array.
CN202211159893.5A 2022-09-22 2022-09-22 Method for realizing cross-process injection Pending CN115510441A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211159893.5A CN115510441A (en) 2022-09-22 2022-09-22 Method for realizing cross-process injection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211159893.5A CN115510441A (en) 2022-09-22 2022-09-22 Method for realizing cross-process injection

Publications (1)

Publication Number Publication Date
CN115510441A true CN115510441A (en) 2022-12-23

Family

ID=84505857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211159893.5A Pending CN115510441A (en) 2022-09-22 2022-09-22 Method for realizing cross-process injection

Country Status (1)

Country Link
CN (1) CN115510441A (en)

Similar Documents

Publication Publication Date Title
US10460099B2 (en) System and method of detecting malicious code in files
US10528735B2 (en) Malicious code protection for computer systems based on process modification
US9195823B1 (en) System and method for intercepting process creation events
US7631249B2 (en) Dynamically determining a buffer-stack overrun
AU2006210698B2 (en) Intrusion detection for computer programs
US7831791B2 (en) Method of address space layout randomization for windows operating systems
EP3230919B1 (en) Automated classification of exploits based on runtime environmental features
US20040103252A1 (en) Method and apparatus for protecting memory stacks
US11822654B2 (en) System and method for runtime detection, analysis and signature determination of obfuscated malicious code
US6698016B1 (en) Method for injecting code into another process
KR20150065715A (en) Exception handling in a data processing apparatus having a secure domain and a less secure domain
JP2015534186A (en) Data processing apparatus and method for protecting secure data and program code from insecure access when switching between secure and less secure domains
CN114385189B (en) Function address space layout randomization method for deep embedded system
CN108920253B (en) Agent-free virtual machine monitoring system and monitoring method
CN116150739A (en) Automatic stack overflow defense method based on dynamic protection of key address
US11847222B2 (en) System and method for preventing unwanted bundled software installation
CN115510441A (en) Method for realizing cross-process injection
JP4643201B2 (en) Buffer overflow vulnerability analysis method, data processing device, analysis information providing device, analysis information extraction processing program, and analysis information provision processing program
US11893113B2 (en) Return-oriented programming protection
EP3293660A1 (en) System and method of detecting malicious code in files
CN117150487A (en) Dynamic link library file injection detection method and device
RU2265241C2 (en) Method for calling a procedure on basis of binary stack
CN117034278A (en) Vulnerability detection method and device, storage medium and electronic equipment
CN115185568A (en) Function Hook updating method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination