I researched an article and training materials available on the internet to explore some creative techniques developed by researchers for injecting a malicious payload into a process with minimal traces.
I came across a process injection technique known as Process Doppelgänging, which gained attention at the Black Hat Europe 2017 conference. The technique is not the latest in the industry, but it struck me as particularly ingenious and unconventional. More information about this technique can be found at the following link: https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf.
The technique closely resembles process hollowing, in which a legitimate process is started and its code is replaced in memory with malicious content. Process Doppelgänging instead relies on NTFS transactions: it opens a legitimate file inside a transaction, overwrites it with the malicious payload, and creates an image section from that transacted file, so the new process is built from the payload without the payload ever being committed to disk.
Briefly put, a file can be created or overwritten within a transaction so that the change is visible only through the transacted handle until the transaction is committed. This can be exploited to drop and execute a payload: by rolling back the transaction at the right moment, the operating system behaves as if the file was never written, while the image section created from it before the rollback stays valid.
Process Doppelgänging starts with creating an NTFS transaction (CreateTransaction).
Once the transaction exists, open the target file inside it (CreateFileTransacted) and write the payload into it; the write is visible only through that transacted handle.
The next step is to create a section from the transacted file (NtCreateSection with SEC_IMAGE). The section becomes the base of our process. Remember that the malicious payload is now settled in a memory range.
Roll back the NTFS transaction. The rollback tells the operating system to cancel the write, so the payload never reaches the file on disk. Nonetheless, the image section created before the rollback still holds the payload in memory.
Our payload is primed in memory (hSection); however, in order to execute it we must establish a suitable process. Creating the process from the section (NtCreateProcessEx) gives us a process whose image is our payload and which serves as the environment for executing it.
Once the process exists, we must determine precisely where execution begins. The key values are the base address, read from the new process's PEB (ImageBaseAddress), and the entry point, which is that base plus the AddressOfEntryPoint taken from the payload's PE header.
One of the most crucial steps is to set up the process parameters (image path and command line) so that the process appears legitimate and does not draw attention from antivirus software. In this scenario, the parameters for our malicious process are set to C:\temp\mynotes.txt.
We then update the process environment block (PEB) of the new process, whose ProcessParameters field points to those parameters, so that it references the parameter block we copied into the new process.
The last part is to create a thread (NtCreateThreadEx). A process must have at least one thread to run, so we create a thread at the entry point to execute our code.
After that, the process runs like any other.