Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Process Injection
Дальше: Hook Injection

shows how a malware author achieves this suspended state by passing CREATE_SUSPENDED (0x4) as the dwCreationFlags parameter when performing the call to CreateProcess.

shows C pseudocode for performing process replacement.

Once the process is created, the next step is to replace the victim process’s memory with the malicious executable, typically using ZwUnmapViewOfSection to release all memory pointed to by a section passed as a parameter. After the memory is unmapped, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware sections to the victim process space, typically in a loop, as shown at .

In the final step, the malware restores the victim process environment so that the malicious code can run by calling SetThreadContext to set the entry point to point to the malicious code. Finally, ResumeThread is called to initiate the malware, which has now replaced the victim process.

Process replacement is an effective way for malware to appear non-malicious. By masquerading as the victim process, the malware is able to bypass firewalls or intrusion prevention systems (IPSs) and avoid detection by appearing to be a normal Windows process. Also, by using the original binary’s path, the malware deceives the savvy user who, when viewing a process listing, sees only the known and valid binary executing, with no idea that it was unmapped.

sss
sss

© RuTLib.com 2015-2018