shows how a malware author achieves this suspended state by passing CREATE_SUSPENDED (0x4) as the dwCreationFlags parameter when performing the call to CreateProcess. shows C pseudocode for performing process replacement.Example 12-3. C pseudocode for process replacement
CreateProcess(...,"svchost.exe",...,CREATE_SUSPENDED,...); ZwUnmapViewOfSection(...); VirtualAllocEx(...,ImageBase,SizeOfImage,...); WriteProcessMemory(...,headers,...); for (i=0; i < NumberOfSections; i++) { ❶ WriteProcessMemory(...,section,...); } SetThreadContext(); ... ResumeThread();
Once the process is created, the next step is to replace the victim process’s memory with the malicious executable, typically using ZwUnmapViewOfSection to release all memory pointed to by a section passed as a parameter. After the memory is unmapped, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware sections to the victim process space, typically in a loop, as shown at ❶.
In the final step, the malware restores the victim process environment so that the malicious code can run by calling SetThreadContext to set the entry point to point to the malicious code. Finally, ResumeThread is called to initiate the malware, which has now replaced the victim process.
Process replacement is an effective way for malware to appear non-malicious. By masquerading as the victim process, the malware is able to bypass firewalls or intrusion prevention systems (IPSs) and avoid detection by appearing to be a normal Windows process. Also, by using the original binary’s path, the malware deceives the savvy user who, when viewing a process listing, sees only the known and valid binary executing, with no idea that it was unmapped.
Назад: Process Injection
Дальше: Hook Injection
Example 12-3. C pseudocode for process replacement
CreateProcess(...,"svchost.exe",...,CREATE_SUSPENDED,...);ZwUnmapViewOfSection(...);VirtualAllocEx(...,ImageBase,SizeOfImage,...);WriteProcessMemory(...,headers,...); for (i=0; i < NumberOfSections; i++) { ❶WriteProcessMemory(...,section,...); }SetThreadContext(); ...ResumeThread();
Once the process is created, the next step is to replace the victim process’s memory with the malicious executable, typically using ZwUnmapViewOfSection to release all memory pointed to by a section passed as a parameter. After the memory is unmapped, the loader performs VirtualAllocEx to allocate new memory for the malware, and uses WriteProcessMemory to write each of the malware sections to the victim process space, typically in a loop, as shown at ❶.
In the final step, the malware restores the victim process environment so that the malicious code can run by calling SetThreadContext to set the entry point to point to the malicious code. Finally, ResumeThread is called to initiate the malware, which has now replaced the victim process.
Process replacement is an effective way for malware to appear non-malicious. By masquerading as the victim process, the malware is able to bypass firewalls or intrusion prevention systems (IPSs) and avoid detection by appearing to be a normal Windows process. Also, by using the original binary’s path, the malware deceives the savvy user who, when viewing a process listing, sees only the known and valid binary executing, with no idea that it was unmapped.
Войти в систему
Войти с помощью соц. сетей:
