Objectives About Us Sponsors News Past Events Contact Us
Login G-TEC CC Mirror Forums Links

 

 

SIG^2 Secure Code Study Project Proof-Of-Concept

Dynamic Forking of Win32 EXE

by Tan Chew Keong
7 April 2004

Download

Introduction

This Proof-Of-Concept (POC) code demonstrates the dynamic loading of a Win32 EXE into the memory space of a process that was created using the CreateProcess API with the CREATE_SUSPENDED parameter. This code also shows how to perform manual relocation of a Win32 EXE and how to unmap the original image of an EXE from its process space.

Description of Technique

Under Windows, a process can be created in suspend mode using the CreateProcess API with the CREATE_SUSPENDED parameter. The EXE image will be loaded into memory by Windows but execution will not begin until the ResumeThread API is used. Before calling ResumeThread, it is possible to read and write this process's memory space using APIs like ReadProcessMemory and WriteProcessMemory. This makes it possible to overwrite the image of the original EXE with the image of another EXE, thus enabling the execution of the second EXE within the memory space of the first EXE. This can be achieved with the following sequence of steps.

  1. Use the CreateProcess API with the CREATE_SUSPENDED parameter to create a suspended process from any EXE file. (Call this the first EXE).

  2. Call GetThreadContext API to obtain the register values (thread context) of the suspended process. The EBX register of the suspended process points to the process's PEB. The EAX register contains the entry point of the process (first EXE).

  3. Obtain the base-address of the suspended process from its PEB, i.e. at [EBX+8]

  4. Load the second EXE into memory (using ReadFile) and perform the neccessary alignment manually. This is required if the file alignment is different from the memory alignment

  5. If the second EXE has the same base-address as the suspended process and its image-size is <= to the image-size of the suspended process, simply use the WriteProcessMemory function to write the image of the second EXE into the memory space of the suspended process, starting at the base-address.

  6. Otherwise, unmap the image of the first EXE using ZwUnmapViewOfSection (exported by ntdll.dll) and use VirtualAllocEx to allocate enough memory for the second EXE within the memory space of the suspended process. The VirtualAllocEx API must be supplied with the base-address of the second EXE to ensure that Windows will give us memory in the required region. Next, copy the image of the second EXE into the memory space of the suspended process starting at the allocated address (using WriteProcessMemory).

  7. If the unmap operation failed but the second EXE is relocatable (i.e. has a relocation table), then allocate enough memory for the second EXE within the suspended process at any location. Perform manual relocation of the second EXE based on the allocated memory address. Next, copy the relocated EXE into the memory space of the suspended process starting at the allocated address (using WriteProcessMemory).

  8. Patch the base-address of the second EXE into the suspended process's PEB at [EBX+8].

  9. Set EAX of the thread context to the entry point of the second EXE.

  10. Use the SetThreadContext API to modify the thread context of the suspended process.

  11. Use the ResumeThread API to resume execute of the suspended process.

 

Techniques Demonstrated by POC Code

  1. Manual relocation of an EXE using its Relocation Table.
  2. Unmapping the image of the original EXE using ZwUnmapViewOfSection.
  3. Reading and Writing to a process's memory space using ReadProcessMemory and WriteProcessMemory.
  4. Changing the base-address of a process by modifying its value in the process's PEB.

 

Usage

loadEXE.exe <EXE filename>

This POC code will use the CreateProcess API to create a process in suspend mode from calc.exe. It would then load and align the EXE file given by the "EXE filename" commandline parameter. Following this, it would copy the aligned EXE image into calc.exe's memory space and resume execution.

 

 

Contacts

For further enquries or to submit malicious code for our analysis, email them to the following.

Overall-in-charge: Tan Chew Keong


Updated: 11/3/2004
webmaster@security.org.sg