Injecting a DLL without a Remote Thread

Tuesday, March 14, 2017

A well-known technique for injecting a DLL into another process involves using the CreateRemoteThread(Ex) function to create a thread in another process and point the thread function to the LoadLibraryA or LoadLibraryW, since these functions have the same signature (on the binary level) as a thread function. Before calling CreateRemoteThread, the caller uses VirtualAllocEx to allocate some memory to hold the path to the DLL. This technique is simple and reliable, but has a couple of drawbacks: 1. The target process must be opened with a relatively broad access mask that includes PROCESS_CREATE_THREAD. 2. Anti-malware agents typically...
no comments

NTFS Alternate Streams

Thursday, October 13, 2016

A little known feature of the NTFS file system is the ability to add “streams”, which are much like files, but hidden within a “normal” file. This can serve as a way to add custom metadata to a file without any standard tool noticing – the file size reported by standard APIs does not change, even though the added streams consume disk space. This is also a possible technique for malware to hide literally “in plain sight”, as these streams can be added to any file (PE or not), without anything looking suspicious with most standard tools. To create...
no comments

Code Injection with Image File Execution Options

Saturday, April 9, 2016

A well-known features of Windows is the Image File Execution Options registry key located in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Under that key, key names with executable files (e.g. Notepad.exe) can be created and various options can be set. These options are observed when a process with the key name (from any directory) is about to be created. A convenient tool to set these options is the Gflags.exe utility, available as part of the Debugging Tools for Windows. One of the useful values is "Debugger" that allows another process (typically a debugger) to be launched when the specific executable is...

Creating an Object Manager Browser Part 3 – Security Dialog

Wednesday, February 26, 2014

In the previous post we’ve managed to get most of WinObj’s functionality – browsing the folders and viewing object information. The last “major” missing piece is the security dialog that shows security related information for certain object types. I’m certainly not a security expert; on top of that the security API in Windows is one of the most dreadful APIs in all Windows. Fortunately, to get the standard security dialog to show we just need to call one function – EditSecurity or CreateSecurityPage. The former shows the basic security dialog box and returns when it’s dismissed, while the latter...