1 Code/DLL Injection ECE4112 – Internetwork Security Georgia Institute of Technology By Andrei Bersatti and Brandon Harrington.

2 Agenda
- Background: Processes and DLLs
- Code Injection
  - Static Injection
  - Dynamic Injection
- Trojans and Firewall Evasion
- Defenses

3 Processes and DLLs (1)
- What are processes?
- What are DLL files? (More on this later.)
- Processes are running tasks that are managed by the operating system.
- Processes may load DLL files (Dynamic Link Libraries, in Windows).
- Dynamic Link Libraries are executable code that can only be executed when called by a process.

4 Processes and DLLs (2)
At the lab:
- We will have a brief review of processes.
- Use Windows Task Manager to observe processes.
- Use Sysinternals Process Explorer (view processes and the .dll files loaded by each process).
- Process name, process user, process description, process ID, process DLLs.

5 Code Injection
- Code Injection: "injecting" code (placing executable code) into another program.
- Two kinds:
  - Static Injection: occurs prior to program execution.
  - Dynamic Injection: occurs on or after program execution.
- Original Program/Process + Injected Code = Malicious Program/Process

6 Code Injection – Static Injection (1)
- Occurs prior to execution of a program.
- Example: a program innocent.exe is modified so that, before executing itself, it executes code that has been injected to do something nasty. The program is then delivered to the victim, who thinks the program is innocent (a virus? a trojan? a technique!).

7 Code Injection – Static Injection (2)
How is it done?
- Programs have a memory space. Not all of the memory space is used; some parts of it (usually at the end) are full of NOPs. This area is known as a "cave."
- A cave can be overwritten without corrupting the victim program (other than by adding the desired functionality).

8 Code Injection – Static Injection (3)
- In order to execute the code in the cave, the program has to be able to reach it. How?
- Every program has an Entry Point. By changing the first instruction at the Entry Point into a JUMP to our added code, our code executes as soon as the program starts.
- At the end of our code we add any instructions overwritten by the JUMP and then JUMP back to the 2nd instruction of the Entry Point. Program execution continues normally.

9 Code Injection – Static Injection (4)
In the lab: we will use OllyDbg (a debugger or decompiler) to modify the memory space of winmine.exe (Minesweeper) so that it displays a Message Box prior to executing.
Need some basic ASM:
- JMP -> a jump to an address (to an instruction).
- PUSH -> pushes a variable onto the stack.
- CALL -> calls a function; our function, user32.MessageBoxA, will pop the stack and take those variables as parameters.

10 Code Injection – Static Injection (5)
- Static Code Injection is not widely exploited by Trojans.
- Understanding how Static Code Injection works helps to understand Dynamic Code Injection.
- Static Code Injection is harder to detect, since it may have occurred before the victim program arrived at a particular location.
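The static-injection slides describe a patched entry point whose first instruction becomes a JMP into a cave at the end of a section, and the later Detection slide answers it with file fingerprinting. The following added example (not part of the deck or its lab materials) shows the defender's side of that: it hashes an image for fingerprinting, decodes just enough of a PE32 header to locate the entry point, and reports when the entry point sits in the zero-filled slack past a section's VirtualSize, lands in a non-executable section, or begins with a near JMP. The PE builder and the two images are constructed fixtures for the checks, not real executables; the JMP-at-entry test is an assumed heuristic, not a rule from the slides.

```python
import hashlib
import struct

# Section characteristic flags from the PE format (real constants).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def fingerprint(data):
    """File fingerprinting: SHA-256 of the whole image, to be compared
    against a known-good hash recorded before delivery."""
    return hashlib.sha256(data).hexdigest()


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32 image.
    Only the header fields the checks below need are decoded."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    base = opt + size_opt                        # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        off = base + i * 40
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize,
                         "vaddr": vaddr, "raw_size": raw_size,
                         "raw_ptr": raw_ptr, "chars": chars})
    return entry_rva, sections


def check_entry_point(data):
    """Return findings describing why the entry point looks redirected into
    a cave; an empty list means nothing suspicious was seen."""
    entry_rva, sections = parse_pe(data)
    findings = []
    home = None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            home = s
            break
    if home is None:
        return ["entry point lies outside every section"]
    offset = entry_rva - home["vaddr"]
    if not home["chars"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {home['name']}")
    if offset >= home["vsize"]:
        findings.append(f"entry point in the slack (cave) past VirtualSize of {home['name']}")
    first = data[home["raw_ptr"] + offset: home["raw_ptr"] + offset + 1]
    if first == b"\xe9":                         # assumed heuristic: E9 = near JMP rel32
        findings.append("first instruction at entry point is a near JMP (E9)")
    return findings


def build_sample_pe(entry_rva, code, virtual_size, raw_size):
    """Construct a minimal PE32 header with one .text section. This is a
    test fixture for the checks above, not a loadable executable."""
    opt_size = 224                                       # PE32 optional header size
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, raw_size, 0, 0, entry_rva)
    opt += b"\0" * (opt_size - len(opt))
    raw_ptr = 0x200                                      # first file-aligned slot after the headers
    section = struct.pack("<8sIIIIIIHHI", b".text", virtual_size, 0x1000, raw_size,
                          raw_ptr, 0, 0, 0, 0, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)
    header = dos + b"PE\0\0" + coff + opt + section
    header += b"\0" * (raw_ptr - len(header))
    return header + code + b"\0" * (raw_size - len(code))


# Constructed fixtures: a clean image whose entry point starts with a normal
# prologue, and a copy whose first instruction was replaced by a JMP into the
# zero-filled tail of .text (the cave), as the slides describe.
CLEAN_CODE = b"\x55\x8b\xec\x83\xec\x10"               # push ebp; mov ebp,esp; sub esp,0x10
PATCHED_CODE = b"\xe9\x7b\x01\x00\x00\x83\xec\x10"     # jmp +0x17b (into the cave); sub esp,0x10
CLEAN_IMAGE = build_sample_pe(0x1000, CLEAN_CODE, 0x20, 0x200)
PATCHED_IMAGE = build_sample_pe(0x1000, PATCHED_CODE, 0x20, 0x200)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_IMAGE), ("patched", PATCHED_IMAGE)):
        print(label, fingerprint(image)[:16], check_entry_point(image) or "no findings")
```

The hash comparison is the only check that is conclusive: a file whose fingerprint matches the known-good value has not been patched at all. The header checks are heuristics for files with no reference hash; some legitimate linkers and packers also put a JMP at the entry point or place it outside the first section, so treat a finding as a reason to look at the file in a debugger, as the lab does with OllyDbg, rather than as proof of tampering.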

11 Dynamic Code Injection
- Used by rootkits, trojans, viruses, spyware.
- Inserts code into the program's memory space.
- No signs of tampering in the executable file.
- Changes are done on the fly while the process is running.

12 Dynamic Link Libraries (DLL)
- DLLs are shared libraries used across many programs.
- Instead of including the shared code in every executable, common functions are stored in a separate file accessible by the programs.
  - Reduces executable size
  - Increases code re-use
- Accessed by memory location
  - Import/Export look-up table

13 API Hooking
- Closely related to function overloading in programming.
- Common practice in programming, mainly for debugging purposes.
- Uses DLL injection to implant its hook DLL.

14 API Hooking (continued)
Malicious uses:
- Override functions in programs to intercept data.
- Maintain functionality but add "bad features."
- Examples:
  - An encryption function in a DLL could be overridden to output the data before it is encrypted.
  - A "send web data" function could be overridden to send duplicate data to another server.

15 Lab Procedures (Dynamic Injection)
- Inject DLLs into running processes using:
  - APM
  - Aphex's DLL Injector
- Use Process Explorer (PE) to show the new DLL loaded.

16 Trojans and Firewall Evasion (1)
- What is the relevance of Code Injection to an Internetwork Security class?
- Trojans often use code/DLL injection in an attempt to evade the firewall and communicate with the Internet.
- Reverse connection: the attacker's computer does not contact you; your computer contacts the attacker's computer!
- Access to data prior to encryption!

17 Trojans and Firewall Evasion (2)
Static code injection scenario:
- Install.exe was downloaded from Kazaa. (Assume Install.exe is your favorite videogame.)
- Install.exe is in reality MultiPlayerGame.exe wrapped with an invisible Keylogger.exe.
- MultiPlayerGame.exe was injected with code to connect to the Internet and deliver Keylog.txt to an attacker's IP address.
- Because you willingly ran a multiplayer game, you will tell your firewall "Yes, allow MultiPlayerGame.exe to go outbound."

18 Trojans and Firewall Evasion (3)
- But, as we said before, while harder to detect, Static Code Injection is not commonly used by trojans. Dynamic Code/DLL Injection is far more common and far more dangerous!
- Dynamic Code/DLL Injection scenario: warningIamAtrojanServer.exe was somehow executed by some irresponsible person. This installed in the Run registry key a program that runs upon startup for 1 second and injects a trojan.dll into iexplore.exe. The trojan was a Remote Administration Tool, and because iexplore.exe has firewall privileges, this RAT does too!

19 Trojans and Firewall Evasion (4)
At the lab:
- We will install a firewall (Sygate Personal Firewall).
- We will test the firewall using Atelier Web Firewall Tester (tests firewalls by trying to inject into different processes that should already have privileges in the firewall). Atelier claims that most firewalls fail these tests!

20 Trojans and Firewall Evasion (5)
Some Trojans that use injection:
- Assassin 2.0 – uses dynamic DLL injection for reverse connection.
- Beast 2.0 – uses dynamic DLL injection for reverse connection.
- Nuclear Uploader – uses dynamic DLL injection for reverse connection.
- Flux – uses dynamic code injection for reverse connection.
- Institution 2004 – claims to use DLL injection for reverse connection; allows a process to be patched remotely.

21 Trojans and Firewall Evasion (6)
In the lab:
- We will play with Assassin 2.0; show the loaded .dll using Process Explorer.
- We will play with Institution 2004; show the ability to patch processes remotely.
- We will play with Flux; show that it does indeed use Internet Explorer to evade the firewall and yet no loaded .dll is detected.
- Tools: Process Explorer, Sygate Personal Firewall logs.

22 Protection
How can you protect yourself from this attack?
- Anti-Hook
  - Essentially a firewall for DLLs
  - Rule-based: allow only "trusted" DLLs to be loaded by programs

23 Detection
- Static Injection
  - File fingerprinting
- Dynamic Injection
  - Scan memory for rogue DLLs currently loaded
  - Check import/export addresses of linked functions and compare them with known addresses

24 Lab Procedures (Defenses)
- Use Advanced Process Manipulation (APM) to unload DLLs injected into current processes.
- Use TDS-3 to scan memory for rogue DLLs.

25 Conclusions
- This is a common technique, comparable to buffer overflows.
- If you know how the technique works, you can defend yourself against the various malware that uses it.