Introduction
This Proof-Of-Concept (POC) code demonstrates the dynamic loading of a Win32 EXE into the memoryspace of a process that was created using the CreateProcess API with the CREATE_SUSPENDED parameter. Thiscode also shows how to perform manual relocation of a Win32
EXE and how to unmap the original image of an EXEfrom its process space.
Description of Technique
Under Windows, a process can be created in suspend mode using the CreateProcess API with the CREATE_SUSPENDED parameter. The EXE image will be loaded into memory by Windows but execution will not begin until the ResumeThread API is used. Before calling ResumeThread,
it is possible to read and write this process's memory space using APIs like ReadProcessMemory and WriteProcessMemory. This makes it possible to overwrite the image of the original EXE with the image of another EXE, thus enabling the execution of the second
EXE within the memory space of the first EXE. Thiscan be achieved with the following sequence of steps.
- Use the CreateProcess API with the CREATE_SUSPENDED parameter to create a suspended process from any EXE file. (Call this the
first EXE). - Call GetThreadContext API to obtain the register values (thread context) of the suspended process. The EBX registerof the suspended process points to the process's PEB. The EAX register contains the entry point ofthe process (first EXE).
- Obtain the base-address of the suspended process from its PEB, i.e. at [EBX+8]
- Load the second EXE into memory (using ReadFile) and perform the neccessary alignment manually. This is required if the file alignment is different from the memory alignment
- If the second EXE has the same base-address as the suspended process and its image-size is <= to theimage-size of the suspended process, simply use the WriteProcessMemory function to write the image of the second EXE into thememory space of the suspended
process, starting at the base-address. - Otherwise, unmap the image of the first EXE using ZwUnmapViewOfSection (exported by ntdll.dll) anduse VirtualAllocEx to allocate enough memory for the second EXE within the memory space of the suspended process. The VirtualAllocEx API must be supplied with
the base-address of the second EXE to ensure thatWindows will give us memory in the required region. Next, copy the image of the second EXE into the memory space of the suspended process starting at the allocated address (using WriteProcessMemory). - If the unmap operation failed but the second EXE is relocatable (i.e. has a relocation table), then allocateenough memory for the second EXE within the suspended process at any location. Performmanual relocation of the second EXE based on the allocated
memory address. Next, copy the relocated EXE into thememory space of the suspended process starting at the allocated address (using WriteProcessMemory). - Patch the base-address of the second EXE into the suspended process's PEB at [EBX+8].
- Set EAX of the thread context to the entry point of the second EXE.
- Use the SetThreadContext API to modify the thread context of the suspended process.
- Use the ResumeThread API to resume execute of the suspended process.
转载自:http://www.security.org.sg/code/loadexe.html
源码下载http://download.csdn.net/detail/sdcxyz/6482053
Techniques Demonstrated by POC Code
- Manual relocation of an EXE using its Relocation Table.
- Unmapping the image of the original EXE using ZwUnmapViewOfSection.
- Reading and Writing to a process's memory space using ReadProcessMemory and WriteProcessMemory.
- Changing the base-address of a process by modifying its value in the process's PEB.
Usage
loadEXE.exe <EXE filename>
This POC code will use the CreateProcess API to create a process in suspend mode from calc.exe. It would then load and align the EXE file given by the "EXE filename" commandline parameter. Following this, it would copy the aligned EXE image into calc.exe's
memory space and resume execution.
Contacts
For further enquries or to submit malicious code for our analysis, email them to the following.