Shulou (Shulou.com), SLTechnology News&Howtos > Network Security, 05/31 report; updated 2025-02-24
This article shows how to reverse-engineer the implementation of Microsoft's IFEO image hijacking mechanism, from ring3 down to ring0. The content is concise and easy to follow, and I hope the detailed walkthrough gives you something to take away.
IFEO (Image File Execution Options) is a set of keys in the Windows registry. The IFEO key exists so that developers can choose to debug their software: with it, a developer can attach any program to any executable file. In practice, however, it is widely used to implement process injection. Many people know only the ring3 part of the mechanism and not the complete picture. Today we analyze the whole flow from ring3 to ring0.
Write a small test.exe that parses its command line (to make debugging easier for the tester) and shows a MessageBox pop-up.
After compiling it, we modify the registry under the IFEO key shown below:
**HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\{name of the executable}**
Add a notepad.exe subkey, then add a Debugger value under it:
"Debugger" = "{full path to the debugger}"
Then type notepad into the search box in the lower left corner of Windows.
When notepad.exe is started, our test.exe is started instead.
The goal today is to analyze how this mechanism works.
Continuing from the code above, remove the MessageBox and put notepad.exe directly into the startup parameters of the process being created.
Then debug and run it in OllyDbg.
After startup, set a breakpoint on CreateProcessW with the command: bp CreateProcessW
The breakpoint hits and execution stops.
Continue with F8, then F7 to step into:
**775F1054 |. E8 22010100 CALL kernel32.CreateProcessInternalW**
Checking in IDA, the code at the start of CreateProcessInternalW is basically a series of string-copying operations.
In OllyDbg, F8 steps straight over these.
Next comes the construction of the environment block.
Step straight through this as well, until we reach the point below, stepping one instruction at a time.
Set a breakpoint here in the debugger.
Then press F8.
We find:
NtCreateUserProcess(&Process, &ThreadHandle, 0x2000000, 0x2000000, v188, v189, v64, 1, v60, &v194, &v347)
The function's return value in eax is 0xC0000039, meaning that the kernel call to create the process fails outright.
The return value is STATUS_OBJECT_PATH_INVALID, meaning the path object is invalid. Analyzing the data in the structure passed as the ninth parameter, however, shows that there is really nothing wrong with the path.
We can run a comparative experiment: delete the corresponding Debugger value under the IFEO key and debug again.
The following is the normal run after the registry value has been deleted:
The parameters are basically the same; stepping through with F8 now yields a return value of eax == 0.
That is, STATUS_SUCCESS: when there is no Debugger registry value, the NtCreateUserProcess kernel call returns 0. We can now roughly guess that the IFEO registry value is also processed in the kernel. To find out how the kernel handles it, we debug the kernel directly in a virtual machine with WinDbg.
Next, set a breakpoint on NtCreateUserProcess in WinDbg; the WinDbg breakpoint is hit when NtCreateUserProcess is executed from OllyDbg.
One of the simplest approaches is to step into the function instruction by instruction and find which call returns 0xC0000039. After repeated tries, it turns out that 0xC0000039 is returned when NtCreateUserProcess calls the **PspAllocateProcess** function.
Set a breakpoint at fffff800`0412651f.
It breaks after running.
The debugger stopped at:
call nt!PspAllocateProcess (fffff8000412852c); after F10, check the return value with r eax, which displays:
That is, the handling of the registry value may happen inside this function. Open the kernel file ntkrnlmp.exe in IDA and, going through it slowly, you will find this piece of code:
This code checks whether the IFEO key has a corresponding Debugger registry setting. Scrolling up, you will find that IFEOKey is the opened IFEO registry key for the current process's image name.
RtlpOpenImageFileOptionsKey calls RtlpOpenBaseImageFileOptionsKey, which in turn calls ZwOpenKey on the IFEO registry key.
To verify our findings, set a breakpoint on the RtlQueryImageFileKeyOption function.
Step into RtlQueryImageFileKeyOption down to ZwQueryValueKey, then press F10.
Check the values in rsi.
You will find that the Debugger registry setting is read at this point. Then return to the instruction following the call:
It checks whether eax is 0; the function returned 0, so execution enters:
mov r12d,0C0000039h
Finally, r12d is moved into eax and returned.
This is where we finally see the process creation fail with error code 0xC0000039.
When the kernel call fails, the ring3 layer enters
76B4F75F . FF15 5006B176 CALL DWORD PTR DS:[] ; ntdll.LdrQueryImageFileKeyOption
a function that reads the Debugger value under IFEO.
After obtaining the data and successfully parsing the parameters, the path of the current process is appended as an argument to the program named by Debugger, forming the new process startup parameters.
In the image above you can see the two paths concatenated. The newly constructed parameter is:
UNICODE "C:\Users\Administrator\Desktop\test.exe C:\Windows\System32\notepad.exe"
Finally, goto LABEL_87 rebuilds the process parameter environment for the new process and enters NtCreateUserProcess again, but this time it starts test.exe.
This time the return value is 0: creation succeeded.
At this point the whole flow has been analyzed. Microsoft's IFEO mechanism was originally intended for developers to debug programs, but over time it was hijacked by malicious software. Microsoft's official MSDN documentation states that when CreateProcess is called with DEBUG_ONLY_THIS_PROCESS or DEBUG_PROCESS, the registry is not read and no hijack occurs; this is indeed the case in actual testing, and readers can work out the specific reason themselves. Special statement: reverse analysis and debugging is a weapon and should not be used in illegal ways. The above is how to reverse-engineer the implementation of Microsoft's IFEO image hijacking mechanism from ring3 to ring0. Have you learned any knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
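The round trip traced above (kernel failure with 0xC0000039, ring3 re-read of the Debugger value, rebuilt command line, second NtCreateUserProcess) modelled in Python, as an added example that is not code from the original article. The registry is a constructed dictionary, and the functions named after PspAllocateProcess, RtlQueryImageFileKeyOption and CreateProcessInternalW are stand-ins for the routines the article identifies, not the real APIs; the final audit function is the check a defender would run over such a snapshot to list every image that carries a Debugger value.

```python
"""Model of the IFEO Debugger round trip the article traces (added example, not the article's code)."""
import ntpath
from dataclasses import dataclass

STATUS_SUCCESS = 0x00000000
STATUS_OBJECT_PATH_INVALID = 0xC0000039  # what PspAllocateProcess returns when a Debugger value exists
IFEO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed registry snapshot: IFEO subkey (image file name) -> its values.
SAMPLE_REGISTRY = {
    "notepad.exe": {"Debugger": r"C:\Users\Administrator\Desktop\test.exe"},
    "calc.exe": {"DisableExceptionChainValidation": 0},  # unrelated IFEO value, not a hijack
}

@dataclass
class Attempt:
    image: str           # image NtCreateUserProcess was asked to start
    command_line: str    # command line passed with it
    status: int          # NTSTATUS returned

def query_image_file_key_option(registry, image_path, value="Debugger"):
    """Stand-in for RtlQueryImageFileKeyOption: read a value from the image's own IFEO subkey."""
    subkey = ntpath.basename(image_path).lower()  # registry names are case-insensitive
    return registry.get(subkey, {}).get(value)

def psp_allocate_process(registry, image_path):
    """Stand-in for the kernel check in PspAllocateProcess: fail if a Debugger value is present."""
    if query_image_file_key_option(registry, image_path):
        return STATUS_OBJECT_PATH_INVALID
    return STATUS_SUCCESS

def create_process_internal(registry, image_path, command_line):
    """Stand-in for CreateProcessInternalW: one kernel attempt, then a single ring3 retry."""
    attempts = [Attempt(image_path, command_line, psp_allocate_process(registry, image_path))]
    if attempts[0].status == STATUS_OBJECT_PATH_INVALID:
        debugger = query_image_file_key_option(registry, image_path)  # ring3 re-reads the value
        # New command line = Debugger value followed by the original command line (the LABEL_87 path)
        retry_cmdline = f"{debugger} {command_line}"
        attempts.append(Attempt(debugger, retry_cmdline, psp_allocate_process(registry, debugger)))
    return attempts

def find_ifeo_debuggers(registry):
    """Defender's audit: every image whose IFEO subkey carries a Debugger value."""
    return sorted((image, vals["Debugger"]) for image, vals in registry.items() if "Debugger" in vals)

if __name__ == "__main__":
    notepad = r"C:\Windows\System32\notepad.exe"
    for a in create_process_internal(SAMPLE_REGISTRY, notepad, notepad):
        print(f"NtCreateUserProcess({a.image!r}) -> 0x{a.status:08X}  cmdline={a.command_line!r}")
    print("Debugger entries:", find_ifeo_debuggers(SAMPLE_REGISTRY))
```

The second Attempt reproduces the command line the article observed, "C:\Users\Administrator\Desktop\test.exe C:\Windows\System32\notepad.exe", with status 0.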