
How Windows 10 process hollowing works

2025-01-22 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

In this issue, the editor explains how process hollowing works on Windows 10. The article walks through the technique step by step with a professional analysis of each API involved; I hope you take something away from it.

Preface

Replacing a normal process with another image (process hollowing) in a Win10 x64 environment is a fairly advanced technique. With it, a virus or Trojan can be executed purely in memory, which is how it evades file-level antivirus detection: the Trojan is encrypted with DES and stored as a resource; when the carrier runs, the payload is extracted from the resource, decrypted by DES in memory, and injected into a system process.

Environment

1. VisualStudio 2015 Enterprise Edition

2. Ordinary program Notepad.exe (C:\windows\system32\Notepad.exe)

3. Trojan program MalWare.exe

4. Source code download: http://www.isafe.cc/article.asp?id=77

5. EXE download: http://www.isafe.cc/article.asp?id=77

Steps

1. Create a suspended notepad.exe process
2. Read the main thread's context
3. Read the process memory to obtain the original entry point of Notepad.exe
4. Unmap the memory occupied by the Notepad.exe image
5. Load the MalWare.exe binary into a memory buffer
6. Allocate a memory region inside the Notepad.exe process
7. Write MalWare.exe into the Notepad.exe process
8. Modify the Notepad.exe sections
9. Modify the Notepad.exe entry point
10. Resume the main thread; the injection is complete
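The sequence above is also what a defender looks for. As an added example (not code from the article or its download), here is a small detector that searches for this exact cross-process API chain in a constructed call trace, the way an endpoint sensor that logs cross-process operations would see it. The trace format, PIDs and sizes are invented for the demo; the ordering check is the point: a CreateProcess with CREATE_SUSPENDED, followed by NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext and ResumeThread against the same child, is the hollowing chain.

```python
"""Flag the process-hollowing API chain in a cross-process call trace.

Added example; not the article's code. The trace format below is constructed
for this demo (timestamp, caller PID, API, target PID, key=value extras).
"""
from collections import defaultdict

# Constructed sample trace. PID 4242 performs the full chain against 5150;
# 6000 starts a child normally; 7000 creates a suspended child but only resumes it.
SAMPLE_TRACE = """\
100 4242 CreateProcessW 5150 flags=0x4 image=C:\\Windows\\notepad.exe
101 4242 GetThreadContext 5150 -
102 4242 ReadProcessMemory 5150 size=8
103 4242 NtUnmapViewOfSection 5150 base=0x7ff6a0000000
104 4242 VirtualAllocEx 5150 size=0x1c000
105 4242 WriteProcessMemory 5150 size=0x400
106 4242 WriteProcessMemory 5150 size=0x1b000
107 4242 SetThreadContext 5150 -
108 4242 ResumeThread 5150 -
200 6000 CreateProcessW 6001 flags=0x0 image=C:\\Windows\\notepad.exe
201 6000 ResumeThread 6001 -
300 7000 CreateProcessW 7001 flags=0x4 image=C:\\Windows\\notepad.exe
301 7000 ResumeThread 7001 -
"""

CREATE_SUSPENDED = 0x00000004   # dwCreationFlags bit from the Win32 API

# Stages of the chain, in the order they must occur for one (caller, child) pair.
STAGES = ("CreateProcess(CREATE_SUSPENDED)", "NtUnmapViewOfSection",
          "WriteProcessMemory", "SetThreadContext", "ResumeThread")

def parse_line(line):
    """Split one constructed trace line into its fields."""
    ts, caller, api, target, extra = line.split(" ", 4)
    kv = dict(item.split("=", 1) for item in extra.split() if "=" in item)
    return {"ts": int(ts), "caller": int(caller), "api": api,
            "target": int(target), "kv": kv}

def stage_of(event):
    """Map an event to a chain stage, or None if it is not part of the chain."""
    api = event["api"]
    if api in ("CreateProcessA", "CreateProcessW"):
        flags = int(event["kv"].get("flags", "0"), 16)
        return STAGES[0] if flags & CREATE_SUSPENDED else None
    return api if api in STAGES else None

def detect_hollowing(trace):
    """Return (caller_pid, child_pid) pairs that completed every stage in order."""
    progress = defaultdict(int)          # (caller, child) -> index of next stage
    alerts = []
    for line in trace.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        stage = stage_of(ev)
        if stage is None:
            continue
        key = (ev["caller"], ev["target"])
        idx = progress[key]
        # Only the next expected stage advances the state; repeats (a second
        # WriteProcessMemory) and out-of-order calls (ResumeThread with nothing
        # written) do not.
        if idx < len(STAGES) and stage == STAGES[idx]:
            progress[key] += 1
            if progress[key] == len(STAGES):
                alerts.append(key)
    return alerts

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))   # [(4242, 5150)]
```

Real telemetry (Sysmon process-access events, ETW, an EDR's API hooks) uses different field names, but the state machine transfers directly. Requiring the unmap and write stages, not just a suspended creation followed by SetThreadContext, matters for precision: debuggers and some installers legitimately create suspended children and touch their thread context.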

Code walkthrough

1. Create a suspended notepad.exe process

BOOL WINAPI CreateProcess(
    _In_opt_    LPCTSTR               lpApplicationName,
    _Inout_opt_ LPTSTR                lpCommandLine,
    _In_opt_    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    _In_opt_    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    _In_        BOOL                  bInheritHandles,
    _In_        DWORD                 dwCreationFlags,
    _In_opt_    LPVOID                lpEnvironment,
    _In_opt_    LPCTSTR               lpCurrentDirectory,
    _In_        LPSTARTUPINFO         lpStartupInfo,
    _Out_       LPPROCESS_INFORMATION lpProcessInformation
);

A.) lpApplicationName is the path of the executable to run, for example:

C:\programfiles\sub dir\program.exe

C:\program files\a.exe

Netstat

B.) lpCommandLine is the command line passed to the application, for example -an.

C.) lpProcessAttributes: a SECURITY_ATTRIBUTES structure for the new process.

D.) lpThreadAttributes: a SECURITY_ATTRIBUTES structure for the new process's main thread.

E.) bInheritHandles specifies whether the child process inherits the calling process's inheritable handles; FALSE means it does not.

F.) dwCreationFlags holds the process-creation flags; CREATE_SUSPENDED creates the process with its main thread suspended.

G.) lpEnvironment points to the environment block for the new process. If this parameter is NULL, the new process uses the environment of the calling process.

H.) lpCurrentDirectory points to a NULL-terminated string that specifies the working directory of the child process. The string must be an absolute path including the drive letter. If this parameter is NULL, the new process uses the same drive and directory as the calling process.

I.) lpStartupInfo points to a STARTUPINFO structure that determines how the main window of the new process is shown.

J.) lpProcessInformation points to a PROCESS_INFORMATION structure that receives the new process's handles and identifiers.

The CreateProcess call creates the process. cAppName is C:\\Windows\\notepad.exe, the path of the program file; the sixth parameter is CREATE_SUSPENDED, which creates the process in a suspended state. The last two parameters, si and pi, receive information about the new process (the process handle, the thread handle, and so on).

2. Read the thread context

The GetThreadContext function retrieves the thread context.

pi.hThread is the handle of the suspended main thread.

context is the CONTEXT structure that receives the thread's register state.

3. Read the original entry point of Notepad.exe

The ReadProcessMemory function reads memory from another process. Here dwVictimBaseAddr receives the data that is read, with a size of 4 bytes.

Prototype

BOOL ReadProcessMemory(HANDLE hProcess, LPCVOID lpBaseAddress, LPVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesRead)

The first parameter, hProcess, is the handle of the process to read from.

The second parameter, lpBaseAddress, is the address in the target process at which reading starts.

The third parameter, lpBuffer, is the buffer that receives the data.

The fourth parameter, nSize, is the number of bytes to read.

The fifth parameter, lpNumberOfBytesRead, receives the number of bytes actually read.

The function returns 0 (FALSE) if the call fails.

4. Unmap the memory occupied by Notepad.exe

pfnNtUnmapViewOfSection is a function pointer to NtUnmapViewOfSection in ntdll.dll; it is used to unmap the image section that Notepad.exe occupies in the process.

5. Allocate a memory region in the Notepad.exe process

The VirtualAllocEx function allocates a region of memory inside the specified process.

Function prototype:

LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType, DWORD flProtect)

The first parameter, hProcess, is a handle to the process in which the region is allocated.

The second parameter, lpAddress, is the desired starting address of the region.

The third parameter, dwSize, is the size of the region to allocate.

The fourth parameter, flAllocationType, is the allocation type of the region.

The fifth parameter, flProtect, is the memory protection of the region.

6. Inject MalWare.exe into the Notepad.exe process and modify the Notepad.exe sections and PE file header

The WriteProcessMemory function writes arbitrary data into the Notepad.exe process.

Function prototype:

BOOL WINAPI WriteProcessMemory(HANDLE hProcess, LPVOID lpBaseAddress, LPCVOID lpBuffer, SIZE_T nSize, SIZE_T *lpNumberOfBytesWritten)

The first parameter, hProcess, is the handle of the process to write to.

The second parameter, lpBaseAddress, is the address in the target process at which writing starts.

The third parameter, lpBuffer, is the buffer holding the data to write.

The fourth parameter, nSize, is the number of bytes to write.

The fifth parameter, lpNumberOfBytesWritten, receives the number of bytes actually written.

7. Modify the entry point of Notepad.exe

On x64, the Rcx register in the thread context holds the entry point.

8. Resume the main thread

The SetThreadContext() function writes the modified context back to the thread, with Rcx set to the new entry point address.

The ResumeThread() function starts the suspended thread.
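The same entry-point data the article reads in step 3 and rewrites in step 7 is what a defender inspects afterwards. The example below (added here, not the article's code) parses the PE headers of a constructed on-disk image and of a constructed in-memory image and reports the mismatches a hollowed process shows: section count, AddressOfEntryPoint, preferred ImageBase, and an initial-thread Rcx that no longer points at the disk image's entry point. The header offsets follow the PE/COFF specification; the addresses, sizes, section counts and the PEB image base are invented inputs, and a real check would read the memory copy with ReadProcessMemory at the image base recorded in the target's PEB.

```python
"""Compare a process's on-disk PE header with the header mapped in memory.

Added example; not the article's code. Both header blobs are constructed
in-line with a minimal PE32+ layout. Field offsets follow the PE/COFF
specification; every address and size below is a made-up sample value.
"""
import struct

OPT_HDR_SIZE = 240                 # SizeOfOptionalHeader for PE32+

def build_pe32plus(image_base, entry_rva, nsections):
    """Construct a minimal PE32+ header (DOS header + PE signature + COFF + optional)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x8664, nsections, 0, 0, 0, OPT_HDR_SIZE, 0x22)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x20B)               # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)          # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, image_base)         # ImageBase (8 bytes in PE32+)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def parse_pe_header(data):
    """Return machine, section count, entry RVA and preferred ImageBase from a PE header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, _, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x20B:                                   # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    elif magic == 0x10B:                                 # PE32: 4-byte ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return {"machine": machine, "sections": nsections,
            "entry_rva": entry_rva, "image_base": image_base}

def hollowing_indicators(disk_hdr_bytes, mem_hdr_bytes, peb_image_base, thread_rcx):
    """List the ways the running image disagrees with the file it claims to be."""
    disk = parse_pe_header(disk_hdr_bytes)
    mem = parse_pe_header(mem_hdr_bytes)
    findings = []
    if mem["machine"] != disk["machine"]:
        findings.append("machine type differs from disk image")
    if mem["sections"] != disk["sections"]:
        findings.append("section count differs from disk image")
    if mem["entry_rva"] != disk["entry_rva"]:
        findings.append("AddressOfEntryPoint differs from disk image")
    if mem["image_base"] != disk["image_base"]:
        findings.append("preferred ImageBase differs from disk image")
    # On x64 the initial thread's Rcx holds the entry point the loader will jump to;
    # it should equal the actual load base (from the PEB) plus the disk entry RVA.
    if thread_rcx != peb_image_base + disk["entry_rva"]:
        findings.append("initial thread entry (Rcx) is not the disk image's entry point")
    return findings

# Constructed scenario: notepad.exe's real header vs. a replaced in-memory image.
DISK_BASE, DISK_ENTRY = 0x7FF6A0000000, 0x1A2B0
NOTEPAD_DISK = build_pe32plus(DISK_BASE, DISK_ENTRY, nsections=6)
PAYLOAD_IN_MEMORY = build_pe32plus(0x140000000, 0x1000, nsections=4)

def demo_hollowed():
    """Hollowed case: PEB and Rcx now describe the replacement image."""
    return hollowing_indicators(NOTEPAD_DISK, PAYLOAD_IN_MEMORY,
                                peb_image_base=0x140000000,
                                thread_rcx=0x140000000 + 0x1000)

def demo_clean():
    """Untouched case: memory header matches disk and Rcx is the real entry point."""
    return hollowing_indicators(NOTEPAD_DISK, NOTEPAD_DISK,
                                peb_image_base=DISK_BASE,
                                thread_rcx=DISK_BASE + DISK_ENTRY)

if __name__ == "__main__":
    print("hollowed:", demo_hollowed())
    print("clean   :", demo_clean())
```

The Rcx check is deliberately computed against the PEB image base rather than the header's ImageBase field, because under ASLR a legitimately relocated process keeps its preferred base in the mapped header while actually running elsewhere; comparing header against header avoids that false positive, and comparing Rcx against the PEB base catches the rewritten entry point from step 7.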

Compile to EXE

It must be compiled with Visual Studio 2015. Source code download: http://www.isafe.cc/article.asp?id=77

In Solution Explorer, right-click the project -> Rebuild.

The output window should report 1 succeeded (note that a 64-bit Release build is generated here).

Compile MalWare.exe to EXE

Source code download: http://www.isafe.cc/article.asp?id=77

Open VS2015 and click the menu [File] -> [Open] -> [Project/Solution].

Open the Malware.vcxproj project file and build it with the Release configuration and the x64 platform.

The output window reports 1 succeeded.

Win10 platform testing

Copy ProcessReplacement.exe into the virtual machine.

Double-click it; a prompt appears saying a file is missing. Copy vcruntime140.dll from the VS2015 environment into the virtual machine.

Double-click ProcessReplacement.exe again to run it.

The Win10 x64 process hollowing technique introduced above can be used to evade file-level detection of Trojans.

The above is the editor's explanation of how Windows 10 process hollowing works; if you have similar questions, you may refer to the analysis above. If you want to know more, you are welcome to follow the industry information channel.
