VMI process hollowing #290

Open
tklengyel opened this Issue Aug 4, 2017 · 2 comments

tklengyel commented Aug 4, 2017

The current implementation of injector simply starts a process already present on the filesystem of the VM (or injects commands to download one). Directly injecting a binary into memory would eliminate a lot of setup steps involved with starting external binaries within a VM by employing process hollowing. The technique relies on creating a new process with the CREATE_SUSPENDED flag set, then replacing the in-memory loaded code with that of the external binary. When the process is started, the new code will execute in the shell of the old process.

See http://www.autosectools.com/process-hollowing.pdf for more information on the general concept of process hollowing.

@tklengyel tklengyel self-assigned this Aug 4, 2017

saimoon commented Sep 10, 2017

After creating a new process with CREATE_SUSPENDED (call its image SRC) and injecting the host binary into that process's address space (call the injected image DEST), any idea how to execute DEST without the hollowing technique of unmapping the section of SRC, allocating new memory, etc.? (This way will work, but I'd like to see a smarter one... we have full OS control, after all.)
If the SRC sections' size is smaller than the DEST ones we can replace physical pages using altp2m (maybe it will work), but what when SRC is bigger? Maybe hooking CreateProcess when it calls CreateSection and maps the SRC file? I'm curious about new ideas.

tklengyel commented Sep 11, 2017

I haven't looked into it more in-depth yet, but I would assume that if the memory allocated for the image that will get replaced is larger than the one we want to inject then we don't have an issue: we can just overwrite that memory space and then zero out the parts we don't need. If the memory space is smaller, then I would guess additional steps would be needed.
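The two comments above turn on one number: the SizeOfImage that the loader reserved for the original (SRC) image versus the SizeOfImage of the image that replaces it (DEST). That same field is also what an analyst compares when checking whether a running process has been hollowed, since the PE header mapped in memory no longer matches the file on disk. The following is an added example, not code from this issue or from the DRAKVUF project: it parses the COFF and optional headers of a PE image (PE32 and PE32+), reports the header fields that disagree between an on-disk copy and an in-memory copy, and answers the "does DEST fit inside SRC" question. The two headers it works on are constructed inline with the hypothetical helper `build_minimal_pe`; the addresses and sizes in them are made-up sample values, not values from any real binary.

```python
import struct

# Offsets from the PE/COFF specification. The DOS stub holds e_lfanew at 0x3C,
# which points at "PE\0\0"; the 20-byte COFF header follows, then the optional
# header whose magic distinguishes PE32 (0x10B) from PE32+ (0x20B).
E_LFANEW_OFFSET = 0x3C
COFF_HEADER_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, ...
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(data: bytes) -> dict:
    """Return the header fields an analyst compares between disk and memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]   # 8-byte ImageBase
    elif magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]   # BaseOfData precedes it
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    return {
        "machine": machine,
        "number_of_sections": n_sections,
        "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
        "image_base": image_base,
        "size_of_image": struct.unpack_from("<I", data, opt + 56)[0],  # same offset in both formats
    }


def hollowing_indicators(disk_hdr: dict, mem_hdr: dict) -> list:
    """Fields that differ between the on-disk header and the one mapped in the
    process; a hollowed process typically disagrees on all three."""
    findings = []
    for field in ("size_of_image", "entry_point", "number_of_sections"):
        if disk_hdr[field] != mem_hdr[field]:
            findings.append(f"{field}: disk={disk_hdr[field]:#x} memory={mem_hdr[field]:#x}")
    return findings


def fits_in_host(host_hdr: dict, injected_hdr: dict) -> bool:
    """The condition discussed above: the replacement image fits in the memory
    the loader already reserved for the host image."""
    return injected_hdr["size_of_image"] <= host_hdr["size_of_image"]


def build_minimal_pe(image_base: int, entry_point: int, size_of_image: int,
                     number_of_sections: int) -> bytes:
    """Hypothetical helper: emit just enough of a PE32+ header for the parser.
    The values are constructed sample data, not taken from any real binary."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    coff = struct.pack(COFF_HEADER_FMT, 0x8664, number_of_sections, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)                      # PE32+ optional header is 240 bytes
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)
    struct.pack_into("<Q", opt, 24, image_base)
    struct.pack_into("<I", opt, 32, 0x1000)   # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)    # FileAlignment
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<I", opt, 60, 0x400)    # SizeOfHeaders
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed sample: what the file on disk says, versus what is mapped in memory
DISK_HEADER = parse_pe_header(build_minimal_pe(0x140000000, 0x1000, 0x20000, 3))
MEMORY_HEADER = parse_pe_header(build_minimal_pe(0x140000000, 0x2340, 0x45000, 5))

if __name__ == "__main__":
    for line in hollowing_indicators(DISK_HEADER, MEMORY_HEADER):
        print("mismatch", line)
    print("replacement fits in host:", fits_in_host(DISK_HEADER, MEMORY_HEADER))
```

On a live system the "memory" header would be read from the process's image base (in a VMI setting, through the guest's page tables) and the "disk" header from the file the process claims to be running; any mismatch in the three compared fields is the classic hollowing indicator, and `fits_in_host` is the size test the comments above are reasoning about.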
