VMI Doppelgänging injection #332

Closed
saimoon opened this Issue Dec 13, 2017 · 8 comments


saimoon commented Dec 13, 2017

As highlighted in issue #290, the current implementation of the injector has some cons.
Directly injecting a binary will be a great improvement.
Process hollowing was not the best way (suspicious, missing file mapping, forensics and other known problems...).
A new injection method was introduced at London BlackHat 2017, named Doppelgänging:

https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf

It could be implemented in the VMI world.

JohnPeng47 commented Apr 3, 2018

Hey, I would like to take this task if no one else has started working on it. Reading through the code in libinjector, I came across the following reference to Rekall in the injector_start_app function:

```c
// Get the offsets from the Rekall profile: each offset_names[i] is a
// (struct name, member name) pair looked up in the profile's struct layouts.
unsigned int i;
for (i = 0; i < OFFSET_MAX; i++)
{
    if ( !drakvuf_get_struct_member_rva(injector.rekall_profile, offset_names[i][0], offset_names[i][1], &injector.offsets[i]))
    {
        PRINT_DEBUG("Failed to find offset for %s:%s\n", offset_names[i][0],
                    offset_names[i][1]);
    }
}
```

Googling for Rekall, I found out it is a memory forensics framework. Just wanted to ask, what is Rekall being used for in DRAKVUF, and in this code snippet in particular?

ghost commented Apr 3, 2018

Hi JohnPeng47,
you can check my branch:

https://github.com/saimoon/drakvuf/tree/doppelganging

I developed this kind of injection, but the code (or the technique?!?) has proved not so efficient; I had problems with it and until now I haven't had time to check it (it worked only using the "explorer" process as target...)

If you'll experiment with it, please let us know...

tklengyel (Owner) commented Apr 3, 2018

@JohnPeng47 Rekall is used to create an easily readable debug profile for the target operating system; this is what we call the "Rekall profile". It is a JSON file containing a bunch of important information about function RVAs and structure layouts.
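As an added illustration of what the injector loop quoted above asks of the profile (this is not DRAKVUF's or Rekall's own code): a small Python reader for a Rekall-profile-style JSON, with a constructed sample in the `$STRUCTS`/`$FUNCTIONS` layout I assume the profile uses, that resolves (struct, member) pairs to offsets and reports the ones that are missing, the case where `drakvuf_get_struct_member_rva` returns false.

```python
import json

# Constructed sample in the shape of a Rekall profile (assumption: "$STRUCTS" maps
# a struct to [size, {member: [offset, type]}], "$FUNCTIONS" a symbol to its RVA).
SAMPLE_PROFILE = json.dumps({
    "$FUNCTIONS": {"PsGetCurrentProcess": 0x123456, "NtCreateFile": 0x0a0b0c},
    "$STRUCTS": {
        "_EPROCESS": [2176, {
            "ActiveProcessLinks": [0x2e8, ["_LIST_ENTRY", {}]],
        }],
        "_KPROCESS": [688, {"DirectoryTableBase": [0x28, ["unsigned long long", {}]]}],
    },
})

# (struct, member) pairs, like offset_names[i][0] / offset_names[i][1] in the
# injector loop; the last pair is deliberately absent from the sample.
OFFSET_NAMES = [
    ("_EPROCESS", "ActiveProcessLinks"),
    ("_KPROCESS", "DirectoryTableBase"),
    ("_EPROCESS", "DoesNotExist"),
]


class RekallProfile:
    def __init__(self, text):
        data = json.loads(text)
        self.structs = data.get("$STRUCTS", {})
        self.functions = data.get("$FUNCTIONS", {})

    def member_rva(self, struct, member):
        """Offset of member inside struct, or None if either is unknown."""
        entry = self.structs.get(struct)
        if not entry or member not in entry[1]:
            return None
        return entry[1][member][0]

    def function_rva(self, name):
        return self.functions.get(name)  # None if the profile lacks the symbol


def resolve_offsets(profile, names):
    """Like the injector loop: collect offsets found, report pairs that failed."""
    found, missing = {}, []
    for struct, member in names:
        rva = profile.member_rva(struct, member)
        if rva is None:
            missing.append(f"{struct}:{member}")  # what PRINT_DEBUG would log
        else:
            found[(struct, member)] = rva
    return found, missing
```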

JohnPeng47 commented Apr 3, 2018

@MICSEC Ok will do. Which version of Windows did you test it on?

saimoon commented Apr 3, 2018

@JohnPeng47: code tested on Windows 10.

Saimoon (ex @MICSEC, wrong account before :)

JohnPeng47 commented Apr 3, 2018

mdolmen (Contributor) commented May 1, 2018

Hi! I'm working on this task as part of my Summer of Code project.

@saimoon: maybe you tried to inject a 64-bit process into a 32-bit one. If not, I think the problem comes from the DLL path passed as an argument to RtlCreateProcessParameters. Still, I haven't figured out yet how to correctly pass it to the function; during my last tests it was never taken into account. I have to dig more into that and redo my tests with the last Windows update. I've written some code to do it from a Windows machine (without Drakvuf); you can check it here: https://github.com/mdolmen/proc_dopp (you will have to tune it a little to run it: filenames, etc.)

mdolmen added a commit to mdolmen/drakvuf that referenced this issue Aug 3, 2018

Add process doppelganging injection support via a shellcode. Solve tklengyel#332

Provides the shellcode and the source code used to generate it.

Allows injecting a binary into the guest's filesystem and executing it. It
has some limitations due to the technique itself as well as the current
implementation. For example certain programs fail to locate some DLLs.

Also, you need to have write permission on the guest process used as a
cover, otherwise the call to `CreateFileTransacted` will fail.

tklengyel added a commit that referenced this issue Sep 4, 2018

Process doppelganging injection support (#444)
* [In progress..] Universal function to set the stack

* [In progress..] Universal function to set the stack

* [In progress..] Universal function to set the stack

* Universal function to set the stack (64 bit only)

* Fixes astyle

* [In progress..] Exec shellcode : add VirtualAlloc support

* [In progress..] Exec shellcode : write SC to memory

* Revert "[In progress..] Exec shellcode : write SC to memory"

This reverts commit b20ff67.

* Revert "[In progress..] Exec shellcode : add VirtualAlloc support"

This reverts commit 11f60cc.

* Universal function to set the stack (32 bit)

* Fixes astyle

* Add process doppelganging injection support via a shellcode. Solve #332

Provides the shellcode and the source code used to generate it.

Allows injecting a binary into the guest's filesystem and executing it. It
has some limitations due to the technique itself as well as the current
implementation. For example certain programs fail to locate some DLLs.

Also, you need to have write permission on the guest process used as a
cover, otherwise the call to `CreateFileTransacted` will fail.

* Add process doppelganging injection support via a shellcode. Solve #332

Provides the shellcode and the source code used to generate it.

Allows injecting a binary into the guest's filesystem and executing it. It
has some limitations due to the technique itself as well as the current
implementation. For example certain programs fail to locate some DLLs.

Also, you need to have write permission on the guest process used as a
cover, otherwise the call to `CreateFileTransacted` will fail.

* Adds a more detailed comment

* Fixes astyle for shellcode source code

* Fixes astyle for shellcode source code

* Adds precision to help message

* Removes unused structure

* Fix infinite loop when additional breakpoint is never hit

* Check Windows build before setting additional breakpoint

* Move build date check

* Add DRAKVUF licence

tklengyel (Owner) commented Sep 4, 2018

Implemented by #444

@tklengyel tklengyel closed this Sep 4, 2018
