Code and DLL Injection.
#1
Hey guys, quick question. Do you know if there are any applications/services, or more specifically the procs related to those, on Windows 7 and/or later that would be suited for code or DLL injection without having to bypass UAC? I'm writing a piece of malware, but in order to execute some functionality I need to be able to inject either shellcode or a DLL into an already running process. Now I know there are ways of bypassing UAC, and if there are no other options I will. But I figured some of you might be familiar with certain procs that can be injected "as is", if you will.

Failing that, I read on Twitter the other day that there was a technique for UAC bypass/PrivEsc on Windows that involved making a directory with trailing spaces in the name; apparently Windows doesn't like that, but if done in a certain way it allows you to put stuff in that directory and have it essentially auto-elevate. I don't have an article at hand, but if you do, preferably one that goes into technical detail, I'd be very grateful if you could post it.

Oh, and with regard to the proc to inject into, there should be a couple, unless I am remembering it inaccurately. Whatever the case, thanks in advance for any help you may be able to provide.
#2
By the way, if you find the fact that I am writing malware morally objectionable, I'd like to let you know that I am creating it as part of an open source project, a little like I did with my Cypher ransomware, which you can find on my GitHub.
#3
First of all, sorry for the late reply; I've been very busy lately.
Second, I don't really understand your question: why Windows 7? And what are you referring to with "procs related to those"?

Maybe for some inspiration you could check other malware such as Zeus/Zbot, which injects code into processes like winlogon, explorer, csrss or smss.

The main functions you want to use are:

CreateRemoteThread(), or whatever other API function starts execution in the remote process.
WriteProcessMemory()
SetWindowsHookEx()

GetProcAddress()
LoadLibraryA()
VirtualAllocEx()

These seem to be more or less the standard; however, I have seen other implementations/methods, like the one zerosum0x0 did using SetThreadContext() and NtContinue().
https://zerosum0x0.blogspot.com/2017/07/...ction.html

As always, GitHub has a lot of implementations and good explanations, like this one:
https://github.com/stephenfewer/ReflectiveDLLInjection

From what I know, what is usually done is to review the memory sections that are marked as PAGE_EXECUTE_READWRITE (or RWX) and try to parse out the injected code from that memory.
Here you have an open source tool that basically does what I said; you can look at the code and reverse engineer the behavior:
http://hooked-on-mnemonics.blogspot.com/p/injdmp.html

For game hacking, where DLLs are used too, people use "manual mapping", also referred to as "manual DLL injection". You can check a YouTube channel called "Guided Hacking", which is a lot of fun and very informative. As I said, he is more focused on hacking games, but I suppose it could help for your project too.

Most detection-proof cheats use virtual machines that interact with the process from the outside, or hide in ring 0 and create a debugger that interacts with the process. In conclusion, all you want is to avoid the detection of your hooks.

DEFCON has a lot of good talks about code injection; this one is about reflective DLL injection, which I suppose is what you are trying to achieve.
https://www.defcon.org/images/defcon-20/...ection.pdf
And the tool he mentions can be found here:
https://github.com/aking1012/dc20

DLLs are tracked in three different doubly-linked lists for each process. What you want to achieve is to unlink the loaded DLLs from these lists. This is a representation of roughly how it looks:
[Image: EPROCESS.png]
source: https://www.aldeid.com/wiki/EPROCESS

I found an article which looks pretty good:
http://jumpdollar.blogspot.com/2014/09/w...lists.html

The detection of injected processes is also achieved by enumerating DLLs injected by the OS via registry key. You want to use AppInit_DLLs or AppCertDLLs.

Reading more about kernel manipulation, you can look into DKOM (which stands for Direct Kernel Object Manipulation), which can help you with hiding processes, adding privileges, etc.

Good luck my friend, and hope to see your code up soon ;)
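The reply above mentions the usual defender-side check: walk a process's memory regions and look for committed pages that are executable and writable at once (RWX), or executable but not backed by an image on disk, since that is where injected shellcode and manually mapped DLLs tend to live. The following is an added example, not code from the thread or from injdmp: a small classifier with a constructed set of sample regions so it runs on any host, plus a Windows-only enumerator built on the documented VirtualQueryEx() API. The region names, flag names and sample addresses are this example's own inventions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Win32 page-protection and region-type constants, defined here with the same
 * values as winnt.h so the classifier also builds on a non-Windows host. */
#ifndef PAGE_EXECUTE
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define MEM_PRIVATE             0x20000
#define MEM_MAPPED              0x40000
#define MEM_IMAGE               0x1000000
#endif

/* Portable description of one committed region; mirrors the fields of
 * MEMORY_BASIC_INFORMATION that the check needs (hypothetical struct name). */
typedef struct {
    uint64_t base;
    uint64_t size;
    uint32_t protect;  /* PAGE_* value */
    uint32_t type;     /* MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE */
} region_t;

enum {
    FLAG_NONE = 0,
    FLAG_RWX = 1,          /* executable and writable at the same time */
    FLAG_PRIVATE_EXEC = 2  /* executable but not backed by a file on disk */
};

/* Classify one region. PAGE_GUARD / PAGE_NOCACHE live above the low byte,
 * so they are masked off before the protection is inspected. */
unsigned classify_region(const region_t *r)
{
    unsigned flags = FLAG_NONE;
    uint32_t p = r->protect & 0xFF;
    int exec = (p & (PAGE_EXECUTE | PAGE_EXECUTE_READ |
                     PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
    int writable = (p & (PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
    if (exec && writable)              flags |= FLAG_RWX;
    if (exec && r->type == MEM_PRIVATE) flags |= FLAG_PRIVATE_EXEC;
    return flags;
}

/* Copy every flagged region into hits; returns the number of hits. */
size_t scan_regions(const region_t *regions, size_t n, region_t *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t i = 0; i < n && found < max_hits; i++)
        if (classify_region(&regions[i]) != FLAG_NONE)
            hits[found++] = regions[i];
    return found;
}

/* Constructed sample layout standing in for a live process: a normal PE,
 * a heap, one RWX private block and one private RX block. */
const region_t SAMPLE_REGIONS[] = {
    { 0x00400000, 0x01000, 0x02, MEM_IMAGE   },  /* PE header, read-only      */
    { 0x00401000, 0x20000, 0x20, MEM_IMAGE   },  /* .text, RX from disk       */
    { 0x00421000, 0x05000, 0x04, MEM_PRIVATE },  /* heap, RW                  */
    { 0x00600000, 0x01000, 0x40, MEM_PRIVATE },  /* RWX private: suspicious   */
    { 0x00700000, 0x02000, 0x20, MEM_PRIVATE },  /* RX private: JIT or inject */
    { 0x7FF00000, 0x10000, 0x02, MEM_MAPPED  },  /* mapped data file, RO      */
};
const size_t SAMPLE_COUNT = sizeof SAMPLE_REGIONS / sizeof SAMPLE_REGIONS[0];

#ifdef _WIN32
/* Walk a live process with VirtualQueryEx(); needs PROCESS_QUERY_INFORMATION,
 * and SeDebugPrivilege for processes owned by another user. */
size_t enumerate_process_regions(DWORD pid, region_t *out, size_t max)
{
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION, FALSE, pid);
    MEMORY_BASIC_INFORMATION mbi;
    unsigned char *addr = NULL;
    size_t n = 0;
    if (!h) return 0;
    while (n < max && VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT) {
            out[n].base = (uint64_t)(uintptr_t)mbi.BaseAddress;
            out[n].size = mbi.RegionSize;
            out[n].protect = mbi.Protect;
            out[n].type = mbi.Type;
            n++;
        }
        unsigned char *next = (unsigned char *)mbi.BaseAddress + mbi.RegionSize;
        if (next <= addr) break;   /* address space wrapped: stop */
        addr = next;
    }
    CloseHandle(h);
    return n;
}
#endif

int main(int argc, char **argv)
{
    static region_t live[4096];
    region_t hits[64];
    const region_t *regions = SAMPLE_REGIONS;
    size_t count = SAMPLE_COUNT;
#ifdef _WIN32
    if (argc > 1) {   /* usage: memscan.exe <pid>; otherwise the sample is used */
        count = enumerate_process_regions((DWORD)strtoul(argv[1], NULL, 10), live, 4096);
        regions = live;
    }
#else
    (void)argc; (void)argv; (void)live;
#endif
    size_t n = scan_regions(regions, count, hits, 64);
    for (size_t i = 0; i < n; i++)
        printf("0x%016llx size 0x%llx protect 0x%02x type 0x%x flags %u\n",
               (unsigned long long)hits[i].base, (unsigned long long)hits[i].size,
               hits[i].protect, hits[i].type, classify_region(&hits[i]));
    printf("%zu suspicious region(s)\n", n);
    return 0;
}
```

Against the constructed sample this reports two regions: the RWX private block (both flags) and the private RX block (FLAG_PRIVATE_EXEC only). On a live system the second rule is the noisy one, since JIT engines such as the .NET runtime and browser script engines legitimately allocate private executable memory, and some packers leave image sections as PAGE_EXECUTE_READWRITE; tools like injdmp go a step further and parse the flagged memory for PE headers or known shellcode prologues before raising an alert.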