[HN Gopher] Early Cascade Injection: From Windows process creati...
___________________________________________________________________
Early Cascade Injection: From Windows process creation to stealthy
injection
Author : wsintra2022
Score : 74 points
Date : 2024-11-09 17:55 UTC (5 hours ago)
(HTM) web link (www.outflank.nl)
(TXT) w3m dump (www.outflank.nl)
| purplehat_ wrote:
| This is a great writeup, thanks for posting it. The post mentions
| Early Bird APC is a fairly recent development, around 2018, but
| process injection has been around for a long time. Is there any
| theoretical work being done towards locking down processes
| against injection in more robust ways than simply making sure
| there is no temporal chance to inject malicious code? I'm
| thinking something along the lines of CFI, but for processes
| instead of subroutines, would be useful if it could be made to
| work.
| haxorudjsk wrote:
| The whole reason this complicated method was researched is
| exactly because the traditional injection routes are locked
| down/easily monitored.
|
| In a previous life where I had to find a way to stealthily
| inject Chrome (in the presence of good anti-viruses), the
| solution was to find an obscure type of Windows shell extension
| which if registered would automatically be loaded by Windows
| into Chrome without triggering an alert.
| wslh wrote:
| Great! We have been working on Windows Process (and COM)
| injection since 2003 [1][2][3]. I need to talk with the current
| development team about reviewing it with the EDR-Preloading
| technique. We have a driver also that suspends a new process
| before hooking it; we also hook existing processes.
|
| Business-wise our work on this went down once Microsoft Detours
| was made FOSS, even though our products have other capabilities. A
| good old thread is here [4].
|
| [1] https://github.com/nektra/Deviare2
|
| [2] https://github.com/nektra/Deviare-InProc
|
| [3] https://github.com/nektra/RemoteBridge
|
| [4] https://www.reddit.com/r/programming/comments/22crn0/gpl_alt...
| anaisbetts wrote:
| I'm surprised the call to WriteProcessMemory or creating
| suspended processes isn't being picked up; it usually gets you a
| lot of points on the "Detect binary as malware heuristic"
| detector.
| seligman99 wrote:
| I suspect this is where Windows backwards compatibility bites
| them a bit. I've got a very old tool [1] that uses
| WriteProcessMemory and CreateRemoteThread to create a thread in
| the command process that launched it to remotely change the
| directory in that process.
|
| It works to this day, despite looking exactly like what malware
| would do. My tool is nothing in the grand scheme, but I suspect
| I'm not the only one doing these sorts of shenanigans, and no
| doubt some big important app is doing it and can't be bothered
| to fix itself, so MS is stuck supporting it.
|
| [1] https://github.com/seligman/ccd
| ale42 wrote:
| If the Windows API provides those functions in the first place,
| I guess there are good reasons to use them. Of course if you're
| watching out for malware, WriteProcessMemory looks very
| suspicious, but it's not enough to conclude you're in the
| presence of malware.
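The "points on the heuristic detector" idea anaisbetts describes, and ale42's point that one WriteProcessMemory call is not enough on its own, as an added example that is not part of this thread or of the Outflank post: a small scorer over cross-process events that weights a suspended CreateProcess, WriteProcessMemory and CreateRemoteThread per source process and adds a bonus only when the full chain lands in the same target. The event shape, weights, threshold, signed-code discount and all process names are constructed assumptions, not any real EDR's rules.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed event records, shaped roughly like a Sysmon/EDR feed would give us.
@dataclass(frozen=True)
class Event:
    kind: str                 # "CreateProcess" | "WriteProcessMemory" | "CreateRemoteThread"
    source: str               # image name of the process performing the action
    target: str               # image name of the process acted on
    suspended: bool = False   # CreateProcess called with CREATE_SUSPENDED
    signed: bool = False      # source image carries a trusted signature (assumed check)

POINTS = {"suspended_create": 2, "WriteProcessMemory": 3, "CreateRemoteThread": 4}
CHAIN_BONUS = 3   # all three steps observed against the same target
THRESHOLD = 8     # a source scoring at or above this is flagged for review

def score_sources(events):
    """Return {source: (score, reasons)} accumulating points per source process."""
    per_source = defaultdict(lambda: [0, []])
    steps = defaultdict(set)  # (source, target) -> step names seen for that pair
    for e in events:
        if e.kind == "CreateProcess" and e.suspended:
            key = "suspended_create"
        elif e.kind in ("WriteProcessMemory", "CreateRemoteThread"):
            key = e.kind
        else:
            continue
        pts = POINTS[key] // 2 if e.signed else POINTS[key]  # signed code halves the weight
        per_source[e.source][0] += pts
        per_source[e.source][1].append(f"{key} -> {e.target} (+{pts})")
        steps[(e.source, e.target)].add(key)
    for (src, tgt), seen in steps.items():
        if seen == set(POINTS):  # create-suspended, write, remote-thread all into one target
            per_source[src][0] += CHAIN_BONUS
            per_source[src][1].append(f"full injection chain into {tgt} (+{CHAIN_BONUS})")
    return {s: (v[0], v[1]) for s, v in per_source.items()}

def flagged(events):
    """Sources whose accumulated score reaches THRESHOLD, sorted by name."""
    return sorted(s for s, (score, _) in score_sources(events).items() if score >= THRESHOLD)

# Constructed sample: a ccd-style tool writing into its parent cmd.exe, a signed
# overlay hooking a game, and an unsigned dropper running the whole chain.
SAMPLE = [
    Event("WriteProcessMemory", "ccd.exe", "cmd.exe"),
    Event("CreateRemoteThread", "ccd.exe", "cmd.exe"),
    Event("WriteProcessMemory", "overlay.exe", "game.exe", signed=True),
    Event("CreateRemoteThread", "overlay.exe", "game.exe", signed=True),
    Event("CreateProcess", "dropper.exe", "notepad.exe", suspended=True),
    Event("WriteProcessMemory", "dropper.exe", "notepad.exe"),
    Event("CreateRemoteThread", "dropper.exe", "notepad.exe"),
]
```

With these weights the ccd-style write-plus-thread into the parent scores 7 and stays below the threshold, the signed overlay scores 3, and only the unsigned full chain (12) is flagged, which is the distinction the comments above are arguing about.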
| Dwedit wrote:
| Not all overriding and detouring is malicious. For instance,
| Steam detours Direct3D every time you launch a game in order to
| set up the Steam overlay.
| tredre3 wrote:
| Windows offers "legal" ways of DLL injection, which is
| presumably what Steam does, and this article isn't about those
| methods.
___________________________________________________________________
(page generated 2024-11-09 23:00 UTC)