tklengyel / drakvuf

DRAKVUF Black-box Binary Analysis
https://drakvuf.com

VMI process hollowing #290

Open tklengyel opened 7 years ago

tklengyel commented 7 years ago

The current implementation of injector simply starts a process already present on the filesystem of the VM (or injects commands to download one). Directly injecting a binary into memory would eliminate a lot of setup steps involved with starting external binaries within a VM by employing process hollowing. The technique relies on creating a new process with the CREATE_SUSPENDED flag set, then replacing the in-memory loaded code with that of the external binary. When the process is started the new code will execute in the shell of the old process.

See http://www.autosectools.com/process-hollowing.pdf for more information on the general concept of process hollowing.

saimoon commented 7 years ago

After creating a new process with CREATE_SUSPENDED (call its image SRC) and injecting the host binary into that process's address space (call the injected image DEST), any idea how to execute DEST without the hollowing technique of unmapping the section of SRC, allocating new memory etc.? (This way will work, but I'd like to see a smart one... we have full OS control, after all.) If the SRC section sizes are smaller than the DEST ones we can replace physical pages using altp2m (maybe it will work), but what when SRC is bigger? Maybe hooking CreateProcess when it calls CreateSection and maps the SRC file? I'm curious about new ideas.

tklengyel commented 7 years ago

I haven't looked into it more in-depth yet but I would assume that if the memory allocated for the image that will get replaced is larger than the one we want to inject then we don't have an issue; we can just overwrite that memory space and then zero out the parts we don't need. If the memory space is smaller, then I would guess additional steps would be needed.
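The defender's-side counterpart to the technique discussed in this thread, added here as an illustration and not part of DRAKVUF or of the issue: hollowing swaps the mapped image for another binary, so the PE headers at the process image base stop agreeing with the backing file on disk (entry point, SizeOfImage, section table), and that disagreement is what the check below reports. The PE images, including the "in-memory" copy, are constructed samples; in a real check the in-memory bytes would be read from the guest via VMI or from a memory dump.

```python
import struct

# IMAGE_SECTION_HEADER size, standard PE32 optional header size, e_lfanew used by the sample builder
SECTION_HDR_SIZE, OPT_HDR_SIZE, E_LFANEW = 40, 0xE0, 0x40

def build_pe(entry_point, size_of_image, sections):
    """Constructed sample: a minimal PE32 image (headers only); sections = [(name, VirtualSize, VirtualAddress)]."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", E_LFANEW)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE, 0x102)
    opt = bytearray(OPT_HDR_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, entry_point)    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)       # ImageBase
    struct.pack_into("<I", opt, 56, size_of_image)  # SizeOfImage
    secs = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, 0, 0, 0, 0, 0, 0, 0x60000020)
                    for n, vs, va in sections)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + secs

def parse_pe(image):
    """Pull out the header fields a hollowing check compares: entry point, SizeOfImage, section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]        # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]   # FileHeader.SizeOfOptionalHeader
    opt = e_lfanew + 24                                            # OptionalHeader follows the 20-byte FileHeader
    entry, = struct.unpack_from("<I", image, opt + 16)
    size_of_image, = struct.unpack_from("<I", image, opt + 56)
    sec_table = opt + opt_size
    raw = [struct.unpack_from("<8sII", image, sec_table + i * SECTION_HDR_SIZE) for i in range(nsec)]
    return {"entry": entry, "size_of_image": size_of_image,
            "sections": [(n.rstrip(b"\0"), vs, va) for n, vs, va in raw]}

def hollowing_indicators(on_disk, in_memory):
    """Compare the backing file's PE headers with the headers found at the process image base.
    An empty list means the mapped image still describes the file it was created from."""
    disk, mem = parse_pe(on_disk), parse_pe(in_memory)
    findings = []
    for field in ("entry", "size_of_image", "sections"):
        if disk[field] != mem[field]:
            findings.append("%s differs: disk=%r memory=%r" % (field, disk[field], mem[field]))
    return findings

# Constructed samples: the host image as stored on disk, and the headers read back from its image base
# after a smaller binary has replaced the mapped code (the case the thread discusses).
HOST_ON_DISK = build_pe(0x1200, 0x6000, [(b".text", 0x2000, 0x1000), (b".data", 0x1000, 0x3000)])
HOST_IN_MEMORY = build_pe(0x1000, 0x3000, [(b".text", 0x1000, 0x1000), (b".rdata", 0x800, 0x2000)])
```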