Open tklengyel opened 7 years ago
After creating a new process with `CREATE_SUSPENDED` (call its image SRC) and injecting the host binary into that process's address space (call the injected image DEST), any idea how to execute DEST without the hollowing technique of unmapping the section of SRC, allocating new memory, etc.? (This way will work, but I'd like to see a smarter one... we have full control of the OS, after all.) If the SRC section sizes are smaller than the DEST ones, we can replace physical pages using altp2m (maybe it will work), but what about when SRC is bigger? Maybe hooking CreateProcess when it calls CreateSection and maps the SRC file? I'm curious about new ideas.
I haven't looked into it more in-depth yet, but I would assume that if the memory allocated for the image that will get replaced is larger than the one we want to inject, then we don't have an issue: we can just overwrite that memory space and then zero out the parts we don't need. If the memory space is smaller, then I would guess additional steps would be needed.
The current implementation of the injector simply starts a process already present on the filesystem of the VM (or injects commands to download one). Directly injecting a binary into memory would eliminate a lot of the setup steps involved with starting external binaries within a VM, by employing process hollowing. The technique relies on creating a new process with the `CREATE_SUSPENDED` flag set, then replacing the in-memory loaded code with that of the external binary. When the process is started, the new code will execute in the shell of the old process. See http://www.autosectools.com/process-hollowing.pdf for more information on the general concept of process hollowing.
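The size question raised in this thread (can DEST simply be written over SRC's mapping, or does the image have to be unmapped and re-allocated?) can be decided from the two PE headers alone before touching the guest. The following is an added example, not code from DRAKVUF or the injector: it parses the DOS/COFF/optional headers of both images, reads `ImageBase`, `SizeOfImage` and the base-relocation directory, and returns which hollowing path is possible. The sample headers are constructed inline (a 0x20000-byte SRC at `0x140000000`); the Win32 side of hollowing (`NtUnmapViewOfSection`, `VirtualAllocEx`, `WriteProcessMemory`, `SetThreadContext`, `ResumeThread`) is deliberately not included, and the helper names `pe_parse`, `hollow_plan`, `make_pe64` and `plan_for` are this example's own. Header offsets follow the PE/COFF specification.

```c
/* Added example, not DRAKVUF injector code: decide which hollowing path a
 * (SRC, DEST) pair allows by parsing only the two PE headers. The Win32 steps
 * (NtUnmapViewOfSection, VirtualAllocEx, WriteProcessMemory, SetThreadContext,
 * ResumeThread) are not shown; offsets follow the PE/COFF specification. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int      pe32plus;       /* 1 = PE32+ (magic 0x20B), 0 = PE32 (0x10B) */
    uint64_t image_base;     /* preferred load address */
    uint32_t size_of_image;  /* bytes the mapped image occupies */
    uint16_t nsections;
    int      has_relocs;     /* base-relocation directory has a non-zero Size */
    int      dynamic_base;   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE set */
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }
static void wr64(uint8_t *p, uint64_t v) { wr32(p, (uint32_t)v); wr32(p + 4, (uint32_t)(v >> 32)); }

/* DOS header -> "PE\0\0" -> COFF header -> optional header. Every offset is
 * bounds-checked because the injected image is untrusted input. Returns 0 or -1. */
int pe_parse(const uint8_t *buf, size_t len, pe_info *out)
{
    if (len < 0x40 || rd16(buf) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t pe = rd32(buf + 0x3C);                                 /* e_lfanew */
    if (pe > len || len - pe < 4 + 20 + 2) return -1;
    if (rd32(buf + pe) != 0x00004550) return -1;                    /* "PE\0\0" */
    const uint8_t *coff = buf + pe + 4, *opt = coff + 20;
    uint16_t opt_size = rd16(coff + 16), magic = rd16(opt);
    if ((size_t)(opt - buf) + opt_size > len) return -1;
    memset(out, 0, sizeof *out);
    out->nsections = rd16(coff + 2);
    size_t ndirs_off, dir_off;                    /* NumberOfRvaAndSizes, DataDirectory[] */
    if (magic == 0x20B) {                         /* PE32+: 8-byte ImageBase at +24 */
        if (opt_size < 160) return -1;
        out->pe32plus = 1; out->image_base = rd64(opt + 24);
        ndirs_off = 108; dir_off = 112;
    } else if (magic == 0x10B) {                  /* PE32: 4-byte ImageBase at +28 */
        if (opt_size < 144) return -1;
        out->image_base = rd32(opt + 28);
        ndirs_off = 92; dir_off = 96;
    } else return -1;
    out->size_of_image = rd32(opt + 56);
    out->dynamic_base  = (rd16(opt + 70) & 0x0040) != 0;
    if (rd32(opt + ndirs_off) > 5)                /* directory 5 = IMAGE_DIRECTORY_ENTRY_BASERELOC */
        out->has_relocs = rd32(opt + dir_off + 5 * 8 + 4) != 0;
    return 0;
}

typedef enum {
    HOLLOW_INPLACE = 0,      /* DEST fits in SRC's mapping at the same base: overwrite, zero the tail */
    HOLLOW_INPLACE_REBASE,   /* fits, but DEST must be relocated to SRC's ImageBase first */
    HOLLOW_REMAP             /* classic path: unmap SRC, allocate a new region for DEST */
} hollow_path;

hollow_path hollow_plan(const pe_info *src, const pe_info *dest)
{
    if (dest->size_of_image > src->size_of_image) return HOLLOW_REMAP;  /* the "SRC is smaller" case */
    if (dest->image_base == src->image_base) return HOLLOW_INPLACE;
    if (dest->has_relocs) return HOLLOW_INPLACE_REBASE;
    return HOLLOW_REMAP;     /* fixed-base DEST at another address cannot live at SRC's base */
}

/* Constructed sample input: a minimal PE32+ header claiming one (empty) section. */
static void make_pe64(uint8_t buf[0x200], uint64_t image_base, uint32_t size_of_image, int relocs)
{
    memset(buf, 0, 0x200);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, 0x80);                       /* e_lfanew */
    memcpy(buf + 0x80, "PE\0\0", 4);
    uint8_t *coff = buf + 0x84, *opt = coff + 20;
    wr16(coff, 0x8664); wr16(coff + 2, 1); wr16(coff + 16, 240);   /* AMD64, 1 section, opt hdr size */
    wr16(opt, 0x20B); wr64(opt + 24, image_base);
    wr32(opt + 32, 0x1000); wr32(opt + 56, size_of_image); wr32(opt + 108, 16);
    if (relocs) { wr32(opt + 152, 0x3000); wr32(opt + 156, 0x40); }  /* .reloc at RVA 0x3000 */
}

/* SRC is a 0x20000-byte image at 0x140000000; returns the path for the given DEST, or -1. */
int plan_for(uint64_t dest_base, uint32_t dest_size, int dest_relocs)
{
    uint8_t s[0x200], d[0x200]; pe_info si, di;
    make_pe64(s, 0x140000000ULL, 0x20000, 1);
    make_pe64(d, dest_base, dest_size, dest_relocs);
    if (pe_parse(s, sizeof s, &si) || pe_parse(d, sizeof d, &di)) return -1;
    return (int)hollow_plan(&si, &di);
}

/* A header cut off before the COFF header must be rejected, not read past the buffer. */
int truncated_header_rejected(void)
{
    uint8_t b[0x200]; pe_info i;
    make_pe64(b, 0x140000000ULL, 0x20000, 1);
    return pe_parse(b, 0x90, &i) == -1;
}

int main(void)
{
    static const char *name[] = { "in-place", "in-place + rebase", "remap" };
    printf("same base, smaller:      %s\n", name[plan_for(0x140000000ULL, 0x8000, 1)]);
    printf("other base, relocatable: %s\n", name[plan_for(0x400000ULL, 0x8000, 1)]);
    printf("other base, fixed:       %s\n", name[plan_for(0x400000ULL, 0x8000, 0)]);
    printf("DEST larger than SRC:    %s\n", name[plan_for(0x140000000ULL, 0x30000, 1)]);
    return 0;
}
```

Two practical caveats when acting on the result: the in-place paths still require the SRC image pages to be writable from the injector's side (image sections are normally mapped read-only or execute-only, so the protection has to be changed or the pages replaced, which is where the altp2m idea in this thread comes in), and the rebase path means applying DEST's `.reloc` entries against `SRC.ImageBase - DEST.ImageBase` before the copy. `hollow_plan` only tells you which of the three situations you are in.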