
Shield from thread injection

April 17, 2007

Originally posted on rootkit.com
http://www.rootkit.com/blog.php?newsid=640

——————————————————————————————

This method came to me while I was doing some random debugging. The idea struck when I injected a DLL into an Olly-debugged process: the Olly log showed that one thread was created and then terminated. Since DLL loading takes place in user mode, why couldn't I prevent it from loading by hooking some function?

So I put a breakpoint on kernel32.LoadLibraryA() and injected the DLL again. OllyDbg halted, and I traced the stack frame back to one function in kernel32.dll. I injected another DLL, and again I traced back to the same function.

My gut told me that was the function I was looking for. So I began coding and hooked that function. Voila, now Winject reports that the DLL injection failed. But wait, our job is not done yet.

After more debugging I found that my hook was preventing our own threads from being created too. So I needed a way to distinguish a rogue thread from one of our own.

Finally, I found a method used by Piotr Bania to prevent shellcode execution. He used VirtualProtect() to determine whether code is rogue or not. Usually shellcode is injected as the result of a stack overflow or some other memory-based flaw, and that memory has to be writable. If a pointer points into a writable memory section, we can conclude that it was altered by the shellcode.

Yet this method has a flaw. Most packers and protectors modify the PE and mark the image as writable (to decompress or decrypt the content) and don't bother to restore the original protection. That raises a false alarm when we use VirtualProtect() to check the protection. So I thought of a better solution.

I used VirtualQuery() to check the memory type instead. When we create a thread, its start address should normally point to code within the image (which the loader marks as MEM_IMAGE). Memory allocated by VirtualAllocEx() would not have that flag set.
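The two checks described above, side by side, as an added example that is not code from the original post or from Trypanophobia. The struct and constants under `#ifndef _WIN32` are assumed stand-ins (matching the Win32 values) so the classification logic compiles off Windows; the hooked kernel32 function that would call `allow_thread_start()` is left out, since the post does not name it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Stand-ins (assumed, not the real SDK) so the checks compile off Windows;
 * the values match the Win32 constants. */
typedef struct {
    void *BaseAddress, *AllocationBase;
    uint32_t AllocationProtect;
    size_t RegionSize;
    uint32_t State, Protect, Type;
} MEMORY_BASIC_INFORMATION;
#define MEM_COMMIT 0x1000
#define MEM_PRIVATE 0x20000
#define MEM_IMAGE 0x1000000
#define PAGE_READWRITE 0x04
#define PAGE_WRITECOPY 0x08
#define PAGE_EXECUTE_READ 0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
#endif

/* Rejected check (the VirtualProtect() idea): treat a writable start page as
 * rogue. A packed image whose sections were left writable trips this one. */
bool start_page_is_writable(const MEMORY_BASIC_INFORMATION *mbi)
{
    return (mbi->Protect & (PAGE_READWRITE | PAGE_WRITECOPY |
                            PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)) != 0;
}

/* Check the post settles on: a legitimate entry point sits in loader-mapped
 * image memory (MEM_IMAGE); a VirtualAllocEx() region is MEM_PRIVATE. */
bool start_page_is_image_backed(const MEMORY_BASIC_INFORMATION *mbi)
{
    return mbi->State == MEM_COMMIT && mbi->Type == MEM_IMAGE;
}

#ifdef _WIN32
/* What the thread-creation hook would ask before letting a new thread run. */
bool allow_thread_start(const void *start)
{
    MEMORY_BASIC_INFORMATION mbi;
    if (VirtualQuery(start, &mbi, sizeof mbi) == 0)
        return false; /* address cannot be queried: deny */
    return start_page_is_image_backed(&mbi);
}
#endif
```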

——————————————————————————————

Trypanophobia
http://code.google.com/p/opcode0x90/source/browse/trunk/snippets/Trypanophobia/

——————————————————————————————

Coming soon – Stopping SetWindowsHookEx() injection. 😉

5 Comments
  1. Andrew permalink

    Hey op,

    this is just a wonderful piece of code and article.

    However, this only works in XP. I tried many times to look it up in Vista, but obviously they got rid of that function or they changed the way it looks, not sure.

    I tried to search for the same asm pattern and all I got is nothing.

    Hopefully, we find a way in Vista to block the calls.

    regards,
    -Andrew-

  2. 16 Dec. 2009 flu A: doctors criticise the systematic use of Tamiflu® last week, the French health authorities recommended

  3. MMM… that smells like a nice comment from a Russki 🙂

  4. Excellent warning

    Without a second thought, I must not forget to write down this news.

