New Method for DLL Injection via Return-Oriented Programming
/ 4 min read
Quick take - A new method for thread hijacking using Return-Oriented Programming (ROP) allows for the injection of a Dynamic Link Library (DLL) into a remote thread without allocating executable memory, while also highlighting potential detection by security systems due to the use of the SetThreadContext API.
Fast Facts
- A new method for thread hijacking using Return-Oriented Programming (ROP) allows DLL injection into remote threads, moving beyond traditional shellcode techniques.
- This approach identifies memory allocation with EXECUTE privileges as an indicator of compromise (IOC) and utilizes the LoadLibrary function for DLL loading.
- Limitations of the SetThreadContext API, which cannot overwrite volatile registers like RCX, are circumvented by constructing a ROP chain to manipulate the register.
- The process involves identifying ROP gadgets, modifying the remote thread’s context, and preparing a stack buffer with necessary values for executing the ROP chain.
- The technique may be detected by Endpoint Detection and Response (EDR) systems due to the use of the SetThreadContext API, raising security concerns monitored by Microsoft security tools.
Sophisticated Thread Hijacking via ROP
A sophisticated method for executing thread hijacking via Return-Oriented Programming (ROP) has emerged, facilitating the injection of a Dynamic Link Library (DLL) into a remote thread. This technique marks a significant evolution from traditional methods, which typically involve writing shellcode directly into executable memory and redirecting the instruction pointer (RIP) to execute the shellcode.
Memory Allocation and ROP Method
In this innovative approach, the allocation of memory with EXECUTE privileges in another process serves as an indicator of compromise (IOC), suggesting potential malicious activity. Instead of allocating executable memory, the ROP method leverages the loading of a DLL, which requires passing an argument to the LoadLibrary function.
However, the SetThreadContext API presents limitations, as it does not allow the overwriting of volatile registers, such as RCX, which is critical for passing arguments. To circumvent this limitation, a ROP chain is constructed to manipulate the required register and execute the injected DLL.
Constructing the ROP Chain
The process begins by identifying a suitable ROP gadget that performs a ‘pop rcx’ followed by a ‘ret’ to transfer the DLL path from the stack into the RCX register. Tools like ROPGadget are employed to analyze system libraries and locate the necessary gadgets, with the address of the ‘pop rcx; ret’ gadget being dynamically retrievable from ‘ntdll.dll’ at runtime.
Subsequently, the path of the DLL is written into the target process’s memory, utilizing functions such as ‘VirtualAllocEx’ and ‘WriteProcessMemory’. The remote thread’s context must be modified to include changes to the instruction pointer (RIP) and stack pointer (RSP). This modification process involves suspending the target thread using the ‘SuspendThread’ API to ensure safe context alterations.
The RIP is then updated to point to the address of the identified ROP gadget, while the RSP is adjusted to allocate appropriate space on the stack. A buffer is prepared and written to the stack, containing essential values for executing the ROP chain, including the memory address of the DLL path, the address of the ‘LoadLibraryA’ function, and a return address that points to ‘ExitThread’.
Once the context is prepared, the remote thread can be resumed using the ‘ResumeThread’ API.
Security Implications and Conclusion
The article emphasizes that this technique may be detected by Endpoint Detection and Response (EDR) systems, particularly due to the use of the ‘SetThreadContext’ API, which notifies two different Event Tracing for Windows (ETW) providers during execution. This raises significant security implications, as Microsoft security tools, including Windows Defender APT, may monitor ‘SetThreadContext’ events for potential threats.
Illustrative images are included in the article to demonstrate the state of the thread before and after context modification. The article concludes by summarizing the ROP chain method for DLL injection without the need for executable memory allocation. Additionally, a proof-of-concept implementation, complete with detailed steps and code, is made available at the provided GitHub link.
Original Source: Read the Full Article Here
