
Please Inject Me, a x64 Code Injection

Conference:  Defcon 27

2019-08-01

Summary

Inject-Me is a new method for x64 code injection that manipulates the target process into reading data from the injecting process, copying it and executing it, which helps malware hide its presence and gain persistence.
  • Code injection lets attackers run their code in remote processes, but traditional techniques are widely detected by security solutions or limited by native OS protections
  • Inject-Me is an "injection-less" method: the target process is manipulated into reading data from the injecting process, copying it and executing it
  • The method is based on abusing ReadProcessMemory and the x64 calling convention
  • An infinitely running thread is first created in the target process to prepare it for manipulation
  • A jmp rbx (jump to the address held in RBX) opcode is copied into the target process and used to jump to the shellcode
  • The shellcode is then executed with a function such as CreateRemoteThread
  • Code injection serves both malicious and benign purposes, including stealth, evasion, adding functionality and monitoring
  • The speaker demonstrated the method by injecting code into Notepad and displaying its command line in a message box

Abstract

Malware authors are always looking for new ways to achieve code injection, thereby allowing them to run their code in remote processes. Code injection allows attackers to better hide their presence, gain persistence and leverage other processes' data and privileges. Finding and implementing new, stable methods for code injection is becoming more and more challenging as traditional techniques are now widely detected by various security solutions or limited by native OS protections. Inject-Me is a new method to inject code into a remote process on x64. Inject-Me is in fact "injection-less": the remote (target) process is manipulated into reading data from the injecting process, copying it and executing it. The manipulation is mainly based on abusing ReadProcessMemory and the x64 calling convention. In addition to presenting Inject-Me, the talk will mention a generalized approach to copying data in remote processes to recreate shellcode from the injecting process.
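The summary and abstract both rest on one property of the Microsoft x64 calling convention: the first four integer or pointer arguments of a call travel in RCX, RDX, R8 and R9, and anything beyond that sits on the stack above the 32-byte shadow space. ReadProcessMemory takes five parameters, so whoever steers a thread into it must control four registers plus one stack slot. The following is an added example, not code from the talk or the speaker; it models that argument placement for an arbitrary parameter list and shows the two-byte encoding of jmp rbx. It does not reproduce the injection mechanics themselves (how the thread is created, how its context is set, or where the handles come from), and the function names and sample addresses are assumptions.

```python
"""Argument placement under the Microsoft x64 calling convention.

Added example, not the speaker's code. Pure Python, runs anywhere; it models
where each argument of a Windows x64 call lands at function entry, which is
the property Inject-Me abuses to make a target thread call ReadProcessMemory.
"""
import struct

# First four integer/pointer arguments go in these registers, in this order.
ARG_REGISTERS = ("rcx", "rdx", "r8", "r9")
SHADOW_SPACE = 0x20   # caller-reserved "home" space for the four register args
RETURN_ADDR = 0x8     # pushed by CALL; sits at [rsp] on function entry

# ReadProcessMemory's parameters in declaration order: five, so one spills to the stack.
READ_PROCESS_MEMORY_PARAMS = (
    "hProcess", "lpBaseAddress", "lpBuffer", "nSize", "lpNumberOfBytesRead",
)


def x64_arg_locations(param_names):
    """Map each parameter to a register name or a '[rsp+0x..]' slot.

    Stack offsets are as the callee sees them at entry, i.e. after the return
    address has been pushed: 5th argument at [rsp+0x28], 6th at [rsp+0x30], ...
    """
    locations = {}
    for i, name in enumerate(param_names):
        if i < len(ARG_REGISTERS):
            locations[name] = ARG_REGISTERS[i]
        else:
            offset = RETURN_ADDR + SHADOW_SPACE + 8 * (i - len(ARG_REGISTERS))
            locations[name] = f"[rsp+{offset:#x}]"
    return locations


def build_call_context(func_addr, args):
    """Register values and stack image that make a thread resumed at func_addr
    behave like func(*args).

    Returns (registers, stack_bytes). stack_bytes is what must be at [rsp] on
    entry: an 8-byte return-address slot (left zero here; a real caller would
    point it somewhere sane), the 32-byte shadow space, then the 5th and later
    arguments as little-endian QWORDs. RSP itself must be 8 mod 16 at entry.
    func_addr and args are whatever the caller supplies; nothing is resolved.
    """
    regs = {"rip": func_addr}
    for reg, value in zip(ARG_REGISTERS, args):
        regs[reg] = value
    stack = bytearray(RETURN_ADDR + SHADOW_SPACE)   # return-addr slot + shadow space
    for value in args[len(ARG_REGISTERS):]:
        stack += struct.pack("<Q", value)
    return regs, bytes(stack)


def jmp_rbx_stub():
    """Encoding of `jmp rbx`: opcode FF /4 with ModRM 11 100 011 -> FF E3."""
    return b"\xff\xe3"


if __name__ == "__main__":
    # Constructed sample values: a handle and three addresses, not real ones.
    sample_args = (0x44, 0x10000, 0x20000, 0x100, 0)
    for name, where in x64_arg_locations(READ_PROCESS_MEMORY_PARAMS).items():
        print(f"{name:<20} -> {where}")
    regs, stack = build_call_context(0x7FF800001000, sample_args)
    print("registers:", {k: hex(v) for k, v in regs.items()})
    print("stack image:", stack.hex())
    print("jmp rbx:", jmp_rbx_stub().hex())
```

Running it prints the mapping for ReadProcessMemory (hProcess in rcx through nSize in r9, lpNumberOfBytesRead at [rsp+0x28]) and a 48-byte stack image whose last QWORD is the fifth argument. The practical point for both attacker and analyst is that the fifth parameter is stack-resident: controlling RCX through R9 alone leaves lpNumberOfBytesRead to whatever happens to be at [rsp+0x28] in the hijacked thread.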
