Process Injection in Malware

What is Process Injection?:

Process Injection is by definition: The ability to inject code and memory data into the address space of another process.

Malware authors use process injection commonly to disguise their own malicious code within other trusted processes like chrome.exe, outlook.exe, firefox.exe, svchost.exe, dllhost.exe to name a few.

They do this to obfuscate the malware from a non-suspecting victim and from Incident Response Handlers to detect and analyse the malware early, bypass firewalls that block internet connection, maintain persistence undetected and much more.

Some malware that use process injection are also file-less and inject themselves into memory so you won’t find any evidence on the disk.

DLL Injection:

There are many forms of process injection. In this blogpost, i will be showing one of the most common methods malware authors embed malicious code into a process: DLL injection, and demonstrate how it works.

A DLL quite simply is a Dynamic Link Library. They are PE files that allow programs/applications to perform various functions to operate. A DLL can also be shared among various other applications at once. An attacker can inject a DLL maliciously to run malware code into one of the victim’s many processes in a computer.

Analysis:

In this malware, i have renamed some of the functions and arguments to make it easier to understand. This is what the main function we will be analysing looks like for understanding DLL injection.

We can see first that it calls to a function that i have named “SeDebugPriv4Access”. Inside it we can see the following:

Inside the function SeDebugPriv4Access

We can see it calls to some API’s like LookUpPrivilegeValueA, GetCurrentProcess, OpenProcessToken, AdjustTokenPrivileges. These API’s are used for SeDebugPrivilege. We can see that in this function it tries to retrieve LUID, get the current process, open the access token which contains some security information of the logon session of a process and disable the privileges of it.

If we look at the link here: https://docs.microsoft.com/en-us/windows/win32/secauthz/privilege-constants, SeDebugPrivilege can be used to debug and adjust memory of a process. A malicious actor can unfortunately use this to write data into a process that he/she chooses to inject malicious code via debugging privileges.

The malware then tries to find ‘explorer.exe’ and after this calls to function ‘GetProcessID’. Inside the GetProcessID function we can see the following:

Take snapshot of all processes and Find 1st Process

Find Next Process and Loop until explorer.exe PID is found

In the 2 images above, we can see the function tries to take a snapshot of all processes via CreateToolhelp32Snapshot due to the flag being 2 which is TH32CS_SNAPPROCESS in its MSDN Documentation. The malware then retrieves information about the first process taken by CreateToolhelp32Snapshot via Process32FirstW, and then tries to get the next processes via Process32NextW. It will continue to loop and keep searching for the next process, until it finally finds the process ID of explorer.exe.

After this, it will call to a function that i have named ‘WoW64ProCheck’ as seen below. IsWow64Process basically searches if a process is 32-bit or 64-bit in a 64-bit system.

Check if Process is 32/64-bit in a 64-bit system

If the process is 32-bit we can go to a location which i have renamed ‘OpenExplorerInjectMalware’. In this location, it calls to a function called sub_4053F0. We can look inside sub_4053F0 to see:

Open Process, Allocate space in memory, inject memory inside process

We can see that it opens the explorer.exe process via OpenProcess. It then tries to allocate space in the memory of explorer.exe for code injection via VirtualAllocEx. It then uses WriteProcessMemory to inject memory inside explorer.exe.

Create Thread inside process and run thread immediately after creation

After this it creates a remote thread/execution path inside the explorer.exe process to run the malware code, and immediately runs it as we can see 0 in dwCreationFlags. You can find out more about what the flag means in the CreateRemoteThread MSDN Documentation.

TLDR:

The malware we analysed inserts a malicious DLL inside the explorer.exe process. It checks whether it is a 32 bit process inside a 64-bit operating system, allocates some space inside explorer.exe to inject memory inside it and creates a thread inside explorer.exe for the malware to work and maintain persistence.

DLL injection is very common and usually has this structure which you can find in some types of malware:

CreateToolhelp32Snapshot → Process32First → Process32Next → OpenProcess → VirtualAllocEx → CreateRemoteThread

Thanks for reading.