PE 1nj3ct10n and Thread Hijacking For Malware Analysis

Alparslan Akyıldız academy
3 min read · Nov 4, 2019


In this blog post I examine PE injection and thread hijacking from the analyst's side: which Windows API calls they use, so that malware analysis becomes easier. When we reverse malicious files, we can search for such an API sequence and infer PE injection or thread hijacking activity. Before we start, I present my Udemy trainings; if you want, you can benefit from them to learn this more deeply:

Let’s start;

Thread hijacking is a malicious operation in which a malicious DLL path is injected into a legitimate thread. Similar to process hollowing, the thread must be suspended before the injection. The Windows APIs called during thread injection are shown below;

PE injection gives the attacker execution of malicious code directly in memory, without writing anything to the physical disk. This is similar to the reflective DLL injection method. The Import Address Table (IAT) and the relocation table reside in memory. The IAT lists the DLLs, functions and executables the image depends on. “When an executable is first loaded, the Windows loader is responsible for reading in the files PE structure and loading the executable image into memory. One of the other steps it takes is to load all of the dlls that the application uses and map them into the process address space.” At this point the dynamically resolved addresses are kept in the IAT. So if you manipulate the memory addresses in the IAT, you can link a malicious DLL in place of the valid, legitimate DLL, function or executable file. Changing the pointer value is enough to perform this attack;

http://sandsprite.com/CodeStuff/Understanding_imports.html

In a PE injection attack, the image base address and its size are discovered, enough space is allocated with VirtualAlloc, and memcpy is used to copy the image. In the next step the reloc offset is calculated and the addresses are rebased to the address returned by VirtualAllocEx; WriteProcessMemory is then used to copy the image to that address, which serves as the base address for executing the malicious remote process. Finally CreateRemoteThread is called and the malicious code is executed. To demonstrate the attack structure I used the shellter tool, as shown below; as you can see, the tool presents you some Windows APIs used for PE injection, so you can estimate or map the PE injection API calls;

Set the legitimate file as the PE target for injecting shellcode via the PE injection method, as shown below;

When the malicious file is opened, the attacker gains a reverse shell from the compromised computer;
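The point of the post for an analyst is that the API sequence itself is the tell: VirtualAllocEx followed by WriteProcessMemory and CreateRemoteThread on the same thread is worth flagging. As an added example that is not part of the original post, the Python script below applies that idea to a constructed API-call trace in an assumed "pid tid ApiName(args)" line format, as a sandbox or API monitor might emit. The PE injection chain is the one the post lists; the thread hijacking chain (SuspendThread, SetThreadContext, ResumeThread) is an assumed typical sequence and not taken from the post.

```python
"""Heuristic detector for process-injection API sequences in an API-call trace.

Added example, not from the original post. Assumes a simple text trace format,
one call per line: "<pid> <tid> <ApiName>(<args>)". SAMPLE_TRACE is constructed.
"""
import re
from collections import defaultdict

# Ordered API sequences to flag. "pe_injection" is the chain the post describes;
# "thread_hijacking" is an assumed typical suspend/rewrite-context/resume chain.
SIGNATURES = {
    "pe_injection": ["VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "thread_hijacking": ["SuspendThread", "SetThreadContext", "ResumeThread"],
}

# pid, tid, then the API name up to its opening parenthesis; arguments are ignored.
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<api>\w+)\(")


def parse_trace(lines):
    """Group API names by (pid, tid), preserving call order within each thread."""
    calls = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the assumed format are skipped
            calls[(int(m["pid"]), int(m["tid"]))].append(m["api"])
    return calls


def contains_subsequence(seq, pattern):
    """True if every item of pattern appears in seq in order, not necessarily adjacent."""
    it = iter(seq)
    # each any() advances the shared iterator until the next pattern item is found
    return all(any(x == p for x in it) for p in pattern)


def find_injection_patterns(lines):
    """Return sorted (pid, tid, signature_name) tuples for threads matching a signature."""
    hits = []
    for (pid, tid), apis in parse_trace(lines).items():
        for name, pattern in SIGNATURES.items():
            if contains_subsequence(apis, pattern):
                hits.append((pid, tid, name))
    return sorted(hits)


# Constructed sample trace: one thread doing PE injection, one doing thread
# hijacking, and one benign thread that only allocates and copies locally.
SAMPLE_TRACE = [
    "1234 10 OpenProcess(0x1F0FFF, 0, 5678)",
    "1234 10 VirtualAllocEx(0x1a4, 0, 0x1000, 0x3000, 0x40)",
    "1234 10 WriteProcessMemory(0x1a4, 0x200000, 0x3f0000, 0x1000, 0)",
    "1234 10 CreateRemoteThread(0x1a4, 0, 0, 0x200000, 0, 0, 0)",
    "4321 22 OpenThread(0x1FFFFF, 0, 900)",
    "4321 22 SuspendThread(0x1b8)",
    "4321 22 SetThreadContext(0x1b8, 0x0019ff00)",
    "4321 22 ResumeThread(0x1b8)",
    "777 5 VirtualAlloc(0, 0x1000, 0x3000, 0x04)",
    "777 5 memcpy(0x500000, 0x400000, 0x1000)",
]

if __name__ == "__main__":
    for pid, tid, name in find_injection_patterns(SAMPLE_TRACE):
        print(f"pid={pid} tid={tid}: {name}")
```

The subsequence match deliberately allows unrelated calls between the signature APIs, since real traces interleave handle lookups and error checks; a stricter adjacency check would miss them. The benign thread that only calls VirtualAlloc and memcpy produces no hit, which is the false-positive case an analyst cares about.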

See you in the next blog post…
