scdbg vrs Process Injection


Author: David Zimmer
Date: 03.31.11 - 4:30pm



Experimented with some ideas about making scdbg compatiable with process injection shellcode. Added support for the standard functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread.

Even though we dont have any other process to work with, it turned out pretty slick and came up with a simple solution that allows the injection to "work" and then transfer execution right to the injected code to log what it does too.

Basically I just treat remote process allocations and writes in process memory, then transfer execution to the specified "remote" address when CreateRemoteThread is called.

Quite simple implementation, but has powerful results. Makes analyzing this type of shellcode sooo much easier.

401032  CreateProcessA( C:\Program Files\Internet Explorer\iexplore.exe,  ) = 0x1269
401046  VirtualAllocEx(pid=1269, base=0 , sz=1000) = 60000
4010c3  WriteProcessMemory(pid=1269, base=60000 , buf=40120c, sz=1000)
4010f7  CreateRemoteThread(pid=1269, addr=60000 , arg=0, flags=0, *id=0)
        Transferring execution to threadstart...
600ac   LoadLibraryA(urlmon)
600bc   URLDownloadToCacheFileA(http://removed, buf=12fcf8)
600d7   CreateProcessA( , c:\URLCacheTmpPath.exe ) = 0x1269
600ec   TerminateThread(fffffffe) = 1

or

401403  CreateProcessA( wuauclt.exe,  ) = 0x1269
40141a  VirtualAllocEx(pid=1269, base=0 , sz=1a12) = 60000
401434  WriteProcessMemory(pid=1269, base=60000 , buf=401164, sz=1a12, written=12fdc4)
401446  GlobalAlloc(sz=cc) = 62000
40145a  GetThreadContext(h=126a)
401468  SetThreadContext(h=126a, eip=60000)
40146f  ResumeThread(h=126a)
        Transferring Execution to threadstart 60000
6003d   CreateThread(60070, 0) = 1
        Transferring execution to threadstart...
600fc   ExpandEnvironmentStringsA(%ALLUSERSPROFILE%\Plug1.dll, dst=40403f10, sz=104)

or

401156  FindWindowA(class=Progman, window=Program Manager)
401166  GetWindowThreadProcessId(h=0, buf=12fdd0)
401176  OpenProcess(access=1f0fff, inherit=0, pid=14077ac0)
401190  VirtualAllocEx(pid=99999999, base=0 , sz=1000) = 60000
4011ad  WriteProcessMemory(pid=99999999, base=60000 , buf=4019dd, sz=310, written=0)
4011c3  CreateRemoteThread(pid=99999999, addr=60000 , arg=0, flags=0, *id=0)
        Transferring execution to threadstart...
60190   LoadLibraryA(kernel32)





Comments: (0)

 
Leave Comment:
Name:
Email: (not shown)
Message: (Required)
Math Question: 44 + 78 = ? followed by the letter: R 



About Me
More Blogs
Main Site
Posts: (year)
2023 (4)
     Yara Workbench Automation
     VS linker versions
     IDA decompiler comments
     DispCallFunc
2022 (5)
     VB6 Implements
     VB6 Stubs BS
     VB6 TypeInfo
     VB6 VTable Layout
     Yara isPCode rule
2021 (2)
     rtcTypeName
     VB6 Gosub
2020 (5)
     AutoIT versions
     IDA JScript 2
     Using VB6 Obj files from C
     Yara Corrupt Imports
     Yara Undefined values
2019 (6)
     Yara WorkBench
     SafeArrayGetVartype
     vb6 API and call backs
     PrintFile
     ImpAdCallNonVirt
     UConnect Disable Cell Modem
2017 (5)
     IDA python over IPC
     dns wildcard blocking
     64bit IDA Plugins
     anterior lines
     misc news/updates
2016 (4)
     KANAL Mod
     Decoders again
     CDO.Message Breakpoints
     SysAnalyzer Updates
2015 (5)
     SysAnalyzer and Site Updates
     crazy decoder
     ida js w/dbg
     flash patching #2
     JS Graphing
2014 (5)
     Delphi IDA Plugin
     scdbg IDA integration
     API Hash Database
     Winmerge plugin
     IDACompare Updates
2013 (9)
     Guest Post @ hexblog
     TCP Stream Reassembly
     SysAnalyzer Updates
     Apilogger Video
     Shellcode2Exe trainer
     scdbg updates
     IDA Javascript w/IDE
     Rop Analysis II
     scdbg vrs ROP
2012 (13)
     flash patching
     x64 Hooks
     micro hook
     jmp api+5 *2
     SysAnalyzer Updates
     InjDll runtime config
     C# Asm/Dsm Library
     Shellcode Hook Detection
     Updates II
     findDll
     Java Hacking
     Windows 8
     Win7 x64
2011 (19)
     Graphing ideas
     .Net Hacking
     Old iDefense Releases
     BootLoaders
     hll shellcode
     ActionScript Tips
     -patch fu
     scdbg ordinal lookup
     scdbg -api mode
     Peb Module Lists
     scdbg vrs Process Injection
     GetProcAddress Scanner
     scdbg fopen mode
     scdbg findsc mode
     scdbg MemMonitor
     demo shellcodes
     scdbg download
     api hashs redux
     Api hash gen
2010 (11)
     Retro XSS Chat Codes
     Exe as DLL
     Olly Plugins
     Debugging Explorer
     Attach to hidden process
     JS Refactoring
     Asm and Shellcode in CSharp
     Fancy Return Address
     PDF Stream Dumper
     Malcode Call API by Hash
     WinDbg Cheat Sheet
2009 (1)
     GPG Automation