PELoader: implement various shellcode injection techniques
PELoader
PELoader implements various shellcode injection techniques and uses libpeconv library to load encrypted PE files instead of injecting shellcode into remote thread.
Following techniques were implemented:
- Module Stomping (LoadLibrary)
- Module Stomping (NtMapViewOfSection)
- Transacted Hollowing
- Ghostly Hollowing
- NtMapViewOfSection (RWX-RW-RX)
- NtAllocateVirtualMemory (RW-RX)
Testing
PELoader was tested on Windows 10 with Cortex XDR / SentinalOne / Windows Defender / CrowdStrike, and Windows Defender / CrowdStrike detected Transacted Hollowing techniques. Characteristics of each technique were tested with a memory scanner tool Moneta from @forrest-orr.
Module Stomping (LoadLibrary)
Call LoadLibrary to load a legitimate DLL. Overwrite DLL with payload
Pros
- payload mapped as MEM_IMAGE which looks legitimate for EXE or DLL
- impersonating a legitimate DLL
- Sections mapped with original access rights (no RWX)
Module Stomping (NtMapViewOfSection)
Call NtCreateSection to create a file mapping object (PAGE_READONLY) for a legitimate DLL, and call NtMapViewOfSection to map it to the current process. Overwrite the DLL with payload.
Pros
- payload mapped as MEM_IMAGE which looks legitimate for EXE or DLL
- impersonating a legitimate DLL
- Sections mapped with original access rights (no RWX)
- Not connected to the list of modules (invisible for Module32First/Module32Next)
Cons
- Not connected to the list of modules (check “Missing PEB module” in below Moneta’s scanning result)
reference to @hasherezade’s PoC.
Transacted Hollowing
A hybrid between Process Hollowing and Process Doppelgänging. Create an “invisible” file within the NTFS transaction and write the payload into the file. Map section to the current process and execute it.
Pros
- Payload mapped as MEM_IMAGE
- Sections mapped with original access rights (no RWX)
- dummy file not necessary to be exist
Cons
- Detection if there is TxF activity monitoring
Ghostly Hollowing
A hybrid between Process Hollowing and Process Ghosting. Create a file with delete pending state and write payload into the file. Map section to the current process and execute it.
Pros
- Payload mapped as MEM_IMAGE
- Sections mapped with original access rights (no RWX)
- Avoid “System Idle Process” without any image path (IOC of process ghosting)
Cron
- Dummy file created on disk
reference to @hasherezade’s PoC.
NtMapViewOfSection (RWX-RW-RX)
Call NtCreateSection to create a memory section (RWX). Call NtMapViewOfSection to map a view to the current process (RWX). Call VirtualProtect to change protection to RW. Copy shellcode to mapped section. Change protection to RX and execute it.
Pros
- Payload mapped as MEM_MAPPED to avoid MEM_PRIVATE which is common in malware
Cons
- Set memory page to RWX protection at an initial stage
- abnormal mapped EXE memory with RX protection
NtAllocateVirtualMemory (RW-RX)
Call NtAllocateVirtualMemory to allocate memory (RW). Copy shellcode to memory. Change protection to RX and execute it.
Pros
- avoid RWX memory page
Cons
- staging shellcode to memory page with private type MEM_PRIVATE
- abnormal private EXE memory with RX protection
