DInvoke’s injection API
If you have been following me around for a while, you know I’m a super fanboy of @TheRealWovers work, and the D/Invoke framework in particular. I strongly believe that if you are developing anything in C# you should always D/Invoke instead of P/Invoke. It’s just so damn good. If you wanna find out more I recommend reading the blogpost of The Wover or my own blogpost over at the NVISO blog. If you want a presentation, I suggest you tune in to my D/Invoke talk at the redteam mayhem event on May 29th.
What I have not talked about in details yet is the D/Invoke Injection API.
The reason for that is because the Injection API still needs a lot of love, the injection capabilities are somewhat limited for now, so if you wanna contribute feel free to do so. I already have my favorite injection technique (QueueUserAPC) lined up as a pull request.
Without further ado, let’s take a look at the magic Injection API:
The goal of this API is to perform process injection techniques while taking the complexity away from the programmer. Process Injection should be as simple as using the following code:
As you can see, this is a dream come true. Obviously in the backend, this requires hard work. At time of writing the process injection capabilities of the main branch of Dinvoke is limited to:
- Only accepting position-independent byte arrays (PICPayloads)
- Allocation is only done using sectionmaps (ntcreatesection, ntmapviewofsection, ntunmapviewofsection)
- Execution is currently only supported using RemoteThreadCreation (NtCreateThreadEx,RtlCreateUserThread or CreateRemoteThread)
This will change in the future to also support alloc,protect,write virtualmemory and using QueueUserAPC as already stated. If you have other cool process injection techniques to contribute, feel free to implement them and open up a PR.
A tale of token duplication and command-line spoofing on the cheap
As some of you might now Randy Pargman and myself are working together on some purple team research that we hope to present at a con this year, part of that research involves writing some custom malware and I was trying to figure out how I, from a high privilege context (administrator rights) could spawn a process with parent ID spoofing of a process that was not running elevated (explorer.exe for example).
Turns out that that is not that hard to do using DuplicateTokenEx and CreateProcessAsUserA from Advapi32.dll, thanks to ParanoidNinja for pointing me in the right direction for that one 🙂
DuplicateTokenEx creates a new access token that duplicates an existing token. This is interesting because that means you can duplicate any token you have rights to. In our context, we want to duplicate our own token, and that is pretty easy to do in C# using
WindowsIdentity.GetCurrent().Token;Now that we have a duplicated token, we can use that token (and it’s access rights and security context) to create new processes, if those processes happen to have extended startupinfo with a spoofed parent well …. 😉
A nice little trick I found out using createremotethread process injection is that, if you spawn a process in a suspended state, and you use createremotethread, your process will actually not be suspended anymore (which makes sense as spawning a process in suspended state just means that all threads of that process are suspended). The process will use your new injected thread as its main thread. This means that you can spawn a process with arbitrary command-line arguments in a suspended state, create a remote thread and terminate the original entry point thread which can be found in the process information structure.
If you launch my PoC showcasing Dinvoke’s Injection API you’ll end up with this:
GitHub Repo: https://github.com/redteamertips/DinvokeDupetokenAndThreadSwitcheroo
This is really useful research to see in action! Especially since so many detection queries rely on accurate information about process parents and command line arguments. Thanks for sharing this with the community so that both red and blue teamers can see what this looks like in practice