[Tutorial] Thread Injection

[Hello EMO]

[quote='DarkstaR69' pid='14652305' dateline='1313339898']
This tutorial for thread injection works on x86 processes. Due to register differences it wont work in x64, but can be easily converted.

Codecaving is the practice of injecting machine code into a remote process and making it execute. In this tutorial, I will cover a method of codecaving which I like to call thread injection. Thread inject is an 8 step process.

1. Find target process
   
2. Detect main thread
   
3. Suspend the thread
   
4. Find main threads current instruction pointer
   
5. Allocate memory in target process for a codecave
   
6. Write the codecave to memory
   
7. Spoof instruction pointer to the location of the codecave
   
8. Resume the thread
   

Below, I will explain exactly how to achieve the task of injecting code into a thread. At the very end of this post you will find the full source code.

First, we must obtain our process ID. There are many ways of doing this. I'll do it by using FindWindowA()

Kod:


   windowHandle = FindWindowA(NULL, windowName);
   GetWindowThreadProcessId(windowHandle, &procID);

The next thing we must do is create a structure for the TIB (Thread Information Block). We only need to create a partial structure since we only need limited information.

Kod:

//thanks to http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
struct partialTIB
{
   DWORD SEHFrame;
   DWORD StackTopPointer;
   DWORD StackBottomPointer;
   DWORD Unknown;
   DWORD FiberData;
   DWORD ArbitraryDataSlot;
   DWORD LinearAddressOfTIB; //This is the linear address of this block of data!
   DWORD EnviromentPointer;
   DWORD ProcessID;
   DWORD CurrentThreadID; //This is the last pf what we need, so we'll stop here
};

Now we must actually get the TIB of our target process. There is no documented conventional way of doing so, so we must use a small trick. The FS register points to the current processes TIB. The TIB contains a member named LinearAddressOfTIB. As the name suggests, this member points to the memory address of the TIB. This address is universal for every process. In order to get the TIB for a remote process, we will simply get our TIB from the FS register, grab the memory address of the TIB, and then read memory from that location in our target application.

Kod:


    _asm
    {
     MOV EAX, FS:[0x18]
     MOV [pointerTID], EAX
    }

    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, false, procID);
    ReadProcessMemory(hProcess, (const void*)pointerTID, &TIB, sizeof(partialTIB), NULL);
    CloseHandle(hProcess);

Now that we have our threadID, we must open the thread and suspend it. This is very simple since we have the WinAPI at our disposal.

Kod:


   HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, threadID);
   SuspendThread(thread);

With the thread suspended, it is time to get its control context. We suspended the thread first so it wont be executing and jumping from instruction to instruction once we get the context.

Kod:


   CONTEXT threadContext;
   threadContext.ContextFlags = CONTEXT_CONTROL;
   GetThreadContext(thread, &threadContext);

The next step is to create our codecave. Since this is just a proof of concept, I will be using a simple code cave. All the codecave will do is return right back to the threads original instruction pointer. You may be asking "How do we know it works, then?" Simple: If you remove the return to the original instruction pointer, the application crashes.

The first thing to do when creating our codecave is to allocate the memory for it. To do this, we use OpenProcess() and VirtualAllocEx()

Kod:

   HANDLE process = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, TIB.ProcessID);
   LPVOID codeCave = VirtualAllocEx(process, NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);

Next we must write our codecave to memory in the form of bytecode (Assembler). You can actually write this code in a naked asm function and just copy the memory, but I found this way easier for such a small cave.

Kod:


   DWORD push = 0x68;
   DWORD retn = 0xC3;
   
   WriteProcessMemory(process, codeCave, &push, 1, NULL); // "PUSH" opcode
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+1), &InstructionPointer, 4, NULL); //return address
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+5), &retn, 4, NULL); //"RETN" opcode


Now that our codecave is in place, we need to do the actual hijack. Hijacking the thread is as easy as changing its instruction pointer to the address of our codecave, and then letting it resume execution.

Kod:


   threadContext.Eip = (DWORD)codeCave;

   threadContext.ContextFlags = CONTEXT_CONTROL;
   SetThreadContext(thread, &threadContext);

   ResumeThread(thread);

And boom. The thread will resume, executing our codecave before continuing with what it was doing. The only thing left to do is free our resources. However, since the thread may not be done executing we must give it some time before we free our codecave. A typical codecave will execute in a matter of nanoseconds, but being safe and waiting 2 seconds will never hurt.

Kod:


   Sleep(2000);

   VirtualFreeEx(process, codeCave, 6, MEM_DECOMMIT);
   CloseHandle(process);
   CloseHandle(thread);

And we're done.
Since I didn't unify everything in this tutorial, the full source code can be found below. It will hopefully help you see how everything ties together and better your understanding of thread injection.

Kod:

#include <iostream>
#include <tchar.h>
#include <windows.h>

using namespace std;

//thanks to http://en.wikipedia.org/wiki/Win32_Thread_Information_Block
struct partialTIB
{
   DWORD SEHFrame;
   DWORD StackTopPointer;
   DWORD StackBottomPointer;
   DWORD Unknown;
   DWORD FiberData;
   DWORD ArbitraryDataSlot;
   DWORD LinearAddressOfTIB; //This is the linear address of this block of data!
   DWORD EnviromentPointer;
   DWORD ProcessID;
   DWORD CurrentThreadID; //This is what we need, so we'll stop here
};


partialTIB GetWindowThreadInformation(char* windowName)
{
    DWORD pointerTID, procID;
   partialTIB TIB;

    HWND windowHandle = FindWindowA(NULL, windowName);
    GetWindowThreadProcessId(windowHandle, &procID);


   //The FS register points to the ThreadInformationBlock
   //As you may recall from our structure, offset 0x18 is the linear address of the TIB
   //So if we get read from FS + 0x18, we can find the address of this block in a remote proccess and
   //get the current thread of that proccess
    _asm
   {
     MOV EAX, FS:[0x18]
     MOV [pointerTID], EAX
    }

    HANDLE hProcess = OpenProcess(PROCESS_VM_READ, false, procID);
    ReadProcessMemory(hProcess, (const void*)pointerTID, &TIB, sizeof(partialTIB), NULL);
    CloseHandle(hProcess);

    return TIB;
}

HANDLE OpenAndSuspendThread(DWORD threadID)
{
   HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), false, threadID);
   SuspendThread(thread);
   return thread;
}

LPVOID CreateCodeCave(HANDLE process, DWORD InstructionPointer)
{
   LPVOID codeCave = VirtualAllocEx(process, NULL, 6, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
   
   DWORD push = 0x68;
   DWORD retn = 0xC3;
   
   WriteProcessMemory(process, codeCave, &push, 1, NULL); // "PUSH" opcode
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+1), &InstructionPointer, 4, NULL); //return address
   WriteProcessMemory(process, (LPVOID)((DWORD)codeCave+5), &retn, 4, NULL); //"RETN" opcode

   return codeCave;
}

CONTEXT RetriveThreadControlContext(HANDLE thread)
{
   CONTEXT threadContext;
   threadContext.ContextFlags = CONTEXT_CONTROL;
   GetThreadContext(thread, &threadContext);
   return threadContext;
}

int _tmain(int argc, _TCHAR* argv[])
{
   char windowTitle[128];
   cout << "Enter the title of the window to inject the code into:" << endl;
   cin >> windowTitle;
   cout << endl;
   
   partialTIB TIB = GetWindowThreadInformation(windowTitle);
   cout << "Detected proc: " << TIB.ProcessID << endl;
   cout << "Detected thread: " << TIB.CurrentThreadID << endl;


   HANDLE thread = OpenAndSuspendThread(TIB.CurrentThreadID);
   CONTEXT threadContext = RetriveThreadControlContext(thread);

   HANDLE process = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, false, TIB.ProcessID);
   LPVOID codeCave = CreateCodeCave(process, threadContext.Eip);

   threadContext.Eip = (DWORD)codeCave;

   threadContext.ContextFlags = CONTEXT_CONTROL;
   SetThreadContext(thread, &threadContext);

   ResumeThread(thread);
   Sleep(2000);

   VirtualFreeEx(process, codeCave, 6, MEM_DECOMMIT);
   CloseHandle(process);
   CloseHandle(thread);


   while (true)
      Sleep(100);
   return 0;
}

I hope you guys enjoyed this tutorial.
I have many other, more advanced things I would love to make tutorials about, but it will depend on the response I get from this one - all feedback is welcome!

Thanks for reading.
//DarkstaR
[/quote]