Techniques for Creating Process Injection Attacks with Advanced Return-Oriented Programming

Presented at DEF CON 32 (2024), Aug. 10, 2024, 5 p.m. (20 minutes).

This talk showcases techniques for process injection using advanced return-oriented programming (ROP). Process injection via ROP introduces significant hurdles: many WinAPIs must be chained together, each with complex parameters and return values. We give practical details on how best to manage this. One seemingly insurmountable challenge is identifying the target binary, because string comparison can be extremely difficult in ROP when the needed gadgets are lacking. We unveil a unique, universal solution that gives a reliable means of string comparison via ROP, which works all the time, allowing a specific process to be pinpointed and injected into via ROP. We created numerous patterns for different WinAPIs, allowing for as many as a dozen ways of preparing a specific WinAPI via ROP when using an approach centered around the PUSHAD instruction. With some WinAPIs, there are zero patterns for PUSHAD, forcing us to rely upon the much lauded “sniper” approach. We document all such variations of patterns for the WinAPIs in our demonstrated process injection. This research is not intended to demo a one-off example of process injection via ROP, but to provide a methodology that can be used time and time again, providing unique templates for others to use the same WinAPIs when attempting process injection via ROP.

Presenters:

  • Bramwell Brizendine - Assistant Professor at University of Alabama in Huntsville
    Dr. Bramwell Brizendine completed his Ph.D. in Cyber Operations. A security researcher, Bramwell is currently an Assistant Professor at the University of Alabama in Huntsville, and he is the founding Director of the Vulnerability and Exploitation Research for Offensive and Novel Attacks (VERONA Lab). A cybersecurity expert, Bramwell has taught numerous undergraduate, graduate, and doctoral-level courses in reverse engineering, software exploitation, advanced software exploitation, malware analysis, and offensive security. Additionally, Bramwell has authored several important cybersecurity tools, including JOP ROCKET, SHAREM, ShellWasp, and ROP ROCKET, which are open source and freely available. Bramwell was a PI on a $300,000 NSA research grant to develop a shellcode analysis framework, SHAREM. Bramwell has been a speaker at many top security conferences across the globe, including different regional variations of Black Hat, DEFCON, Hack in the Box, and more.
  • Shiva Shashank Kusuma - Computer Science Master's Student at University of Alabama in Huntsville
    Shiva Shashank Kusuma, a Computer Science Master's student at the University of Alabama in Huntsville, has a deep interest in software engineering and cybersecurity. When not at work, Shiva enjoys reading about Blockchain, Web3, and AI.