Presented By: David Korczynski, Ada Logics
Code injection is a technique that is becoming increasingly prevalent in attacks and data breaches. Both malware writers and dedicated penetration teams rely on these techniques because host-based intrusion prevention systems and enterprise application whitelisting are now widely deployed, which makes the whitelisted applications themselves lucrative targets for bypassing security checks.
In this course we will cover code injection from beginning to advanced. We will do a deep dive into the Windows API that makes injection possible and go through many existing techniques. You will be provided with source code and binaries of the code injection techniques and get your hands dirty by analysing real-world code injection attacks. We will go through how to detect each of the techniques and also observe how different endpoint protection systems deal with them.
The course starts with an introduction to the course toolbox and the first well-known code injection technique, via “CreateRemoteThread”. We will then progress through more advanced and modern techniques like process hollowing, PowerLoader, Atom Bombing, reflective DLL injection and more. The goal is an advanced understanding of contemporary code injection, built on hands-on experience and, by the end of the course, well-understood concepts.
- Provide students with a fundamental understanding of code injection techniques and their purpose.
- Bring students up to speed with the latest code injection techniques, including the strengths and weaknesses of each technique.
- Enable students to navigate the source code of code injection techniques.
- Enable students to analyse code injection techniques manually via a debugger.
- Familiarise students with how automated procedures for detecting and analysing code injection techniques work.
- Reinforce the above knowledge through exercises and hands-on experience.
Day 1 – Introduction and first code injections
Morning (9.00 – 12.00)
- Introduction and overview of course
- Introducing the toolbox
- Understanding physical and virtual memory, and Windows processes
- First code injection techniques (CreateRemoteThread)
- Executing and monitoring code injections
- Extracting code injection artifacts
Day 2 – In-depth view on common techniques and real-world attacks
Morning (9.00 – 12.00)
- Recap of day 1
- Reflective code injection (injections that never touch disk)
Afternoon (13.00 – 17.00)
- Constructing and analysing reflective code injection
- Process hollowing and hooking
- Constructing and analysing process hollowing
- Deep analysis of real-world attack
- Deep-dive into a real-world malware sample that heavily utilises code injections
Day 3 – Taking it to the next level with exploit-like techniques
Morning (9.00 – 12.00)
- Recap of day 2
- Chaining code injections together like APTs
Afternoon (13.00 – 17.00)
- Introduction to Return Oriented Programming (ROP) and Data Execution Prevention (DEP)
- Introduction to Windows shared objects and shared sections
- PowerLoader – Targeted code injection using exploit-like features
- Building and analysing PowerLoader
- Real-world example of PowerLoader malware
- Atom Bombing – Advanced code injection against any Windows process
- Further code injections
- Course summary and conclusion
This course has a broad audience and is relevant for both defenders and attackers, as well as both programmers and analysts. All of the exercises have source code and binary code available, so you can go through the exercises without writing a single line of code while still understanding the material of the course in depth. In particular, you do not need to be a programmer to use the information from this course.
Specifically, this course is aimed at:
- Malware analysts
- Threat analysts
- Incident responders
- Red team professionals who build custom tools
- Security engineers
It is expected that students have some information security experience and are familiar with the concepts of programming, assembler and debugging. The course is not a beginner's course, but it does not require you to be an expert in any of the three skills listed. We start from early beginner concepts and move on to advanced topics later in the course. As such, the learning curve can be steep at times, but the course comes with many tailored materials that students can digest at their own pace, e.g. exercises of varying complexity.
What to Bring
- A modern processor (we will run virtual machines, so more cores is better)
- At least 8 GB RAM
- At least 50 GB free disk space
- VMware Workstation Pro (we need Pro because of snapshots)
- Windows 7 x64 and x86, and Windows 10 x64 virtual machines
Students will be provided with
- Printed course book
- Source code and binary format of code injections introduced
- Examples of real-world malware that uses code injection techniques, including relevant and detailed analysis
- Access to online platform with exercises and content
About the Trainer
Lead Instructor – David Korczynski, Ada Logics – @davkorcz
David Korczynski is a researcher in software security and program analysis. He specialises in building tools to automate reverse engineering, be it custom malware sandboxes, static analysis tools, automatic bug finders, compiler extensions, etc. He is a co-founder of Ada Logics, a company that specialises in advanced software research for high-profile industry clients. Ada Logics specialises in automatic program analysis for software security. David finished his PhD in Computer Science at Oxford University, where he specialised in the automatic analysis of malware that uses advanced code injection techniques and other complex obfuscation techniques. He has carried out software security research in both industry and academia.