My friend standing next to me, this is his first time speaking at DEF CON. His name is Sheng-Hao Ma, and he wants to play with malware injection with exploitative thoughts. I don't know if I said that right, but let's hear him explain it. And before we get started, I'm going to give him a good congratulations. Are you already drinking? I already did. OK.

Hello, everyone. My name is Ma Sheng-Hao, and I'm just a master's degree student from Taiwan. I'm also a security researcher from CHROOT and TDOHacker. This is my first time speaking at DEF CON, so I'm a little bit nervous. And I just drank that shot, and it's very spicy. So that's OK. So let's do it.

So this is the agenda. First, I'm going to talk about what malware injection is, and then the vulnerability inspired by PowerLoader. So let's quickly review what malware injection is. In the past, malware injection was useful for bypassing some protection, like bypassing firewall tracking, bypassing antivirus, or privilege escalation. For example, with DLL sideloading and a digital signature, we can bypass the antivirus. With remote injection into a whitelisted process, we can bypass the firewall. And with injection into explorer, digital signing and a self-elevated service, we can bypass Windows UAC protection. So there are several well-known techniques. We already know about those injection technologies, like shellcode injection, DLL injection, process hollowing, thread hijacking, AtomBombing, and memory exploits. In my presentation, I will focus on how to do malware injection in an exploit way.

If you want to do malware injection, actually there are four challenges you will meet. The first one is: what is the target? You should choose a good target for injection, and this target must be meaningful. Secondly, where to place it: a memory space for us to place our malware code in the remote process. Thirdly, we need to know how to write the malware code from remote. And finally, we need to find a way to run the malware code from remote. This is the most difficult part for us. You can create a new thread, hijack the current thread, or whatever.

So this is an interesting case for us. We are talking about PowerLoader. What is PowerLoader? PowerLoader is known as the Extra Window Memory vulnerability. So what is it? There is window data in the explorer process memory, and that data decides how your GUI, how your window, looks. And this is how it goes. First, the operating system sends a message to your explorer. Secondly, explorer fetches the vtable from the window data. Finally, explorer invokes the callback functions on the vtable. And you will say, why is that a problem? It seems very normal. It's general. So why is it a problem? The problem is how explorer fetches the vtable, because we know explorer will invoke the callback function from the vtable. Actually, it fetches the vtable by a Windows API named GetWindowLong. So we can easily modify the result of the GetWindowLong API: just use the SetWindowLong API to change the vtable address. So let's put it all together. We know that if we can inject a fake vtable, then we can use the SetWindowLong API to point the vtable address to the fake vtable. And then, if we send any message to explorer, explorer will invoke our malware code from the fake vtable.

So I give a flow here: we just prepare our shellcode and prepare our memory layout of the vtable, then use the SetWindowLong API to modify the vtable address of the target, a.k.a. explorer. Then just send a message to the explorer and it will trigger our payload. So let's see a quick demo. Here, here, ah, OK. Here you can see, let's test on Windows 7, and here is my shellcode. It's pretty hard to use the big screen. And then you can see I prepare our memory layout and inject the fake vtable into the target explorer and send a message to explorer. You can see if we compile, explorer is crashed and runs our shellcode on the remote side.

So there are three more vulnerabilities we are talking about next. The first one is the OLE drop target event. What is it? If you do some reversing stuff, you will see code like that on the screen: explorer uses GlobalAddAtom to keep a string named OleDropTargetInterface. This string is just kept by the GlobalAddAtom API. Then you can see, when explorer tries to register a drag-drop event, explorer stores the drop target structure in the OleDropTargetInterface property. So you will ask, what is the drop target? What is this structure useful for? You can see the drop target is actually a vtable class. It keeps every callback function for the drag-drop event. So when you try to drag any files to explorer or inside explorer, you will trigger a drag-drop handler function. In this function, explorer will try to use the GetPropW API to fetch the vtable class and invoke the function on the vtable when you drag any files inside explorer. And you will ask, why is that a problem? The problem is it's pretty easy for us to modify the vtable address by another API, SetPropW. If we use this API, we can modify the vtable address. So what we need to do is inject a fake vtable and point the OleDropTargetInterface property to our fake vtable.

So finally, let's see how it goes. You can see, if we drag files inside the explorer, then the operating system sends a message to our explorer. Then explorer fetches our fake vtable by the GetPropW API, because we just used the SetPropW API to change the vtable address. Then the explorer will invoke the malware code from our fake vtable. So if we prepare our shellcode and the vtable at the correct memory address, then use the SetPropW API to modify the vtable address of the window data, whenever explorer sends or receives any drag-drop event message, explorer will invoke the malware code of our shellcode. So that's the first one. You can see how we inject the drag-drop event of explorer. First, you can see our shellcode. Here what we need to do is prepare our vtable address, and in the vtable prepare our shellcode address. The explorer will call the function at memory + 0xC. And we write the process memory, the shellcode into the vtable and the shellcode into the target process. Then just use the SetPropW API to modify the OleDropTargetInterface property. So you can see if we compile, oops, oops, and we compile and inject the shellcode and the vtable into the target. And nothing happens, but if we drag any file into explorer, you can see there's a message box, and it is from the shellcode. Then you can see we can look at it in Task Manager, and you can see it's from explorer. This message box popped up from the explorer. So, oh, so silent.

The second case is the comctl32 subclass event. First, explorer keeps the UxSubclassInfo property string by the GlobalAddAtom API again. Explorer invokes the MasterSubclassProc function if it receives any message. In this function you can see explorer calls the function GetSubclassHeader first to fetch the window data, then verifies the window data we just got by another function, the EnterSubclassFrame function. Then finally, if the window data is correct, explorer will try to invoke the function on the window data. So let's see how explorer checks the window data and how it calls the function. In the EnterSubclassFrame function, as we just said, it's used to verify whether the window data is correct or not. So all you need to care about is here: the vtable plus A, the function address, should be null, or it will fetch a bad memory address and make explorer crash. So we need to prepare our vtable and we need to keep it null at the window data plus A. And in the EnterSubclassCallback function you can see the vtable is actually dynamic. So explorer has a rule, actually on this slide you can see explorer has a rule to get the callback function dynamically in our vtable address. So we can use this rule to check which address our shellcode address should be at. And finally explorer invokes the address we just got from the window data to process any message. So we just need to prepare another vtable and our shellcode in the vtable address and put it all together at the correct memory address. Then just use the property API to modify the vtable address and just use SendMessage to trigger a message function of explorer.

This is another, more interesting case here. You can see it's Metasploit I built on my PC, and it's finished, and Windows Defender is on. I just took this video yesterday, and whenever I just click the POC, you can see nothing happens for the user. The victim doesn't see anything there. But our Metasploit here gets a reverse shell and we can do anything, like ls, systeminfo, and even we can execute a CMD. You can see Windows Defender is not alerting anymore, no pop-ups. And you can see the CMD comes from explorer.

OK, so the final interesting case is thread hijacking. In this case, the vulnerable code is inside Windows 10, so if you use Windows 7 and Windows 8 you are safe. Yes, it's pretty ridiculous. Every process is created on the Windows operating system by the API CreateProcess. The kernel will create a new process and map each section into the new process memory, then create a new thread, then point the PC register to the program entry, a.k.a. the address of entry. And the first thread doesn't just jump into the address of entry. The first thread will call LdrInitialize to repair the import address table, export directory and relocation information. And the interesting thing is, you will see, for now the thread should just jump into the address of entry, but no, for Windows 10 the thread will check a variable. Before the thread jumps into the program entry, every thread will jump into another address, the address of LdrDelegatedRtlUserThreadStart. If this variable is not null, it will jump into it. So you can see it's pretty easy for us to abuse: just put shellcode into the target process and write the shellcode address into the LdrDelegatedRtlUserThreadStart variable, its name is very long, and every thread must jump into the shellcode address if it's created in the target process.

So let's see the final demo here. You can see it's Chrome, and I open a new Chrome there. Here the only thing I need to do is to get where LdrDelegatedRtlUserThreadStart actually is, at which address. When we get the address, we just write our shellcode address into the variable. Then, in Chrome, you can see I just inject the shellcode and the variable into the target process and nothing happens there. But if we try to browse a new website like google.com, you can see there is a CMD coming from Chrome. Yeah, thank you. You can see the CMD comes from Chrome. So, OK, thank you for listening.