To follow, the previous posts (Injections & Security) - I developed a CODE injection module which is able to consistently inject into Mozilla Firefox. Instead of developing a DLL Injection module, I developed a Code Injection module. As Software Engineers in top businesses say - "Code Should be left to the bare minimum", I followed this "tradition" and developed a single application to inject without external file(s).
For those who never heard about Code Injection, I am going to explain what code injection is and it's uses in both commercial softwares, and Security Exploitation Software.
As there are several methods to inject into a application - PE Injection, DLL Injection etc. Code Injection is one of the rarest, first being obviously PE Injection ( Due to difficulty of the long-windedness of the procedure). Code Injection is a method in which we execute our own code\instructions inside a different processes memory space.
Code Injection, unlike DLL Injection, takes a little bit more hard work:
- Calculating injected thread's size
- Exporting single functions from libraries
- Correct Code Placement among Source
- Thread\Code Objects must be all correctly calculated and allocated.
- Manual Thread synchronization such as exporting other functions addresses
All in all, Code Injection is all maintained manually and checked prior to compilation; Code Injection is also infamous for amount of bugs which can be extremely hard and difficult to locate and remove.
Nevertheless, it has unique uses both for commercial uses and for Security Exploitation software, for commercial application development it can be used in various different scenarios:
- To reduce\minimize the size of the code inside a Project as we do not need to develop a DLL and Application.
- To add security watchdog on the software\application
- To add new plugins, without the Developers having *much knowledge about Firefox SDK
- To perform\check system maximum performance
These are few uses of Code Injection in commercial application development although there are way...way more uses in commercial application development, but I'll leave that to your imagination. As for Security Exploitation software, these include:
- To steal and grab vital form data as they are sent.
- To check for signs of Malware present in the system.
- To unhook and prevent Malware from entering vital processes memory space
- To bypass AV firewall solutions
- Bypassing AV proactive file scanning as we are not dropping any malicious DLL files, which may get flagged by local Anti-Virus solution.
Again, this shows small amount of examples in which Code Injection can come into use - but I'll again, leave this to your imagination.
Before you dwell deep into examining the source code provided, I will break down the steps I followed in order to achieve a perfect code injection into Mozilla Firefox:
- Create firefox process with the dwCreationFlag ( 6th Parameter in CreateProcess) set to CREATE_SUSPENDED
- As I inherited important information of the process from the PROCESS_INFORMATION structure such as - Main Thread, Complete Access Process Handle, Main Thread ID, Process ID.
- Then I initialized the parameter structure and later filled in all it's members with valid data
- Next I calculated and allocated memory and wrote the thread's memory inside the allocation unit of the injected thread inside the process memory space
- After I did the same for the parameters
- Lastly I created the remote thread inside the foreign process memory space.
***Note*** I did not do much error checking as I expected the application to work and it was not part of any projects nor large research but in fact a small test-run I did to check if the security of Mozilla Firefox was good.
The Mozilla Firefox version this is tested on is the latest for till this day (14/10/2013) version: 24.0
I expect this code to work on older versions & MAYBE future versions.
Proof-Of-Concept:
This blog post has become way too long than expected, so let me wrap it up and provide you with the code:
http://download1592.mediafire.com/42z1eoock2jg/0i7545s1yiweh41/FirefoxInjection.cpp
Hope you learned something new!
My pleasure
ReplyDeleteMy pleasure, this is yet not fixed and its completely ridiculous to see these sort of loop holes of BASIC code injection present by finest browsers.
ReplyDeleteI really hope the developers of Mozilla Firefox get their security skill back into shape before Firefox becomes number 1 target by malwares.