Friday, June 22, 2012

Syringe – DLL and Shellcode Process Injection Utility

If you remember an old post of ours on Shellcodeexec, you might have a faint idea of what Syringe does. Shellcodeexec is a small script that executes a sequence of opcodes in memory: it spawns a new thread in which the shellcode runs inside a structured exception handler (SEH). Syringe is a general-purpose injection utility for the Windows platform. It supports injection of DLLs and shellcode into remote processes, as well as execution of shellcode (via the same method as Shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations, and for executing custom-made DLLs.

Syringe can inject this modified version into the remote process and successfully execute shellcode in its context, interact with our shellcode and exit out of it, without damaging the remote process. Implementing this technique gives users an easy way of injecting shellcode into 32-bit processes while bypassing most forms of anti-virus! Simply put, the technique as implemented by Syringe follows these steps:

1. Opens a handle to the remote process.
2. Uses VirtualAllocEx to allocate memory in the remote process with the necessary permissions of read, write, and execute. Then uses WriteProcessMemory to copy the shellcode to the remote buffer.
3. Repeats step #2 with the assembly stub.
4. Starts the assembly stub via a call to CreateRemoteThread, with a pointer to the assembly stub as the function to execute and a pointer to the remote shellcode as the argument.
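The four-step sequence above is exactly what a detection engineer looks for on the defending side: one process opening another, allocating executable memory in it, writing to it, and then creating a thread in it. The following is an added example (not Syringe's code, and not from the original post) that correlates those API calls per source/target process pair in a constructed API-call trace; the log line format is an assumption for illustration, not the output of any real tool.

```python
"""Flag the OpenProcess -> VirtualAllocEx(RWX) -> WriteProcessMemory
-> CreateRemoteThread chain in a simple per-process API-call trace."""
import re
from collections import defaultdict

# Constructed sample trace (assumed format: "<n> pid=<src> api=<call> target=<dst> [prot=<hex>]").
SAMPLE_TRACE = """\
1 pid=4100 api=OpenProcess target=2200
2 pid=4100 api=VirtualAllocEx target=2200 prot=0x40
3 pid=4100 api=WriteProcessMemory target=2200 size=326
4 pid=4100 api=VirtualAllocEx target=2200 prot=0x40
5 pid=4100 api=WriteProcessMemory target=2200 size=48
6 pid=4100 api=CreateRemoteThread target=2200
7 pid=5300 api=OpenProcess target=2200
8 pid=5300 api=VirtualAllocEx target=2200 prot=0x04
9 pid=5300 api=WriteProcessMemory target=2200 size=64
10 pid=6600 api=VirtualAllocEx target=6600 prot=0x40
"""

LINE_RE = re.compile(r"pid=(\d+) api=(\w+) target=(\d+)(?: prot=(0x[0-9a-fA-F]+))?")
PAGE_EXECUTE_READWRITE = 0x40  # the RWX protection the injector asks for in step 2
CHAIN = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def parse(line):
    """Return (source_pid, api, target_pid, protection_or_None) or None if unparsable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    pid, api, target, prot = m.groups()
    return int(pid), api, int(target), (int(prot, 16) if prot else None)


def detect_injection_chains(trace):
    """Return (source_pid, target_pid) pairs that completed the full injection chain."""
    seen = defaultdict(set)  # (src, dst) -> chain steps observed so far
    hits = []
    for line in trace.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        pid, api, target, prot = rec
        if pid == target:  # allocating in one's own process is not remote injection
            continue
        if api == "VirtualAllocEx" and prot != PAGE_EXECUTE_READWRITE:
            continue  # a plain RW allocation does not satisfy the step-2 signal
        if api in CHAIN:
            seen[(pid, target)].add(api)
        if api == "CreateRemoteThread" and seen[(pid, target)] == set(CHAIN):
            hits.append((pid, target))
    return hits
```

On the sample trace only the pair (4100, 2200) is flagged: the second process never allocates executable memory or starts a thread, and the third only touches its own address space.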
