Malware Analysis With HBGary Responder Professional
Introductions
Trainer
Class participant introductions
Name
Experience in Incident Response and Reverse Engineering
Why are you here?
What would you like to learn in this class?
Class Structure
This course is focused on Incident Response and
malware analysis using the HBGary Responder
Professional product. Each section of this course
features the following:
Lecture
Hands-on lab exercises
Quiz
Demonstrations and videos
Class Materials
Course DVD contains:
videos
slides
malware samples
Key
Demo video
Class exercise
Objectives
After completing this course, students will be able to:
Identify the role of physical memory in Incident Response
Explain Microsoft Windows Operating system internals
Install and use HBGary Responder Professional
Utilize a factors-based methodology for threat
assessment
Module 1
Memory Forensics is
Random Access Memory (RAM)
Contains the current state of the computer
Very far down into the weeds
A more complete investigation
Logged in Users
NDIS buffers
Open Files
Unsaved Documents
Live Registry
Video buffers (screen shots)
BIOS Memory
VOIP Phone calls
Advanced Malware
Instant Messenger chat
Perl scripts
Hex editors
Strings.exe, grep searches, manual carving
Volatility framework
Kernel mode
Can hide and modify low-level blocks of memory/disk
Can subvert software dumping of RAM
That's why we're working on ICEDUMP
Similar to the Princeton approach
Counter-Measures
Pause the processor (virtual machines)
Existing file system memory images (made by Windows)
Hibernation files
Crash dumps
Hibernation
Saves system state to disk for faster resume
Compresses physical memory and writes it to c:\hiberfil.sys
Space reserved when hibernation enabled
Not cleared, contains disk free space
Disk Data
Hibernation
Not enabled by default until Windows Vista
Now called Sleep
Hibernation
Header
Wiped upon successful restore
Free pages
Page tables
Compressed data
TIPS
Quiz
1. What information is found in RAM, but not on disk?
a) Passwords
b) Chat sessions
c) Saved documents
Quiz
3. Which of the following is NOT a countermeasure to
kernel-mode rootkits?
a) Locking your computer screensaver
b) VMware snapshot files
c) Hiberfil.sys
Module 2
Computers
Desktops, PCs, Laptops
Hardware
Commodity PCs are built from similar, replaceable components
Motherboard
Random Access Memory (RAM)
Hard disk drive
Peripherals (video card, keyboard, mouse)
Even Laptops?
Yes, even laptops. The components may be integrated together and less replaceable, but they still adhere to standardized designs and interfaces.
Diagram: motherboard layout: CPU, front-side bus, NorthBridge, memory (RAM), PCI slots, SouthBridge, I/O (serial/parallel, keyboard, mouse), USB, IDE/SATA, hard drive
Windows Concepts
The Windows OS is highly structured, and utilizes the following concepts:
Architecture Diagram: user mode holds the user applications, system support processes, services, environment subsystems and the Windows API; kernel mode holds the Executive, the base kernel, device drivers, USER and GUI support, and the HAL; privilege rings 0 through 3 are shown alongside
Windows Kernel
Kernel components have unrestricted access to the entire system (dangerous!)
The Windows Kernel is Ring 0
Diagram: privilege rings 0 through 3, with the Windows kernel in Ring 0
Windows Kernel
Windows Executive handles memory, process, thread, security, object, IO, and networking management
Hardware Abstraction Layer (HAL)
USER and GUI functionality
Device drivers provide extendable user and hardware input/output (I/O)
User mode contains:
User applications
Support processes (logon)
Service processes
Environment subsystems
Diagram: privilege rings 0 through 3
What is a Thread?
A Thread is a container for execution
Services
User mode programs that provide functionality independent of the current user
For example:
Task scheduler
Print spooler
Windows Update
Services
Services.exe
Svchost.exe
Others (see VMWareService.exe)
Registry
A system database that contains important system information
For example:
Startup settings
Hardware configurations
Application configurations
Current user data
Memory
Diagram: physical memory (2 GB of RAM) shared between the operating system and several 4 GB virtual address spaces
Virtual Memory
6 x 4 GB = 24 GB of logical memory, backed by 2 GB of physical memory and the hard drive
Paging to Disk
When Physical Memory is getting full, the least used
pages of memory are written to disk
When those pages are needed again, they are read
back into Physical Memory and some other pages are
written to disk. This is called Swapping.
Swapping reduces system performance.
Memory Dump
To get a complete collection of memory you need to collect two pieces:
Physical Memory
The on-disk pagefile
Unreferenced Memory
Unreferenced Memory is a feature of Windows Memory Management that may leave empty sections in a memory dump
When loading a binary from disk, the Windows Memory Manager may decide to only read portions of the binary into memory
The unread portions (unreferenced pages) of the binary are tracked
Diagram: a 4 GB virtual address space mapped onto 2 GB of physical memory, with the remainder backed by the pagefile and other files (ANYFILE) on the hard drive
Diagram: a memory block (0x00CD0000-0x00CDF000, PTE 0010-0015) as recorded in the VAD tree and the Memory Map: block length, the individual pages for this block, and its unreferenced pages
User Memory
Diagram: user address space layout: application binary, stack, heap or allocated memory (might be heap), application DLLs, system DLLs
Responder provides a complete picture of contents in memory
Quiz
1. Device drivers have what level of system access?
a) Restricted to the device the driver is written to control
b) Unrestricted!
c) No access
Quiz
3. How do programs allocate virtual memory?
a) Statically
b) Dynamically
Module 3
INTRODUCTION TO RESPONDER PROFESSIONAL
Architecture
User View
Digital DNA
Static PE Import
Binary import and analysis (static binaries from disk)
Machine details
Optional: add details about the Case and Machine
Pattern Files
Add a text (.txt) file to search for user-specified patterns.
Supported pattern file formats:
string: the search is NOT case sensitive
[hex]: brackets containing a hex pattern
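The pattern-file format described above, as an added example that is not part of the course material or of Responder itself: a small parser that compiles plain lines as case-insensitive string searches and bracketed lines as exact hex byte patterns, then scans a constructed memory buffer. Treating blank and '#' lines as ignorable, and also searching the UTF-16LE form of each string, are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed pattern file in the format the slide describes: a plain line is a
# case-insensitive string search, a line in square brackets is a hex byte
# pattern. Ignoring blank lines and '#' lines is an assumption of this example.
PATTERN_FILE = """
# suspicious strings
wincom32.exe
CurrentVersion\\Run
# hex patterns
[4D 5A 90 00]
"""


@dataclass
class Pattern:
    text: str      # the line as it appeared in the pattern file
    regexes: list  # compiled byte regexes to run over the memory buffer


def parse_pattern_file(contents: str) -> list:
    """Turn pattern-file lines into compiled byte matchers."""
    patterns = []
    for raw in contents.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hexdigits = re.sub(r"[\s,]", "", line[1:-1])
            if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits):
                raise ValueError(f"bad hex pattern: {line}")
            # a hex pattern is matched byte-for-byte, no case folding
            regexes = [re.compile(re.escape(bytes.fromhex(hexdigits)))]
        else:
            # string search: case-insensitive. Memory holds both narrow (ASCII)
            # and wide (UTF-16LE) strings, so both encodings are compiled;
            # re.IGNORECASE folds the letter bytes and leaves the NULs alone.
            regexes = [re.compile(re.escape(line.encode(enc)), re.IGNORECASE)
                       for enc in ("ascii", "utf-16-le")]
        patterns.append(Pattern(line, regexes))
    return patterns


def scan(buffer: bytes, patterns: list) -> list:
    """Return (offset, pattern text) for every hit, ordered by offset."""
    hits = []
    for p in patterns:
        for rx in p.regexes:
            hits.extend((m.start(), p.text) for m in rx.finditer(buffer))
    return sorted(hits)


# Constructed memory buffer: a DOS header stub, an ASCII string in a different
# case than the pattern, and a wide (UTF-16LE) registry path.
SAMPLE = (b"\x4d\x5a\x90\x00" + b"\x00" * 12
          + b"WINCOM32.EXE\x00"
          + "CurrentVersion\\Run".encode("utf-16-le"))

if __name__ == "__main__":
    for offset, text in scan(SAMPLE, parse_pattern_file(PATTERN_FILE)):
        print(f"0x{offset:08x}  {text}")
```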
Report Tab
The Report tab stores the human-readable results of an
analysis, and allows the user to quickly create report
items from interesting pieces of data, and to sort them
into groups or folders.
Report Panel
Case #: user-supplied number
Double-clicking any of the Report folders or Report items takes the user to the item entry in the Report summary
Report Summary
The Report Summary contains details of the items in the Report Panel.
Items in the Report Summary are designed to be exported in HTML, and can be printed.
Report Folders
Report folders can be added, edited and deleted by right-clicking the Report folder
Report Items
Report items can be moved up/down, edited, deleted and copied to the clipboard by right-clicking the Report item
Detail Panels
To access a detail panel for an entry in the Report or Object tabs, do one of the following:
1. Double-click the icon in the Object tab.
2. Click View Panels
Detail panels
Provide detailed information about the selected category in the Object panel
Data can be searched and exported to the following formats: PDF, HTML, RTF, XLS, Image, CSV, Text
MSDN Query
Objects Tab
Displays all harvested objects
Processes, modules, drivers
Strings, symbols
Macroscopic view of object data
Allows drill-down on most objects
Objects Tab
Project type
Top level folders
Leaf-node folders: double-click these to see the details view of the folder
Expandable folders: single-click these to expand the contents of the folder
Table: double-click this to see the contents of the table.
Snapshot Summary
The Snapshot Summary panel provides specific
information related to the case. The information is
user-supplied when the project is created, or is
generated during the static import process, and can be
edited or supplemented as the analysis progresses.
Drivers Panel
Device drivers are hardware-dependent and operating-system-specific, and they usually provide the interrupt handling for hardware on the system.
Processes Panel
Displays information about all processes running at the
time the memory image was taken.
Analyzing Modules
To extract and analyze a driver or process, right-click the package and choose Package > Analyze Binary, or simply double-click the package.
Module Post-analysis
Analysis creates two folders:
Function thunks
Global
Strings
Strings, a data type storing a sequence of data values expressed as a sequence of characters, provide clues to origin and intention
Usually in the language of the developer
Typically use descriptive variable names
Symbols
The Symbols panel provides information about a
binary's capabilities (by the functions that it imports),
and its utility by other applications (by the functions
that it exports).
Threads Panel
The Threads panel displays lists of OS threads.
Timeline Tab
(Responder Pro only)
Illustrates the data held in a REcon output file (.FBJ).
This data is organized into both a timeline and tracks.
Tracks can be viewed by process and thread, or by sample
group.
Canvas Tab
(Responder Pro only)
Visually renders relationships and flow
Control flow
Data references
Behavioral representation of the binary
Relationships are displayed graphically
No need to pore over disassembly language
Diagram legend: function head, function end, data reference
Binary Tab
The Binary tab displays the raw hexadecimal bytes that represent any specific binary. This view can be very useful in identifying the boundaries between code and data sections.
Digital DNA
(Responder Pro only)
The Digital DNA (DDNA) sequence appears as a series of trait codes that, when concatenated together, describe the behaviors of each software module residing in memory. DDNA identifies each software module, and ranks it by level of severity or threat.
DDNA Tab
HBGary DDNA technology evaluates binary behavioral characteristics and automatically provides an easy-to-understand description of suspicious traits
An excellent starting point for analyzing malware
Sort by severity and start analyzing from the top
DDNA Traits
Examine trait descriptions to gain a quick understanding of a binary's functionality.
Script Tab
(Responder Pro only)
The Script Panel allows a user to write C# scripts that can automate Responder features
Quiz
1. Which of the following is NOT a Responder project
type?
a) Physical Memory Snapshot
b) Logical Memory Snapshot
c) Static PE Import
Quiz
3. Which two folders are created after a binary is
analyzed?
a) Strings
b) Symbols
c) Global
VMEMs
VMWare session capture of run-time data
Lab Exercise 1
Module 4
Baserules.txt
What is the Baserules.txt file?
It is a malware identification file
It can Auto-magically analyze hits
Baserules.txt
Suspicious Strings
API calls
Bytes
Assembly
*Wildcards
Example
Dropper process
wincom32.exe
###################################
### Blacklisted Modules - Alert ###
###################################
Lab Exercise 2
Module 5
INTRODUCTION TO MALWARE
THREAT FACTORS
Threat Factors
Threats can be broadly grouped into six behavioral
categories, or factors:
Development
Communication
Command and Control
Installation and Deployment
Information Security
Defensive
Development Factors
Communication Factors
Where does it connect to on the Internet?
Drop point
IP addresses or DNS names
Defensive Factors
Does it:
have self-defense?
use stealth?
bypass parts of the operating system?
bypass virus scanners?
Quiz
1. Which of the following is not considered a malware threat factor?
a) Communication
b) Information Security
c) Offensive
Lab Exercise 3
Module 6
Communication
Malware is often designed to communicate over networks for various reasons:
Diagram: an attacker reaching targets or victims across the Internet, via a relay point or jump point, an infected website, or a server
Network Sockets
Look for:
active network connections
unusual processes communicating on the network
unusual port numbers
Examine IP addresses using http://arin.net/whois
APNIC (Asia Pacific Network Information Centre): http://wq.apnic.net/apnic-bin/whois.pl
Internet History
Examine and search for domains such as .cn, .ru, and others
Hooking
What is Hooking?
Modifying important locations so that the Malware can control OS functionality
Many different places can be hooked
Hooking Details (1 of 2)
Diagram: the normal OS function call path
Hooking Details (2 of 2)
Malware inserts itself between important functionality to control OS behavior
Diagram: malware interposed in the normal OS function call path
IDT/SSDT Hooks
Low-level hooks that allow the malware to:
Hide itself (processes, files, registry keys)
Communicate covertly
Control the OS
User-Mode Hooks
Hooks of user-mode applications or DLLs that allow malware to:
Hide itself (processes, files, registry keys)
Communicate covertly
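The check an analyst applies to the IDT/SSDT hooks described above, as an added example that is not part of the course material or of Responder: every SSDT entry should resolve into ntoskrnl.exe, and every IDT vector into ntoskrnl.exe or the HAL, so any entry whose handler lives in another driver, or in no loaded module at all, is a hook candidate. Module ranges, table contents and the driver name rootkit.sys are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed kernel module list, of the kind read from the Drivers panel.
# Addresses are made up; "rootkit.sys" stands for any driver that has no
# business owning a system service or interrupt handler.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x1F8000),
    Module("hal.dll",      0x806CF000, 0x020000),
    Module("win32k.sys",   0xBF800000, 0x1C2000),
    Module("rootkit.sys",  0xF8A3C000, 0x004000),
]

# Constructed SSDT excerpt: service index -> handler address. The indices
# resemble Windows XP but play no part in the check itself.
SSDT = {
    0x025: 0x805C1234,  # NtCreateFile, inside ntoskrnl.exe
    0x091: 0xF8A3C120,  # NtQueryDirectoryFile, redirected into rootkit.sys
    0x0AD: 0x8A4C0780,  # NtQuerySystemInformation, points into no known module
    0x112: 0x8060ABCD,  # NtWriteFile, inside ntoskrnl.exe
}

# Constructed IDT excerpt: interrupt vector -> handler address.
IDT = {
    0x2E: 0xF8A3C800,   # system call vector, should be KiSystemService in ntoskrnl
    0x30: 0x806D1230,   # HAL-owned interrupt handler
}


def owner_of(addr: int, modules):
    """Name of the module whose image range covers addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def audit_dispatch_table(table, modules, trusted):
    """Return (index, address, owner) for each entry whose handler is not inside
    a trusted module. owner is None when the address falls outside every known
    module, e.g. a handler placed in pool memory by a hidden driver."""
    suspicious = []
    for index, addr in sorted(table.items()):
        owner = owner_of(addr, modules)
        if owner not in trusted:
            suspicious.append((index, addr, owner))
    return suspicious


if __name__ == "__main__":
    for idx, addr, owner in audit_dispatch_table(SSDT, MODULES, {"ntoskrnl.exe"}):
        print(f"SSDT[0x{idx:03x}] -> 0x{addr:08x} owned by {owner or '<no module>'}")
    for vec, addr, owner in audit_dispatch_table(IDT, MODULES, {"ntoskrnl.exe", "hal.dll"}):
        print(f"IDT[0x{vec:02x}]  -> 0x{addr:08x} owned by {owner or '<no module>'}")
```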
Hidden Objects
Many objects can be hidden by malware. The most common are:
Processes
Files
Registry Keys
Hidden Processes
By hooking low-level calls on certain Windows API functions, malware can hide or remove itself from the list of processes
Malware can also modify low-level OS data to remove objects (instead of hooking)
Processes Panel
The processes panel identifies any processes that are hidden. Responder uses a variety of advanced techniques to locate hidden processes.
Hidden Drivers
By hooking specific functions or modifying low level data, malware can hide drivers
Remember, drivers provide unrestricted access to the system. Malware will often install a driver and then hide it.
Drivers Panel
The drivers panel identifies any drivers that are being hidden within the system. Responder uses a variety of advanced techniques to locate hidden drivers.
Quiz
1. When using the Open Network Sockets panel, look for
which of the following?
a) Active network connections
b) Unusual port numbers
c) URLs
Lab Exercise 4
Module 7
Module 8
INTRODUCTION TO API
What is an API?
An application programming interface (API) is:
the interface (calling conventions) by which an application program accesses operating system and other services.
defined at source code level, and provides a level of abstraction between the application and the kernel (or other privileged utilities) to ensure the portability of the code.
Windows API (1 of 2)
The Windows API can be grouped into the following eight functionality categories:
Base Services: Access to system resources (kernel32.dll)
Advanced Services: Access to Windows registry, shutdown/startup, and user accounts (advapi32.dll)
Graphics Device Interface: Output to monitors, printers, etc. (gdi32.dll & kernel-mode win32k.sys)
User Interface: Functionality to create and manage windows, buttons, scrollbars, mouse and keyboard input, etc (comctl32.dll)
Windows API (2 of 2)
Common Dialog Box Library: Access for opening and saving files, choosing color, font, etc (comdlg32.dll)
Common Control Library: Provides programs access to operating system advanced controls such as status bars, progress bars, toolbars and tabs (commctrl.dll)
Windows Shell: Application access to change and enhance the Windows shell (shell32.dll)
Network Services: Access to network capabilities (TCP/IP, NETBIOS, Winsocket, etc)
Analogy diagram: the DMV as a kernel, offering separate APIs for new license applications, license renewal, registration renewal, driving tests, and written tests
API Arguments
Arguments are inputs to the API
For example, an argument defines the location of the mouse pointer in the API of the comctl32.dll
A registry entry can also be an API argument
For example, the Recent Documents list in many common programs started as a registry entry, and is retrieved by the Windows API as an argument when the program starts
Windows API
Diagram: the path of a WriteFile call from user mode into kernel mode
1. Application calls WriteFile (Kernel32.DLL WriteFile)
2. Kernel32.DLL calls NtWriteFile (NTDLL.DLL NtWriteFile)
3. NTDLL.DLL issues a SYSENTER instruction (NtosKrnl.exe KiSystemService)
4. KiSystemService looks up the requested service in the System Service Descriptor Table (SSDT); the SSDT entry (0x84c0780 in the diagram) points to NtosKrnl.exe NtWriteFile
6. Perform a write
7. Return to user mode caller
Google Search
Within Responder, an API can be searched using the Google Text Search and Google Code Search features.
MSDN Description
The MSDN Library includes how-to and reference documentation, sample code and technical articles for Microsoft developer technologies and products.
http://msdn.microsoft.com
Quiz
1. The Windows API allows which mode access to system resources?
a) User-mode
b) Kernel-mode
Module 9
Objects of Interest
File extensions
.exe
.dll
.sys
CreateDirectory
GetSystemDirectory
CreateFile
DeleteFile
CopyFile
OpenFile
ExpandEnvironmentStrings
%PROGRAM FILES%
%SYSTEMROOT%
C:\
.EXE
*.*
\\ (double backslash)
MoveFile
\\TEMP
WINDOWS
SYSTEM32
cmd /c del
del %s
GetTempPath
.DLL
.SYS
.INI
.INF
.BAT
CreateDirectory, CreateDirectoryEx
mkdir, wmkdir, _tmkdir
_creat
system(mkdir )
system(md )
Environment Variables
ExpandEnvironmentString
GetEnvironmentVariable
getenv, putenv
%ALLUSERSPROFILE%
%APPDATA%
%COMPUTERNAME%
%COMSPEC%
%HOMEDRIVE%
%HOMEPATH%
%PATH%
%PATHEXT%
%PROGRAMFILES%
%PROMPT%
%SYSTEMDRIVE%
%SYSTEMROOT%
%TEMP% and %TMP%
%USERNAME%
%USERPROFILE%
%WINDIR%
%DATE%
%TIME%
%CD%
%ERRORLEVEL%
%RANDOM%
SHGetSpecialFolderLocation
CSIDL_ADMINTOOLS (FOLDERID_AdminTools): The file system directory that is used to store administrative tools for an individual user.
CSIDL_ALTSTARTUP (FOLDERID_Startup): The file system directory that corresponds to the user's nonlocalized Startup program group.
CSIDL_APPDATA (FOLDERID_RoamingAppData): C:\Documents and Settings\username\Application Data.
CSIDL_BITBUCKET (FOLDERID_RecycleBinFolder): The virtual folder that contains the objects in the user's Recycle Bin.
CSIDL_CDBURN_AREA (FOLDERID_CDBurning): C:\Documents and Settings\username\Local Settings\Application Data\Microsoft\CD Burning.
Use MSDN to look up all the possible values; the list is long.
Shell32 API
SHELL32.DLL
SHGetPathFromIDList
SHBrowseForFolder
SHGetSpecialFolderLocation
Internet Downloads
The WININET.DLL API
InternetOpenFile
InternetReadFile
InternetOpenURL
InternetConnect
winsock API
socket
WSASocket
connect
WSAConnect
http://
www
.com
HTTP/1.0
Content-Type
Try searching
CurrentControlSet
CurrentVersion
SOFTWARE (all caps)
HKLM\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\SYSTEM\CurrentControlSet\Services\{Service Name}
Lab Exercise 5
Lab Exercise 6
Livebin: inhold_toolbar.1.mapped
Description: Use graphing techniques to quickly isolate installation behavior of inhold.toolbar
Time: 25 minutes
Module 10
REGISTRY KEYS
RegCreateKey
RegOpenKey
.REG
regedit
RegCloseKey
CreateService
DeleteService
OpenSCManager
ServiceMain
ServiceDll
StartService
CurrentControlSet
SOFTWARE
\\ (double backslash)
CurrentVersion
User Init
HKLM\Software\Microsoft\Windows
NT\CurrentVersion\Winlogon\Userinit
The above key takes a comma-delimited list of programs to execute. Malware may install additional programs, or even replace the existing userinit.exe with a trojan version. The normal location for userinit.exe will be something like C:\WINDOWS\system32\userinit.exe (the Windows install directory will be system specific). Any strange-looking path or additional executables should be examined in detail.
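The Userinit check described above, as an added example that is not part of the course material or of Responder: the value is split on commas (the stock value carries a trailing comma), each entry is normalised, and anything other than the expected <SystemRoot>\system32\userinit.exe is reported, which covers both the extra-program case and the replaced-binary case. Tolerating quotes and a %SystemRoot% prefix, and the default system root of C:\WINDOWS, are assumptions of this example; the sample values are constructed.

```python
import ntpath
import re

EXPECTED_USERINIT = r"system32\userinit.exe"


def parse_userinit(value: str) -> list:
    """Split the Userinit value into its comma-delimited program entries.
    The stock value ends with a trailing comma, which yields no entry."""
    return [e.strip() for e in value.split(",") if e.strip()]


def audit_userinit(value: str, system_root: str = r"C:\WINDOWS") -> list:
    """Return every entry that is not the expected <SystemRoot>\\system32\\userinit.exe.
    The comparison is case-insensitive; stripping quotes and expanding a
    %SystemRoot% prefix are assumptions of this example."""
    expected = ntpath.normpath(ntpath.join(system_root, EXPECTED_USERINIT)).lower()
    findings = []
    for entry in parse_userinit(value):
        path = entry.strip('"')
        path = re.sub(r"%systemroot%", lambda _: system_root, path, flags=re.IGNORECASE)
        if ntpath.normpath(path).lower() != expected:
            findings.append(entry)  # report the entry exactly as found
    return findings


# Constructed Userinit values
STOCK = r"C:\WINDOWS\system32\userinit.exe,"
EXTRA_PROGRAM = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\wincom32.exe,"
REPLACED_BINARY = r"C:\WINDOWS\userinit.exe,"

if __name__ == "__main__":
    for label, value in (("stock", STOCK), ("extra", EXTRA_PROGRAM), ("replaced", REPLACED_BINARY)):
        print(f"{label:9s} -> {audit_userinit(value) or 'OK'}")
```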
Services Creation
Creating a service via API calls simply creates registry keys under the hood
CreateService
Lab Exercise 7
Type: Beizhu_2.vmem
Description: Use graphing techniques to quickly isolate the temporary path used with the RunOnce key
Time: 25 minutes
Module 11
RECONSTRUCTING FORMAT STRING OPERATIONS
Format strings
Format strings are important to understand because you will encounter them so often.
What are they?
Format string functions: printf, sprintf, fprintf, snprintf, swprintf, wsprintf, vsprintf, etc
Format specifiers: %s, %c, %f, %i, %d, %l, %lu, etc
Path Creation
GetSystemDirectory
Target: CreateRemoteThread livebin
GetSystemDirectory is used to place files in the windows/system32 directory
If the call is inside a subroutine, go up to the calling function to see what kind of arguments are passed in
Call setup
Batch Files
%1, %2, %3, etc
Used to indicate arguments passed to a batch file
Look for .bat extension in strings
Lab Exercise 8
Module 12
DROPPERS &
MULTI-STAGE EXECUTION
What is a Dropper?
Malware is delivered in steps
Dropper is initial downloaded package
Can be a Trojan or embedded exploit
Diagram: an embedded resource is decompressed to disk and then launched as an EXE
Multi-Stage Execution
Child Process Spawning
CreateProcess
ShellExecute
Creating Files
WriteFile
CopyFile
CreateProcess
Rundll32.exe
cmd.exe
cmd /c
command.com /c %s
ShellExec
ShellExecute
ShellExecuteA
WinExec
Shell32.DLL
exec
execve
system
@echo off
:%s
del %%1
if exist %%1
goto %s
rem %s"
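Reconstructing a format string operation, as an added example serving both the format-string module above and the batch-file template just listed (not part of the course material or of Responder): the first function enumerates the conversions in a format string so the analyst knows how many arguments to recover from the call setup, the second renders the string with those arguments the way sprintf would, including the %% to % collapse that turns del %%1 into del %1. The path format string and the line joins in the batch template are assumptions of this example.

```python
import re

# One C conversion specification: %[flags][width][.precision][length]conversion
# (%p and %n are left out; they have no sprintf-style rendering here).
SPEC_RE = re.compile(
    r"%(?P<flags>[-+ #0]*)(?P<width>\*|\d+)?(?:\.(?P<prec>\*|\d+))?"
    r"(?P<length>hh|h|ll|l|L|z|j|t)?(?P<conv>[diouxXeEfFgGcs%])"
)


def conversions(fmt: str) -> list:
    """List the conversions in fmt that consume an argument, in the order the
    arguments are pushed before the call. '%%' is a literal percent sign and
    consumes nothing; a '*' width or precision consumes one extra int."""
    consumed = []
    for m in SPEC_RE.finditer(fmt):
        if m.group("conv") == "%":
            continue
        if m.group("width") == "*":
            consumed.append("*width")
        if m.group("prec") == "*":
            consumed.append("*precision")
        consumed.append(m.group(0))
    return consumed


def reconstruct(fmt: str, args) -> str:
    """Render fmt with the recovered arguments the way sprintf would.
    Python's % operator accepts these specifiers and ignores the C length
    modifiers, so %lu renders like %u."""
    needed = len(conversions(fmt))
    if needed != len(args):
        raise ValueError(f"{fmt!r} consumes {needed} argument(s), got {len(args)}")
    return fmt % tuple(args)


# Constructed format strings of the kind found in the Strings panel.
# PATH_FMT builds a file path from a GetSystemDirectory() result.
PATH_FMT = "%s\\%s.dll"
# SELF_DELETE_FMT is assembled from the batch-file fragments on the slide
# (@echo off, :%s, del %%1, if exist %%1, goto %s); putting "if exist %%1"
# and "goto %s" on one line is an assumption of this example.
SELF_DELETE_FMT = "@echo off\r\n:%s\r\ndel %%1\r\nif exist %%1 goto %s\r\n"

if __name__ == "__main__":
    print(conversions(PATH_FMT))  # two %s: directory, then file name
    print(reconstruct(PATH_FMT, ("C:\\WINDOWS\\system32", "wincom32")))
    print(reconstruct(SELF_DELETE_FMT, ("loop", "loop")))
```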
Lab Exercise 9
Type: inhold_toolbar.1.mapped.livebin
Description: Recover ShellExecute arguments used within inhold toolbar
Time: 25 minutes
Multi-Stage Execution
Resource Extraction
OpenResource
Resource Extraction
Starting points for Resource Extraction
FindResource
SizeOfResource
PsCreateSystemThread
\\DosDevices
.sys
drivers
IoCreateSymbolicLink
IoDeleteSymbolicLink
IoCreateDevice
IoDeleteDevice
KeInitializeSpinLock
ObReferenceObjectByHandle
Child Processes
All of the child processes are available in the memory snapshot. Examine them all and compare them to one another.
Loaded Modules
Note how the copy of the process has more loaded modules
Compare Copies
Compare the secondary execution against the first one
Different number of loaded modules
The one with more modules implies that it has progressed farther in the execution lifetime
Unpacked Modules
RunDLL32
Executes a subroutine exported from a DLL
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
Example:
RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0
void CALLBACK EntryPoint(
HWND hwnd,
HINSTANCE hinst,
LPSTR lpszCmdLine,
int nCmdShow);
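Parsing the RUNDLL32 command-line form shown above, as an added example that is not part of the course material or of Responder: the DLL name and entry point are split on the first comma, and everything after the following space is the lpszCmdLine argument handed to the entry point, so the commas in desk.cpl,,0 are not separators. The quoted-path handling, the trusted-root list and the sample command lines are assumptions of this example.

```python
import ntpath


def parse_rundll32(cmdline: str) -> tuple:
    """Split a RUNDLL32 command line into (dll, entrypoint, arguments).

    Syntax: RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
    The DLL and entry point are separated by the FIRST comma; the text after
    the first space following the entry point is passed verbatim as
    lpszCmdLine, so commas inside it (desk.cpl,,0) are not separators.
    A DLL path wrapped in double quotes may itself contain spaces or commas."""
    tokens = cmdline.strip().split(None, 1)
    exe = ntpath.basename(tokens[0].strip('"')).lower() if tokens else ""
    if len(tokens) != 2 or exe not in ("rundll32.exe", "rundll32"):
        raise ValueError(f"not a rundll32 command line: {cmdline!r}")
    rest = tokens[1].lstrip()
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            raise ValueError("unterminated quote in DLL path")
        dll, rest = rest[1:close], rest[close + 1:]
        if not rest.startswith(","):
            raise ValueError("missing ,<entrypoint> after DLL path")
        rest = rest[1:]
    else:
        dll, sep, rest = rest.partition(",")
        if not sep:
            raise ValueError("missing ,<entrypoint> after DLL name")
    entry, _, args = rest.partition(" ")
    if not entry:
        raise ValueError("empty entrypoint")
    return dll, entry, args.strip()


def outside_trusted_roots(dll: str, roots=(r"C:\WINDOWS", r"C:\Program Files")) -> bool:
    """True when the DLL is an absolute path outside the trusted roots
    (constructed defaults). A bare name like SHELL32.DLL is resolved by the
    loader search path and cannot be judged from the command line alone."""
    if not ntpath.isabs(dll):
        return False
    norm = ntpath.normpath(dll).lower()
    return not any(norm.startswith(ntpath.normpath(r).lower() + "\\") for r in roots)


# Constructed command lines: the slide's own example and a dropper-style one.
CONTROL_PANEL = "RUNDLL32.EXE SHELL32.DLL,Control_RunDLL desk.cpl,,0"
TEMP_DLL = r'rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\inhold.dll",DllRegisterServer'

if __name__ == "__main__":
    for line in (CONTROL_PANEL, TEMP_DLL):
        dll, entry, args = parse_rundll32(line)
        flag = "SUSPICIOUS PATH" if outside_trusted_roots(dll) else "ok"
        print(f"{dll} -> {entry}({args!r}) [{flag}]")
```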
Module 13
Passwords
Keystrokes
Login credentials
Intellectual property/secrets
File scans
Keystrokes
Usernames and passwords
Screen shots / screen scraping
File Searching
Used for a variety of reasons
File Searching
Typical API Calls
FindFirst( )
FindNext( )
Strings
Wildcards
File Extensions
Target: soysauce
View Code
Keystroke Logging
Lab Exercise 10
Lab Exercise 11
Module 14
SHELL EXTENSIONS
The Shell
Malware can install one or more DLLs on the system that are tied into your shell, menus, mouse clicks, actions, browsing: almost anything you can imagine
Shell
ShellEx
Classes\Folder
Classes\CLSID
InProcServer32
shell\open
shell\open\command
exefile
batfile
comfile
ddeexec
HKCR\batfile\shell\open\command
HKCR\comfile\shell\open\command
HKCR\exefile\shell\open\command
HKLM\Software\Classes\batfile\shell\open\command
HKLM\Software\Classes\comfile\shell\open\command
HKLM\Software\Classes\exefile\shell\open\command
Module 15
BROWSER EXTENSIONS
The Browser
Malware can install one or more DLLs that are tied into your browser, browsing events, keylogging, user interface, and more
\Internet Explorer
\Extensions
\Explorer Bars
\Script
\Exec
\Browser Helper Objects
InprocServer32
URLSearchHook
Implemented Categories\
{00021494-0000-0000-C000-000000000046}
{00021493-0000-0000-C000-000000000046}
{4D5C8C2A-D075-11d0-B416-00C04FB90376}
InitPropertyBag\Url
Browser Extensions (1 of 2)
This includes adding menus and shortcuts, additional toolbars, explorer bars, and browser helper objects. A simple way to add an additional menu item or button is to register a GUID under the following key:
HKCU\Software\Microsoft\Internet Explorer\Extensions\{GUID}
HKLM\Software\Microsoft\Internet Explorer\Extensions\{GUID}
Browser Extensions (2 of 2)
You may also find subkeys that path to an executable or script:
HKLM\Software\Microsoft\Internet Explorer\Extensions\{GUID}\Script
HKLM\Software\Microsoft\Internet Explorer\Extensions\{GUID}\Exec
Lab Exercise 12
Module 16
Process Enumeration
For any process to write to another process, it needs a handle to the target
To get a handle to a process, the process must be located from the list of all processes
DLL Injection
Injected DLLs stand out clearly if they use:
Non-standard paths
Unusual or odd-sounding names
DLLs in Responder
All modules
Remote Threads
A remote thread is created in a second process, not part of the first process
A remote thread is typically used to inject a DLL into another process, but not always
A remote thread can also operate without a DLL injection; this is a more advanced technique
Page Protections
In order to inject against another process, memory protections will need to be unlocked
This is done via the VirtualQuery API
CreateRemoteThread
OpenProcess
VirtualAlloc
WriteProcessMemory
WaitForSingleObject
explorer.exe
SeDebugPrivilege
CreateToolhelp32Snapshot
CreateEvent
Process32First
Process32Next
Module32First
Module32Next
Lab Exercise 13
Time 25 minutes