Secondary Categories: 02-Malware
Description:
Module stomping is essentially the process of loading a DLL into your process memory space, injecting code into a random point into that DLL, and executing the code that was injected.
Benefits
The classic shellcode injection allocates memory space in either the stack or heap then executes it. Since this method this is not associated with any DLL it is very simple to catch
Shellcode injected into Notepad using the classic method
If we analyze the current running threads while the message box (our shellcode) is running we can see suspicious behavior
Messagebox (our shellcode) stack thread
In the stack window above we can see in the first line that the last function call made by the thread is NtUserWaitMessage. We can also see where the first function call originates from⦠which is an unregistered memory location which is the location of our shellcode.
Explaination
First we want to add an arbitrary DLL into our current process memory space using LoadLibraryA API function. Using the BreadMan Module Stomping code we can then use InjectSCModuleStomp function passing in our handle to the victim library and tables structure.
the table parameter is used to hold the syscall info that is associated with the native API. This is helpful so the HalosGate technique can be used, which can prevent API Hooking
Resources:
| Title | URL |
|---|---|
| BreadMan Module Stomping using Native WinAPI | https://medium.com/@Breadman602/breadman-module-stomping-api-unhooking-using-native-apis-b10df89cc0a2 |
| BreadMan Module Stomping Code Example | https://github.com/Allevon412/BreadManModuleStomping |
| IRed.team Examples | https://www.ired.team/offensive-security/code-injection-process-injection/modulestomping-dll-hollowing-shellcode-injection |
Also Check Out:
- PLACEHOLDER