tl;dr: You’ll find the talk deck embedded within this post.
The relevant code is posted on Github – https://github.com/BreakingMalware/PowerLoaderEx
The folks at BSides were also kind enough to publish the video of our talk – https://www.youtube.com/watch?v=0BAaAM2wD4s
BSides LV last week, August 4th & 5th, was awesome! We don’t have a count on the exact number of attendees, but it did seem to approach the 1000 figure. Already at 10:00am there were no more walk-ins.
This was our first BSides and we were fortunate enough to be accepted to present: “Injection on Steroids: Code-less Code Injections and 0-Day Techniques”.
Most nefarious activities carried out by malware, such as running code inside Internet Explorer to steal passwords, hijack sessions, or conduct Man-in-the-Browser fraud, require code injection.
Two types of code injection techniques exist: those that originate from user mode and those that originate from kernel mode. User-mode injection techniques are more popular because they are simpler to implement and do not require elevated privileges. Yet most of them are easy to detect. On the other hand, fewer than a handful of kernel-mode injection techniques are known today. Although these techniques are more complex to implement, they are super-stealthy, flying under the radar of most defense solutions.
It is the malware authors’ goal to implement easy code injection while ensuring that the injection remains stealthy.
In this talk, we discuss known-yet-complex and less documented code injection techniques. We further expose additional new user- and kernel-mode injection techniques. One of these techniques we’ve coined “code-less code injection” since, unlike other known injection techniques, it does not require adding code to the injected process. We also reveal an additional kernel-mode code injection technique which is a variation of the technique used by AVs. However, as we demonstrate, malware can actually simplify this process.
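As an added illustration of the “easy to detect” point above (this is not code from the talk or from the PowerLoaderEx repository): the classic user-mode pattern, allocate memory in the target, write a payload, start a thread in it with CreateRemoteThread, leaves a cross-process thread-creation event that Sysmon records as Event ID 8. The script below runs a small triage over such records. The sample records, their flattened “Key=Value | …” layout, the path names and the allowlist are all constructed assumptions for this example; only the Sysmon field names are real.

```python
"""Triage of Sysmon Event ID 8 (CreateRemoteThread) records.

Added example, not code from the talk or from PowerLoaderEx. The classic
user-mode injection pattern (VirtualAllocEx + WriteProcessMemory +
CreateRemoteThread) produces exactly the cross-process thread creation
these records describe, which is why it is easy to spot.
"""
from typing import Dict, List, Tuple

# Constructed sample records, not real telemetry. Each line is one Event ID 8
# record flattened to "Key=Value" fields separated by " | " (an assumption of
# this example; the field names are Sysmon's own).
SAMPLE_EVENTS = [
    # Remote thread whose entry point is kernel32!LoadLibraryA: the DLL path
    # was written into the target first, so this is classic DLL injection.
    "UtcTime=2015-08-04 17:02:11.123 | "
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe | "
    "TargetImage=C:\\Program Files\\Internet Explorer\\iexplore.exe | "
    "StartAddress=0x00007FFB4C0E3E10 | "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL | "
    "StartFunction=LoadLibraryA",
    # Remote thread starting in memory that is not backed by any module:
    # shellcode written with WriteProcessMemory.
    "UtcTime=2015-08-04 17:02:12.456 | "
    "SourceImage=C:\\Users\\alice\\AppData\\Local\\Temp\\dropper.exe | "
    "TargetImage=C:\\Windows\\explorer.exe | "
    "StartAddress=0x00000000024A0000 | "
    "StartModule=- | "
    "StartFunction=-",
    # Benign: csrss.exe delivering a console control signal via
    # kernel32!CtrlRoutine, a well-known source of Event ID 8 noise.
    "UtcTime=2015-08-04 17:02:13.789 | "
    "SourceImage=C:\\Windows\\System32\\csrss.exe | "
    "TargetImage=C:\\Windows\\System32\\cmd.exe | "
    "StartAddress=0x00007FFB4C0F1A20 | "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL | "
    "StartFunction=CtrlRoutine",
]

# Entry points that mean "load my DLL" when used as a remote thread start.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Hypothetical allowlist of source images known to create remote threads
# legitimately; tune this to your environment (an assumption, not a standard).
BENIGN_SOURCES = {"c:\\windows\\system32\\csrss.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> List[str]:
    """Return the injection indicators present in one record."""
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if source in BENIGN_SOURCES:
        return ["benign-allowlisted"]
    if source == target:  # not a remote thread at all
        return []
    tags: List[str] = []
    if event.get("StartFunction") in LOADER_EXPORTS:
        tags.append("dll-injection")
    if event.get("StartModule", "-") in ("", "-"):
        tags.append("unbacked-start-address")  # thread starts outside any module
    if not tags:
        tags.append("remote-thread")  # cross-process thread, purpose unknown
    return tags


def triage(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (source, target, indicators) for every record worth a look."""
    findings: List[Tuple[str, str, List[str]]] = []
    for line in lines:
        event = parse_event(line)
        tags = classify(event)
        if tags and tags != ["benign-allowlisted"]:
            findings.append((event["SourceImage"], event["TargetImage"], tags))
    return findings


if __name__ == "__main__":
    for source, target, tags in triage(SAMPLE_EVENTS):
        print(f"{source} -> {target}: {', '.join(tags)}")
```

Two of the three constructed records are flagged: the LoadLibraryA start function gives away DLL injection, and a start address with no backing module gives away written-in shellcode. The kernel-mode and “code-less” techniques the abstract refers to do not go through this API path, so a rule like this one has nothing to match on; that asymmetry is the point the talk makes.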
Here’s our full deck of the talk:
I’d like to thank the BSides volunteers for videotaping the whole talk: https://www.youtube.com/watch?v=0BAaAM2wD4s
We’ve released the code via GitHub so you can grab it here: https://github.com/BreakingMalware/PowerLoaderEx