Code injection is a technique attackers use in more and more of today's breaches. As enterprise organizations deploy application whitelisting, the old approach of dropping an executable to disk and running it becomes less effective every day. Contrary to many media reports, as an industry we are getting better at defense. While traditional code injection is nothing new, attackers are developing new techniques regularly.
Unfortunately, most defenders have no idea how code injection really works. It's challenging to investigate attackers using code injection if you don't understand what they are doing. Most defenders know that code injection exists but hope that endpoint protection products (dare I say antivirus) will take care of it.
Incident responders and forensic investigators are not doing much better. Many reports that blame "code injection" do so by elimination: "We've checked for all the stuff we know and didn't see any of that - it must be code injection." In this unfortunate model, code injection has become the bogeyman. Investigators who understand the mechanics of code injection truly understand the realm of the possible and are better prepared to investigate today's breaches.
But what about penetration testers and red team members who use code injection on a regular basis? Sadly, most of them don't really understand it either. Ever used the "migrate" feature of Metasploit? You've used code injection. Do you know how it works or why? You should – it will make you better at your job. Professional pilots don't just train for flying in calm weather. They train for flying in choppy weather, when an engine fails, and everything goes to pot.
Whether you're in infosec offense or defense, truly mastering code injection will make you better at what you do. In this course, you'll learn all the application programming interfaces (APIs) that make code injection happen. For each code injection technique, you'll receive source code that uses the technique. We'll examine how the technique works, how stealthy it is, which endpoint protections stop it, and what forensic artifacts it leaves behind.
We'll start by covering the basics of code injection, using the venerable "CreateRemoteThread", and move into advanced topics like Atom Bombing and Gargoyle that evade many traditional forensics techniques. Along the way, we'll cover how DLL sideloading is used to inject code into processes and what this looks like forensically. We'll cover how hooking can be used to bypass antivirus while leaving little forensic evidence on disk. You'll also learn how memory-only (so-called fileless) malware operates.
Although this is not a programming course, we will get our hands dirty with some code. Not a programmer? Don't worry: completed projects are provided, so you don't have to write a single line of code. We provide pre-built binaries as well, but having the source available is critical for experimenting with the techniques.
We'll also spend some time in the debugger and in IDA Pro. Why? Defenders don't have source code or usage documentation for the malware they find in their environments. They must analyze the programs the attacker left behind. Reverse engineering is not the primary focus of the course, but we will have an assembly, debugger, and disassembly primer for those not familiar with those concepts.
Day 1: Introduction to the Windows API, code injection, and detection/forensics techniques
Introduction to our toolset:
- Visual Studio, x32/x64dbg, IDA Pro (freeware edition), and Volatility
- Lab: Tool familiarity/installation
- Introduction to virtual memory, cross process injection, and hooking
- Lab: Investigating cross process injection with Process Hacker
- Building code injection tools with CreateRemoteThread – the OG of code injection
- Lab: Building and using CreateRemoteThread code injection tools
- Memory forensics topics in code injection
- Lab: Investigating code injection using memory forensics
- Investigating code injection tools that use CreateRemoteThread
- Lab: Investigating CreateRemoteThread code injection tool artifacts
- DLL Sideloading and path abuse
- Lab: Constructing DLL sideloading attacks and detecting/investigating them
Day 2: Reflective injection and process hollowing
- Reflective code injection – code injection that never touches disk
- Building reflective injection code and investigating how it works
- Lab: Building and deploying reflective injection code
- Detecting reflective injection code and investigating attacks that use it
- Lab: Detecting and investigating reflective injection attacks
- Process hollowing – what is it, why does it exist, and how can we use it
- Lab: Building and deploying process hollowing code injection tools
- Detecting process hollowing code and investigating attacks that use it
- Lab: Detecting and investigating process hollowing code injection attacks
Day 3: Bam – Crank it up another notch!
- Hollowing processes that are already running to bypass AV
- Lab: Building and deploying running process hollowing tools
- Putting it together like a nation state – chaining code injection techniques like Stuxnet
- Lab: Build your own Stuxnet
- Detecting and investigating chained code injection techniques
- Lab: Investigate your own Stuxnet
- Hooking to inject code
- Lab: Building and detecting code injection using hooking
Day 4: The good, the bad, and the WTF was that?!
- Understanding how code injection attacks can use scripting languages like PowerShell
- Lab: Deploying and investigating PowerShell code injection
- Data Execution Prevention (DEP) and Return Oriented Programming (ROP) fundamentals
- Atom Bombing (no, not the Manhattan Project) – learning about Desktops, Atoms, and other Windows objects
- Lab: Building and deploying Atom Bombing code
- Investigating artifacts left by Atom Bombing attacks
- Lab: Detecting and investigating Atom Bombing attacks
- Evading memory forensics detection using Gargoyle (another ROP based technique)
- Building Gargoyle code to avoid detection by traditional antivirus
Who should take this course:
- Red team personnel who need to build custom tools that bypass antivirus.
- Forensics investigators and incident responders who want to understand how code injection works and what artifacts they can expect to find.
- People who want to get some malware reversing experience, particularly as it applies to code injection (note: this is NOT a comprehensive reverse engineering course; we'll cover some basics, but this is NOT the course if you want a full RE experience).
- Reverse engineers who want to ramp up their understanding of stealthy code injection techniques and take their reversing projects to the next level.
- Computer Network Operations tool developers who want to jumpstart their understanding of code injection or need to understand how forensics investigators may find their tool artifacts.
This is not a beginner course. It is an intermediate to advanced course. The only reason it's not listed as advanced-only is that we cover code injection from multiple angles, so each angle gets (just a smidgen) less depth than it would if the course were solidly about one discipline.
Students should have some infosec experience. Programming experience is helpful but not required. Reversing, assembly, and debugging experience is also helpful, but we'll cover everything you need to know in the course itself. Any memory or host forensics experience you have will help you understand course concepts, but again, it is not required.
What you do need to bring is a good attitude and a willingness to learn complex topics. If code injection were easy, everyone would be doing it and there would be no reason for this course. Be ready to work. Be ready to review the course material overnight so you're ready for the next day (each day builds on the last). If you enjoy a challenge, this course is for you. If you want to be spoon-fed stale information for some exam, go somewhere else.
A laptop with:
- A modern processor (more cores are better than fewer)
- At least 8 GB RAM
- At least 50 GB free disk space
- VMware Workstation Pro (VMware Player is not acceptable because it does not support snapshots)
- An external mouse (using a touchpad with a debugger sucks)
- A Windows 7 x64 VM and a Windows 10 x64 VM (Professional edition preferred in both cases, but not required)
Also bring a sweatshirt or light jacket – hotels never seem to be able to control the temperature, and it sucks to be cold all day.
Jake Williams is an accomplished infosec professional with almost two decades of industry experience. After spending more than a decade in the US Intelligence Community performing various missions in offensive and defensive cyber, Jake founded Rendition Infosec where he leads a team of professionals performing adversary emulation, incident response, malware reverse engineering, forensics, and exploit development. He is an accomplished conference speaker and is a recognized leader in the infosec community. Jake loves teaching and mentoring other information security professionals and teaches thousands of information security professionals annually. After being called out by the Shadow Brokers, Jake's past is officially no longer a secret. He's lived through the things that most in our industry have only read about in books. He brings insight that his background affords to his professional work and mentoring, providing students and clients an experience they can't get anywhere else.