Friday, November 23, 2012

Suicide via Remote Code Injection

A feature which very common among malwares that is "Self-Deletion". Malware authors uses various techniques to delete it self after successful infection. Very famous malware Flame had a built-in feature called "SUICIDE" that can be used to uninstall the malware from infected computers.

Please remember this information is for Educational Purpose only and should not be used for malicious purpose.I will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this article.

Last night I wrote a very simple program that deletes it self without making any new copy of itself or creating any new process.
It actually injects some raw machine code (ShellCode) to any legitimate process and creates a new thread under that process. So when the injected ShellCode execute it deletes the main executable.

So here how it injects code to another process in this case it injects to explorer.exe. Its very common and usual technique to inject arbitrary code into any other process's address space.

So when you execute the compiled binary,

1) It first resolves the PID of explorer.exe. We know that explorer.exe is a process which will always be present in any windows system.
2) After getting the PID it gets the Handle to explorer.exe by using OpenProcess() API.
3) After that it allocates some memory on the remote process's (explorer.exe) address space for our ShellCode using VirtualAlloc() API.
4) After successful allocation it uses WriteProcessMemory() to write the shellcode into remote process.
5) Then it creates a new thread,which will then create a thread and execute the injected shellcode.

Few things about injected shellcode:

I have written the ShellCode in such way that the executable file path (file to be deleted) can just be appended with ShellCode.
Sot the main executable actually writes the [Shellcode]+[Full path of itself] to explorer.exe

The ShellCode present in this below example is HardCoded so it should only work on WinXP SP2 system.
When our main executable transfer the control to our shellcode it waits for 5 seconds (Usign Sleep!Kernel32.dll )and then delete the main executable using DeleteFile!Kernel32.dll.

Here is the C code.