Anti Forensic: Overwriting executable while it is still running

Download from: https://github.com/jmprsp/ProcessFailures

Reference: https://recon.cx/2016/talks/Process-Failure-Modes.html

As presented at RECON 2016 by James Forshaw. He demonstrated that he was able to overwrite an application's file on disk while it is still running as a process. According to his presentation, NtCreateUserProcess returns a file handle when it is called, and that file handle can be used to overwrite the running process's image on disk. His POC is in the form of C#/PowerShell; I simply converted it to C/Executable.

Figure 1. NtCreateUserProcess returning file handle

To demonstrate that it really works, I used an executable that simply pops up a message box, named demo.pdf. You can see the hexadecimal dump of the binary file in the HxD GUI below. On executing Overwrite.exe, demo.pdf is created as a process and, while it is still running, Overwrite.exe then overwrites demo.pdf with an actual PDF file (Process Failure modes – Final.pdf).

Figure 2. Initial Setup

Usage of the program is as follows: Overwrite.exe [Full path to executable] [input file]

Figure 3. demo.pdf overwritten with actual pdf

As we can see from the screenshot above, demo.pdf is running as a process, yet HxD already shows the new bytes in demo.pdf. We can also observe that the file size of demo.pdf has changed from 165KB to 3MB, proving that this trick did indeed work.

From an RE point of view, we should keep a lookout for the CREATE_INFO's AdditionalFileAccess mask and the use of undocumented APIs, as shown below.

Figure 4. AdditionalFileAccess Mask
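As an added example (not code from the original post or the ProcessFailures project), the following Python decodes an AdditionalFileAccess value into its ACCESS_MASK flags and reports whether it would let the process image be rewritten on disk, which is the bit a reverser or a detection rule should key on. The bit values are the standard winnt.h constants; the sample masks are constructed.

```python
# Added example: decode the AdditionalFileAccess ACCESS_MASK from the
# PS_CREATE_INFO passed to NtCreateUserProcess and flag write capability.
# Bit values are the standard winnt.h constants; sample masks below are
# constructed, not taken from the ProcessFailures PoC.

ACCESS_RIGHTS = {
    0x00000001: "FILE_READ_DATA",
    0x00000002: "FILE_WRITE_DATA",
    0x00000004: "FILE_APPEND_DATA",
    0x00000008: "FILE_READ_EA",
    0x00000010: "FILE_WRITE_EA",
    0x00000020: "FILE_EXECUTE",
    0x00000080: "FILE_READ_ATTRIBUTES",
    0x00000100: "FILE_WRITE_ATTRIBUTES",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
    0x02000000: "MAXIMUM_ALLOWED",
    0x10000000: "GENERIC_ALL",
    0x20000000: "GENERIC_EXECUTE",
    0x40000000: "GENERIC_WRITE",
    0x80000000: "GENERIC_READ",
}

# Rights that let the holder change the image file's bytes on disk.
# MAXIMUM_ALLOWED and GENERIC_ALL count because the object manager maps
# them to every right the caller's token permits, write included.
CONTENT_WRITE = {0x00000002, 0x00000004, 0x02000000, 0x10000000, 0x40000000}


def decode_access_mask(mask: int) -> list[str]:
    """Return the names of all set bits, lowest first; unknown bits are kept."""
    names = []
    for bit in range(32):
        flag = 1 << bit
        if mask & flag:
            names.append(ACCESS_RIGHTS.get(flag, f"UNKNOWN_0x{flag:08x}"))
    return names


def grants_content_write(mask: int) -> bool:
    """True if the mask would let the running image be overwritten on disk."""
    return any(mask & flag for flag in CONTENT_WRITE)


if __name__ == "__main__":
    # Constructed samples: default (no extra access), read/execute, and three write-capable masks.
    for sample in (0x00000000, 0x00000021, 0x00000006, 0x40000000, 0x02000000):
        verdict = "SUSPICIOUS" if grants_content_write(sample) else "benign"
        print(f"0x{sample:08x} {verdict}: {' | '.join(decode_access_mask(sample)) or '(none)'}")
```

A mask of zero is the normal case; anything that decodes to a write-capable right on the image file of a process being created is worth a closer look in the disassembly.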
