As presented in RECON 2016 by James Forshaw. He demonstrated that he is able to overwrite an application’s physical file while it is still running as a process. According to his presentation, NtCreateUserProcess returns a file handle when it is called. The file handle can be used to overwrite the running process His POC is in the form of C#/Powershell. I simply converted it to C/Executable.
To demonstrate that it really work, I used an executable that simply popup a message box; named demo.pdf. You can see the hexadecimal of the binary file in the HxD GUI below. On executing Overwrite.exe, demo.pdf will be created as a process and while it is still running, Overwrite.exe will then overwrite demo.pdf with an actual pdf file (Process Failure modes – Final.pdf).
Usage of the program is as follows: Overwrite.exe [Full path to executable] [input file]
As we can see from the above screenshot, demo.pdf is executed as a process but HxD has already reflected the new bytes in Demo.pdf. We can also observe that demo.pdf file size has changed to 3MB from 165KB proving that this trick did indeed work.
From a RE point of view, we should keep a look out on the CREATE_INFO’s AdditionalFileAccess mask and the usage of undocumented API as shown below.
As presented in RECON 2016 by James Forshaw. He demonstrated that he is able to execute a DLL as a standalone process. According to his presentation, the reason why a DLL can’t be executed as a process is due to a check on the ProhibitedImageCharacteristics field. His POC is in the form of C#/Powershell. I simply converted it to C/Executable.
So by simply resetting this field to 0, we could then run a DLL as a process!
The following is a DLL with a .txt extension; just for fun… using regsvr32 is one of the way to execute a DLL and as you can see, a messagebox shows up stating that it is a DLL.
Now using James approach, we can now execute pikachu.txt as an executable!
Looking it from IDA Pro
Note that one do not necessary need to clear the field with 0. Other values work as well.
The first project will be on Process Mode Failures by James Forshaw as presented in Recon 2016. The POC given by James is in Powershell/C#. I reproduced some of his work into C. Over the next few days you will find the following executables in github.
Executing DLL as a process [Uploaded]
Overwriting the physical file of a binary while it is still running as a process [Uploaded]