Windows-based CLI susceptible to process injection attack

The fresh hacking technique could hide malware in legitimate apps

Hacking

Hackers could exploit a fresh process injection technique to conceal malware in a Windows-based CLI app

Rotem Kerner, a security researcher with cybersecurity firm enSilo, discovered and dubbed the technique "Ctrl-Inject". It abuses the Windows "CtrlRoutine" function, a function that provides the mechanism for handling Ctrl signals in console application.

Ctrl-Inject basically causes malicious threads to spawn inside the processes of legitimate CLI apps, which then allows malicious code to be run. 

Every time a user (or a process) sends Ctrl + C (or Break) signal to a console-based process (such as cmd.exe or powershell.exe), a system process called csrss.exe will invoke the function CtrlRoutine in a new thread on the targeted process.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

"Essentially, in this process injection technique, we inject our code to the target process, but we never invoke it directly, that is, we never call CreateRemoteThread ourselves or alter execution flow using SetThreadContext. Instead, we are making csrss.exe invoke it for us which is far less suspicious since this a normal behaviour," said Kerner.

Among the applications that hackers could abuse are cmd.exe or powershell.exe, commonly found in most Windows systems. Normally, app processes can't be tampered with as Windows uses security protections such as Control Flow Guard and pointer encoding to verify such processes.

However, Kerner said in a blog post detailing the technical aspects of the flaw, that it was possible to bypass such protections.

Kerner said that a hacker could use the same function to create their own thread in a legitimate CLI app's process and run malware code. He said the main advantage of this technique over classic thread injection technique is that the remote thread is created by a trusted windows process, csrss.exe, which makes it much stealthier.

"The disadvantage is that it's limited to console application," he added.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Visit/business-strategy/public-sector/354608/uk-gov-launches-ps300000-sen-edtech-initiative
public sector

UK gov launches £300,000 SEN EdTech initiative

22 Jan 2020
Visit/hardware/354584/windows-10-and-the-tools-for-agile-working
Sponsored

Windows 10 and the tools for agile working

20 Jan 2020
Visit/web-browser/30394/what-is-http-error-503-and-how-do-you-fix-it
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020