Windows-based CLI susceptible to process injection attack

The fresh hacking technique could hide malware in legitimate apps

Hacking

Hackers could exploit a fresh process injection technique to conceal malware in a Windows-based CLI app

Rotem Kerner, a security researcher with cybersecurity firm enSilo, discovered and dubbed the technique "Ctrl-Inject". It abuses the Windows "CtrlRoutine" function, a function that provides the mechanism for handling Ctrl signals in console application.

Ctrl-Inject basically causes malicious threads to spawn inside the processes of legitimate CLI apps, which then allows malicious code to be run. 

Every time a user (or a process) sends Ctrl + C (or Break) signal to a console-based process (such as cmd.exe or powershell.exe), a system process called csrss.exe will invoke the function CtrlRoutine in a new thread on the targeted process.

"Essentially, in this process injection technique, we inject our code to the target process, but we never invoke it directly, that is, we never call CreateRemoteThread ourselves or alter execution flow using SetThreadContext. Instead, we are making csrss.exe invoke it for us which is far less suspicious since this a normal behaviour," said Kerner.

Among the applications that hackers could abuse are cmd.exe or powershell.exe, commonly found in most Windows systems. Normally, app processes can't be tampered with as Windows uses security protections such as Control Flow Guard and pointer encoding to verify such processes.

However, Kerner said in a blog post detailing the technical aspects of the flaw, that it was possible to bypass such protections.

Kerner said that a hacker could use the same function to create their own thread in a legitimate CLI app's process and run malware code. He said the main advantage of this technique over classic thread injection technique is that the remote thread is created by a trusted windows process, csrss.exe, which makes it much stealthier.

"The disadvantage is that it's limited to console application," he added.

Featured Resources

Unleashing the power of AI initiatives with the right infrastructure

What key infrastructure requirements are needed to implement AI effectively?

Download now

Achieve today. Plan tomorrow. Making the hybrid multi-cloud journey

A Veritas webinar on implementing a hybrid multi-cloud strategy

Download now

A buyer’s guide for cloud-based phone solutions

Finding the right phone system for your modern business

Download now

The workers' experience report

How technology can spark motivation, enhance productivity and strengthen security

Download now

Recommended

SonicWall hacked via zero-day flaw in remote access tools
Security

SonicWall hacked via zero-day flaw in remote access tools

25 Jan 2021
Best ransomware removal tools
ransomware

Best ransomware removal tools

22 Jan 2021
Hackers publish over 4,000 files stolen from SEPA in ransomware attack
Security

Hackers publish over 4,000 files stolen from SEPA in ransomware attack

22 Jan 2021
Weekly threat roundup: SAP, Windows 10, Chrome
vulnerability

Weekly threat roundup: SAP, Windows 10, Chrome

21 Jan 2021

Most Popular

How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

21 Jan 2021
WhatsApp could face €50 million GDPR fine
General Data Protection Regulation (GDPR)

WhatsApp could face €50 million GDPR fine

25 Jan 2021
How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021