code injection by Fibers - ties2/Red-Team GitHub Wiki
Bypassing antivirus software is a key objective of attackers seeking to deploy malware on a target system. One way to achieve this is through code injection, a technique that involves inserting malicious code into a legitimate process. In recent years, attackers have been increasingly turning to fibers, a lightweight alternative to threads, as a way to bypass antivirus software. This essay will explore the concept of code injection by fibers and the methods used to bypass antivirus software.
Fibers are a lightweight alternative to threads that can be used to achieve high concurrency in software. Unlike threads, fibers are not scheduled by the operating system: the application itself decides when each fiber runs and switches between them explicitly. Fibers can be created and switched between using a small set of APIs, which makes them an attractive choice for developers seeking high concurrency in their applications.
However, fibers can also be used as a tool for attackers seeking to bypass antivirus software. By injecting malicious code into a fiber, attackers can evade detection by antivirus software that is designed to monitor the system for suspicious behavior. When the malicious code is injected into the fiber, it is executed within the context of the legitimate process, making it difficult for antivirus software to distinguish between legitimate and malicious code.
There are several methods that attackers can use to inject code into a fiber. One common technique is to use the SetThreadContext API to point the context of the target fiber at the attacker's code, so that the attacker's code runs within the context of the target fiber, effectively hijacking its execution.
Another technique is to use the SuspendThread and GetThreadContext APIs to suspend the target fiber and retrieve its context. The attacker then modifies the context to point to their malicious code and resumes the fiber's execution.
A third technique is to use the QueueUserAPC API to queue an asynchronous procedure call (APC) to the target fiber. When the APC runs, it executes within the context of the target fiber, and therefore within the context of the legitimate process.
To detect and prevent code injection by fibers, antivirus software can use a variety of techniques. One approach is to monitor the system for suspicious behavior, such as the creation of new fibers or the modification of existing ones. Another is to use heuristics to detect patterns of behavior indicative of code injection, such as the modification of thread contexts.
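The detection approach sketched above, as an added example that is not part of this wiki page: it groups API-call telemetry by source process and target process and flags a pair once the calls seen together cover one of the patterns the text describes (thread-context modification, remote APC queuing, fiber creation from executable memory). The telemetry format, field names and rule groupings are assumptions; the log lines are constructed sample data, and the Win32 API names are the real ones.

```python
import re
from collections import defaultdict

# Constructed API-call telemetry (sample data, not taken from the page): one call per line.
SAMPLE_LOG = """\
pid=4120 image=updater.exe api=VirtualAllocEx target=1337 protect=PAGE_EXECUTE_READWRITE
pid=4120 image=updater.exe api=WriteProcessMemory target=1337
pid=4120 image=updater.exe api=SuspendThread target=1337
pid=4120 image=updater.exe api=GetThreadContext target=1337
pid=4120 image=updater.exe api=SetThreadContext target=1337
pid=4120 image=updater.exe api=ResumeThread target=1337
pid=2200 image=svc.exe api=VirtualAllocEx target=1337 protect=PAGE_EXECUTE_READWRITE
pid=2200 image=svc.exe api=WriteProcessMemory target=1337
pid=2200 image=svc.exe api=QueueUserAPC target=1337
pid=3001 image=editor.exe api=VirtualAlloc target=3001 protect=PAGE_EXECUTE_READWRITE
pid=3001 image=editor.exe api=ConvertThreadToFiber target=3001
pid=3001 image=editor.exe api=CreateFiber target=3001
pid=3001 image=editor.exe api=SwitchToFiber target=3001
pid=5555 image=debugger.exe api=GetThreadContext target=1337
"""

LINE_RE = re.compile(r"pid=(\d+) image=(\S+) api=(\S+) target=(\d+)(?: protect=(\S+))?")

# Each rule is the set of calls that, seen together from one source against one target,
# make up a pattern from the text. "exec-alloc" is a synthetic token added for any
# allocation that requested executable memory (assumed rule groupings, not a standard).
RULES = {
    "thread-context hijack": {"SuspendThread", "GetThreadContext", "SetThreadContext", "ResumeThread"},
    "remote APC injection": {"exec-alloc", "WriteProcessMemory", "QueueUserAPC"},
    "fiber launch from exec memory": {"exec-alloc", "ConvertThreadToFiber", "CreateFiber", "SwitchToFiber"},
}

def detect(log):
    """Return {(source_pid, image, target_pid): [matched rule names]} for covered rules."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m: continue  # skip unparseable telemetry instead of aborting the scan
        pid, image, api, target, protect = m.groups()
        key = (int(pid), image, int(target))
        seen[key].add(api)
        if protect and "EXECUTE" in protect: seen[key].add("exec-alloc")
    hits = {}
    for key, calls in seen.items():
        matched = [name for name, needed in RULES.items() if needed <= calls]
        if matched:  # a lone GetThreadContext (e.g. from a debugger) covers no rule
            hits[key] = matched
    return hits
```

Run `detect(SAMPLE_LOG)` to see the three flagged pairs; the debugger's single GetThreadContext call is not reported, which is the kind of false-positive control such heuristics need.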
In conclusion, code injection by fibers is a technique that is increasingly being used by attackers seeking to bypass antivirus software. By injecting malicious code into a fiber, attackers can evade detection and execute their code within the context of a legitimate process. However, there are several techniques that can be used to detect and prevent code injection by fibers, including monitoring for suspicious behavior and using heuristics to detect patterns of behavior indicative of code injection.