Testing Platform Invoke as a Tool for Shellcode Injection in Windows Applications


Bibliographic Details
Published in: Journal of Physics: Conference Series, Vol. 2096, no. 1, pp. 12048-12058
Main Authors: Fedorov, V. K.; Balenko, E. G.; Gololobov, N. V.; Izrailov, K. E.
Format: Journal Article
Language: English
Published: IOP Publishing, 01.11.2021

Abstract: This paper investigates software attacks based on shellcode injection into Windows applications. The attack uses platform invoke (P/Invoke) to inject binary code by means of system calls, creating a separate thread in the target process that carries the payload. The paper overviews protections against shellcode injection and, in doing so, analyzes the injection methods as well. The analysis models the injection of malicious code into a Windows application process, and on that basis the paper proposes a step-by-step injection method. To test the method, an experimental injection of user code is performed from PowerShell. The paper further shows the assembly code of a system call as an example of how system-call IDs are found in the global system call table, and it shows part of the source code for the injection of binary executable code. Various countermeasures are proposed in the form of software control modules built on a driver architecture. The paper also analyzes the feasibility of using dynamic invoke instead of platform invoke, which the authors plan to pursue in later work.
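The abstract lists locating system-call IDs as one step of the injection method, and it is also the step a detection engineer cares about, because user-mode monitors hook exactly the ntdll stubs that hold those IDs. The following C program is an added example, not code from the paper: it parses the documented prologue of a 64-bit ntdll Nt* stub (mov r10,rcx; mov eax,imm32; ... syscall) to recover the ID, and reports a stub whose first byte is a jmp rel32 (E9) as hooked, since the overwritten prologue can no longer be trusted. The stub bytes are constructed inline and the ID value 0x18 is purely illustrative (real IDs change between Windows builds), so the program compiles and runs on any platform without touching ntdll.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of inspecting the first bytes of an x64 ntdll Nt* stub. */
typedef enum {
    STUB_OK = 0,      /* clean prologue, syscall ID recovered         */
    STUB_HOOKED = 1,  /* starts with jmp rel32: inline hook installed */
    STUB_UNKNOWN = 2  /* not a syscall stub, or too short to judge    */
} stub_status;

/* An unmodified 64-bit stub begins
 *   4C 8B D1        mov r10, rcx
 *   B8 xx xx xx xx  mov eax, <syscall id>   (little-endian imm32)
 * and reaches a `0F 05` syscall instruction within a few more bytes. */
static stub_status get_syscall_id(const uint8_t *stub, size_t len, uint32_t *id)
{
    size_t i;
    if (stub == NULL || id == NULL || len < 8)
        return STUB_UNKNOWN;
    /* E9 rel32 at offset 0 overwrites the prologue: the ID cannot be read here. */
    if (stub[0] == 0xE9)
        return STUB_HOOKED;
    if (stub[0] != 0x4C || stub[1] != 0x8B || stub[2] != 0xD1 || stub[3] != 0xB8)
        return STUB_UNKNOWN;
    /* Require the syscall opcode itself, so an arbitrary mov eax,imm32 is not mistaken for a stub. */
    for (i = 8; i + 1 < len && i < 32; i++)
        if (stub[i] == 0x0F && stub[i + 1] == 0x05)
            break;
    if (i + 1 >= len || i >= 32)
        return STUB_UNKNOWN;
    *id = (uint32_t)stub[4] | ((uint32_t)stub[5] << 8)
        | ((uint32_t)stub[6] << 16) | ((uint32_t)stub[7] << 24);
    return STUB_OK;
}

/* Plain-value wrappers so each sample's result can be checked directly. */
static int classify(const uint8_t *stub, size_t len)
{
    uint32_t id = 0;
    return (int)get_syscall_id(stub, len, &id);
}

static uint32_t id_of(const uint8_t *stub, size_t len)
{
    uint32_t id = 0;
    if (get_syscall_id(stub, len, &id) != STUB_OK)
        return 0xFFFFFFFFu;
    return id;
}

/* Constructed sample bytes: not copied from any real ntdll, and 0x18 is an illustrative ID. */
static const uint8_t clean_stub[] = {
    0x4C, 0x8B, 0xD1,                               /* mov r10, rcx                 */
    0xB8, 0x18, 0x00, 0x00, 0x00,                   /* mov eax, 0x18                */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01, /* test byte ptr [7FFE0308h], 1 */
    0x75, 0x03,                                     /* jne +3                       */
    0x0F, 0x05,                                     /* syscall                      */
    0xC3,                                           /* ret                          */
    0xCD, 0x2E, 0xC3                                /* int 2Eh; ret                 */
};

/* Same stub after a 5-byte inline hook replaced the prologue with a detour. */
static const uint8_t hooked_stub[] = {
    0xE9, 0x00, 0x10, 0x00, 0x00,                   /* jmp +0x1000 into a monitor DLL     */
    0x00, 0x00, 0x00,                               /* leftover tail of mov eax,imm32      */
    0xF6, 0x04, 0x25, 0x08, 0x03, 0xFE, 0x7F, 0x01,
    0x75, 0x03, 0x0F, 0x05, 0xC3, 0xCD, 0x2E, 0xC3
};

/* An ordinary function prologue (sub rsp,28h ...) that is not a syscall stub. */
static const uint8_t not_a_stub[] = {
    0x48, 0x83, 0xEC, 0x28, 0x48, 0x8B, 0xC1, 0x48, 0x83, 0xC4, 0x28, 0xC3
};

int main(void)
{
    const struct { const char *name; const uint8_t *bytes; size_t len; } samples[] = {
        { "clean",  clean_stub,  sizeof clean_stub  },
        { "hooked", hooked_stub, sizeof hooked_stub },
        { "other",  not_a_stub,  sizeof not_a_stub  },
    };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        int s = classify(samples[n].bytes, samples[n].len);
        if (s == STUB_OK)
            printf("%-6s: syscall id 0x%02X\n", samples[n].name, id_of(samples[n].bytes, samples[n].len));
        else
            printf("%-6s: %s\n", samples[n].name,
                   s == STUB_HOOKED ? "hooked (jmp at offset 0)" : "not a syscall stub");
    }
    return 0;
}
```

On a live system the bytes would be read from the exported Nt* address in the loaded ntdll image; the parser deliberately relies only on the prologue and the presence of the syscall opcode, because the tail of the stub (the KUSER_SHARED_DATA test and the int 2Eh fallback shown here) varies between Windows versions. A defender can run the same check from a driver or a scanner to confirm that its own hooks are still in place, which is the mirror image of what an injector does before issuing a direct system call.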
ISSN: 1742-6588 (print), 1742-6596 (online)
DOI: 10.1088/1742-6596/2096/1/012048