Process Injection - Part II

Hello All,

Continuing my series on learning process injection techniques and improving my C# skills with the Windows API, I explored another very well-known process injection technique: DLL Injection.

What is DLL ?

A Dynamic Link Library (DLL) is a file containing code that a program loads at run time to perform one or more actions.

What is DLL Injection ?

DLL Injection is the process of loading a DLL into a running process that did not ask for it. The injected DLL may contain malicious code and can be used to perform malicious activity under the identity of the target process.

In this post I will give an overview of the technique and a demo using the process injection tool I created. It can be found on my GitHub repo.

This DLL Injection technique uses six Windows API functions.
  • OpenProcess - The OpenProcess function returns a handle to an existing process object.
  • VirtualAllocEx - The VirtualAllocEx function reserves or commits memory in the virtual address space of another process and sets the protection of that memory.
  • WriteProcessMemory - The WriteProcessMemory function writes data to an area of memory in a specified process.
  • CreateRemoteThread - The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
  • GetModuleHandleA - The GetModuleHandleA function retrieves a module handle for a module that is already loaded by the calling process.
  • GetProcAddress - The GetProcAddress function retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

Overview of DLL Injection

DLL Injection is a very old technique that is still used by many malware families and by frameworks used for security assessments or for simulating attacker behaviour. It can also be used to evade controls that detect or prevent malicious activity, because the injected code runs inside a process that is already trusted.

Below are the steps I followed when adding the DLL Injection technique to the tool.

Step 1:- Use OpenProcess to obtain a handle to the target process into which we intend to inject our DLL.

Step 2:- Find the address of the LoadLibraryA function using GetModuleHandleA (for kernel32.dll) and GetProcAddress. The address is resolved in our own process, but it is valid in the target as well because kernel32.dll is mapped at the same base address in every process of a session. LoadLibraryA loads a DLL into the calling process, and in Step 5 the calling process will be the target.

Step 3:- Use VirtualAllocEx to allocate memory in the target process for the path of the DLL we are going to load.

Step 4:- Use WriteProcessMemory to write the DLL path into the allocated memory.

Step 5:- Use CreateRemoteThread to create a new thread in the target process, passing the address of LoadLibraryA as the start address and the address of the written DLL path as the parameter for LoadLibraryA.

Demo

In this demo I have used MSFVenom to generate the DLL. You are free to use any tool or write your own DLL.

I have added /t as an additional parameter to select the technique.
The tool currently supports 2 process injection techniques and I intend to add more in future.
  1. Vanilla Process Injection
  2. DLL Injection

Generate the DLL with MSFVenom and use it to perform DLL Injection:
MSFVenom Command - msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -b "\x00" -f dll > Desktop/calc.dll
ProcessInjection Command - ProcessInjection.exe /pid:2828 /path:"C:\Users\User\Desktop\calc.dll" /t:2



Detection

Monitor Windows API calls such as CreateRemoteThread and those that can modify memory in another process, such as WriteProcessMemory. Also monitor processes that make network connections and processes that load DLLs from locations other than the default paths (C:\Windows or C:\Windows\System32).
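The monitoring described above, as an added example that is not part of the original post or of the author's ProcessInjection tool: a small Python detector that applies the three rules (remote thread creation, cross-process memory access, DLL loads from outside C:\Windows) to a batch of Sysmon-style events. The event IDs 7 (ImageLoaded), 8 (CreateRemoteThread) and 10 (ProcessAccess) are Sysmon's real IDs; the "Key=Value|..." line layout and the sample events are constructed for this example.

```python
"""
Added example (not part of the original post or the ProcessInjection tool):
applies the post's Detection guidance to Sysmon-style events. The event IDs are
Sysmon's real ones (7 = ImageLoaded, 8 = CreateRemoteThread, 10 = ProcessAccess);
the "Key=Value|..." line layout and the sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

IMAGE_LOADED = 7          # Sysmon Event ID 7
CREATE_REMOTE_THREAD = 8  # Sysmon Event ID 8
PROCESS_ACCESS = 10       # Sysmon Event ID 10

# Win32 access rights that the post's five steps need on the OpenProcess handle:
# create a thread, change memory layout, write memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Default DLL locations named in the post; loads from anywhere else are flagged.
TRUSTED_DLL_DIRS = ("c:\\windows\\",)


@dataclass
class Finding:
    event_id: int
    reason: str
    detail: str


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' line into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_event(ev: Dict[str, str]) -> List[Finding]:
    """Return the findings for one parsed event (empty list if nothing matched)."""
    eid = int(ev["EventID"])
    cross_process = ev.get("SourceProcessId") != ev.get("TargetProcessId")
    findings: List[Finding] = []

    if eid == CREATE_REMOTE_THREAD and cross_process:
        func = ev.get("StartFunction", "")
        reason = "thread created in another process"
        if func.startswith("LoadLibrary"):
            # Step 5 of the post: the remote thread starts at LoadLibraryA.
            reason += ", start address is LoadLibrary (DLL injection pattern)"
        findings.append(Finding(eid, reason,
                                f"{ev.get('SourceImage')} -> {ev.get('TargetImage')} [{func or 'unknown'}]"))

    elif eid == IMAGE_LOADED:
        path = ev.get("ImageLoaded", "")
        if not path.lower().startswith(TRUSTED_DLL_DIRS):
            findings.append(Finding(eid, "DLL loaded from outside the default Windows paths",
                                    f"{ev.get('Image')} loaded {path}"))

    elif eid == PROCESS_ACCESS and cross_process:
        # Sysmon logs GrantedAccess as hex, e.g. 0x1F0FFF.
        mask = int(ev.get("GrantedAccess", "0x0"), 16)
        if (mask & INJECT_MASK) == INJECT_MASK:
            findings.append(Finding(eid, "handle opened with thread-create and memory-write rights",
                                    f"{ev.get('SourceImage')} -> {ev.get('TargetImage')} (0x{mask:X})"))
    return findings


def scan(lines: List[str]) -> List[Finding]:
    """Run every line through the checks and collect findings in log order."""
    return [f for line in lines for f in check_event(parse_event(line))]


# Constructed sample: one injection into notepad.exe (pid 2828, as in the post's
# demo command) surrounded by two benign events.
SAMPLE_EVENTS = [
    "EventID=10|SourceImage=C:\\Users\\User\\Desktop\\ProcessInjection.exe|SourceProcessId=4120"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=2828|GrantedAccess=0x1F0FFF",
    "EventID=8|SourceImage=C:\\Users\\User\\Desktop\\ProcessInjection.exe|SourceProcessId=4120"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=2828"
    "|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
    "EventID=7|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Users\\User\\Desktop\\calc.dll",
    "EventID=7|Image=C:\\Windows\\System32\\notepad.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=10|SourceImage=C:\\Windows\\System32\\Taskmgr.exe|SourceProcessId=1500"
    "|TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=2828|GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[Sysmon {f.event_id}] {f.reason}: {f.detail}")
```

The three flagged events together tell the story of the demo: a handle with thread-create and memory-write rights, a remote thread starting at LoadLibraryA, and notepad.exe loading a DLL from the user's Desktop. The C:\Windows allow-list is deliberately coarse; legitimate software loads DLLs from Program Files and elsewhere, so in practice the ImageLoaded rule is tuned per environment, and Sysmon only records events 7 and 10 when its configuration asks for them.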

Reference

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
https://i.blackhat.com/USA-19/Thursday/us-19-Kotler-Process-Injection-Techniques-Gotta-Catch-Them-All-wp.pdf
https://attack.mitre.org/techniques/T1055/

Thanks for reading the post.

Special thanks to all my friends who helped, supported and motivated me to write blogs. 🙏
