Process Injection - Part II

Hello All,

As part of my series on learning process injection techniques and deepening my knowledge of C# with the Windows API, I explored another well-known process injection technique: DLL Injection.

What is DLL ?

A Dynamic Link Library (DLL) is a file containing code that a program loads at run time to perform one or more actions.

What is DLL Injection ?

DLL Injection is the process of forcing a running process to load a DLL. That DLL may contain malicious code and can then be used to perform malicious activities within the target process.

In this post I will give an overview of the technique and a demo using the process injection tool I created, which can be found on my GitHub repo.

This DLL Injection technique uses 6 Windows API functions.
  • OpenProcess - The OpenProcess function returns a handle to an existing process object.
  • VirtualAllocEx - The VirtualAllocEx function allocates memory within the address space of another process and sets the access protection on that region.
  • WriteProcessMemory - The WriteProcessMemory function writes data to an area of memory in a specified process.
  • CreateRemoteThread - The CreateRemoteThread function creates a thread that runs in the virtual address space of another process.
  • GetModuleHandleA - The GetModuleHandleA function retrieves a module handle for the specified module, provided that module is already loaded by the calling process.
  • GetProcAddress - The GetProcAddress function retrieves the address of an exported function or variable from the specified dynamic-link library (DLL).

Overview of DLL Injection

DLL Injection is a very old technique that is still used by many malware families and by frameworks built for security assessments or adversary simulation. It can also be used to evade detection or prevention controls.

Below are the steps I followed when adding the DLL Injection technique to the tool.

Step 1:- Used OpenProcess to obtain a handle to the target process into which we intend to inject our DLL.

Step 2:- Found the address of the LoadLibraryA function using GetModuleHandleA and GetProcAddress. LoadLibraryA is the function that loads a DLL into the calling process.

Step 3:- Used VirtualAllocEx to allocate memory in the target process for the path of the DLL we will be loading.

Step 4:- Used WriteProcessMemory to write the DLL path into the allocated memory.

Step 5:- Used CreateRemoteThread to create a new thread in the target process, passing the address of LoadLibraryA as the start address and the address of the written DLL path as the parameter to LoadLibraryA.

Demo

In this demo I have used MSFVenom to generate the DLL. You are free to use any tool or write your own DLL.

I have added /t as an additional parameter to select the technique.
The tool currently supports 2 process injection techniques, and I intend to add more in future.
  1. Vanilla Process Injection
  2. DLL Injection

Generate the DLL using MSFVenom and use the same DLL to perform the DLL Injection.
MSFVenom Command - msfvenom -p windows/x64/exec CMD=calc exitfunc=thread -b "\x00" -f dll > Desktop/calc.dll
ProcessInjection Command - ProcessInjection.exe /pid:2828 /path:"C:\Users\User\Desktop\calc.dll" /t:2

Detection

Monitor Windows API calls such as CreateRemoteThread and those that can modify memory within another process, such as WriteProcessMemory. Also monitor processes that make network connections and load DLLs from outside the default paths (C:\Windows or C:\Windows\System32).
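The monitoring advice above, turned into a small detector. This is an added example (mine, not code from the original post or from the author's ProcessInjection tool) that scores constructed Sysmon-style events: it flags a remote thread whose start routine is a LoadLibrary export, and a process that loads a DLL from outside C:\Windows, escalating the latter when the same process also makes a network connection. It assumes Sysmon's field names for Event IDs 8 (CreateRemoteThread), 7 (Image loaded) and 3 (Network connection); the PIDs, paths and addresses in the sample events are constructed, not captured from a real host.

```python
"""Added example, not code from the original post or its ProcessInjection tool:
a small detector that applies the Detection section's advice to constructed
Sysmon-style events. Field names follow Sysmon's schema for Event ID 8
(CreateRemoteThread), Event ID 7 (Image loaded) and Event ID 3 (Network
connection); the sample records below are constructed, not real telemetry.
"""
from collections import defaultdict
from typing import Dict, List

# Default DLL locations named in the post (C:\Windows and C:\Windows\System32).
DEFAULT_DLL_DIRS = ("c:\\windows\\",)
# Loader exports that a thread created from another process should never start at.
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

# Constructed sample telemetry (PIDs, images and addresses are illustrative).
SAMPLE_EVENTS: List[Dict] = [
    {"EventID": 8, "SourceProcessId": 4120,
     "SourceImage": r"C:\Users\User\Desktop\ProcessInjection.exe",
     "TargetProcessId": 2828, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 7, "ProcessId": 2828, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\User\Desktop\calc.dll", "Signed": "false"},
    {"EventID": 3, "ProcessId": 2828, "Image": r"C:\Windows\System32\notepad.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # Benign noise: a signed system DLL loaded from the default path.
    {"EventID": 7, "ProcessId": 3001, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
]


def is_default_dll_path(path: str) -> bool:
    """True when the DLL lives under one of the default Windows directories."""
    return path.lower().startswith(DEFAULT_DLL_DIRS)


def analyze(events: List[Dict]) -> List[Dict]:
    """Return one finding per indicator; remote-thread findings come first."""
    findings: List[Dict] = []
    non_default_loads = defaultdict(list)  # pid -> DLLs loaded from outside default dirs
    network_pids = set()                   # pids that made an outbound connection

    for ev in events:
        eid = ev["EventID"]
        if eid == 8:
            # A CreateRemoteThread whose start routine is LoadLibrary* is the
            # exact signature of the five-step injection the post describes.
            start = ev.get("StartFunction", "").lower()
            if ev["SourceProcessId"] != ev["TargetProcessId"] and start in LOADER_EXPORTS:
                findings.append({
                    "rule": "remote_thread_loadlibrary",
                    "severity": "high",
                    "pid": ev["TargetProcessId"],
                    "detail": f"{ev['SourceImage']} started {ev['StartFunction']} "
                              f"in {ev['TargetImage']}",
                })
        elif eid == 7:
            if not is_default_dll_path(ev["ImageLoaded"]):
                non_default_loads[ev["ProcessId"]].append(ev["ImageLoaded"])
        elif eid == 3:
            network_pids.add(ev["ProcessId"])

    # A load from outside the default paths is medium on its own; when the same
    # process also talks to the network it is escalated, as the post suggests.
    for pid, dlls in non_default_loads.items():
        networked = pid in network_pids
        findings.append({
            "rule": "non_default_dll_load",
            "severity": "high" if networked else "medium",
            "pid": pid,
            "detail": "loaded " + ", ".join(dlls)
                      + (" and made a network connection" if networked else ""),
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['rule']} pid={f['pid']}: {f['detail']}")
```

Run against the constructed events, the detector produces two findings for PID 2828: the LoadLibraryA remote thread, and the non-default DLL load escalated to high because of the outbound connection; the explorer.exe load of shell32.dll from System32 produces nothing. In a real deployment the same two rules would be fed from the Sysmon operational log rather than an inline list.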


Thanks for reading the post.

Special thanks to all my friends who help / supported / motivated me for writing blogs. 🙏


Comments

  1. This might be a stupid question but where are you getting the process ID for the ProcessInjector.exe command?

    Reply
    1. The process ID can be found manually, or else we can add logic to the code to auto search for the process and its information.

  2. Hey, can't we generate a managed DLL in Covenant? Or is there any way to convert a Covenant binary to a DLL, so that we can perform DLL injection?
