search

18.DLL-injection

hashtag
Windows API Calls (DLL Injection)

# Open a handle to the target process
OpenProcess

# Allocate memory in the target process
VirtualAllocEx

# Write data into the allocated memory
WriteProcessMemory

# Retrieve the address of an exported function from a DLL
GetProcAddress

# Create a thread in the target process
CreateRemoteThread

# Load a DLL into the process
LoadLibrary

# Free the loaded DLL
FreeLibrary

hashtag
Registry (DLL Hijacking)

hashtag
Process Monitoring (DLL Hijacking)

hashtag
Key Concepts:

  • DLL Injection:

    • Inserting a DLL into a running process to execute arbitrary code.

    • Used for legitimate purposes (hot patching) and malicious activities.

  • LoadLibrary:

    • Windows API function for loading DLLs.

    • Can be used for remote DLL injection.

  • Manual Mapping:

    • Directly mapping DLL sections into a process's memory.

    • Bypasses LoadLibrary monitoring.

  • Reflective DLL Injection:

    • DLL loads itself from memory, minimizing host interaction.

  • DLL Hijacking:

    • Exploiting the Windows DLL search order to load a malicious DLL.

    • Relies on missing or weakly specified DLL paths.

  • DLL Proxying:

    • Creating a proxy DLL that loads the original DLL, modifies its functions, and returns the modified result.

Approach, Commands, Tools, and Techniques:

  1. LoadLibrary Injection:

    • OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread (Windows API calls).

  2. Manual Mapping:

    • Load DLL as raw data, map sections, inject shellcode.

  3. Reflective DLL Injection:

    • ReflectiveLoader function within the DLL.

    • Parses PE headers, resolves imports, relocates DLL.

  4. DLL Hijacking:

    • Process Explorer, PE Explorer (DLL analysis).

    • Process Monitor (procmon) to monitor file access.

    • Create malicious DLLs.

    • Regedit to modify the SafeDllSearchMode.

  5. DLL Proxying:

    • Create a proxy DLL that loads the original DLL.

    • Modify the desired function within the proxy DLL.

    • Replace the original DLL with the proxy DLL.

Commands:

  • Windows API calls: OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread, LoadLibrary, FreeLibrary.

  • Regedit.

  • Process Monitor(procmon).

Tools:

  • Process Explorer.

  • PE Explorer.

  • Compilers (C).

  • Debuggers/Disassemblers.

Techniques:

  • Creating malicious DLLs.

  • Modifying DLL functions.

  • Monitoring process activity.

  • Reverse engineering.

Previous17.Vulnerable-servicesNext5.Credential Theft

Last updated