DLL Injection Attacks in a Nutshell

Before we see what a DLL injection attack is, it is necessary to understand what a DLL file actually is. A DLL (dynamic link library) is a Windows file containing functions that a program can call. The main role of DLL files is to provide functionality that is not necessarily built into the application itself.
Various applications call DLL files, which in turn perform the required activity for them.
So it becomes necessary to determine whether genuine DLL files are being loaded, or whether infected DLL files are being loaded and bringing malware with them. The best way to secure a system from a malicious DLL file is to have updated antivirus software and never risk downloading software from dubious sites.
DLL Injection
DLL injection is used to manipulate the execution of a running process. Most DLL injection attacks are performed to carry out reverse engineering.
As the name suggests, “DLL injection” primarily tricks an application into loading a malicious DLL file, which then executes as part of the target process.
DLL injection can be divided into 4 steps:
1. Attach to the process
2. Allocate memory within the process
3. Copy the DLL or the DLL path into the process's memory and determine the appropriate memory addresses
4. Instruct the process to execute your DLL
For detailed info on each step, please refer to http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html.
Some ways to inject a DLL file in Windows are:
1. DLLs listed under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs are loaded into every process that calls the Win32 API functions.
2. DLLs listed in the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded into every process that loads User32.dll. So if we put our DLL file here, it will be run by the victim application.
3. Another way to perform DLL injection is to call process manipulation functions like CreateRemoteThread.
Injection on Unix systems can be performed using ld-linux.so (on Linux). Libraries can be linked into a new process by giving the library’s pathname in the LD_PRELOAD environment variable.
Remediation
To prevent DLL injection, we need to ensure that no untrusted process runs with the same Administrator-level access as your application. The other way is to keep antivirus software updated; though antivirus software can’t always be fully trusted, it is generally recommended to download software only from genuine websites.
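As an added example (not code from the original post), the following PowerShell script audits the two registry locations named above, AppInit_DLLs and AppCertDlls, and reports each configured DLL together with whether it exists on disk and whether it carries a valid Authenticode signature. It assumes Windows PowerShell 5 or later in an elevated session; the LoadAppInit_DLLs value it reads is the switch that controls whether AppInit DLLs are loaded at all.

```powershell
# Added example: audit the registry locations Windows uses to inject DLLs
# into processes. Assumes Windows PowerShell 5+ run from an elevated prompt.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-DllFinding {
    param([string]$Source, [string]$Path)
    # Entries may be bare file names resolved via the search path, so a
    # missing file here is a reason to look further, not proof it is absent.
    $exists = Test-Path -LiteralPath $Path
    $signature = if ($exists) { (Get-AuthenticodeSignature -FilePath $Path).Status } else { 'n/a' }
    [pscustomobject]@{ Source = $Source; Dll = $Path; Exists = $exists; Signature = $signature }
}

$findings = @()

foreach ($key in $appInitKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # LoadAppInit_DLLs = 1 means the listed DLLs are actually loaded into
    # every process that loads user32.dll; 0 means the list is inert.
    $loadEnabled = ($props.LoadAppInit_DLLs -eq 1)
    if ($props.AppInit_DLLs) {
        foreach ($dll in ($props.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ })) {
            $findings += Get-DllFinding -Source "AppInit_DLLs (LoadAppInit_DLLs=$loadEnabled)" -Path $dll
        }
    }
}

if (Test-Path -Path $appCertKey) {
    $item = Get-Item -Path $appCertKey
    # Each value under AppCertDlls holds the full path of one DLL.
    foreach ($name in $item.GetValueNames()) {
        $findings += Get-DllFinding -Source "AppCertDlls\$name" -Path $item.GetValue($name)
    }
}

if ($findings.Count -eq 0) {
    'No AppInit_DLLs or AppCertDlls entries are configured.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any entry that points to a missing file, an unsigned DLL, or a path under a user-writable directory deserves investigation, since these keys are a classic persistence location for injected DLLs.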
You may watch this video to get more insight into how DLL injection attacks are performed using PowerSploit and Metasploit.

