DLL Injection Attacks in a Nutshell

Circle Ninja
Oct 16, 2019 · 2 min read
© opensecurityresearch.com

Before we look at what a DLL injection attack is, it helps to know what a DLL file actually is. A DLL (dynamic link library) is a Windows file that a program loads in order to call functions that already exist. The main role of DLL files is to provide functionality that is not necessarily built into the application itself.

Various applications load DLL files, which in turn carry out the required work for them.

So it becomes necessary to determine whether genuine DLL files are being loaded, or whether malicious DLL files have been substituted and bring malware in with them. The best way to secure a system from a malicious DLL file is to keep antivirus software updated and never risk downloading software from suspicious sites.

DLL Injection

DLL injection is used to manipulate the execution of a running process. Most DLL injection is carried out for reverse-engineering purposes.

As the name suggests, “DLL injection” primarily tricks an application into loading a malicious DLL file, which then executes as part of the target process.

DLL injection can be divided into four steps:
1. Attach to the process.
2. Allocate memory within the process.
3. Copy the DLL, or the DLL path, into the process's memory and determine the appropriate memory addresses.
4. Instruct the process to execute your DLL.

For detailed information on each step, refer to http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html.

Some ways to inject a DLL file in Windows are:

1. DLLs listed under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs are loaded into every process that calls the Win32 API functions.

2. DLLs listed in the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded into every process that loads User32.dll. So if we put our DLL file here, it will be run by the victim application.

3. Another way to perform DLL injection is to call process-manipulation functions such as CreateRemoteThread.
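The two registry locations in points 1 and 2 above are also where a defender should look first. The following PowerShell script is an added example, not code from the original post: it reads both keys (plus the Wow6432Node copy of AppInit_DLLs that governs 32-bit processes on 64-bit Windows), lists every DLL configured there, and reports whether the file exists and whether it carries a valid Authenticode signature.

```powershell
# Added example, not from the original post: read-only audit of the registry
# locations that cause a DLL to be loaded into other processes.
# Run from an elevated PowerShell session so HKLM is fully readable.

$locations = @(
    @{ Source = 'AppCertDLLs'
       Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs' },
    @{ Source = 'AppInit_DLLs'
       Path   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
    @{ Source = 'AppInit_DLLs (Wow6432Node)'
       Path   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows' }
)

function Get-RegistryDllEntries {
    foreach ($loc in $locations) {
        if (-not (Test-Path -LiteralPath $loc.Path)) { continue }
        $key = Get-ItemProperty -LiteralPath $loc.Path

        if ($loc.Source -eq 'AppCertDLLs') {
            # Every value under this key is a DLL path; PS* properties are PowerShell metadata.
            foreach ($p in $key.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }
                [pscustomobject]@{ Source = $loc.Source; Dll = [string]$p.Value; Active = $true }
            }
        } else {
            # AppInit_DLLs is a space- or comma-separated list that is honoured only
            # when LoadAppInit_DLLs is 1 (RequireSignedAppInit_DLLs further limits it to signed DLLs).
            $active = ($key.LoadAppInit_DLLs -eq 1)
            foreach ($dll in ([string]$key.AppInit_DLLs -split '[ ,]+')) {
                if ($dll) {
                    [pscustomobject]@{ Source = $loc.Source; Dll = $dll; Active = $active }
                }
            }
        }
    }
}

# For each entry, check that the file exists and whether it is signed.
# A bare file name (no directory) resolves via the DLL search path, so it may show as not found.
Get-RegistryDllEntries | ForEach-Object {
    $onDisk = Test-Path -LiteralPath $_.Dll -PathType Leaf
    $status = if ($onDisk) { (Get-AuthenticodeSignature -FilePath $_.Dll).Status } else { 'file not found' }
    [pscustomobject]@{
        Source    = $_.Source
        Dll       = $_.Dll
        Active    = $_.Active
        Signature = $status
    }
} | Format-Table -AutoSize
```

An empty table means neither mechanism is configured on the host; any entry that is Active with a Signature other than Valid deserves investigation.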

Injection on Unix systems can be performed through the dynamic loader, ld-linux.so (on Linux): a library is linked into a new process by giving the library's path name in the LD_PRELOAD environment variable.

Remediation

To prevent DLL injection, we need to ensure that no untrusted process obtains the same Administrator-level access as your application. The other measure is to keep antivirus software updated; although antivirus software cannot always be fully trusted, it is generally recommended, together with downloading software only from genuine websites.

You may watch this video for more insight into how DLL injection attacks are performed using PowerSploit and Metasploit.

Bug Bounty Hunting

Learn bug bounty hunting and other hacking tips from bug bounty hunters and security researchers around the world. White hat hacking to make legal money and read public security writeups and bug bounty stories for free!

Circle Ninja

Written by

Wannabe Security JCB | BTech CSE Student from India
