DLL Injection

Preet kamal
Malware_Autopsy
Published in
4 min readNov 29, 2019

--

A covert malware launching technique that uses windows process as a cloak. It is a process in which a remote process is forced to load a malicious DLL. Remote process could be any process. Example svchost.exe, explorer.exe.

Okay..but what is a DLL?😐

DLL — Dynamic-Link Library — It is Microsoft’s way to use libraries to share code among multiple applications. These libraries contain code and data that can be used by multiple programs at the same time. Examples

  • kernel32.dll — access and manipulation of files and folders.
  • gdi32.dll — used for displaying and manipulating graphics.
  • ntdll.dll — interface to windows kernel.
  • wsock32.dll — used by Internet and network applications to handle network connections.

In-Depth :

In this technique, malware writes the path of malicious DLL inside a remote process using Windows API functions then invokes the execution of that DLL by creating a remote thread in the target application.

As shown in the above picture, we have a launcher file, mal.dll and target.exe present on the disk. Here, the laucher will be responsible for performing injection of mal.dll (dll containing malicious code) into the target.exe (victim — any windows process), as a result, whenever target.exe is executed, mal.dll is also executed. This technique is a type of covert malware launching technique used for hiding malicious activities inside a legitimate process which is target.exe in our case.

How it is achieved?

Problem for malware — Process specific firewall, in order to bypass this firewall, there are certain steps to get access to target.exe.

  • Preparing the path of mal.dll

First, the launcher uses GetCurrentDirectoryA to get the current working directory and uses string concatenation function — lstrcatA twice to prepare the path of mal.dll , example:- C:\Users\user_name\directory\mal.dll

  • Retrieving PID of target.exe

The next step is to retrieve the process id of target.exe, EnumProcesses is a function that retrieves the process identifier for each process object in the system and stores them into an array, after which the launcher can traverse that array and do the string comparison of string “target.exe” with the name of the processes associated with a PID in that array and loop until the correct PID is found.

  • Obtain handle to the target.exe

Once the PID is retrieved, it can be used as a parameter to OpenProcess function to obtain a handle to target.exe.

VirtualAllocEx- This function allocates memory inside target.exe using the handle (hProcess) retrieved from the previous step.

  • Write mal.dll full path at newly created memory in the previous step.

In this code, the Buffer parameter point to a string which contains the full pathname to mal.dll, lpBaseAddress is the starting point of newly created memory and hProcess contains a handle to target.exe. Then WriteProcessMemory function is called to write the Buffer at lpBaseAddress which means that the directory path of mal.dll is now written inside target.exe.

In order to execute DLL, LoadLibraryA function from kernel32.dll is needed, therefore it manually resolves the address of LoadLibraryA and stores it into a variable.

  • Execution

Finally, CreateRemoteThread is called which creates a thread that runs in the virtual address space of target.exe eventually executing mal.dll.

Above shown example is one of the ways through which DLL injection can be achieved, but it is not limited to a single approach.

--

--