![Page 1: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/1.jpg)
Information Security Inc.
DLL Injection
![Page 2: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/2.jpg)
Information Security Confidential - Partner Use Only
Contents
2
• What is process injection?
• Classic DLL injection
• Testing environment
• Demo
• References
![Page 3: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/3.jpg)
Information Security Confidential - Partner Use Only
What is process injection?
3
◎ Process injection is a widespread defense evasion
technique employed often within malware and fileless adversary
tradecraft, and entails running custom code within the address space
of another process
![Page 4: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/4.jpg)
Information Security Confidential - Partner Use Only
Classic DLL Injection
4
◎ The malware writes the path to its malicious dynamic-link library
(DLL) in the virtual address space of another process, and ensures
the remote process loads it by creating a remote thread in the target
process
![Page 5: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/5.jpg)
Information Security Confidential - Partner Use Only
Testing environment
5
◎Windows 7 Ultimate SP1 32bit
◎ Injected DLL (InjectedDLL.dll); Injecting program source
(Injector.c)
◎ Target process (Wordpad)
![Page 6: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/6.jpg)
Information Security Confidential - Partner Use Only
Demo
6
◎ Injecting a test DLL in Wordpad
▲ Step 1 (Attach)
Obtain a handle to the target process. Two ways to do it (CreateProcess or OpenProcess
functions)
This demo uses OpenProcess (https://msdn.microsoft.com/en-
us/library/ms684320(VS.85).aspx)
The return value of OpenProcess is a handle to the process on success and NULL on
failure
![Page 7: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/7.jpg)
Information Security Confidential - Partner Use Only
Demo
7
◎ Injecting a test DLL in Wordpad
▲ Step 2 (Allocate memory)
Allocating memory inside the target process (VirtualAllocEx)
Using VirtualAllocEx function (https://msdn.microsoft.com/en-
us/library/aa366890(VS.85).aspx)
The return value is a pointer (inside the target process) to the allocated memory on
success, and NULL on failure
![Page 8: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/8.jpg)
Information Security Confidential - Partner Use Only
Demo
8
◎ Injecting a test DLL in Wordpad
▲ Step 3 (Copy DLL)
Writing the path of the injected DLL into the allocated memory
Using WriteProcessMemory function (https://msdn.microsoft.com/en-
us/library/ms681674(VS.85).aspx)
The return value is a boolean value which is true when the function succeeds, and false
when it fails
![Page 9: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/9.jpg)
Information Security Confidential - Partner Use Only
Demo
9
◎ Injecting a test DLL in Wordpad
▲ Step 4 (Execute)
Call LoadLibraryA inside the target process
Using CreateRemoteThread function (https://msdn.microsoft.com/en-
us/library/ms682437(VS.85).aspx)
The return value handle to the new thread on success, and NULL on failure
![Page 10: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/10.jpg)
Information Security Confidential - Partner Use Only
Demo
10
◎ Injecting a test DLL in Wordpad
▲ The Code
![Page 11: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/11.jpg)
Information Security Confidential - Partner Use Only
Demo
11
◎ Injecting a test DLL in Wordpad
▲ Demo: InjectDLL.exe inject a custom DLL into wordpad.exe
![Page 12: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/12.jpg)
Information Security Confidential - Partner Use Only
Demo
12
◎ Injecting a test DLL in Wordpad
▲ Demo: dll injected into wordpad.exe (CreateRemoteThread, LoadLibrary functions)
![Page 13: DLL Injection - 情報セキュリティ株式会社 · 2017. 9. 5. · Classic DLL Injection 4 The malware writes the path to its malicious dynamic-link library (DLL) in the virtual](https://reader035.vdocument.in/reader035/viewer/2022062415/5fde480cd9c87e216c3ae116/html5/thumbnails/13.jpg)
Information Security Confidential - Partner Use Only
References
13
• Wikipedia https://en.wikipedia.org/wiki/DLL_injection
• MSDN Libraryhttps://msdn.microsoft.com/en-us/library/ms123401.aspx