DLL Injection | What it is


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and the name of the DLL to be injected is written to it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Source: Wikipedia

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and the name of the DLL to be injected is written to it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Advertisements