DLL Injection

Overview

DLL injection is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process. It allows the inserted code to run within the process's context, to influence its behavior or access its resources.

DLL injection has legitimate use cases, such has hot patching.

Hot patching, a method of dynamically updating a system or application without downloading a new version or, in some cases, even restarting it, helps developers deliver bug fixes or enhancements to users quickly and automatically.

In this section we detail the different DLL injection methods from a theoretical standpoint.

LoadLibrary

The LoadLibrary API is a function provided by the Windows operating system that loads a DLLs into the current process’s memory and returns a handle that can be used to get the addresses of functions within the DLL.

Using this API, we can legitimately load a DLL into the current process:

#include <windows.h>
#include <stdio.h>

int main() {
    // Using LoadLibrary to load a DLL into the current process
    HMODULE hModule = LoadLibrary("example.dll");
    if (hModule == NULL) {
        printf("Failed to load example.dll\n");
        return -1;
    }
    printf("Successfully loaded example.dll\n");

    return 0;
}

We can also use this API for DLL injection into a target proces:

1. Allocate memory within the target process for the DLL path

2. Initiate a remote thread that begins at LoadLibrary and directs towards the DLL path

#include <windows.h>
#include <stdio.h>

int main() {
    // Using LoadLibrary for DLL injection
    // First, we need to get a handle to the target process
    DWORD targetProcessId = 123456 // The ID of the target process
    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, targetProcessId);
    if (hProcess == NULL) {
        printf("Failed to open target process\n");
        return -1;
    }

    // Next, we need to allocate memory in the target process for the DLL path
    LPVOID dllPathAddressInRemoteMemory = VirtualAllocEx(hProcess, NULL, strlen(dllPath), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (dllPathAddressInRemoteMemory == NULL) {
        printf("Failed to allocate memory in target process\n");
        return -1;
    }

    // Write the DLL path to the allocated memory in the target process
    BOOL succeededWriting = WriteProcessMemory(hProcess, dllPathAddressInRemoteMemory, dllPath, strlen(dllPath), NULL);
    if (!succeededWriting) {
        printf("Failed to write DLL path to target process\n");
        return -1;
    }

    // Get the address of LoadLibrary in kernel32.dll
    LPVOID loadLibraryAddress = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    if (loadLibraryAddress == NULL) {
        printf("Failed to get address of LoadLibraryA\n");
        return -1;
    }

    // Create a remote thread in the target process that starts at LoadLibrary and points to the DLL path
    HANDLE hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, dllPathAddressInRemoteMemory, 0, NULL);
    if (hThread == NULL) {
        printf("Failed to create remote thread in target process\n");
        return -1;
    }

    printf("Successfully injected example.dll into target process\n");

    return 0;
}

Manual Mapping

This method is much more complex but provides more stealth because LoadLibrary isn't used.

Simplified overview:

1. Load the DLL as raw data into the injecting process.

2. Map the DLL sections into the targeted process.

3. Inject shellcode into the target process and execute it. This shellcode relocates the DLL, rectifies the imports, executes the Thread Local Storage (TLS) callbacks, and finally calls the DLL main.

Reflective DLL injection

It leverages reflective programming, read more about it here => https://github.com/stephenfewer/ReflectiveDLLInjection

DLL Hijacking

We can hijack DLL when their loaded at runtime if an application doesn't specify the full path to a required DLL

Safe DLL Search Mode

The default DLL search order used by the system depends on whether Safe DLL Search Mode is activated.

If actived (default) the system will look for DLLs in this order:

1. The directory from which the application is loaded.

2. The system directory.

3. The 16-bit system directory.

4. The Windows directory.

5. The current directory.

6. The directories that are listed in the PATH environment variable.

If it's deactivated:

1. The directory from which the application is loaded.

2. The current directory.

3. The system directory.

4. The 16-bit system directory.

5. The Windows directory

6. The directories that are listed in the PATH environment variable

We can see "current directory" is pushed up the list.

We can easily deactive the safe search from the registry:

1. Press Windows key + R to open the Run dialog box.

2. Type in Regedit and press Enter. This will open the Registry Editor.

3. Navigate to HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager.

4. In the right pane, look for the SafeDllSearchMode value. If it does not exist, right-click the blank space of the folder or right-click the Session Manager folder, select New and then DWORD (32-bit) Value. Name this new value as SafeDllSearchMode.

5. Double-click SafeDllSearchMode. In the Value data field, enter 1 to enable and 0 to disable Safe DLL Search Mode.

6. Click OK, close the Registry Editor and Reboot the system for the changes to take effect.

Attack Example

Locate vulnerable DLL

We can use tools like Process Explorer (sysinternal suite) or PE explorer. These tools allow us to see the DLL loaded for each process.

Reverse engineer the program

We need to decompile and debug a target program to decide which function imported from the DLL we will target.

Once we found the function to target we have 2 options:

DLL Proxying

• We replace the original DLL by a malicious one

• The malicious DLL will load the function from the original library

• It will then tamper with it (this is where we put our payload)

• Finally it returns the tampered result to the program

Invalid DLL

Replace a valid library the program is attempting to load but cannot find with a crafted library. We will need write access to a location the program attempts to load from.

Each programming language has a specific library function that allows to execute some instructions when the library is loaded. We can put a malicious payload there.