Hi Everybody,
Welcome to my blog, the next posts will contain information, source code and projects that i found important to share, hope you like it.
Let’s get into the business :)
DLL Injection got many uses, basically it’s a simple way to intercept programs which running in user-mode (ring-3).
malicious software will inject themselves into system processes,
antivirus programs will intercept processes for detecting malicious behavior,
and some kids just will popup a message box in notepad :)
So now i’ll explain you how its works:
When a new process is executed, before jumping to the process entry point, The Windows OS Loader load all modules which described in the Import-Table,
those modules contains necessary functionalities of the process
for example: CreateFile() function in kernel32.dll, gives the ability to access (creating or opening) a file or I\O devices.
One way to inject a module is to rewrite the import table of the executable, and from now on every time the executable will be executed, the Windows OS Loader will load the injected module like the original imported modules of the executable (This method affect processes that are not running yet).
In order to inject a new module into a running process there is another method,
we need to cause the target process to call LoadLibrary() and passing the path of our injected module as a parameter.
Assuming that the target process can access only his memory space leads us to write the path of the injected module into the memory space of the running process.
After writing the injected module path, all we need to do is make the LoadLibrary() function call in the target process, we will use the function CreateRemoteThread() that will call LoadLibrary() (In the target process) and will pass the address of the path we just written in the target process.
I uploaded a Dll-Injector i wrote, it’s a command-line utility that demonstrate “DLL Injection”:
Duender's Dll Injector - Executable
Duender's Dll Injector - Source Files
Want to make your own DLL Injector? This is the functions call you need to do by the following order:
OpenProcess() - Getting a handle of the target process
VirtualAllocEx() - Allocate memory on the target Process for writing the injected module path
WriteProcessMemory() - Write the path of the injected module
CreateRemoteThread() – Call LoadLibrary in the target process with the path of the injected module
See you next time,
Yaniv.
PurpleAI began as my thought experiment a few years back.
Could the perfect virus be created using Artificial Intelligence?
A weapon so powerful that it c...
2 years ago
No comments:
Post a Comment