DLL injection

In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.^[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.^[1][2][3] For example, the injected code could trap system function calls,^[4][5] or read the contents of password textboxes, which cannot be done the usual way.^[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

• DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.^[5][7][8][9] Beginning with Windows Vista, AppInit_DLLs are disabled by default.^[10] Beginning with Windows 7, the AppInit_DLL infrastructure supports code signing.
• Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.^{[5][6][11][12][13][14]}
  1. Get a handle to the target process. This can be done by spawning the process^[15][16] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,^[17] or by obtaining a list of running processes^[18] and scanning for the target executable's filename.^[19]
  2. Allocate some memory in the target process,^[20] and the name of the DLL to be injected is written to it.^[11][21]

     This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.^[22]

  3. Create a new thread in the target process^[23] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.^[11][24]

     Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.^[6]

  4. The operating system will now call DllMain in the injected DLL.^[11][25]

  Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.^[25]

• Windows hooking calls such as SetWindowsHookEx.^{[2][5][6][26][27][28]}
• Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.^[4][29][30]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are (almost) immune from DLL Injection.^[31]

Approaches on Unix-like systems

On Unix-like operating systems with the dynamic linker based on ld.so (on BSD) and ld-linux.so (on Linux), arbitrary libraries can be linked to a new process by giving the library's pathname in the LD PRELOAD environment variable, that can be set globally or individually for a single process.^[32]

For example, in bash, this command launches the command "prog" with the shared library from file "test.so" linked into it at the launchtime:

LD_PRELOAD="./test.so" prog

Such a library can be created with GCC by compiling the source file containing the new globals to be linked, with the -fpic or -fPIC option,^[33] and linking with the -shared option.^[34] The library has access to external symbols declared in the program like any other library.

It is also possible to use debugger-based techniques on Unix-like systems.^[35]

External links

• WarpZone Entertainment: A universal DLL injector, inject by either creating a remote thread or modifying the context thread

References

1. ^ James Shewmaker (2006). "Analyzing DLL Injection" (PDF). GSM Presentation. Bluenotch. http://bluenotch.com/files/Shewmaker-DLL-Injection.pdf. Retrieved August 31, 2008. 
2. ^ Iczelion (August 2002). "Tutorial 24: Windows Hooks". Iczelion's Win32 Assembly Homepage. http://win32assembly.online.fr/tut24.html. Retrieved August 31, 2008. 
3. Rocky Pulley (May 19, 2005). "Extending Task Manager with DLL Injection". CodeProject. CodeProject. http://secure.codeproject.com/KB/threads/taskex.aspx. Retrieved September 1, 2008. 
4. ^ Nasser R. Rowhani (October 23, 2003). "DLL Injection and function interception tutorial". CodeProject. CodeProject. http://www.codeproject.com/KB/DLL/DLL_Injection_tutorial.aspx. Retrieved August 31, 2008. 
5. ^ Ivo Ivanov (December 2, 2002). "API hooking revealed". CodeProject. CodeProject. http://www.codeproject.com/KB/system/hooksys.aspx. Retrieved August 31, 2008. 
6. ^ Robert Kuster (August 20, 2003). "Three Ways to Inject Your Code into Another Process". CodeProject. CodeProject. http://www.codeproject.com/KB/threads/winspy.aspx. Retrieved August 31, 2008. 
7. "Working with the AppInit_DLLs registry value". Microsoft Help and Support. Microsoft. November 21, 2006. http://support.microsoft.com/kb/197571. Retrieved August 31, 2008. 
8. Raymond Chen (December 13, 2007). "AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs". The Old New Thing. Microsoft. http://blogs.msdn.com/oldnewthing/archive/2007/12/13/6648400.aspx. Retrieved August 31, 2008. 
9. "dllmain.c". ReactOS. ReactOS Foundation. July 8, 2008. http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/user32/misc/dllmain.c?view=markup. Retrieved August 31, 2008. 
10. AppInit_DLLs in Windows 7 and Windows Server 2008 R2
11. ^ Trent Waddington. "InjectDLL". http://www.quantumg.net/injectdll.php. Retrieved August 31, 2008. 
12. "Dll Injection". DreamInCode.net. MediaGroup1. May 4, 2006. http://www.dreamincode.net/code/snippet407.htm. Retrieved August 31, 2008. 
13. Greg Jenkins (November 2007). "DLL Injection Framework". Ring3 Circus. WordPress. http://www.ring3circus.com/downloads/dll-injection-framework/. Retrieved August 31, 2008. 
14. Drew Benton (August 17, 2007). "A More Complete DLL Injection Solution Using CreateRemoteThread". CodeProject. CodeProject. http://69.10.233.10/KB/threads/completeinject.aspx. Retrieved September 1, 2008. 
15. "CreateProcess". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms682425.aspx. Retrieved August 31, 2008. 
16. "PROCESS_INFORMATION". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms684873(VS.85).aspx. Retrieved August 31, 2008. 
17. "GetWindowThreadProcessId Function". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms633522(VS.85).aspx. Retrieved August 31, 2008. 
18. "EnumProcesses". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms682629(VS.85).aspx. Retrieved August 31, 2008. 
19. "GetModuleBaseName". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms683196(VS.85).aspx. Retrieved August 31, 2008. 
20. "VirtualAllocEx". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx. Retrieved August 31, 2008. 
21. "WriteProcessMemory". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms681674.aspx. Retrieved August 31, 2008. 
22. "Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability". Matousec. December 1, 2006. http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php. Retrieved August 31, 2008. 
23. "CreateRemoteThread". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx. Retrieved August 31, 2008. 
24. "LoadLibrary". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms684175(VS.85).aspx. Retrieved August 31, 2008. 
25. ^ "DllMain". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms682583.aspx. Retrieved August 31, 2008. 
26. "SetWindowsHookEx Function". Platform SDK for Windows XP SP2. Microsoft. http://msdn.microsoft.com/en-us/library/ms644990.aspx. Retrieved August 31, 2008. 
27. "AppInit_DLLs Registry Value and Windows 95". Microsoft Help and Support. Microsoft. March 1, 2005. http://support.microsoft.com/kb/134655. Retrieved August 31, 2008. 
28. "Dll Injection using SetWindowsHookEx() Method". Game Reversal. April 3, 2008. http://www.gamereversal.com/index.php?option=com_content&view=article&id=56%3Adll-injection-using-setwindowshookex-method&catid=39%3Ac--c-core-concepts&Itemid=1. Retrieved September 1, 2008. 
29. "SetThreadContext DLL Injection". January 16, 2007. http://nerd.egloos.com/2940083. Retrieved September 1, 2008. 
30. Ben Botto (September 6, 2008). "DLL Injector". http://busybin.com/busybin/C++/dll_injector/. Retrieved September 1, 2008. 
31. "Protected Media Path". http://msdn.microsoft.com/en-us/library/aa376846(VS.85).aspx. Retrieved September 11, 2010. 
32. Linus Torvalds; David Engel, Eric Youngdale, Peter MacDonald, Hongjiu Lu, Lars Wirzenius and Mitch D'Souza (March 14, 1998). "ld.so/ld-linux.so – dynamic linker/loader". UNIX man pages. http://unixhelp.ed.ac.uk/CGI/man-cgi?ld.so+8. Retrieved August 31, 2008. 
33. "Code Gen Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Code-Gen-Options.html#Code-Gen-Options. Retrieved August 31, 2008. "-fpic Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. sqq." 
34. "Link Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Link-Options.html#Link-Options. Retrieved August 31, 2008. "-shared Produce a shared object which can then be linked with other objects to form an executable. sqq." 
35. Gregory Shpitalnik (February 12, 2009). "Code Injection into Running Linux Application". Code Project. http://www.codeproject.com/KB/DLL/code_injection.aspx. Retrieved November 18, 2010.