DLL injection

From Wikipedia, the free encyclopedia

In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by malware to influence the behavior of another program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]


Approaches on Microsoft Windows

There are multiple ways on Microsoft Windows to force a process to load and execute code in a DLL that the authors did not intend:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll when that DLL attaches itself to the process.[5][7][8][9] Beginning with Windows Vista, AppInit_DLLs are disabled by default.[10] Beginning with Windows 7, the AppInit_DLL infrastructure supports code signing.
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][11][12][13][14]
    1. Open a handle to the target process. This can be done by spawning the process[15][16] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[17] or by obtaining a list of running processes[18] and scanning for the target executable's filename.[19]
    2. Allocate some memory in the target process,[20] and write the name of the DLL to be injected into it.[11][21]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[22]
    3. Create a new thread in the target process[23] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[11][24]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[11][25]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[25]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][26][27][28]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, which in turn could load a DLL.[4][29][30]
  • Exploit design limitations in Windows and applications that call the LoadLibrary() function without specifying a fully qualified path to the DLL being loaded.[31]
  • Operating system-level shims.
  • Substituting an application-specific DLL with a rogue replacement that implements the same function exports as the original.[32]
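The CreateRemoteThread sequence above has a recognisable shape from the outside: a thread is created in one process by another process, and its start address is either the address of a LoadLibrary export in kernel32 (step 3) or an address that belongs to no loaded module at all (the variant that writes code into the target and starts the thread there). The following C program is an added example, not part of the article or of any cited source; it models the data an endpoint sensor would record (the target's module list with export addresses, and thread-creation events carrying the creator and target process ids) and classifies each event. All module names, addresses, sizes, export RVAs and process ids are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of sensor data: a loaded module with its exports. */
typedef struct {
    const char *name;
    uintptr_t base;
    size_t size;
    const char *const *export_names; /* NULL-terminated */
    const uint32_t *export_rvas;     /* parallel to export_names */
} Module;

/* One thread-creation event as a kernel callback or ETW provider reports it. */
typedef struct {
    uint32_t creator_pid;  /* process that called CreateThread/CreateRemoteThread */
    uint32_t target_pid;   /* process the new thread runs in */
    uintptr_t start_address;
} ThreadEvent;

static const Module *find_module(const Module *mods, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

static const char *export_at(const Module *m, uintptr_t addr)
{
    for (size_t i = 0; m->export_names[i]; i++)
        if (m->base + m->export_rvas[i] == addr)
            return m->export_names[i];
    return NULL;
}

/* Classification:
 *   0 local thread creation (creator == target), not examined here
 *   1 remote thread starting at a LoadLibrary* export (the DLL-name variant)
 *   2 remote thread starting outside every loaded module (the raw-code variant)
 *   3 remote thread with an unremarkable start address (worth logging anyway) */
int classify_thread_event(const ThreadEvent *ev, const Module *mods, size_t nmods)
{
    if (ev->creator_pid == ev->target_pid)
        return 0;
    const Module *m = find_module(mods, nmods, ev->start_address);
    if (!m)
        return 2;
    const char *sym = export_at(m, ev->start_address);
    if (sym && strncmp(sym, "LoadLibrary", 11) == 0)
        return 1;
    return 3;
}

/* Constructed sample: a target "app.exe" (pid 1234) with kernel32 loaded. */
static const char *const k32_exports[] = { "CreateFileW", "LoadLibraryA", "LoadLibraryW", "LoadLibraryExW", NULL };
static const uint32_t k32_rvas[] = { 0x2a000, 0x1f0a0, 0x1f320, 0x1f5c0 };
static const char *const app_exports[] = { NULL };
static const uint32_t app_rvas[] = { 0 };
static const Module sample_modules[] = {
    { "app.exe",      0x00400000, 0x80000, app_exports, app_rvas },
    { "kernel32.dll", 0x77000000, 0xb0000, k32_exports, k32_rvas },
};
static const ThreadEvent sample_events[] = {
    { 1234, 1234, 0x00401000 },            /* app's own worker thread */
    { 4321, 1234, 0x77000000 + 0x1f320 },  /* remote thread at LoadLibraryW */
    { 4321, 1234, 0x00a30000 },            /* remote thread at an address in no module */
    { 4321, 1234, 0x77000000 + 0x2a000 },  /* remote thread at CreateFileW */
};

/* Classify every sample event into out[]; returns how many were written. */
int run_sample(int *out, int max)
{
    int n = (int)(sizeof sample_events / sizeof sample_events[0]);
    if (n > max) n = max;
    for (int i = 0; i < n; i++)
        out[i] = classify_thread_event(&sample_events[i], sample_modules,
                                       sizeof sample_modules / sizeof sample_modules[0]);
    return n;
}

int main(void)
{
    static const char *labels[] = { "local", "remote->LoadLibrary", "remote->unbacked code", "remote->other" };
    int flags[8];
    int n = run_sample(flags, 8);
    for (int i = 0; i < n; i++)
        printf("event %d: creator %u target %u start 0x%lx -> %s\n", i,
               sample_events[i].creator_pid, sample_events[i].target_pid,
               (unsigned long)sample_events[i].start_address, labels[flags[i]]);
    return 0;
}
```

The classification deliberately keys on the creator/target pid mismatch first: the DLL_THREAD_ATTACH notification mentioned above tells a module inside the process that some thread started, but only a sensor outside the process can see who created it. Legitimate remote thread creation does exist (debuggers, some accessibility and crash-reporting tools), so category 3 is a logging signal rather than an alert, while categories 1 and 2 match the two injection variants described in the steps above.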

Approaches on Unix-like systems

On Unix-like operating systems with a dynamic linker based on ld.so (on BSD) or ld-linux.so (on Linux), arbitrary libraries can be linked into a new process by giving the library's pathname in the LD_PRELOAD environment variable, which can be set globally or individually for a single process.[33]

For example, in bash, this command launches the program "prog" with the shared library from the file "test.so" linked into it at launch time:

LD_PRELOAD="./test.so" prog

Such a library can be created with GCC by compiling the source file containing the new globals to be linked, with the -fpic or -fPIC option,[34] and linking with the -shared option.[35] The library has access to external symbols declared in the program like any other library.
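Because LD_PRELOAD and /etc/ld.so.preload make the loader map an extra shared object before the program's own dependencies, the simplest defensive check is to look at what is actually mapped into a process and where it came from. The following C program is an added example, not taken from the article or from the ld.so documentation it cites: it parses an LD_PRELOAD value (ld.so accepts entries separated by colons or whitespace), scans /proc/<pid>/maps text for shared objects mapped from outside a set of trusted directories, and applies both checks to the calling process. The trusted-directory list and the sample maps text are constructed for the example and are not from the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PATH_LEN 256

/* Constructed sample of /proc/<pid>/maps text: libc and ld.so come from
 * system directories, test.so (mapped twice) and libhelper.so.2 do not. */
const char *const SAMPLE_MAPS =
    "55d4a1c00000-55d4a1c02000 r-xp 00000000 08:01 40001 /home/user/prog\n"
    "7f1b2c000000-7f1b2c1c0000 r-xp 00000000 08:01 13001 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f1b2c400000-7f1b2c401000 r--p 00000000 08:01 52001 /tmp/test.so\n"
    "7f1b2c401000-7f1b2c402000 r-xp 00001000 08:01 52001 /tmp/test.so\n"
    "7f1b2c600000-7f1b2c621000 rw-p 00000000 00:00 0 [heap]\n"
    "7f1b2c800000-7f1b2c803000 r-xp 00000000 08:01 52002 /home/user/.cache/libhelper.so.2\n"
    "7f1b2ca00000-7f1b2ca2a000 r-xp 00000000 08:01 13002 /lib64/ld-linux-x86-64.so.2\n";

/* Assumed allow-list of directories the loader should be pulling libraries from. */
static const char *const trusted_dirs[] = { "/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/" };

static int is_trusted_dir(const char *path)
{
    for (size_t i = 0; i < sizeof trusted_dirs / sizeof trusted_dirs[0]; i++)
        if (strncmp(path, trusted_dirs[i], strlen(trusted_dirs[i])) == 0)
            return 1;
    return 0;
}

/* Matches "libfoo.so" and versioned names such as "libfoo.so.1.2". */
static int looks_like_shared_object(const char *path)
{
    for (const char *p = strstr(path, ".so"); p; p = strstr(p + 1, ".so"))
        if (p[3] == '\0' || p[3] == '.')
            return 1;
    return 0;
}

/* Split an LD_PRELOAD value into entries (colon- or whitespace-separated). */
int split_preload_list(const char *value, char out[][MAX_PATH_LEN], int max)
{
    int n = 0;
    const char *p = value;
    while (n < max) {
        while (*p == ':' || *p == ' ' || *p == '\t') p++;
        if (*p == '\0') break;
        const char *start = p;
        while (*p && *p != ':' && *p != ' ' && *p != '\t') p++;
        size_t len = (size_t)(p - start);
        if (len >= MAX_PATH_LEN) len = MAX_PATH_LEN - 1;
        memcpy(out[n], start, len);
        out[n][len] = '\0';
        n++;
    }
    return n;
}

/* Count distinct shared objects in maps text that live outside trusted
 * directories; the first such path is copied to `first` when non-NULL. */
int count_untrusted_libs(const char *maps_text, char *first, size_t first_len)
{
    char seen[32][MAX_PATH_LEN];
    int nseen = 0, count = 0;
    if (first && first_len) first[0] = '\0';
    for (const char *line = maps_text; line && *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512], path[MAX_PATH_LEN];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : NULL;
        /* maps fields: address perms offset dev inode pathname */
        if (sscanf(buf, "%*s %*s %*s %*s %*s %255s", path) != 1 || path[0] != '/')
            continue;
        if (!looks_like_shared_object(path) || is_trusted_dir(path))
            continue;
        int dup = 0;
        for (int i = 0; i < nseen && !dup; i++)
            dup = strcmp(seen[i], path) == 0;
        if (dup) continue;
        if (nseen < 32) snprintf(seen[nseen++], MAX_PATH_LEN, "%s", path);
        if (count == 0 && first && first_len) snprintf(first, first_len, "%s", path);
        count++;
    }
    return count;
}

/* Apply both checks to the calling process; returns the number of findings. */
int preload_self_check(void)
{
    static char maps[1 << 16];
    char entries[8][MAX_PATH_LEN], first[MAX_PATH_LEN];
    int findings = 0;
    const char *env = getenv("LD_PRELOAD");
    if (env && *env) {
        int n = split_preload_list(env, entries, 8);
        for (int i = 0; i < n; i++) printf("LD_PRELOAD entry: %s\n", entries[i]);
        findings += n;
    }
    FILE *f = fopen("/etc/ld.so.preload", "r");
    if (f) { puts("/etc/ld.so.preload is present"); findings++; fclose(f); }
    if ((f = fopen("/proc/self/maps", "r")) != NULL) {
        size_t got = fread(maps, 1, sizeof maps - 1, f);
        maps[got] = '\0';
        fclose(f);
        int n = count_untrusted_libs(maps, first, sizeof first);
        if (n) printf("%d untrusted shared object(s) mapped, e.g. %s\n", n, first);
        findings += n;
    }
    return findings;
}

int main(void)
{
    return preload_self_check() ? 1 : 0;
}
```

An in-process check like this is only a first signal: a preloaded library runs before main() and can interpose getenv(), fopen() or read() to hide the very evidence being looked for. The same maps scan run from a separate process (reading /proc/<pid>/maps), or an audit rule on execve environments and on writes to /etc/ld.so.preload, does not share the target's address space and is the more reliable place to alert from.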

It is also possible to use debugger-based techniques on Unix-like systems.[36]

References

  1. ^ a b James Shewmaker (2006). "Analyzing DLL Injection" (PDF). GSM Presentation. Bluenotch. Retrieved August 31, 2008. 
  2. ^ a b Iczelion (August 2002). "Tutorial 24: Windows Hooks". Iczelion's Win32 Assembly Homepage. Retrieved August 31, 2008. 
  3. ^ Rocky Pulley (May 19, 2005). "Extending Task Manager with DLL Injection". CodeProject. CodeProject. Retrieved September 1, 2008. 
  4. ^ a b Nasser R. Rowhani (October 23, 2003). "DLL Injection and function interception tutorial". CodeProject. CodeProject. Retrieved August 31, 2008. 
  5. ^ a b c d Ivo Ivanov (December 2, 2002). "API hooking revealed". CodeProject. CodeProject. Retrieved August 31, 2008. 
  6. ^ a b c d Robert Kuster (August 20, 2003). "Three Ways to Inject Your Code into Another Process". CodeProject. CodeProject. Retrieved August 31, 2008. 
  7. ^ "Working with the AppInit_DLLs registry value". Microsoft Help and Support. Microsoft. November 21, 2006. Retrieved August 31, 2008. 
  8. ^ Raymond Chen (December 13, 2007). "AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs". The Old New Thing. Microsoft. Retrieved August 31, 2008. 
  9. ^ "dllmain.c". ReactOS. ReactOS Foundation. July 8, 2008. Retrieved August 31, 2008. 
  10. ^ AppInit_DLLs in Windows 7 and Windows Server 2008 R2
  11. ^ a b c d Trent Waddington. "InjectDLL". Retrieved August 31, 2008. 
  12. ^ "Dll Injection". DreamInCode.net. MediaGroup1. May 4, 2006. Retrieved August 31, 2008. 
  13. ^ Greg Jenkins (November 2007). "DLL Injection Framework". Ring3 Circus. WordPress. Retrieved August 31, 2008. 
  14. ^ Drew Benton (August 17, 2007). "A More Complete DLL Injection Solution Using CreateRemoteThread". CodeProject. CodeProject. Retrieved September 1, 2008. 
  15. ^ "CreateProcess". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  16. ^ "PROCESS_INFORMATION". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  17. ^ "GetWindowThreadProcessId Function". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  18. ^ "EnumProcesses". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  19. ^ "GetModuleBaseName". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  20. ^ "VirtualAllocEx". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  21. ^ "WriteProcessMemory". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  22. ^ "Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability". Matousec. December 1, 2006. Retrieved August 31, 2008. 
  23. ^ "CreateRemoteThread". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  24. ^ "LoadLibrary". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  25. ^ a b "DllMain". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  26. ^ "SetWindowsHookEx Function". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008. 
  27. ^ "AppInit_DLLs Registry Value and Windows 95". Microsoft Help and Support. Microsoft. March 1, 2005. Retrieved August 31, 2008. 
  28. ^ "Dll Injection using SetWindowsHookEx() Method". Game Reversal. April 3, 2008. Retrieved September 1, 2008. 
  29. ^ "SetThreadContext DLL Injection". January 16, 2007. Retrieved September 1, 2008. 
  30. ^ Ben Botto (September 6, 2008). "DLL Injector". Retrieved September 1, 2008. 
  31. ^ "Secure loading of libraries to prevent DLL preloading attacks". Microsoft. 10 June 2011. Retrieved 8 Aug 2012. 
  32. ^ Nicolas Falliere (26 September 2010). "Stuxnet Infection of Step 7 Projects". Symantec. 
  33. ^ Linus Torvalds; David Engel, Eric Youngdale, Peter MacDonald, Hongjiu Lu, Lars Wirzenius and Mitch D'Souza (March 14, 1998). "ld.so/ld-linux.so – dynamic linker/loader". UNIX man pages. Retrieved August 31, 2008. 
  34. ^ "Code Gen Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. Retrieved August 31, 2008. "-fpic Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. sqq." 
  35. ^ "Link Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. Retrieved August 31, 2008. "-shared Produce a shared object which can then be linked with other objects to form an executable. sqq." 
  36. ^ Gregory Shpitalnik (February 12, 2009). "Code Injection into Running Linux Application". Code Project. Retrieved November 18, 2010.