Malware Injection and Memory

Jun 22, 2024

Lecture Notes: Malware Injection and Memory

Key Concepts

  • Memory and Execution
    • Software runs in memory: nothing executes on a computer until it is loaded from disk into memory and processed by the CPU.
    • Malware must get into memory to operate.
  • Components Found in a Process's Memory
    • Dynamic Link Libraries (DLLs)
    • Threads
    • Buffers
    • Memory management functions
  • Malware Execution Methods
    • Runs as its own process in memory.
    • Injects into an existing process in memory.

Process Injection

  • Process Structure
    • Each process occupies a range of memory that starts at one address and ends at another.
    • Malware injection places code somewhere between these two addresses, inside the process's own memory.
    • Benefits to the attacker: avoids detection by anti-malware tools and gains the rights and permissions of the process it injects into.

DLL Injection

  • Dynamic Link Library (DLL)
    • A type of executable that many processes and applications load and share.
    • Attackers install a malicious DLL on storage that the target system can access.
  • Mechanism
    • The attacker places the malicious DLL at a path on a storage drive.
    • The target process references that path during execution.
    • The process loads the malicious DLL into memory, which executes the malware inside that process.

Security Implications

  • Avoiding Detection
    • Injecting malware into existing processes can evade anti-malware systems.
  • Rights and Permissions
    • Malware gains the same rights and permissions as the process it injects into, which can enable privilege escalation.
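
The DLL injection mechanism and the rights/permissions point above both leave a trace in telemetry: the load of a DLL from a path the attacker controls, into a process whose privileges the code then inherits. The following Python script is an added example written for these notes, not code from the original lecture. It triages constructed Sysmon-style "image loaded" records (the `ImageLoad` dataclass, directory lists, and `remote_thread_from` field are all assumptions for illustration; the sample events are made up) and raises severity when the loading process is privileged, because that is exactly the case where injected code gains the most.

```python
"""Added example for these lecture notes (not part of the original page):
triage constructed Sysmon-style "image loaded" records for signs of DLL
injection. The record layout, directory lists and the pre-joined
`remote_thread_from` field are illustrative assumptions, not a real schema.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Locations an unprivileged user can normally write to. A DLL loaded from
# here is the "attacker places the DLL at a path on storage" case from the notes.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)

# Locations where legitimately installed code is expected to live.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Real Windows DLL names; a file with one of these names loading from outside a
# trusted directory suggests a planted copy that the process resolved instead.
SYSTEM_DLL_NAMES = {"kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll"}

# Integrity levels whose rights an injected DLL would inherit.
PRIVILEGED_INTEGRITY = {"high", "system"}


@dataclass(frozen=True)
class ImageLoad:
    process: str                 # image name of the process that loaded the DLL
    integrity: str               # Low / Medium / High / System
    dll_path: str                # path the loader resolved the DLL from
    signed: bool                 # Authenticode signature present and valid
    remote_thread_from: Optional[str] = None  # other process that created a thread here just before (assumed pre-joined)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so prefix checks are case-insensitive."""
    return path.replace("/", "\\").lower()


def reasons_for(load: ImageLoad) -> List[str]:
    """Return the indicators that apply to one image-load record."""
    p = _norm(load.dll_path)
    name = p.rsplit("\\", 1)[-1]
    reasons = []
    if p.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("dll_in_user_writable_dir")
    if not load.signed and not p.startswith(TRUSTED_PREFIXES):
        reasons.append("unsigned_dll_outside_trusted_dirs")
    if name in SYSTEM_DLL_NAMES and not p.startswith(TRUSTED_PREFIXES):
        reasons.append("system_dll_name_from_unexpected_path")
    if load.remote_thread_from and load.remote_thread_from != load.process:
        reasons.append("load_after_remote_thread")
    return reasons


def severity(load: ImageLoad) -> str:
    """Escalate when the target is privileged: injected code inherits its rights."""
    reasons = reasons_for(load)
    if not reasons:
        return "none"
    if load.integrity.lower() in PRIVILEGED_INTEGRITY:
        return "high"
    return "medium"


def triage(loads: List[ImageLoad]) -> List[Tuple[ImageLoad, str, List[str]]]:
    """Return only suspicious loads, highest severity first."""
    order = {"high": 0, "medium": 1}
    hits = [(l, severity(l), reasons_for(l)) for l in loads if reasons_for(l)]
    return sorted(hits, key=lambda h: order[h[1]])


# Constructed sample telemetry (made up for this example, not real events).
SAMPLE_LOADS = [
    ImageLoad("notepad.exe", "Medium", r"C:\Windows\System32\kernel32.dll", True),
    ImageLoad("svchost.exe", "System", r"C:\Users\alice\AppData\Local\Temp\helper.dll", False, "updater.exe"),
    ImageLoad("app.exe", "Medium", r"C:\Users\bob\Downloads\advapi32.dll", False),
    ImageLoad("chrome.exe", "Medium", r"C:\Program Files\Google\Chrome\Application\chrome_elf.dll", True),
]

if __name__ == "__main__":
    for load, sev, why in triage(SAMPLE_LOADS):
        print(f"{sev:6} {load.process:12} {load.dll_path}  {', '.join(why)}")
```

Running the script reports the `svchost.exe` load as high severity (user-writable path, unsigned, preceded by a thread from another process, in a SYSTEM-integrity process) and the `app.exe` load as medium; the two loads from trusted directories produce no finding. The design choice worth noting is that severity is driven by the target process's integrity level rather than by the DLL alone, mirroring the notes' point that injected code gets whatever rights the host process already holds.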