Overview of DLL Injection Techniques

Nov 23, 2024

DLL Injection Technique Overview

Introduction to DLL Injection

  • DLL Injection allows for injecting a Dynamic Link Library (DLL) into a target process and executing its code.
  • Historically useful for malicious activities (e.g., executing a C2 implant).
  • Major Problem: Complexity of the process.
    • Need to drop files in the target environment.
    • Ensure all paths are correctly set up.
    • Complexity often makes it not worth the effort.

Proposed Solution: Staging Technique

  • Staging Technique: Store files or shellcode on a remote server to dynamically access them.
    • Example: Stage shellcode on a remote HTTP server and send a dropper without malicious data.
    • When the dropper executes, it fetches shellcode from the remote server dynamically.
    • This can also be done via an SMB server.

Understanding the DLL Structure in Visual Studio

  • DLL Structure:
    • Main function: DllMain, the entry point of the DLL.
    • The DLL's behavior is driven by the different branches (reasons) handled in that function.
    • Primary focus is DLL_PROCESS_ATTACH, where a new thread is created to execute the custom functions.

Key Functions Inside the DLL

  • Custom Function: exec
    • Executes shellcode generated with an msfvenom command in C output format.
    • The shellcode is not encrypted; it sits in the DLL in plaintext.

Memory Management Functions

  1. VirtualAlloc: Allocates memory inside the process.
    • Size: 460 bytes.
    • Allocation type: MEM_RESERVE | MEM_COMMIT; protection: PAGE_EXECUTE_READWRITE.
  2. memcpy: Copies the shellcode bytes into the allocated memory.
    • Syntax: memcpy(destination, source, size).
  3. CreateRemoteThread: Starts a thread at the allocated memory so the shellcode runs.
    • Most parameters are set to zero (or NULL), as they are not needed.

Setting Up the SMB Server

  • Use the Impacket SMB server (smbserver) to host the SMB share.
  • Specify the share name and serve the current folder from the SMB server.
  • Copy the DLL file into the shared folder on the SMB server (e.g., 192.168.64.130).

Creating a Simple Dropper

  • Based on an existing POC to keep it simple.
  • Include the libraries windows.h and stdio.h.
  • Declare a handle for the remote process and a pointer for the allocated memory.
  • UNC Path: Specify the DLL path as a UNC path (\\server\share\file.dll) so the target loads it straight from the SMB share.

Key API Calls

  1. OpenProcess: Opens the target process whose PID is passed on the command line.
  2. VirtualAllocEx: Allocates memory in the remote process (to hold the DLL path).
  3. WriteProcessMemory: Similar to memcpy, but writes into the remote process; copies the UNC path into that memory.
  4. GetProcAddress: Retrieves the address of the LoadLibraryW function (from kernel32, which is mapped at the same address in every process).
  5. CreateRemoteThread: Starts a thread in the target at LoadLibraryW with the path as its argument, which loads the DLL into the target process.
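From the defender's side, the five-call sequence above leaves two telemetry artifacts: a remote thread whose start address resolves to LoadLibraryW, and an image load whose path is a UNC share. The detection sketch below is added here and is not code from the original video; it parses constructed Sysmon-style events (Event ID 8 CreateRemoteThread and Event ID 7 ImageLoad, flattened to key=value) and flags both, escalating when they land on the same PID. The field names follow Sysmon's schema; the log lines, share name and DLL name are constructed.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style sample events (not real telemetry).
# Event 8 = CreateRemoteThread, Event 7 = ImageLoad, flattened to key=value.
SAMPLE_LOG = """\
EventID=8 SourceImage=C:\\Users\\u\\dropper.exe TargetProcessId=4812 TargetImage=C:\\Windows\\System32\\notepad.exe StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryW
EventID=7 ProcessId=4812 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=\\\\192.168.64.130\\share\\inject.dll Signed=false
EventID=7 ProcessId=4812 Image=C:\\Windows\\System32\\notepad.exe ImageLoaded=C:\\Windows\\System32\\ole32.dll Signed=true
EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe TargetProcessId=1200 TargetImage=C:\\Windows\\explorer.exe StartModule=C:\\Windows\\System32\\ntdll.dll StartFunction=RtlUserThreadStart
"""

# Remote-thread start functions that mean "force this process to load a DLL".
LOADLIB_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one flattened 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def analyze(log_text: str) -> List[Dict[str, str]]:
    """Return findings for remote LoadLibrary threads and UNC image loads.

    A UNC image load in a process that earlier received a remote LoadLibrary
    thread is escalated to high, since that is exactly the injector sequence.
    """
    findings: List[Dict[str, str]] = []
    forced_load_pids = set()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") == "8" and ev.get("StartFunction") in LOADLIB_FUNCS:
            pid = ev["TargetProcessId"]
            forced_load_pids.add(pid)
            findings.append({"pid": pid, "severity": "medium",
                             "reason": f"remote thread in {ev['TargetImage']} starts at "
                                       f"{ev['StartFunction']} (source {ev['SourceImage']})"})
        elif ev.get("EventID") == "7" and ev.get("ImageLoaded", "").startswith("\\\\"):
            pid = ev["ProcessId"]
            severity = "high" if pid in forced_load_pids else "medium"
            findings.append({"pid": pid, "severity": severity,
                             "reason": f"{ev['Image']} loaded DLL from network share {ev['ImageLoaded']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f['severity']}] pid={f['pid']}: {f['reason']}")
```

The benign csrss.exe thread and the ole32.dll load produce no finding, so the sample yields one medium and one high alert for PID 4812.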

Testing the Setup

  • Set up a Netcat listener (e.g., nc -nvlp 443).
  • Compile the code and ensure the target process (e.g., Notepad) is running.
  • Execute the dropper with the target PID to inject the DLL.

Advantages and Caveats

  • Flexibility: The DLL on the share can be swapped at any time to execute different payloads without touching the dropper.
  • Target Environment: Best suited to internal networks, since outbound SMB traffic is often blocked at the perimeter.

Antivirus Testing

  • Test against various antivirus vendors using scanning tools.
  • Example results: 2 out of 32 detected as malicious.

Conclusion

  • The technique offers a streamlined way to implement DLL injection while managing complexity.
  • Encouragement to support the content creator by subscribing and joining their community.