In the past I showcased a technique called DLL injection. It lets us inject a DLL into a target process and then execute the code inside the library, just like that. While it was useful for running a C2 implant or performing other post-exploitation activity, it has one major problem, and that's... it's complex.
Right. It's hardly worth it, because you first have to drop your files onto the target, then make sure every path inside the executable is set up correctly, and that makes the whole process not worth the effort. So can we do something about it? My idea is to combine DLL injection with staging. Staging is a technique where you store files or shellcode on a remote server and fetch them only when you need them. For instance, you can stage your shellcode on a remote HTTP server and ship a dropper that contains no malicious data at all; when the dropper runs, it fetches the shellcode from the server dynamically. We can use the same idea with an SMB server. Let's start by explaining the DLL and how it works.
I have a standard DLL project in Visual Studio. I renamed the source file to DLLMain.c and switched the file to C (the default is C++), but that doesn't really matter. What matters is how the DLL is structured.
This is the main DLL function, DllMain, the entry point the loader calls when the DLL is loaded. Depending on how the DLL is engaged, different branches of the function run.
For instance, when the DLL is attached to a process, the DLL_PROCESS_ATTACH case of this switch is triggered and the code inside it runs. The other cases are the remaining reasons the loader calls DllMain (process detach, thread attach and thread detach), but in most cases the one we care about is DLL_PROCESS_ATTACH. There I create a new thread whose start routine is my custom exec function. Keep in mind that you should not run your payload directly inside DllMain: DllMain executes while the loader lock is held, so anything that loads other libraries, blocks, or synchronizes with other threads from there risks deadlocking the process. The safe pattern is to hand the work to CreateThread and return right away, which is what happens here. That's the main method of the DLL. The one custom function, exec, is super simple: the standard shellcode-runner. The shellcode is msfvenom output in C format; it's not encrypted, it just sits in the source as is.
Then come three lines of code. First, `LPVOID pAddr = VirtualAlloc(...)` allocates space in the process's memory: we ask for the size of the buffer, which in this case is 460 bytes, with the MEM_RESERVE and MEM_COMMIT flags and PAGE_EXECUTE_READWRITE protection, so the region can be read, written and executed. Yep, you heard me right. (A private RWX allocation is also one of the easiest things for an EDR to flag; allocating it read-write and flipping it to execute-read with VirtualProtect after the copy is the usual refinement, but the code here keeps it simple.)

Next is memcpy. memcpy just transfers bytes: you give it the destination, the source and how many bytes to copy. So `memcpy(pAddr, buf, sizeof(buf))` uses pAddr as the destination, buf (the shellcode array) as the source, and the size of the buffer as the count, and the whole array ends up in the memory we allocated. The last step is to execute it, and for that I use the same CreateThread API. Most of its arguments are zero or NULL because we don't need them; the one that matters is the start address, which is the address of the allocated memory. With that, our DLL is ready. It's weaponized and ready to go.
So let's transfer it to a share and see if it works. On the Kali machine I host an SMB server with impacket's smbserver.py, naming the share `smb` and passing `.` to serve the current folder: `smbserver.py smb .` (against current Windows clients you will also want `-smb2support`, since SMB1 is disabled by default on Windows 10 and later). With that the SMB server is up and running, so let me go back and transfer my file. I copy the DLL, navigate to `\\192.168.64.130\smb`, and paste it there. Of course you can copy it in various ways, but I decided to do it like that.

Thank you to my Patreon supporters and everyone who subscribes and joins the Discord; it keeps me motivated to build better and more detailed content. Let's move on.

Now let's look at the dropper and what's different about it. In the previous example we had a more complex dropper that found the target process at runtime by name and walked the process list, so it was more interactive. I decided to keep things simple in this video and use a PoC based on the ired.team notes (highly appreciated, you make awesome content) so I can explain the code better. Now we have only one main function and just two includes: windows.h, because we obviously need the Windows APIs, and stdio.h. The first lines of main declare a handle for the remote process we're going to open and a pointer, pAddr, that will hold the address of the memory we allocate in it, similar to the previous example.

Now here's the most interesting part: the DLL path is a UNC path, and just specifying a UNC path works. At first I got into the idea of using Windows APIs to read the file from the share and so on, but then I thought, why don't I just try a UNC path here, and it worked. That's because LoadLibraryW simply hands the path to the loader, which resolves a UNC path through the SMB redirector like any other file; the only requirement is that the target process can reach the share and is allowed to authenticate to it. So we point the path at the DLL on the share and move on to OpenProcess.
OpenProcess opens the process whose PID we pass as a command-line argument, so we must already know the PID. As I mentioned, that's not the most user-friendly approach, but it's the easiest for explaining the code. After opening the process we allocate memory inside it with VirtualAllocEx, which does the same as VirtualAlloc except that it allocates in a remote process instead of the current one; that's the main difference between the two. We pass the process we opened, the size of the DLL path, and again MEM_COMMIT, but this time PAGE_READWRITE only, because the path is just data and we don't need to execute it. One thing to get right here: the size is a byte count, so for a wide-character path it is `(wcslen(path) + 1) * sizeof(wchar_t)`, terminator included, not the number of characters. Then WriteProcessMemory does the same job as memcpy, but for the remote process: process handle, destination, source, and how many bytes. Finally there is one key component, the LPTHREAD_START_ROUTINE, which we get by resolving LoadLibraryW from kernel32.
GetProcAddress takes a module handle and returns the address of a function in that module; here the module is kernel32 and the function is LoadLibraryW, because DLL injection ultimately comes down to making the target call LoadLibraryW on our DLL. Then CreateRemoteThread does the same thing CreateThread did before, but in the remote process: we pass the process we opened, the address of LoadLibraryW as the start routine, and the allocated memory containing the DLL path as the thread parameter. The target loads the DLL from the share and runs it. We then close the handles so we don't leak them, and with that the program is done.

My SMB server is set up, but I still need my Netcat listener, so let me start that as well: `nc -nvlp 443`. 443 is the port I generated the shellcode for; if you generated yours for a different port, use that one instead. Now I go to my Windows VM and compile the code. Of course, as I mentioned, we need a process to inject the DLL into, and for that I use Notepad: I start a new notepad process, and its PID is 13084. Fingers crossed: I run the dropper with 13084 as the argument, and the injection completes. Back on the Kali machine, voilà, we have our callback.

With that flexibility things get so much easier. The DLL can carry shellcode for Mythic, Havoc or any other C2 framework you want, and you can swap the DLLs on the share dynamically, which results in different payloads being executed, so you're a bit freer in how you use the technique. Keep in mind that this is meant for internal networks only: in most environments outbound SMB traffic is blocked, but if you are already inside a network this is a really nice way to pull off DLL injection.

One more thing to do: test the dropper against various AV vendors. Let's upload the dropper and see whether anything detects it. I'll try antiscan.me first, though to be honest I haven't seen it working for several months; let me try the scan... and nothing. But I have an alternative, MetaDefender from opswat.com, which does much the same thing as antiscan.me. They say they don't share samples, so I can't be 100% sure about that, but let's see the result. 2 out of 32 engines flag it as malicious. In the full report, ESET and IKARUS say it's a bad file, while all the others, Webroot and the rest, say it's fine. Note that the dropper contains no shellcode at all, only a path, so a clean static scan here says little about the DLL sitting on the share, which is where the msfvenom payload actually lives.
That was the video. I hope it was useful and insightful to you guys. If it was, smash that subscribe and like button, and I'll see you in the next one.