DLL Injection - What is possible with it?

I was browsing the internet lately when I stumbled upon DLL injection.

I think it's an interesting subject, but I have no clue what the purpose of it is.

I have read that it can be used for cracking/hacking games and software, but is it also possible to do something positive with it?

If so, what can it be used for?

And what languages support this?

For the record, I am not going to try and crack/hack any game with the knowledge gained; I have no intention of doing something illegal!

Thanks for the time,

Emerion

PS: Websites/books on this subject would be appreciated!

asked Sep 29 '10 07:09 by Emerion

1 Answer

There are several uses that come to my mind:

  • Hot patching: Allows you to update/patch parts of your code without actually shutting down the process or restarting. Microsoft itself made sure large parts of Windows are hot-patchable by prefixing functions with a 5-byte NOP block. Why? Because you can JMP to any other part of your code in 5 bytes, so hot-patching basically overwrites the prefix bytes with a JMP to the updated/patched code and voila, your code does something entirely new. This is often used together with DLL injection to load the new code into the target process, and while not mandatory, it's one of its uses.

  • Logging: In the same spirit, detouring code is often used to prefix a function for logging purposes, i.e. to see with what parameters it is called. Also, some applications that record screen output from DirectX applications do this by detouring the DirectX calls, which again involves injecting a DLL into the process that monitors calls.

  • Subclassing: Not in the OOP sense, but in the Windows sense, i.e. providing a new WndProc for an existing window to alter its behavior. While you can simply set a different message handling routine via SetWindowLongPtr, the limiting factor to this is that the function needs to reside in the target process address space. This is where injection comes in once again: you provide a new implementation in a DLL, inject this into the target process and call SetWindowLongPtr. This can be used to provide custom, additional drawing on a foreign window, for example.

I have personally had to deal with all of the above use cases in the past, in regular business applications, from using hot patching to ensure uptime on a critical notification system in medical services to using detours/logging to allow a proprietary record management (by a then already dead software shop) to talk to a full-blown CRM solution in real-time.

As always, it's just a tool in your box, and there is nothing inherently "evil" about it. It's for whatever purpose you make use of it that counts.

answered Sep 19 '22 13:09 by Jim Brissom
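The hot-patching mechanism the answer describes (overwrite a function's 5-byte padding with a JMP to new code) is mostly an exercise in getting one piece of arithmetic right: the rel32 displacement of an x86 `E9` jump is measured from the end of the 5-byte instruction, not from its first byte, and it only reaches targets within +/-2 GiB. The following is an added example, not code from the answer or from any Microsoft or Detours source. It builds and decodes that jump and runs a patch/verify/unpatch cycle against a byte buffer that stands in for a function's first bytes (constructed sample bytes, with the 5 NOPs the answer mentions in front). The step of writing the bytes into a live process (VirtualProtect plus memcpy from inside the injected DLL, or WriteProcessMemory from outside) is deliberately left out, so the example runs anywhere; a logging detour uses the same jump, with the hook calling back into the original code afterwards.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Added example: 5-byte "JMP rel32" hot patch, computed and verified on a
 * simulated function image. The write into a live process (VirtualProtect,
 * WriteProcessMemory) is assumed to happen elsewhere and is not done here. */

#define JMP_REL32_LEN 5   /* opcode E9 + signed 32-bit displacement */

/* Encode a JMP at patch_addr landing on target. The displacement counts from
 * the END of the instruction (patch_addr + 5); forgetting the +5 lands five
 * bytes short. Returns false if target is beyond the +/-2 GiB reach of rel32. */
bool encode_jmp_rel32(uint64_t patch_addr, uint64_t target,
                      uint8_t out[JMP_REL32_LEN])
{
    int64_t rel = (int64_t)target - (int64_t)(patch_addr + JMP_REL32_LEN);
    if (rel < INT32_MIN || rel > INT32_MAX) return false;
    uint32_t u = (uint32_t)(int32_t)rel;     /* two's complement bit pattern */
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)              /* little-endian immediate */
        out[1 + i] = (uint8_t)(u >> (8 * i));
    return true;
}

/* Decode a JMP rel32 sitting at code_addr, to verify a patch before trusting it. */
bool decode_jmp_rel32(const uint8_t code[JMP_REL32_LEN], uint64_t code_addr,
                      uint64_t *target)
{
    if (code[0] != 0xE9) return false;
    uint32_t u = 0;
    for (int i = 0; i < 4; i++)
        u |= (uint32_t)code[1 + i] << (8 * i);
    /* sign-extend the 32-bit immediate without relying on a narrowing cast */
    int64_t rel = (u & 0x80000000u) ? (int64_t)u - 0x100000000LL : (int64_t)u;
    *target = (uint64_t)((int64_t)(code_addr + JMP_REL32_LEN) + rel);
    return true;
}

/* Encode then decode; returns the recovered target, or 0 if unreachable. */
uint64_t jmp_roundtrip(uint64_t patch_addr, uint64_t target)
{
    uint8_t jmp[JMP_REL32_LEN];
    uint64_t back = 0;
    if (!encode_jmp_rel32(patch_addr, target, jmp) ||
        !decode_jmp_rel32(jmp, patch_addr, &back))
        return 0;
    return back;
}

/* Stand-in for a hot-patchable function image: constructed sample bytes, the
 * 5 NOPs the answer mentions at the front, a made-up body behind them. */
typedef struct {
    uint64_t base;                  /* address of bytes[0] */
    uint8_t  bytes[10];
    uint8_t  saved[JMP_REL32_LEN];  /* original bytes, kept for unpatching */
    bool     patched;
} fake_function;

/* Overwrite the padding with a jump to new_impl. Refuses a second patch, an
 * unreachable target, or a site that does not hold the expected NOPs. */
bool hot_patch(fake_function *fn, uint64_t new_impl)
{
    uint8_t jmp[JMP_REL32_LEN];
    if (fn->patched) return false;
    for (int i = 0; i < JMP_REL32_LEN; i++)
        if (fn->bytes[i] != 0x90) return false;   /* never clobber real code */
    if (!encode_jmp_rel32(fn->base, new_impl, jmp)) return false;
    memcpy(fn->saved, fn->bytes, JMP_REL32_LEN);
    memcpy(fn->bytes, jmp, JMP_REL32_LEN);
    fn->patched = true;
    return true;
}

/* Inverse of hot_patch: put the saved bytes back. */
bool unpatch(fake_function *fn)
{
    if (!fn->patched) return false;
    memcpy(fn->bytes, fn->saved, JMP_REL32_LEN);
    fn->patched = false;
    return true;
}

/* Patch, verify, unpatch on a fake image at base. Returns 1 if every step
 * behaves (jump decodes to new_impl, body untouched, original restored). */
int hot_patch_cycle(uint64_t base, uint64_t new_impl)
{
    fake_function fn = { base,
        { 0x90, 0x90, 0x90, 0x90, 0x90,       /* NOP padding = patch site */
          0x48, 0x89, 0x5C, 0x24, 0x08 },     /* constructed body bytes   */
        { 0 }, false };
    uint8_t original[10];
    uint64_t seen = 0;
    memcpy(original, fn.bytes, sizeof original);
    if (!hot_patch(&fn, new_impl) || hot_patch(&fn, new_impl)) return 0;
    if (!decode_jmp_rel32(fn.bytes, base, &seen) || seen != new_impl) return 0;
    if (memcmp(fn.bytes + 5, original + 5, 5) != 0) return 0;
    if (!unpatch(&fn) || memcmp(fn.bytes, original, sizeof original) != 0) return 0;
    return 1;
}
```

Keeping the overwritten bytes (`saved`) is what makes the patch reversible, and refusing to patch anything that is not the expected NOP padding is the cheap safety check that stops a wrong address from turning a live process into a crash. On a 64-bit process the range check matters in practice: an injected DLL is often mapped far more than 2 GiB away from the target function, in which case a 5-byte jump cannot reach it directly and a nearby trampoline is needed.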