Neeraj Godkhindi (OSCP), profile picture
Uploaded byNeeraj Godkhindi (OSCP)
PPTX, PDF478 views

DLL Injection

DLL injection involves loading a dynamic link library file into another running process's address space without the target process's cooperation or knowledge. The summarizes the key steps for DLL injection: 1. Get a handle to the target process using its process ID. 2. Allocate memory in the target process to store the path to the DLL. 3. Write the DLL path to the allocated memory. 4. Resolve the address of LoadLibraryA in kernel32.dll and create a remote thread in the target process using this entry point to load the DLL.

Embed presentation

Download to read offline
“DLL Injection Understanding“ INTERNET SECURITY
A dynamic-link library (DLL) file is an executable file that allows programs to share code and other resources necessary to perform particular tasks. The system calls the entry-point function in the context of the thread that called LoadLibrary. If the system cannot find the DLL or if the entry-point function returns FALSE, LoadLibrary or LoadLibraryEx returns NULL. If LoadLibrary or LoadLibraryEx succeeds, it returns the DLL handle to the DLL module. A process handle is a number that uniquely identifys a process kernal object, which can be optained using the Pid. QUICK INTRO !
1. Get a handle to the process we are injecting into. 2. Need to resolve the address for LoadLibraryA in any existing DLL such as Kernel 32 DLL 3. Allocate some space for the injecting DLL path, write the DLL path into the allocated space 4. create the remote thread, with the entry point setto LoadLibraryA, pointer to the DLL and with process handle. ACTION ITEMS
Get the process handle:- h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) Allocate the virtual memory to store the DLL path: arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM,PAGE_READWRITE) Write the DLL path into the allocated memory: kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written)) ACTION ITEMS
Resolve address : h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll") h_loadlib = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA") Create the thread an injectDLL kernel32.CreateRemoteThread(h_process,None,0,h_loadlib,arg_address,0, byref(thread_id)): ACTION ITEMS
d3m0 T1m3 LET’S LEARN
THANK YOU!!!s @NeerajRG GREAT TIME

More Related Content

PPT
Dll injection
byKarlFrank99
 
PDF
DLL Injection
byHossein Yavari
 
PDF
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
bySam Bowne
 
PDF
Practical Malware Analysis Ch13
bySam Bowne
 
PDF
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
PPTX
Network tunneling techniques
byinbroker
 
PDF
Binary Search - Design & Analysis of Algorithms
byDrishti Bhalla
 
PPTX
Logical and shift micro operations
bySanjeev Patel
 
Dll injection
byKarlFrank99
 
DLL Injection
byHossein Yavari
 
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbg
bySam Bowne
 
Practical Malware Analysis Ch13
bySam Bowne
 
CNIT 126 Ch 0: Malware Analysis Primer & 1: Basic Static Techniques
bySam Bowne
 
Network tunneling techniques
byinbroker
 
Binary Search - Design & Analysis of Algorithms
byDrishti Bhalla
 
Logical and shift micro operations
bySanjeev Patel
 

What's hot

PDF
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
bySam Bowne
 
PPTX
Cybersecurity
byEng Hasan Shamroukh CISCO Exams Author
 
PDF
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
PDF
Algorithm Analysis.pdf
byMemMem25
 
PDF
Network security
byChristalin Nelson
 
PPTX
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
PDF
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
PPTX
Intrusion detection
byCAS
 
PDF
Cyber Security Vulnerabilities
bySiemplify
 
PPT
Introduction Network security
byIGZ Software house
 
PPTX
Intrusion Prevention System
byVishwanath Badiger
 
PPTX
INSTRUCTION CYCLE
byParth Panchal
 
PPTX
Denial of Service Attacks (DoS/DDoS)
byGaurav Sharma
 
PDF
The role of big data, artificial intelligence and machine learning in cyber i...
byAladdin Dandis
 
PPT
Digital Signature Standard
bySou Jana
 
PPTX
Types Of Firewall Security
byiberrywifisecurity
 
PPTX
Data encoding
byAkash Bhandari
 
PPTX
Linear data structure concepts
byAkila Krishnamoorthy
 
PPTX
Binary search in data structure
byMeherul1234
 
PDF
Next Generation Memory Forensics
byAndrew Case
 
CNIT 126 Ch 7: Analyzing Malicious Windows Programs
bySam Bowne
 
Cybersecurity
byEng Hasan Shamroukh CISCO Exams Author
 
CNIT 126 2: Malware Analysis in Virtual Machines & 3: Basic Dynamic Analysis
bySam Bowne
 
Algorithm Analysis.pdf
byMemMem25
 
Network security
byChristalin Nelson
 
Ethical hacking Chapter 6 - Port Scanning - Eric Vanderburg
byEric Vanderburg
 
Practical Malware Analysis Ch 14: Malware-Focused Network Signatures
bySam Bowne
 
Intrusion detection
byCAS
 
Cyber Security Vulnerabilities
bySiemplify
 
Introduction Network security
byIGZ Software house
 
Intrusion Prevention System
byVishwanath Badiger
 
INSTRUCTION CYCLE
byParth Panchal
 
Denial of Service Attacks (DoS/DDoS)
byGaurav Sharma
 
The role of big data, artificial intelligence and machine learning in cyber i...
byAladdin Dandis
 
Digital Signature Standard
bySou Jana
 
Types Of Firewall Security
byiberrywifisecurity
 
Data encoding
byAkash Bhandari
 
Linear data structure concepts
byAkila Krishnamoorthy
 
Binary search in data structure
byMeherul1234
 
Next Generation Memory Forensics
byAndrew Case
 

Viewers also liked

PPT
Shared memory
byAbhishek Khune
 
PPT
Device Driver in WinCE 6.0 R2
byrahul_p_shukla
 
PDF
Shellcode injection
byDhaval Kapil
 
PPTX
Shellcode mastering
byPositive Hack Days
 
PPT
Buckling Analysis in ANSYS
byMaha Hassan
 
PDF
Reverse engineering - Shellcodes techniques
byEran Goldstein
 
DOC
Programming windows
byDepakSudarsanam
 
PPTX
Linux memory-management-kamal
byKamal Maiti
 
Shared memory
byAbhishek Khune
 
Device Driver in WinCE 6.0 R2
byrahul_p_shukla
 
Shellcode injection
byDhaval Kapil
 
Shellcode mastering
byPositive Hack Days
 
Buckling Analysis in ANSYS
byMaha Hassan
 
Reverse engineering - Shellcodes techniques
byEran Goldstein
 
Programming windows
byDepakSudarsanam
 
Linux memory-management-kamal
byKamal Maiti
 

Similar to DLL Injection

PDF
Process injection - Malware style
bySander Demeester
 
PDF
CNIT 126 12: Covert Malware Launching
bySam Bowne
 
PPT
DLL Hijacking
byRashid feroz
 
PDF
Practical Malware Analysis Ch12
bySam Bowne
 
PPTX
Taking Hunting to the Next Level: Hunting in Memory
byJoe Desimone
 
PPTX
Dll Hijacking
bynullowaspmumbai
 
PPTX
Code Injection in Windows
byn|u - The Open Security Community
 
PDF
Formbook - In-depth malware analysis (Botconf 2018)
byRémi Jullian
 
PPTX
MALWARE ANALYSIS CH-01 DTU PRESENTATION PPT
byhemoneshmaheshwarico
 
PPTX
Sp group7 27_53_65_66_68_ppt_dynamic linking library
bySagarSikchi1
 
PDF
Hs P005 Reflective Dll Injection
byKarlFrank99
 
PDF
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
byCode Engn
 
PPT
Backdoor coding
byabdesslem amri
 
ODP
LD_PRELOAD Exploitation - DC9723
byIftach Ian Amit
 
PPTX
Defcamp 2013 - SSL Ripper
byDefCamp
 
PDF
DLL Tutor maXbox starter28
byMax Kleiner
 
PDF
Ch 6: The Wild World of Windows
bySam Bowne
 
PPT
bh-europe-01-clowes
byguest3e5046
 
PDF
Bh Usa 07 Butler And Kendall
byKarlFrank99
 
PDF
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 
Process injection - Malware style
bySander Demeester
 
CNIT 126 12: Covert Malware Launching
bySam Bowne
 
DLL Hijacking
byRashid feroz
 
Practical Malware Analysis Ch12
bySam Bowne
 
Taking Hunting to the Next Level: Hunting in Memory
byJoe Desimone
 
Dll Hijacking
bynullowaspmumbai
 
Code Injection in Windows
byn|u - The Open Security Community
 
Formbook - In-depth malware analysis (Botconf 2018)
byRémi Jullian
 
MALWARE ANALYSIS CH-01 DTU PRESENTATION PPT
byhemoneshmaheshwarico
 
Sp group7 27_53_65_66_68_ppt_dynamic linking library
bySagarSikchi1
 
Hs P005 Reflective Dll Injection
byKarlFrank99
 
[2007 CodeEngn Conference 01] dual5651 - Windows 커널단의 후킹
byCode Engn
 
Backdoor coding
byabdesslem amri
 
LD_PRELOAD Exploitation - DC9723
byIftach Ian Amit
 
Defcamp 2013 - SSL Ripper
byDefCamp
 
DLL Tutor maXbox starter28
byMax Kleiner
 
Ch 6: The Wild World of Windows
bySam Bowne
 
bh-europe-01-clowes
byguest3e5046
 
Bh Usa 07 Butler And Kendall
byKarlFrank99
 
CNIT 127 Ch 6: The Wild World of Windows
bySam Bowne
 

DLL Injection

  • 1.
  • 2.
    A dynamic-link library(DLL) file is an executable file that allows programs to share code and other resources necessary to perform particular tasks. The system calls the entry-point function in the context of the thread that called LoadLibrary. If the system cannot find the DLL or if the entry-point function returns FALSE, LoadLibrary or LoadLibraryEx returns NULL. If LoadLibrary or LoadLibraryEx succeeds, it returns the DLL handle to the DLL module. A process handle is a number that uniquely identifys a process kernal object, which can be optained using the Pid. QUICK INTRO !
  • 3.
    1. Get ahandle to the process we are injecting into. 2. Need to resolve the address for LoadLibraryA in any existing DLL such as Kernel 32 DLL 3. Allocate some space for the injecting DLL path, write the DLL path into the allocated space 4. create the remote thread, with the entry point setto LoadLibraryA, pointer to the DLL and with process handle. ACTION ITEMS
  • 4.
    Get the processhandle:- h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) ) Allocate the virtual memory to store the DLL path: arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM,PAGE_READWRITE) Write the DLL path into the allocated memory: kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written)) ACTION ITEMS
  • 5.
    Resolve address : h_kernel32= kernel32.GetModuleHandleA("kernel32.dll") h_loadlib = kernel32.GetProcAddress(h_kernel32,"LoadLibraryA") Create the thread an injectDLL kernel32.CreateRemoteThread(h_process,None,0,h_loadlib,arg_address,0, byref(thread_id)): ACTION ITEMS
  • 6.
  • 7.