This document discusses reflective DLL injection, a technique for remotely injecting a DLL into a process without detection. It works by having the DLL load itself using a minimal PE loader. This allows the DLL to govern its own loading and avoid detection since it is not registered with the host process. The implementation uses a reflective loader that parses needed APIs to load the DLL image into a new memory location and resolve imports before calling DllMain. Detection is difficult since the DLL does not appear in process modules lists and no functions need be hooked.
This PPT discusses the concept of Dynamic Linker as in Linux and its porting to Solaris ARM platform. It starts from the very basics of linking process
Docker's Jérôme Petazzoni: Best Practices in Dev to Production Parity for Con...Heavybit
In this talk, Docker’s Jérôme Petazzoni offers best practices on keeping application containers simple and lean, while retaining the robust libraries and features required to run stable production environments.
Introduction to Level Zero API for Heterogeneous Programming : NOTESSubhajit Sahu
Highlighted notes on Introduction to Level Zero API for Heterogeneous Programming by Juan Fumero
While doing research work under Prof. Dip Banerjee, Prof. Kishore Kothapalli.
Author:
PhD Juan Fumero
Passionate about compilers and parallelism. Research associate at The University of Manchester. Runner
Level-Zero appears quite similar to CUDA, but is very verbose. AS Juan has said, it is quite similar to OpenCL and Vulkan. It has command queues to commands to device for compute or copy. Shared memory (unified memory in CUDA) is used. Synchronization is done with events and fences (need to read what fences are). You can take an OpenCL kernel, compile with clang to SPIRV (used by Vulkan too) and load it up and build to native, and submit in a command list. Similar to CUDA, synchronize is needed to wait for kernel to complete as execution is asynchronous (its just submit to queue).
Like OpenCL, Level-Zero assumes multiple drivers, and devices, queues. Some picking needed for these (atleast for queues=compute).
This PPT discusses the concept of Dynamic Linker as in Linux and its porting to Solaris ARM platform. It starts from the very basics of linking process
Docker's Jérôme Petazzoni: Best Practices in Dev to Production Parity for Con...Heavybit
In this talk, Docker’s Jérôme Petazzoni offers best practices on keeping application containers simple and lean, while retaining the robust libraries and features required to run stable production environments.
Introduction to Level Zero API for Heterogeneous Programming : NOTESSubhajit Sahu
Highlighted notes on Introduction to Level Zero API for Heterogeneous Programming by Juan Fumero
While doing research work under Prof. Dip Banerjee, Prof. Kishore Kothapalli.
Author:
PhD Juan Fumero
Passionate about compilers and parallelism. Research associate at The University of Manchester. Runner
Level-Zero appears quite similar to CUDA, but is very verbose. AS Juan has said, it is quite similar to OpenCL and Vulkan. It has command queues to commands to device for compute or copy. Shared memory (unified memory in CUDA) is used. Synchronization is done with events and fences (need to read what fences are). You can take an OpenCL kernel, compile with clang to SPIRV (used by Vulkan too) and load it up and build to native, and submit in a command list. Similar to CUDA, synchronize is needed to wait for kernel to complete as execution is asynchronous (its just submit to queue).
Like OpenCL, Level-Zero assumes multiple drivers, and devices, queues. Some picking needed for these (atleast for queues=compute).
loader and linker are both system software which capable of loads the object code, assembled by an assembler, (loader) and link a different kind of block of a huge program. both software works at the bottom of the operation (i.e. closer to the hardware). in fact, both have machine dependent and independent features.
This presentation introduces basic concepts about the Java I/O framework based on input and output streams. These slides introduce the following concepts:
- Obtaining streams
- Reading / writing bytes
- Character encodings
- Text input / output
- Random access files
- Processing files
- URLs
- Serialization
The presentation is took from the Java course I run in the bachelor-level informatics curriculum at the University of Padova.
How to implement a simple dalvik virtual machineChun-Yu Wang
This slide is an introduction to Android Dalvik Virtual Machine on a short course.
We use two hand-made JVM and DVM which called Simple JVM and Simple DVM respectively, to tell student how they work. A Foo Class was provided as a target for verifying the execution results of those VM. We hope it will help student to understand JVM and DVM quickly.
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet.
This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.
The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.
Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.
My session in Wearable DevCon 2014, Burlingame, CA
[Note: now the conference is called "Wearable Tech Con" ]
The session gives an introduction to using the Java Native Interface (JNI) in Java, and in particular in the Android Platform. The session then covers the use of the Native Development Kit (NDK) for developing Android applications.
loader and linker are both system software which capable of loads the object code, assembled by an assembler, (loader) and link a different kind of block of a huge program. both software works at the bottom of the operation (i.e. closer to the hardware). in fact, both have machine dependent and independent features.
This presentation introduces basic concepts about the Java I/O framework based on input and output streams. These slides introduce the following concepts:
- Obtaining streams
- Reading / writing bytes
- Character encodings
- Text input / output
- Random access files
- Processing files
- URLs
- Serialization
The presentation is took from the Java course I run in the bachelor-level informatics curriculum at the University of Padova.
How to implement a simple dalvik virtual machineChun-Yu Wang
This slide is an introduction to Android Dalvik Virtual Machine on a short course.
We use two hand-made JVM and DVM which called Simple JVM and Simple DVM respectively, to tell student how they work. A Foo Class was provided as a target for verifying the execution results of those VM. We hope it will help student to understand JVM and DVM quickly.
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet.
This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.
The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.
Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.
My session in Wearable DevCon 2014, Burlingame, CA
[Note: now the conference is called "Wearable Tech Con" ]
The session gives an introduction to using the Java Native Interface (JNI) in Java, and in particular in the Android Platform. The session then covers the use of the Native Development Kit (NDK) for developing Android applications.
A Brief Introduction of Hack from its Original Meaning. What is happening in Hong Kong on Hack.
Presentation in Software Freedom Day 2010 Hong Kong
Video: https://www.youtube.com/watch?v=dbTihH4lR-g
[Defcon24] Introduction to the Witchcraft Compiler CollectionMoabi.com
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAffee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, the MIT Technology review labeled "incurable and undetectable".
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating to the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade. Including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
Gives a brief introduction of the emerging containerization technology, the difference in traditional VMs and Conatiners and the most popular one- Docker
Mistakes to avoid when designing DLLs and thoughts about other platforms to deliever with your DLL.
Some compilers provide mechanisms to automatically export all functions and variables in a library that have external linkage. Avoid using any such mechanisms. Export exactly the interface that you need to export, and no more.
DLL Tutor
Typically, a DLL provides one or more particular functions and a program accesses the functions by creating either a static or dynamic link to the DLL.
Cette présentation donne une vue d’ensemble et les concepts généraux, permettant d’appréhender OpenShift et de faciliter les premières étales de prises en mains.
On y parle de Pods, de services, de source-to-image, etc.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
GridMate - End to end testing is a critical piece to ensure quality and avoid...ThomasParaiso2
End to end testing is a critical piece to ensure quality and avoid regressions. In this session, we share our journey building an E2E testing pipeline for GridMate components (LWC and Aura) using Cypress, JSForce, FakerJS…
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
3. Introduction
Under the Windows platform, library injection techniques both local and remote have
been around for many years. Remote library injection as an exploitation technique was
introduced in 2004 by Skape and JT[1]. Their technique employs shellcode to patch the
host processes ntdll library at run time and forces the native Windows loader to load a
Dynamic Link Library (DLL) image from memory. As an alternative to this technique I
present Reflective DLL Injection.
Reflective DLL injection is a library injection technique in which the concept of
reflective programming is employed to perform the loading of a library from memory
into a host process. As such the library is responsible for loading itself by implementing a
minimal Portable Executable (PE) file loader. It can then govern, with minimal
interaction with the host system and process, how it will load and interact with the host.
Previous work in the security field of building PE file loaders include the bo2k server by
DilDog[2].
The main advantage of the library loading itself is that it is not registered in any way with
the host system and as a result is largely undetectable at both a system and process level.
When employed as an exploitation technique, Reflective DLL Injection requires a
minimal amount of shellcode, further reducing its detection footprint against host and
network based intrusion detection and prevention systems.
4. Overview
The process of remotely injecting a library into a process is two fold. Firstly, the library
you wish to inject must be written into the address space of the target process (Herein
referred to as the host process). Secondly the library must be loaded into that host process
in such a way that the library's run time expectations are met, such as resolving its
imports or relocating it to a suitable location in memory. For any of these steps to occur
you should have some form of code execution in the host process, presumably obtained
through exploitation of a remote code execution vulnerability.
Assuming we have code execution in the host process and the library we wish to inject
has been written into an arbitrary location of memory in the host process, (for example
via a first stage shellcode), Reflective DLL Injection works as follows.
● Execution is passed, via a tiny bootstrap shellcode, to the library's
ReflectiveLoader function which is an exported function found in the library's
export table.
● As the library's image will currently exists in an arbitrary location in memory the
ReflectiveLoader will first calculate its own image's current location in memory
so as to be able to parse its own headers for use later on.
● The ReflectiveLoader will then parse the host processes kernels export table in
order to calculate the addresses of three functions required by the loader, namely
LoadLibraryA, GetProcAddress and VirtualAlloc.
● The ReflectiveLoader will now allocate a continuous region of memory into
which it will proceed to load its own image. The location is not important as the
loader will correctly relocate the image later on.
● The library's headers and sections are loaded into their new locations in memory.
● The ReflectiveLoader will then process the newly loaded copy of its image's
import table, loading any additional library's and resolving their respective
imported function addresses.
● The ReflectiveLoader will then process the newly loaded copy of its image's
relocation table.
● The ReflectiveLoader will then call its newly loaded image's entry point function,
DllMain with DLL_PROCESS_ATTACH. The library has now been successfully
loaded into memory.
● Finally the ReflectiveLoader will return execution to the initial bootstrap
shellcode which called it.
5. Implementation
A skeleton Reflective DLL project for building library's for use with Reflective DLL
Injection is available under the three clause BSD license[7]. Support for Reflective DLL
Injection has also been added to Metasploit[6] in the form of a payload stage and a
modified VNC DLL.
The ReflectiveLoader itself is implemented in position independent C code with a
minimal amount of inlined assembler. The ReflectiveLoader code has been heavily
commented and for a thorough understanding you should read through this code. A good
understanding of the PE file format[3] is recommended when reading through the source
code. Matt Pietrek has written a number of good articles detailing the PE file format[4]
[5] which are also recommended reading.
Under Metasploit, the Ruby module Payload::Windows::ReflectiveDllInject implements
a new stage for injecting a DLL which contains a ReflectiveLoader. This stage will
calculate the offset to the library's exported ReflectiveLoader function and proceed to
generate a small bootstrap shellcode, as show below in Listing 1, which is patched into
the DLL images MZ header. This allows execution to be passed to the ReflectiveLoader
after the Metasploit intermediate stager loads the entire library into the host process.
dec ebp ; M
pop edx ; Z
call 0 ; call next instruction
pop ebx ; get our location (+7)
push edx ; push edx back
inc ebp ; restore ebp
push ebp ; save ebp
mov ebp, esp ; setup fresh stack frame
add ebx, 0x???????? ; add offset to ReflectiveLoader
call ebx ; call ReflectiveLoader
mov ebx, eax ; save DllMain for second call
push edi ; our socket
push 0x4 ; signal we have attached
push eax ; some value for hinstance
call eax ; call DllMain( somevalue,
DLL_METASPLOIT_ATTACH, socket )
push 0x???????? ; our EXITFUNC placeholder
push 0x5 ; signal we have detached
push eax ; some value for hinstance
call ebx ; call DllMain( somevalue,
DLL_METASPLOIT_DETACH, exitfunk )
; we only return if we don't set a valid
EXITFUNC
Listing 1: Bootstrap Shellcode.
The bootstrap shellcode also lets us attach Metasploit by passing in the payloads socket
and finally the payloads exit function via calls to DllMain for compatibility with the
Metasploit payload system.
6. Detection
Successfully detecting a DLL that has been loaded into a host process through Reflective
DLL Injection will be difficult. Previous methods of detecting injected libraries will be
largely obsolete, such as inspecting a process's currently loaded library's for irregularities
or detecting hooked library functions.
As a reflectively loaded library will not be registered in the host processes list of loaded
modules, specifically the list held in the Process Environment Block (PEB) which is
modified during API calls such as kernel32's LoadLibrary and LoadLibraryEx, any
attempt to enumerate the host processes modules will not yield the injected library. This
is because the injected library's ReflectiveLoader does not register itself with its host
process at any stage.
Similarly, detecting hooked library functions is redundant as no library functions are
required to be hooked for the ReflectiveLoader to work.
At a process level the only indicators that the library exists is that their will be a chunk of
allocated memory present, via VirtualAlloc, where the loaded library resides. This
memory will be marked as readable, writable and executable. Their will also be a thread
of execution which will be, periodically at least, executing code from this memory chunk.
By periodically scanning all threads of execution and cross referencing the legitimately
loaded libraries in the process with a call trace of each thread it may be possible to
identify unusual locations of code. This will inevitably lead to many false positives as
there are many reasons to execute code in a location of memory other then a library's
code sections. Examples of this are packed or protected executables and languages that
use techniques like just in time (JIT) compilation, such as Java or .NET.
At a system level when using Reflective DLL Injection in remote exploitation, the library
should be undetectable by file scanners, such as Anti Virus, as it never touches disk. This
leaves the main detection surface being the network, although many IDS evasion
techniques are available[8] to aid circumventing detection such as polymorphic
shellcode.