Analysis of DLL Remote Thread Hijacking Injection Technology

Ten process injection techniques (1)


Process injection is a technique widely used by malware and fileless attacks to evade detection. It runs specially crafted code in the address space of another process; this improves stealth, and some variants also achieve persistence.

DLL injection is the most commonly used of the many process injection methods. The malware writes the path of a malicious dynamic link library into the virtual address space of another process, then makes that process load it by creating a remote thread in it. Because the DLL is loaded by the infected process itself, and the PE file on disk performs no obviously sensitive operations on the system, this technique is very well concealed.

0x01 Injection principle

The key function: CreateRemoteThread()
The technique relies on the Windows remote thread mechanism: from the local process, CreateRemoteThread opens and starts a thread inside another process. LoadLibrary is used as the thread function that CreateRemoteThread starts, and the path of the DLL to be loaded is passed as the thread function's single parameter.

To make the remote process execute LoadLibrary and load the DLL file, two problems have to be solved:
① How is the path of the DLL to be loaded passed to the remote process?
② How is the address of the LoadLibrary function in the remote process obtained?

These problems are solved one by one below.

0x02 Injection process

To solve problem ①, the path is written into the remote process through Windows API functions, mainly OpenProcess(), VirtualAllocEx(), WriteProcessMemory() and VirtualFreeEx(). The specific process is as follows:

  1. Get a handle to the target process
     Use OpenProcess() to open a handle to the remote process.
  2. Allocate memory in the target process
     Use VirtualAllocEx() to allocate enough memory in the target process to hold the path of the DLL to load.
  3. Write the DLL path into the target process
     Use WriteProcessMemory() to write the path of the DLL to load into the memory allocated in the remote process.
  4. Obtain the address of LoadLibraryW
     To solve problem ②, note that kernel32.dll is a basic system library and that its module base address is the same in every process (under ASLR the base is chosen per boot, but all processes in that session share it), so it is enough to obtain the LoadLibrary address in the local process. LoadLibraryW lives in kernel32.dll, and since the system core DLLs are mapped at the same address in every process, the address of LoadLibraryW is the same for every process on the system. Use GetProcAddress to obtain the LoadLibraryW address in the local process.
  5. Run the remote thread in the target process
     Use CreateRemoteThread to create a thread in the remote process, with LoadLibrary as the thread function and the memory address allocated in step 2 as its parameter. At this point the DLL is injected into the address space of the remote process; its DllMain receives the DLL_PROCESS_ATTACH notification and can execute the code we want. When DllMain returns, the remote thread returns from the LoadLibraryW/A call to BaseThreadStart, which then calls ExitThread to terminate the remote thread.

0x03 Defense methods

  1. Harden the program itself: enumerate the DLL files under its path and verify their MD5 hashes and digital signatures before loading them.
  2. Install anti-malware tooling that monitors remote thread creation in real time.
  3. Check for unknown open ports and monitor the traffic on them.
  4. Hook the program's own LoadLibraryExW so that remote threads cannot load DLLs into it.
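As an added example for defense method 2 (it is not code from the original post): the Python below triages constructed Sysmon Event ID 8 (CreateRemoteThread) records and flags threads planted in another process whose start routine is LoadLibrary*, which is exactly the fingerprint left by steps 4 and 5 of the injection sequence in 0x02. The sample records are constructed, and the Sysmon field names used are assumed.

```python
"""Flag cross-process threads that start at LoadLibrary* in Sysmon Event ID 8 data."""
from typing import Dict, List

# Constructed Sysmon Event ID 8 (CreateRemoteThread) bodies in "Key: Value" layout, not real telemetry.
SAMPLE_EVENTS = [
    "SourceImage: C:\\Users\\lab\\loader.exe\n"
    "TargetImage: C:\\Windows\\explorer.exe\n"
    "StartAddress: 0x00007FFB2A4C6F80\n"
    "StartModule: C:\\Windows\\System32\\KERNEL32.DLL\n"
    "StartFunction: LoadLibraryW",
    "SourceImage: C:\\Windows\\System32\\csrss.exe\n"
    "TargetImage: C:\\Windows\\System32\\conhost.exe\n"
    "StartAddress: 0x00007FFB2C1A1B20\n"
    "StartModule: C:\\Windows\\System32\\ntdll.dll\n"
    "StartFunction: RtlUserThreadStart",
    "SourceImage: C:\\Users\\lab\\loader.exe\n"
    "TargetImage: C:\\Windows\\System32\\notepad.exe\n"
    "StartAddress: 0x00007FFB2A4C6F60\n"
    "StartModule: C:\\Windows\\System32\\KERNEL32.DLL\n"
    "StartFunction: LoadLibraryA",
]

# Thread start routines that mean "load this DLL" rather than run a normal thread entry.
LOADLIB_NAMES = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(body: str) -> Dict[str, str]:
    """Turn Sysmon's 'Key: Value' lines into a dict; the first ':' separates key and value."""
    fields: Dict[str, str] = {}
    for line in body.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_remote_loadlibrary(ev: Dict[str, str]) -> bool:
    """True when the thread was created in a different process and starts at LoadLibrary*."""
    cross_process = ev.get("SourceImage", "").lower() != ev.get("TargetImage", "").lower()
    return cross_process and ev.get("StartFunction", "") in LOADLIB_NAMES


def triage(bodies: List[str]) -> List[str]:
    """Return one 'source -> target (function)' finding per suspicious event, in input order."""
    findings = []
    for ev in map(parse_event, bodies):
        if is_remote_loadlibrary(ev):
            findings.append(f"{ev['SourceImage']} -> {ev['TargetImage']} ({ev['StartFunction']})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print("remote LoadLibrary thread:", finding)
```

A thread whose StartFunction is a normal entry such as RtlUserThreadStart is left alone, so the check isolates the DLL-path-plus-LoadLibrary pattern rather than every remote thread.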
Origin blog.csdn.net/m0_38103658/article/details/101197045