Program injection tutorial collection

Remote thread injection
The principle of remote thread injection is to use the CreateRemoteThread() API of the Windows system. Its fourth parameter is the start routine of the new thread; if we pass the address of LoadLibrary() there (and, as the thread parameter, the address of a DLL path we have written into the target), LoadLibrary() runs inside the remote process and loads our DLL into that process's address space, where the DLL's initialization code executes.
Reasons for choosing the LoadLibrary function: first, it loads a DLL into the address space and runs the DLL's initialization function (DllMain). Second, LoadLibrary lives in Kernel32.dll, and Kernel32.dll is mapped at the same base address in every process of the same bitness (ASLR changes that address from boot to boot, but not between processes within one session), so the address of LoadLibrary obtained in the injector is also valid in the target.
Note: Inside the DLL, a window must be loaded with the "dialog box" option of the load command, for example load (window 1, true).
Reference materials: https://bbs.125.la/forum.php?mod=viewthread&tid=13724049

Message hook injection
The principle of message hook injection is to use the SetWindowsHookEx() API of the Windows system. When a hook procedure that lives in a DLL is installed for a thread of another process, the system has to load that DLL into the target process so the hook procedure can run there when a message arrives. Using this behaviour, we can get our DLL loaded into the specified process.
Before calling SetWindowsHookEx(), first load the hook DLL into our own process to obtain its module handle, then use GetProcAddress() to obtain the address of the exported hook function XXX() in the DLL, and finally find the thread ID of the target process (for example with GetWindowThreadProcessId() on one of its windows). SetWindowsHookEx() takes these parameters (the hook type, the function address, the module handle and the thread ID) and installs the hook; the DLL is mapped into the target the first time a matching message is delivered to that thread.
Note: Message hook injection requires the target thread to have a window and a message loop. The hook procedure should pass each message on with CallNextHookEx() so the target keeps working normally.
Reference materials: https://bbs.125.la/forum.php?mod=viewthread&tid=13722272

Input method injection
The principle of input method injection is to exploit the way the Windows system loads input methods: when a process switches to an input method to enter characters, the system loads the IME file belonging to that input method into the current process. Since an IME file is essentially just a special DLL stored in the C:\WINDOWS\system32 directory, we can use this behaviour and use IMESetPubString() in the IME file to inject the DLL file,
or we can write the IME file ourselves and have it call LoadLibrary() to load the DLL to be injected. In either case the IME has to be registered with the system (ImmInstallIME()) and then activated in the target process.
Reference material: https://www.52pojie.cn/forum.php?mod=viewthread&tid=428396

Registry injection
The principle of registry injection is to use a mechanism of the Windows system: when DLL file paths are placed in the registry value below, those DLLs are loaded whenever an EXE starts. Multiple DLL paths are separated by commas or spaces (which also means a path that itself contains a space cannot be used).
This injector uses the AppInit_DLLs registry value. Every DLL listed there is loaded into a process at the moment that process loads User32.dll.
The full path the injector writes to the registry is: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. On 64-bit Windows this Wow6432Node view is the list used for 32-bit processes; 64-bit processes read HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs instead.
Note: Registry injection takes effect for every process that loads User32.dll. To act on one particular process only, the check must be written into the DLL itself (for example in DllMain, by comparing the host process name). Since Windows 7 the list is only honoured when LoadAppInit_DLLs in the same key is 1, and on Windows 8 and later it is disabled entirely when Secure Boot is enabled.
Reference materials: http://blog.csdn.net/programmingring/article/details/18954193
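As an added example (not part of the original article or of the injector module it describes), the following C program audits the AppInit_DLLs mechanism just described on both registry views. The list splitter and the activation rule are plain C and run on any platform; the registry reads compile only on Windows. It assumes Windows 7 or later (where LoadAppInit_DLLs exists) and does not query the Secure Boot state, which is passed in as an assumed 0.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_APPINIT_ENTRIES 32
#define MAX_ENTRY_LEN       260

/* Split an AppInit_DLLs value into its entries and return how many there are.
 * The loader treats both spaces and commas as separators, which is also why a
 * DLL path containing a space cannot be used here. Empty fields are skipped. */
static int split_appinit_dlls(const char *value,
                              char out[][MAX_ENTRY_LEN], int max_entries)
{
    int count = 0;
    const char *p = value;
    while (*p && count < max_entries) {
        while (*p == ' ' || *p == ',') p++;            /* skip separators */
        if (!*p) break;
        const char *start = p;
        while (*p && *p != ' ' && *p != ',') p++;
        size_t len = (size_t)(p - start);
        if (len >= MAX_ENTRY_LEN) len = MAX_ENTRY_LEN - 1;
        memcpy(out[count], start, len);
        out[count][len] = '\0';
        count++;
    }
    return count;
}

/* Will the listed DLLs actually be loaded into new processes?
 * load_appinit: the LoadAppInit_DLLs value (must be 1 since Windows 7);
 * secure_boot:  1 if UEFI Secure Boot is on (Windows 8+ then ignores AppInit_DLLs). */
static int appinit_is_active(int load_appinit, int secure_boot, int entry_count)
{
    if (secure_boot) return 0;
    if (load_appinit != 1) return 0;
    return entry_count > 0;
}

#ifdef _WIN32
#include <windows.h>

/* Read one registry view: KEY_WOW64_64KEY is the list for 64-bit processes,
 * KEY_WOW64_32KEY the Wow6432Node list used for 32-bit processes. */
static void audit_view(const char *label, REGSAM view)
{
    HKEY key;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                      "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows",
                      0, KEY_READ | view, &key) != ERROR_SUCCESS) {
        printf("%s: key not readable\n", label);
        return;
    }
    char  dlls[4096] = {0};
    DWORD cb = sizeof(dlls) - 1, type = 0, load = 0, cbl = sizeof(load);
    RegQueryValueExA(key, "AppInit_DLLs", NULL, &type, (LPBYTE)dlls, &cb);
    RegQueryValueExA(key, "LoadAppInit_DLLs", NULL, &type, (LPBYTE)&load, &cbl);
    RegCloseKey(key);

    char entries[MAX_APPINIT_ENTRIES][MAX_ENTRY_LEN];
    int n = split_appinit_dlls(dlls, entries, MAX_APPINIT_ENTRIES);
    printf("%s: LoadAppInit_DLLs=%lu, %d entries\n", label, (unsigned long)load, n);
    for (int i = 0; i < n; i++) printf("  %s\n", entries[i]);
    /* Secure Boot is not queried here and assumed off (0). */
    printf("  -> %s\n", appinit_is_active((int)load, 0, n)
                        ? "ACTIVE: these DLLs enter every process that loads User32.dll"
                        : "inactive");
}

int main(void)
{
    audit_view("64-bit view", KEY_WOW64_64KEY);
    audit_view("32-bit view (Wow6432Node)", KEY_WOW64_32KEY);
    return 0;
}
#endif
```

Run it as an administrator on the machine being checked; an entry in either view while the rule reports ACTIVE is exactly the situation the injector above creates, and is worth correlating with the loaded-module list of any GUI process.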

EIP injection
Suspend a thread of the target process and read its EIP (the address at which it will resume), allocate space in the target process, copy the relevant machine code and data (the DLL path) into it, then modify the thread's EIP so that on resume it is forced to jump to the machine code we copied; that code performs the load and then jumps back to the original EIP. This is a 32-bit technique: on a 64-bit target the register is RIP and the register-saving instructions differ.
The assembly idea for modifying EIP to implement code injection is as follows:
SuspendThread();
get eip                      ; GetThreadContext()
pushad                       ; save the general registers
pushfd                       ; save the flags
push AddressDllFilePath      ; argument: address of the DLL path inside the target
call LoadLibrary
popfd
popad
jmp eip                      ; continue at the original EIP as if nothing had happened
SetThreadContext()           ; point the thread's EIP at the code above
ResumeThread();
Reference materials: http://blog.csdn.net/u013761036/article/details/52885552

APC injection (application layer)
The principle of APC injection is to use the mechanism by which the functions registered in a thread's APC queue are executed when the thread wakes from an alertable wait, and to use this to run our DLL-loading code and complete the injection. The specific process is as follows:
1) When a thread in the EXE calls SleepEx() or WaitForSingleObjectEx() with the alertable flag set, it enters an alertable wait state (the injection also works while a MessageBox is displayed and OK has not yet been clicked).
2) When the thread is woken again, it first executes the functions registered in its APC queue.
3) Using the QueueUserAPC() API, we insert a function pointer into the thread's APC queue while it is waiting. If the inserted function is LoadLibrary(), with the remote address of the DLL path as its argument, we achieve the purpose of injecting the DLL.
Note: The target program must actually perform an alertable wait such as SleepEx() or WaitForSingleObjectEx(); otherwise the queued APC never runs and the DLL is not loaded.
References: http://blog.csdn.net/u013761036/article/details/53338322

Memory injection
Memory injection is similar to remote thread injection. The difference is that the entire DLL file is written into the target process's memory and hand-written assembly (a small loader) maps it and calls the DLL's functions instead of going through LoadLibrary(); the core still uses VirtualAllocEx, WriteProcessMemory and CreateRemoteThread.
Note: I have debugged a few DLLs; they need to be compiled with Black Moon.
Reference: super module source code

IAT permanent injection
Injection by adding a new section to the PE file: enlarge the file, copy the original import table into the new section, append an import descriptor of our own for the DLL to be loaded (it must name at least one function exported by that DLL), and finally point the import table entry of the data directory at the new section, then write out the new file. The loader then brings our DLL in along with the program's normal imports every time the EXE starts.
Note: Some packed files and self-checking files cannot be injected. A new file is generated. The DLL needs to be compiled with Black Moon.
Reference: http://www.pudn.com/Download/item/id/1996578.html

Permanent memory injection
This is the advanced version of IAT permanent injection. It not only adds a section but also writes the DLL itself into that section, and uses assembly to load it from memory at run time.
Note: Some packed files and self-checking files cannot be injected, and a new file will be generated.
Reference information: http://bbs.eyuyan.com/read.php?tid=382106&fpage=2

Source: blog.csdn.net/qq_35189120/article/details/82864687