The principle of remote thread injection is to use the CreateRemoteThread() API in the Windows system, where the fourth parameter is the thread to be run, we can fill in LoadLibrary(), so that the LoadLibrary() function in the remote process can be executed, and then Load our own prepared DLL into the remote process space for execution.
Select LoadLibrary function reasons: First, it can load a Dll into the memory space and execute the DLL initialization function. Second, LoadLibrary is in Kernel32.dll, and the loading base address of Kernel32.dll is the same in each process. Therefore, the address of LoadLibrary in each process is the same.
Note: In the DLL, the "dialog mode" must be used in the load window command! For example, loading (window 1, , true)
message hook injection
message hook injection principle is to use the API SetWindowsHookEx() in the Windows system, which can intercept the message of the target process to the function exported in the specified DLL. Using this feature, we can You can inject the DLL into the specified process.
Before using SetWindowsHookEx(), you first need to load the DLL of the HOOK into your own process to get the module handle of the DLL, and then use GetProcAddress() to get the function of the function XXX() exposed in the DLL. address, and finally traverse the thread ID of the process to be injected, so that SetWindowsHookEx() can use these parameters to HOOK.
Note: message hook injection requires window
input method injection
The principle of input method injection is to use the Windows system to switch the input method to input characters, the system will load the ime file required by the input method into the current process, and because the Ime file is essentially just a file stored in C:\WINDOWS The special DLL file in the \system32 directory, so we can use this feature to inject the DLL file using IMESetPubString() in the Ime file
or directly write the IME file and use the loadLibrary() function to load the injected DLL file.
Registry injection
The registry injection principle is used in the Windows system. When there is a DLL file path in the following key value of the registry, the DLL file in the DLL file path will be loaded following the startup of the EXE file. When encountering multiple DLL files, you need to separate the paths of multiple DLL files with commas or spaces.
This injector uses the Appinit_Dlls registry key. Each dll file under this registry key will be loaded into the process along with the loading of User32.dll.
The full path written by the injector to the registry is: HKEY_LOCAL_MACHINE\ SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs
Note: Registry injection will be valid for every process. For a certain process, you need to write
EIP injection in DLL to
suspend the target process and stop the target process EIP The transformation, open the space in the target process, then copy the relevant instruction machine code and data into it, then modify the target process EIP to force it to jump to the relevant machine code location we copied in, execute the correlation, and then jump back .
The assembly idea of modifying EID to achieve code injection is as follows
SuspendThread();
get eip
push ad
push fd
push AddressDllFilePath
call LoadLibrary
pop fd
pop ad
jmp eip //This is to let the program jump back to continue executing
ResumeThread() after executing our code;
APC injection (application layer)
APC The principle of injection is to use the mechanism that the registered function in APC will be executed when the thread is awakened, and use this to execute our DLL loading code to complete the purpose of DLL injection. The specific process is as follows:
1) When a certain When a thread executes to SleepEx() or WaitForSingleObjectEx(), the system will generate a soft interrupt (or it can be injected when the Messagebox popup window does not click OK).
2) When the thread is awakened again, the thread will first execute the registered function in the APC queue.
3) Using the QueueUserAPC() API, we can insert a function pointer into the thread's APC queue during soft interrupt. If we insert the Loadlibrary() execution function, we can achieve the purpose of injecting DLL.
Note: The target program must execute SleepEx() or WaitForSingleObjectEx(), otherwise the DLL will not be loaded.
Memory injection
Memory injection is similar to remote thread injection. The difference is that the entire DLL file is written into the memory of the target process, the assembly instructions are used to load the DLL, and the DLL function is called, but the core still uses VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
Notes: Debug by yourself Several times the DLL needs to be compiled by Black Moon and the
IAT is permanently injected
by adding a new section, changing the size of the PE file, copying the original import table into the new section, adding your own import table descriptor, and finally injecting the data directory entry The entry of the import table pointed to in , points to a new section, and a new file is generated.
Note: Some packed files and self-checking files cannot be injected, and a new file will be generated. The DLL needs to be compiled by
Black
. Injection, not only adds a section, but also writes the DLL into the memory, and uses assembly to load the DLL
. Note: Some packed files and self-checking files cannot be injected, and a new file will be generated.