Process injection is a common evasion tactic used by malware authors to hide malicious code inside legitimate processes and execute it on a system. It also allows malware to gain access to other processes; for example, a banking trojan can access a web browser to steal credentials.
Attackers use process injection as a form of anti-reverse-engineering, to evade detection by both malware analysts and security solutions and to communicate with C2 systems. In this post I will write about the DLL injection technique.
DLL injection is the most common technique used by malware to inject malicious code into other processes and evade detection. Every process needs to load dynamic-link libraries (DLLs) to work, so it is easy to load malicious code into a legitimate process.
Malware authors use a set of Windows API functions whose features let them carry out and manipulate the DLL injection steps against legitimate processes to make the attack effective.
First, the malware determines which process will be injected with malicious code. To do so, it follows these steps to get a list of the running processes on the system.
- It takes a snapshot of the specified process, or of all processes, using the CreateToolhelp32Snapshot API function; the same snapshot can also be used to enumerate the heaps, modules and thread states of those processes.
- After taking the snapshot of running processes, the malware searches it for the target process using two API functions. The first, Process32First, retrieves information about the first process encountered in the system snapshot.
- The second, Process32Next, retrieves information about the next process recorded in the system snapshot.
- After these steps, the malware has determined the process into which it will inject malicious code.
- To connect to the victim process, the malware uses a normal Windows API call, OpenProcess. Because of Windows' privilege model, the malware can only bind to a process of the same or lower privilege as itself.
- VirtualAllocEx is used to allocate a small amount of memory in the victim process. This memory is allocated with "write" access. After that, the malware uses WriteProcessMemory to save the DLL's path to that memory location.
- The malware then looks up the address of the LoadLibrary function inside the victim process' address space. This is the address that will be used when the remote thread is created in the next step.
- The malware invokes CreateRemoteThread, passing the LoadLibrary address obtained in the previous step and the address of the DLL path written earlier. The new thread runs in the victim process and calls LoadLibrary, which loads the malicious DLL. The DLL's entry point, DllMain, is called when the malicious DLL loads.
In this demo I will discuss, in a debugger, the functions attackers use to execute a payload on a system, and extract the payload from a sample.
This sample uses DLL injection to inject its payload into a legitimate process: the malware determines the region of memory to write the malicious payload into and then executes it. So we set a breakpoint on VirtualAllocEx(), press F9 to run to it and let the call execute. VirtualAllocEx() allocates space for the full path of the DLL if LoadLibraryA() is used; otherwise it allocates space for the DLL's full contents.
Now that the malware has allocated space in the target process, it writes the payload into that process using WriteProcessMemory(). The payload is passed in one of WriteProcessMemory()'s parameters, the buffer, which holds either the DLL path or the full DLL, so we can follow the buffer in the dump to see the payload.
Follow the buffer address in Dump 1 and locate it in the memory map to dump it.
Nice, I have finished my work.
Reference: Mastering Malware Analysis