DLL injection

In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done in the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process,[14][15] by keying off something the process is known to create (for instance, a window with a predictable title),[16] or by obtaining a list of running processes[17] and scanning for the target executable's filename.[18]
    2. Allocate some memory in the target process[19] and write the name of the DLL to be injected into it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, which in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are (almost) immune to DLL injection.[30]

Approaches on Unix-like systems

On Unix-like operating systems whose dynamic linker is based on ld.so (on BSD) or ld-linux.so (on Linux), arbitrary libraries can be linked into a new process by giving the library's pathname in the LD_PRELOAD environment variable, which can be set globally or individually for a single process.[31]

For example, in bash, this command launches the program "prog" with the shared library from the file "test.so" linked into it at launch time:

LD_PRELOAD="./test.so" prog

Such a library can be created with GCC by compiling the source file that contains the new globals to be linked with the -fpic or -fPIC option,[32] and then linking it with the -shared option.[33] The library has access to the external symbols declared in the program, like any other library.
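As an added example (not code from the article), a self-check a Linux program can run against the mechanism just described: it reads its own /proc/self/maps and counts the mapped shared objects whose basename matches an entry of LD_PRELOAD. It assumes a Linux /proc filesystem; the entry separators (colons or whitespace) follow the ld.so convention.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added self-check, not from the article: count the shared objects that
 * LD_PRELOAD pulled into this process, by reading /proc/self/maps (Linux). */

/* Text after the last '/' of a path ("" for NULL). */
static const char *base_name(const char *path) {
    const char *slash = path ? strrchr(path, '/') : NULL;
    return slash ? slash + 1 : (path ? path : "");
}

/* LD_PRELOAD entries are separated by colons or whitespace and may be bare
 * names or paths; return 1 if any entry's basename equals name, else 0. */
int preload_names_basename(const char *preload, const char *name) {
    const char *p = preload, *b, *seps = ": \t\n";
    size_t n, nlen = name ? strlen(name) : 0;
    if (!p || nlen == 0) return 0;
    while (*p) {
        p += strspn(p, seps);                    /* skip separators */
        if ((n = strcspn(p, seps)) == 0) break;  /* length of this entry */
        for (b = p + n; b > p && b[-1] != '/'; b--) {}  /* entry's basename */
        if ((size_t)(p + n - b) == nlen && memcmp(b, name, nlen) == 0) return 1;
        p += n;
    }
    return 0;
}

/* Count distinct file-backed mappings whose basename matches an LD_PRELOAD
 * entry; 0 when LD_PRELOAD is unset, -1 if /proc/self/maps is unreadable. */
int count_preloaded_objects(void) {
    const char *preload = getenv("LD_PRELOAD");
    char line[4096], last[4096] = "";
    int matches = 0;
    FILE *f;
    if (!preload) return 0;
    if (!(f = fopen("/proc/self/maps", "r"))) return -1;
    while (fgets(line, sizeof line, f)) {
        char *path = strchr(line, '/');          /* file-backed mapping? */
        if (!path) continue;
        path[strcspn(path, "\n")] = '\0';
        if (strcmp(path, last) == 0) continue;   /* one object, many segments */
        strcpy(last, path);
        if (preload_names_basename(preload, base_name(path))) matches++;
    }
    fclose(f);
    return matches;
}

int main(void) { printf("objects loaded via LD_PRELOAD: %d\n", count_preloaded_objects()); return 0; }
```

Run the binary plainly and then with `LD_PRELOAD="./test.so"` to see the count move from 0 to 1.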

It is also possible to use debugger-based techniques on Unix-like systems.[34]

References

  1. James Shewmaker (2006). "Analyzing DLL Injection" (PDF). GSM Presentation. Bluenotch. http://bluenotch.com/files/Shewmaker-DLL-Injection.pdf. Retrieved 2008-08-31.
  2. Iczelion (August 2002). "Tutorial 24: Windows Hooks". Iczelion's Win32 Assembly Homepage. http://win32assembly.online.fr/tut24.html. Retrieved 2008-08-31.
  3. Rocky Pulley (2005-05-19). "Extending Task Manager with DLL Injection". CodeProject. http://secure.codeproject.com/KB/threads/taskex.aspx. Retrieved 2008-09-01.
  4. Nasser R. Rowhani (2003-10-23). "DLL Injection and function interception tutorial". CodeProject. http://www.codeproject.com/KB/DLL/DLL_Injection_tutorial.aspx. Retrieved 2008-08-31.
  5. Ivo Ivanov (2002-12-02). "API hooking revealed". CodeProject. http://www.codeproject.com/KB/system/hooksys.aspx. Retrieved 2008-08-31.
  6. Robert Kuster (2003-08-20). "Three Ways to Inject Your Code into Another Process". CodeProject. http://www.codeproject.com/KB/threads/winspy.aspx. Retrieved 2008-08-31.
  7. "Working with the AppInit_DLLs registry value". Microsoft Help and Support. Microsoft. 2006-11-21. http://support.microsoft.com/kb/197571. Retrieved 2008-08-31.
  8. Raymond Chen (2007-12-13). "AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs". The Old New Thing. Microsoft. http://blogs.msdn.com/oldnewthing/archive/2007/12/13/6648400.aspx. Retrieved 2008-08-31.
  9. "dllmain.c". ReactOS. ReactOS Foundation. 2008-07-08. http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/user32/misc/dllmain.c?view=markup. Retrieved 2008-08-31.
  10. Trent Waddington. "InjectDLL". http://www.quantumg.net/injectdll.php. Retrieved 2008-08-31.
  11. "Dll Injection". DreamInCode.net. MediaGroup1. 2006-05-04. http://www.dreamincode.net/code/snippet407.htm. Retrieved 2008-08-31.
  12. Greg Jenkins (November 2007). "DLL Injection Framework". Ring3 Circus. WordPress. http://www.ring3circus.com/downloads/dll-injection-framework/. Retrieved 2008-08-31.
  13. Drew Benton (2007-08-17). "A More Complete DLL Injection Solution Using CreateRemoteThread". CodeProject. http://69.10.233.10/KB/threads/completeinject.aspx. Retrieved 2008-09-01.
  14. "CreateProcess". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/dllproc/base/createprocess.htm. Retrieved 2008-08-31.
  15. "PROCESS_INFORMATION". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/dllproc/base/process_information_str.htm. Retrieved 2008-08-31.
  16. "GetWindowThreadProcessId Function". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/winui/winui/windowsuserinterface/windowing/windows/windowreference/windowfunctions/getwindowthreadprocessid.htm. Retrieved 2008-08-31.
  17. "EnumProcesses". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/perfmon/base/enumprocesses.htm. Retrieved 2008-08-31.
  18. "GetModuleBaseName". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/perfmon/base/getmodulebasename.htm. Retrieved 2008-08-31.
  19. "VirtualAllocEx". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/memory/base/virtualallocex.htm. Retrieved 2008-08-31.
  20. "WriteProcessMemory". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/debug/base/writeprocessmemory.htm. Retrieved 2008-08-31.
  21. "Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability". Matousec. 2006-12-01. http://www.matousec.com/info/advisories/Outpost-Bypassing-Self-Protection-via-Advanced-DLL-injection-with-handle-stealing.php. Retrieved 2008-08-31.
  22. "CreateRemoteThread". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/dllproc/base/createremotethread.htm. Retrieved 2008-08-31.
  23. "LoadLibrary". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/dllproc/base/loadlibrary.htm. Retrieved 2008-08-31.
  24. "DllMain". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/dllproc/base/dllmain.htm. Retrieved 2008-08-31.
  25. "SetWindowsHookEx Function". Platform SDK for Windows XP SP2. Microsoft. ms-help://MS.PSDKXPSP2.1033/winui/winui/windowsuserinterface/windowing/hooks/hookreference/hookfunctions/setwindowshookex.htm. Retrieved 2008-08-31.
  26. "AppInit_DLLs Registry Value and Windows 95". Microsoft Help and Support. Microsoft. 2005-03-01. http://support.microsoft.com/kb/134655. Retrieved 2008-08-31.
  27. "Dll Injection using SetWindowsHookEx() Method". Game Reversal. 2008-04-03. http://www.gamereversal.com/index.php?option=com_content&view=article&id=56%3Adll-injection-using-setwindowshookex-method&catid=39%3Ac--c-core-concepts&Itemid=1. Retrieved 2008-09-01.
  28. "SetThreadContext DLL Injection". 2007-01-16. http://nerd.egloos.com/2940083. Retrieved 2008-09-01.
  29. Ben Botto (2008-09-06). "DLL Injector". http://busybin.com/busybin/C++/dll_injector/. Retrieved 2008-09-01.
  30. "Protected Media Path". MSDN. Microsoft. http://msdn.microsoft.com/en-us/library/aa376846(VS.85).aspx. Retrieved 2010-09-11.
  31. Linus Torvalds; David Engel; Eric Youngdale; Peter MacDonald; Hongjiu Lu; Lars Wirzenius; Mitch D'Souza (1998-03-14). "ld.so/ld-linux.so – dynamic linker/loader". man ld.so, UNIX man pages. Retrieved 2008-08-31.
  32. "Code Gen Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Code-Gen-Options.html#Code-Gen-Options. Retrieved 2008-08-31. "-fpic Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. sqq."
  33. "Link Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. http://gcc.gnu.org/onlinedocs/gcc-4.3.2/gcc/Link-Options.html#Link-Options. Retrieved 2008-08-31. "-shared Produce a shared object which can then be linked with other objects to form an executable. sqq."
  34. Gregory Shpitalnik (2009-02-12). "Code Injection into Running Linux Application". CodeProject. http://www.codeproject.com/KB/DLL/code_injection.aspx. Retrieved 2010-11-18.

Wikimedia Foundation. 2010.
