DYNAMIC DLL INJECTION

As in my previous post I describe about the static dll injection Now we will look at the dynamic dll injection. which is mostly used by Trojan’s.
After a program has been executed, a process is created in the OS. When an attacker attempts to load code into the process memory space, then the attacker is using dynamic injection. When .dll libraries are loaded through dynamic injection, the process is known as dynamic dll injection.
Loading a .dll into a process.
For this we will install DiamondCS APM (Advanced Process Manipulation).or any other advanced process manipulator just Google it
After installation start APM.
you should see a list of running processes along with their Process ID number as we have seen in our static dll injection post. Select explorer.exe.
Make sure apm.dll is not present.If it is for some strange reason, right click on top of it and select Unload DLL.
Now right click on top of explorer.exe on the APM window and select Load DLL.Now select apm.dll from the APM directory.
It should show success.
Now use PE to make sure the dll has been loaded.
Advanced Process Manipulation lets you load dlls into processes
Injecting dlls dynamically
Microsoft's Platform SDK provides some API calls to manipulate processes. Let's look at a couple of them. Make sure you read it and understand it before proceeding:
OpenProcess: opens an existing process object
WriteProcessMemory: writes data to an area of memory in a specified process. The entire area to be written to must be accessible or the operation fails.
CreateRemoteThread: creates a thread that runs in the virtual address space of another process
LoadLibrary: maps the specified executable module into the address space of the calling process.
VirtualAllocEx: reserves or commits a region of memory within the virtual address space of a specified process
Open a process using OpenProcess. One of the parameters is the Process ID which you can get from using PE from my previous post of static dll injection. Next, Allocate memory using VirtualAllocEx (one of the parameters of VirtualAllocEx will be the process opened by OpenProcess)
Write something into the memory space we allocated within the process. We will pass in the Process into which we want to write, the address of the memory into which we want to write ,the number of bytes to write, and a pointer to the DLL we want to load.
Now we will create a new thread which will call a function. The address of the function is the address of LoadLibrary and as parameters we pass the address of the memory we allocated...so the process will call the code we injected into the process. We do this using CreateRemoteThread and passing in the addresses.
Follows a simple example
program ddlli;
uses
Windows;
var
PID, BytesWritten, Process, Thread, ThreadId: dword;
Paramaters: pointer;
DLL: pchar;
function xCreateRemoteThread(hProcess: dword; lpThreadAttributes: Pointer; dwStackSize: dword; lpStartAddress: Pointer; lpParameter: Pointer; dwCreationFlags: dword; lpThreadId: dword): dword; stdcall; external 'RT.dll';
function xVirtualAllocEx(hProcess: dword; lpAddress: Pointer; dwSize: dword; flAllocationType: dword; flProtect: dword): Pointer; stdcall; external 'RT.dll';
function xVirtualFreeEx(hProcess: dword; lpAddress: Pointer; dwSize: dword; dwFreeType: dword): boolean; stdcall; external 'RT.dll';
begin
DLL := 'c:\Inject\Library.dll'; //full path!
PID := 1784; //process id!
Process := OpenProcess(PROCESS_ALL_ACCESS, False, PID);
Paramaters := xVirtualAllocEx(Process, nil, 4096, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(Process, Paramaters, Pointer(DLL), 4096, BytesWritten);
Thread := xCreateRemoteThread(Process, nil, 0, GetProcAddress(GetModuleHandle('KERNEL32.DLL'), 'LoadLibraryA'), Paramaters, 0, ThreadId);
WaitForSingleObject(Thread, INFINITE);
xVirtualFreeEx(Process, Paramaters, 0, MEM_RELEASE);
CloseHandle(Thread);
CloseHandle(Process);
end.
As soon as EXE.exe is executed an Internet Explorer window should come up.
The DLL in this example is actually not loaded because we are using Windows XP and there is a security issue with the isBadWritePtr() function. However in earlier versions of Windows it would have injected successfully.
This is all about dynamic dll injection
Reference:
www.microsoft.com
ECE lab manual
www.iamaphex.net (for codes)