Code dll injection
1 / 25

Code/DLL Injection - PowerPoint PPT Presentation

  • Uploaded on

Code/DLL Injection. ECE4112 – Internetwork Security Georgia Institute of Technology By Andrei Bersatti and Brandon Harrington. Agenda. Background: Processes and DLLs Code Injection Static Injection Dynamic Injection Trojans and Firewall Evasion Defenses. Processes and DLLs (1).

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Code/DLL Injection' - aladdin-delaney

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Code dll injection

Code/DLL Injection

ECE4112 – Internetwork Security

Georgia Institute of Technology

By Andrei Bersatti and Brandon Harrington


  • Background: Processes and DLLs

  • Code Injection

    • Static Injection

    • Dynamic Injection

  • Trojans and Firewall Evasion

  • Defenses

Processes and dlls 1
Processes and DLLs (1)

  • What are processes?

  • What are DLL files?

    • More on this later

  • Processes are running tasks that are managed by the Operating System. Processes may load DLL files (Dynamic Link Libraries, in Windows).

  • Dynamic Link Libraries are executable code that can only be executed when called by a process.

Processes and dlls 2
Processes and DLLs (2)

  • At the Lab:

    • We will have a brief review of Processes.

    • Use Windows Task Managers to Observe Processes.

    • Use Sysinternals Process Explorer (view processes and .dll files loaded by processes).

    • Process Name, Process User, Process Description, Process ID, Process DLL’s.

Code injection
Code Injection

  • Code Injection: ‘Injecting’ code (putting executable code within) into another program.

  • Two Kinds:

    • Static Injection: Occurs prior to program execution.

    • Dynamic Injection: Occurs on or after program execution.

  • Original Program/Process + Injected Code = Malicious Program/Process

Code Injection – Static Injection (1)

  • Occurs prior to execution of a program.

  • Example:

    • A program innocent.exe is modified so that prior to executing itself it executes code that has been injected to do some nasty thing.

    • Then the program is delivered to the victim who thinks the program is innocent (a virus? A trojan? A technique!).

Code injection static injection 2
Code Injection – Static Injection (2)

  • How is it done?

    • Programs have a memory space.

    • Not all of the memory space is used, some parts of the memory space (usually at the end) is full of NOOPs. This area is known as a “cave.”

    • A cave can be overwritten without corrupting (other than by adding a desired functionality) the victim program.

Code injection static injection 3
Code Injection – Static Injection (3)

  • In order to execute the code in the cave, the program has to be able to reach the code.

  • How?

  • Every program has an Entry Point. By changing the first instruction in the Entry Point into a JUMP to our added code, as soon as the program starts our code executes.

  • At the end of our code we add any instructions overwritten by the JUMP and then enter a JUMP back to the 2nd Instruction of the Entry Point.

  • Program execution continues normally.

Code injection static injection 4
Code Injection – Static Injection (4)

  • In the Lab:

    • We will use OllyDbg (a debugger or decompiler) to modify the memory space of winmine.exe (Minesweeper) so that it displays a Message Box prior to executing.

  • Need some basic ASM:

    • JMP -> A jump to an address (to an instruction).

    • PUSH -> Pushes a variable into the stack.

    • CALL -> Calls a Function, our function, user32.MessageBoxA, will pop the stack and take those variables as parameters.

Code injection static injection 5
Code Injection – Static Injection (5)

  • Static Code Injection is not widely exploited by Trojans.

  • Understanding how Static Code Injection works helps to understand Dynamic Code Injection.

  • Static Code Injection is harder to detect since it may have occurred before the victim program arrived at a particular location.

Dynamic code injection
Dynamic Code Injection

  • Used by rootkits, trojans, viruses, spyware

  • Inserting code into the program’s memory space.

  • No signs of tampering in the executable file. Changes done on-the-fly while the process is running.

Dynamic link libraries dll
Dynamic Link Libraries (DLL)

  • DLLs are shared libraries used across many programs.

    • Instead of including the shared code in every executable, common functions are stored in a separate file accessible by the programs.

      • Reduces executable size

      • Increases code re-use

    • Accessed by memory location

      • Import/Export Look-up table

Api hooking
API Hooking

  • Closely related to functional overloading in programming

  • Common practice in programming mainly for debugging purposes.

  • Uses DLL injection to implant its hook DLL

Api hooking continued
API Hooking (continued)

  • Malicious uses

    • Override functions in programs to intercept data

    • Maintain functionality but add “bad features”

    • Examples:

      • An encryption algorithm in a DLL could be overwritten to output the data before encrypted.

      • A send web data function could be overwritten to send duplicate data to another server.

Lab procedures dynamic injection
Lab Procedures (Dynamic Injection)

  • Inject DLLs into running processes using

    • APM

    • Aphex’s DLL Injector

  • Use Process Explorer (PE) to show the new DLL loaded

Trojans and firewall evasion 1
Trojans and Firewall Evasion (1)

  • What is the relevance of Code Injection to an Internetwork Security class?

  • Trojans often use code/dll injection in an attempt to evade the Firewall and communicate with the Internet.

  • Reverse Connection: Attacker’s computer does not contact you; your computer contacts the attacker’s computer!

  • Access to data prior to encryption!

Trojans and firewall evasion 2
Trojans and Firewall Evasion (2)

  • Static code injection scenario:

    • Install.exe was downloaded from Kazaa. (Assume Install.exe is your favorite videogame).

    • Install.exe is in reality MultiPlayerGame.exe wrapped with invisible Keylogger.exe.

    • MultiPlayerGame.exe was injected with code to connect to the Internet and deliver Keylog.txt to an attacker’s IP address.

    • Because you willingly ran a Multiplayer Game, you will tell your Firewall “Yes, allow MultiPlayerGame.exe to go outbound.”

Trojans and firewall evasion 3
Trojans and Firewall Evasion (3)

  • But like we said before, while harder to detect, Static Code Injection is not commonly used by trojans.

  • Dynamic Code/DLL Injection is far more common and far more dangerous!

  • Dynamic Code/DLL Injection scenario:

    • warningIamAtrojanServer.exe was somehow executed by some irresponsible person.

    • This installed in the Run registry a program that runs upon startup for 1 second and injects a trojan.dll into iexplore.exe. Trojan was a Remote Administration Tool and because iexplore.exe has Firewall privileges, this RAT does too!

Trojans and firewall evasion 4
Trojans and Firewall Evasion (4)

  • At the lab:

    • We will install a firewall (Sygate Personal Firewall)

    • We will test a firewall using Atelier Web Firewall Tester (tests Firewalls by trying to inject different processes that should already have privileges in the Firewall.

    • Atelier claims that most firewalls fail these tests!!

Trojans and firewall evasion 5
Trojans and Firewall Evasion (5)

  • Some Trojans that use injection:

    • Assassin 2.0 – Uses dynamic DLL injection for reverse connection.

    • Beast 2.0 – Uses dynamic DLL injection for reverse connection.

    • Nuclear Uploader – Uses dynamic DLL injection for reverse connection.

    • Flux – Uses dynamic code injection for reverse connection.

    • Institution 2004 – Claims to use DLL injection for reverse connection. Allows to remotely patch a process.

Trojans and firewall evasion 6
Trojans and Firewall Evasion (6)

  • In the lab:

  • We will play with Assassin 2.0; show the loaded .dll using Process Explorer.

  • We will play with Institution 2004; show ability to patch processes remotely.

  • We will play with Flux; show that it does indeed use Internet Explorer to evade the Firewall and yet no loaded .dll is detected.

  • Tools: Process Explorer, Sygate Personal Firewall logs.


  • How can you protect yourself from this attack?

  • Anti-Hook

    • Essentially a firewall for DLL’s

    • Rule-based

      • Allow only “trusted” dll’s to be loaded by programs


  • Static Injection

    • File Fingerprinting

  • Dynamic Injection

    • Scan memory for rogue DLL currently loaded

    • Check import/export addresses of linked functions and compare with known addresses

Lab procedures defenses
Lab Procedures (Defenses)

  • Use Advanced Process Manipulation (APM) to unload DLL injected into current processes

  • Use TDS-3 to scan memory for rogue DLLs


  • This is a common technique.

  • Comparable to buffer overflows.

  • If you know how the technique works, you can defend yourself against various malware that uses it