Dll\Code Injection, Hooking, Execution\Loading Hijacking

Hooking Techniques:

  1. Using SetWindowsHookEx function which is designed to allow you to “hook” Windows messages for a given thread
  2. Inline\Detour hooking technique where you override the first assembly instruction of a function with a jump to your code and in the end of your code you jump back to the original function
    1. http://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html
    2. https://www.exploit-db.com/docs/17802.pdf 
    3. http://newgre.net/node/5

Dll\Code Injection Techniques:

  1. Dll injection using KnownDlls section mechanism. Comment: The Section object where the KnownDlls are loaded at startup are Memory Mapped Files with names of the form: KnownDlls\{dll name}. On 64 bit operating system there is also KnownDlls32\.
    1. http://www.codeproject.com/Articles/325603/Injection-into-a-Process-Using-KnownDlls
    2. http://www.nthelp.com/40/dildog1.htm
  2. Standard way using CreateRemoteThread, VirtualAllocEx, WriteProcessMemory
  3. Using NtCreateThreadEx or RtlCreateUserThread instead of CreateRemoteThread. Better to bypass antivirus than using CreateRemoteThread. “RtlCreateUserThread appears to be a small wrapper for NtCreateThreadEx. The reason we would want to call RtlCreateUserThread is that the syscall option for NtCreateThreadEx could change between versions of Windows. Therefore, it will be more likely to work if we use RtlCreateUserThread. Mimikatz and Meterpreter use RtlCreateUserThread so it is safe to go with that option”. Those functions can\could help bypass zero session isolation.
    1. https://warroom.securestate.com/index.php/dll-injection-part-2-createremotethread-and-more/
    2. http://securityxploded.com/ntcreatethreadex.php
    3. http://0x191unauthorized.blogspot.co.il/2011/08/reverse-shell-through-dll-injection.html
  4. Using NtUnmapViewOfSection, patching, and then using NtMapViewOfSection.
    1. This malware used this technique: http://www.sentinelone.com/wp-content/themes/sentinelone/img/SentinelOne-Intelligence-Report.pdf
  5. Using GetThreadContext, change code and eip, and SetThreadContext
    1. http://www.rohitab.com/discuss/topic/40579-dll-injection-via-thread-hijacking/
    2. http://syprog.blogspot.ru/2012/05/createremotethread-bypass-windows.html
  6. Using QueueUserAPC which adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread
  7. Reflective dll injection – injecting dll without LoadLibrary by copying it into memory and finding the addresses of the functions and jumping to them (tries to implement the code of LoadLibrary but loading from memory instead of loading from file. Sometimes doesn’t fully do all the steps that LoadLibrary does and thus some structures are weird looking and this allows to detect the injection for example by using volatility malfind extension)
    1. https://github.com/stephenfewer/ReflectiveDLLInjection
    2. The following link has a good-understandable explanation about reflective dll injection and also explanation of how to turn your dll into reflective dll.
      The problem with what is stated there is that it requires to change the code of the dll. Maybe with a little change in the injection code, you can make it such that you can inject the code into the target process and the injected code will load your evil dll which you didnt change its code.
      Here the whole library loading process is implemented and used instead of the windows loading functions http://securitycafe.ro/2015/02/26/upgrade-your-dll-to-reflective-dll/
  8. Hooking NT functions that are part of dll loading and then calling LoadLibrary but making sure using the hook that the library is loaded from memory and not from disk
    1. http://hick.org/code/skape/papers/remote-library-injection.pdf
  9. Powerloader technique – writing to shared sections with explorer and then making explorer execution execute malicious address writen using SetWindowLong by using SendNotifyMessage and finally the address written is of KiUserApcDispatcher which together with ROP chains executes the malicious code which was written to the shared sections. Note that the function KiUserApcDispatcher is related to QueueUserAPC from previously mentioned technique. One of the things to note here is that there is no remote thread injection here with CreateRemoteThread or QueueUserAPC or suspicios cross process call to SetThreadContext, and instead a function of a known process which is exposed using some api is used for the trigger – in this case explorer.exe SendNotifyMessage function.
    1. http://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
    2. https://github.com/BreakingMalware/PowerLoaderEx
  10. General technique of overriding remote process function which can be triggered using some api. For example ardbot malware overrides GetMessageW function of explorer.exe and triggers it to execute its code. An interesting thing about ardbot is that it uses NtWriteVirtualMemory instead of WriteProcessMemory which liked mentioned before can be used to evade av. Like before, one of the things to note here is that there is no remote thread injection here with CreateRemoteThread or QueueUserAPC or suspicios cross process call to SetThreadContext.
    1. http://breakingmalware.com/malware/ardbot-a-malware-under-construction/
    2. If first link does not load then: http://webcache.googleusercontent.com/search?q=cache:Tf86478d6BwJ:breakingmalware.com/malware/ardbot-a-malware-under-construction/&strip=1

Execution\Loading Hijacking Techniques:

  1. Dll side-loading using Side-by-side assembly, WinSxS
    1. http://www.rsaconference.com/writable/presentations/file_upload/hta-w04a-dll-side-loading-a-thorn-in-the-side-of-the-anti-virus-_av_-industry.pdf
    2. https://msdn.microsoft.com/en-us/library/windows/desktop/ff951640(v=vs.85).aspx
    3. https://msdn.microsoft.com/en-us/library/ms973843.aspx
  2. Dll Search order hijacking
    1. https://www.mandiant.com/blog/malware-persistence-windows-registry/


  1. Detours – “Software package for re-routing Win32 APIs underneath applications”
    1. http://research.microsoft.com/en-us/projects/detours/
  2. EasyHook  – “EasyHook starts where Microsoft Detours ends. This project supports extending (hooking) unmanaged code (APIs) with pure managed ones, from within a fully managed environment like C# using Windows 2000 SP4 and later, including Windows XP x64, Windows Vista x64 and Windows Server 2008 x64. Also 32- and 64-bit kernel mode hooking is supported as well as an unmanaged user-mode API which allows you to hook targets without requiring a NET Framework on the customers PC. An experimental stealth injection hides hooking from most of the current AV software. ”
    1. http://easyhook.codeplex.com/
    2. https://code.google.com/p/easyhook-continuing-detours/
  3. DllInjector – “dll injection tool that implements various methods”
    1. https://github.com/OpenSecurityResearch/dllinjector
  4. IAT hooking circumventing common detection mechanisms
    1. https://github.com/mieleke/IAT-Hooking-Revisited
  5. Frida – lets you inject snippets of JavaScript into native apps on Windows, Mac, Linux, iOS and Android.
    1. https://github.com/frida/frida
    2. http://www.frida.re/docs/home/
  6. MiniHook – code implementing detour technique
    1. http://www.codeproject.com/Articles/21414/Powerful-x-x-Mini-Hook-Engine

Other Material:

  1. http://resources.infosecinstitute.com/code-injection-techniques/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s