Process Injection: Reflective DLL Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

  • Process Injection, Technique T1055 — Enterprise | MITRE ATT&CK® [https://attack.mitre.org/techniques/T1055/]

What is Process Injection?

  • A technique by which malware encapsulates its malicious code within a legitimate process.

This lets it hide on the infected system:

  • It runs arbitrary code within the address space of another process, and
  • it thereby gains access to the target process’s resources, such as memory, system and network resources.

Which processes are commonly targeted by actors employing process injection?

  • Built-in native Windows processes, including Explorer, service host and others.
  • Processes belonging to common software, including Internet Explorer, Opera, Chrome, Firefox, Outlook and other widely installed applications. These processes are whitelisted and not commonly monitored by security devices.

Browsers can access the internet and potentially download anything. So, if malicious code is injected into chrome.exe, that code will also be able to access the internet, download other malware, and upload any sort of information to the internet.

Reflective DLL Injection

This is one of the most used injection methods. It allows an attacker to inject and execute a dynamic-link library (DLL) inside another process: the DLL is written so that, when executed, it maps itself into the target process’s memory instead of relying on the Windows loader’s API calls. The process still uses the Windows API, just not the loader calls.

We call it reflective because the malware maps itself:

  • The malware retrieves information about a group of target processes.
  • Using other API calls (steps 2 and 3), the malware writes the path to its DLL into the allocated memory.
  • Finally, to have the code executed in the target process, the malware calls an API such as CreateRemoteThread, so that the remote process executes the DLL on behalf of the malware.
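Because a reflectively mapped DLL bypasses the Windows loader, it never appears in the process’s module list; what is left behind is an executable region of private (non-file-backed) memory that still carries a PE header. The following is an added example, not code from the original post, of the check a memory-forensics tool performs for this: it walks a snapshot of a process’s memory map and reports private, executable regions that begin with a valid DOS/PE header. The region records are constructed here and mimic the `Type`, `Protect` and base-address fields of Windows’ MEMORY_BASIC_INFORMATION; the constants are the real Windows values.

```python
import struct

# Windows memory-region constants (as reported in MEMORY_BASIC_INFORMATION).
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew field points
    at a 'PE\\0\\0' signature that lies inside the buffer."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # e_lfanew must land inside the region and leave room for the signature.
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_unbacked_pe_images(regions):
    """Return base addresses of regions that are private, executable and hold
    a PE image. A DLL loaded by the Windows loader is MEM_IMAGE (file-backed);
    a reflectively mapped DLL lives in MEM_PRIVATE memory with no file behind it."""
    hits = []
    for r in regions:
        if r["type"] != MEM_PRIVATE:
            continue
        if not (r["protect"] & EXECUTABLE_MASK):
            continue
        if looks_like_pe(r["data"]):
            hits.append(r["base"])
    return hits


def build_fake_pe_header(size: int = 0x200) -> bytes:
    """Constructed sample: a minimal DOS stub with e_lfanew = 0x80 and a PE
    signature, zero-padded to `size` bytes. Not a loadable image."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed snapshot of a process's memory map (not real data).
SAMPLE_REGIONS = [
    # A legitimately loaded DLL: image-backed, executable, PE header present.
    {"base": 0x00007FF800000000, "type": MEM_IMAGE,
     "protect": PAGE_EXECUTE_READ, "data": build_fake_pe_header()},
    # Ordinary heap: private, writable, no code, no header.
    {"base": 0x000001F000000000, "type": MEM_PRIVATE,
     "protect": PAGE_READWRITE, "data": b"\x00" * 0x200},
    # Suspicious: private RWX region that starts with a full PE header.
    {"base": 0x000002A000000000, "type": MEM_PRIVATE,
     "protect": PAGE_EXECUTE_READWRITE, "data": build_fake_pe_header()},
    # Private RWX region whose DOS header was wiped: this heuristic misses it,
    # which is why header scanning is paired with other signals.
    {"base": 0x000002B000000000, "type": MEM_PRIVATE,
     "protect": PAGE_EXECUTE_READWRITE, "data": b"\x00" * 0x200},
]

if __name__ == "__main__":
    for base in find_unbacked_pe_images(SAMPLE_REGIONS):
        print(f"unbacked PE image at 0x{base:016X}")
```

Only the third region is reported: the first has a PE header but is file-backed, the second is private but neither executable nor a PE, and the fourth shows the limit of header scanning when a loader erases its own DOS header, which is why this check is combined with thread-start and API-trace signals rather than used alone.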

CreateRemoteThread is tracked and flagged by many security products.
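One concrete form of that tracking is Sysmon Event ID 8, which records every CreateRemoteThread call with the source image, target image and the new thread’s start address, module and function. The block below is an added example, not from the original post, of how an analyst might triage such events: it scores each record by whether the target is one of the commonly injected processes the post names (service host is svchost.exe), whether the thread starts in memory that no loaded module backs (an empty StartModule, consistent with a reflectively mapped DLL or shellcode), and whether the source runs from a user-writable path. The event records are constructed, following the Sysmon field names; the allowlist of benign sources is a hypothetical example that a real deployment would build from its own baseline.

```python
import os

# Processes the post names as common injection targets (lower-cased image names).
COMMON_TARGETS = {
    "explorer.exe", "svchost.exe", "iexplore.exe", "opera.exe",
    "chrome.exe", "firefox.exe", "outlook.exe",
}

# Hypothetical allowlist of source images that create remote threads legitimately
# in this environment; tune it from your own baseline rather than copying it.
KNOWN_BENIGN_SOURCES = {
    r"c:\windows\system32\csrss.exe",
}


def triage_remote_thread_event(ev):
    """Score one Sysmon Event ID 8 (CreateRemoteThread) record.
    Returns (score, reasons); a higher score is more worth an analyst's time."""
    reasons = []
    score = 0
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    tgt_name = os.path.basename(tgt.replace("\\", "/"))

    if src in KNOWN_BENIGN_SOURCES:
        return 0, ["source is allowlisted"]
    if tgt_name in COMMON_TARGETS:
        score += 2
        reasons.append(f"target {tgt_name} is a commonly injected process")
    # StartModule is empty when the new thread begins in memory that no loaded
    # module backs: consistent with a reflectively mapped DLL or shellcode.
    if not ev.get("StartModule"):
        score += 3
        reasons.append("thread start address is not backed by a loaded module")
    # A source binary in a user-writable location is a weaker but useful signal.
    if "\\users\\" in src or "\\temp\\" in src:
        score += 1
        reasons.append("source image runs from a user-writable path")
    return score, reasons


def triage_remote_thread_events(events, threshold=3):
    """Return [(SourceImage, TargetImage, score, reasons)] for events scoring
    at or above `threshold`, in input order."""
    out = []
    for ev in events:
        score, reasons = triage_remote_thread_event(ev)
        if score >= threshold:
            out.append((ev["SourceImage"], ev["TargetImage"], score, reasons))
    return out


# Constructed Sysmon Event ID 8 records (field names follow the Sysmon schema;
# the paths, addresses and timestamps are made up for this example).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-01-01 10:00:00.000",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe",
     "StartAddress": "0x00007FFB12345678",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "CtrlRoutine"},
    {"UtcTime": "2022-01-01 10:00:01.000",
     "SourceImage": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "StartAddress": "0x000002A000001000",
     "StartModule": "",
     "StartFunction": ""},
    {"UtcTime": "2022-01-01 10:00:02.000",
     "SourceImage": r"C:\Program Files\Vendor\agent.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartAddress": "0x00007FFB22222222",
     "StartModule": r"C:\Windows\System32\ntdll.dll",
     "StartFunction": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for src, tgt, score, reasons in triage_remote_thread_events(SAMPLE_EVENTS):
        print(f"[{score}] {src} -> {tgt}: {'; '.join(reasons)}")
```

Of the three constructed records only the second crosses the threshold: a binary in a user’s Temp directory created a thread in chrome.exe that starts in unbacked memory. The third record targets Explorer but starts in ntdll.dll, which by itself is how many legitimate tools create threads, so it scores low; the first is dropped by the allowlist. The weights are deliberately simple so the reasons list explains every verdict.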

Austin Songer

Trusted Veteran | Compassionate. Aspiring. Resourceful.