Process Injection: Reflective DLL Injection

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process

  • Process Injection, Technique T1055 — Enterprise | MITRE ATT&CK® [https://attack.mitre.org/techniques/T1055/]

What is Process Injection?

  • It’s malware that can encapsulate its malicious code within a legitimate process

It will hide on the infected system:

  • Runs arbitrary code within the address space of another process and
  • Enabling access to the target processes resources, like memory, system, network resources.

Which processes are commonly targeted by actors employing process injection?

  • Built-in native Windows ones, including Explorer, service host and others.
  • Processes linked to the common software, including Internet Explorer, Opera, Chrome, Firefox, Outlook, and other common software. This is because these processes are whitelisted and not commonly monitored by security devices.

Browsers can access the internet and potentially download anything. So, if we can inject a malware code into chrome.exe, our malware code will also be able to access the internet, download other malware, and upload any sort of information on the internet.

Reflective DLL Injection

This is one of the most used injection methods. It allows to inject and execute a dynamic library (DLL) inside another process by creating a DLL that maps itself into the legitimate target processes memory when executed, instead of relying on Windows API loader calls. The process will use Windows API, just not the loader calls.

We call it reflective because the malware maps itself:

  • The malware retrieves information about a group of target processes.
  • Using other API calls (steps 2 and 3), the malware writes the path to its DLL in the allocated memory.
  • Finally, to eventually have the code executed in the target process, the malware calls APIs such as CreateRemoteThread so that a remote process has to execute the DLL on behalf of the malware.

CreateRemoteThread is tracked and flagged by many security products.

Trusted Veteran | Compassionate. Aspiring. Resourceful.