Understanding And Detecting Dll 1nj3ct0n & Process Hollowing

Alparslan Akyıldız academy
3 min read · Nov 4, 2019

Hello friends, in this blog post I will write about process injection, process hollowing and DLL injection. I give some examples of the attack techniques and analyze the attacks for detection purposes. I examine the Windows APIs that are called during the attacks and categorize and tabulate them step by step.

Before we start, I present my Udemy trainings; if you want, you can benefit from them to learn the subject more deeply:

Process injection is the execution of a malicious process's code inside a legitimate process's memory area. Malware authors or threat actors use this technique to hide their activities or to escalate their privileges. Please examine the process injection example given below; as you see, CreateRemoteThread is called:

In the DLL injection method, a legitimate process is found and opened; then an empty region (within the target process's memory boundary) is allocated in the memory area that the legitimate process owns, and the malicious DLL file path is written into that region. Let's give an example of performing this attack. First, create a Metasploit DLL file:

With a simple PowerShell command, upload it to the target:

For the DLL injection activity, the Invoke-DllInjection script was downloaded from GitHub:

https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-DllInjection.ps1

After the download completed, we use the script as shown below with the specified parameters:

OK, we got a shell:

Let's examine the steps of this. First, use Process Hacker to display the injected process:

As you remember, we injected the malicious DLL into notepad.exe:

As you see, notepad triggered rundll32, and if you investigate the modules of notepad.exe you can see the malicious trojan.dll file.

In real life, threat actors benefit from misspellings such as versi0n.dll, o1e32.dll and vvsock32.dll, so please be careful about this. OK, now we create a step table demonstrating the Windows APIs involved, for use in malware analysis or threat hunting activities:

Process hollowing is similar to DLL injection, but the technique differs in how it is implemented. In the DLL injection method, an empty area is found and the malicious code is placed in that area, whereas in process hollowing a legitimate process is first found, then that process is stopped, then the malicious code and the legitimate process's code are swapped, and then the process is restarted. Malware performs an un-map operation to replace the code.
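The API call sequences behind the two techniques, turned into a small detector; this is an added example, not code from the original post. It groups a constructed API-call trace (one "pid api" line per call, a format made up here) by process and flags any process whose calls contain the DLL injection sequence or the process hollowing sequence in order, while a process that merely reads another process's memory is left alone.

```python
"""Flag DLL injection and process hollowing from the order of Windows API calls
each process makes. The "pid api" trace format is constructed for this example."""
from collections import defaultdict

# Ordered API steps characteristic of each technique; unrelated calls may sit between them.
PATTERNS = {
    # open target -> allocate in it -> write DLL path -> remote thread loads the DLL
    "dll_injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                      "CreateRemoteThread"],
    # start legit image suspended -> un-map it -> allocate -> write payload -> redirect -> resume
    "process_hollowing": ["CreateProcess", "NtUnmapViewOfSection", "VirtualAllocEx",
                          "WriteProcessMemory", "SetThreadContext", "ResumeThread"],
}

# Constructed sample trace: pid 1001 injects a DLL, 2002 hollows a process,
# 3003 only reads another process's memory and must not be flagged.
SAMPLE_TRACE = """\
1001 OpenProcess
1001 VirtualAllocEx
1001 WriteProcessMemory
1001 CreateRemoteThread
2002 CreateProcess
2002 NtUnmapViewOfSection
2002 VirtualAllocEx
2002 WriteProcessMemory
2002 SetThreadContext
2002 ResumeThread
3003 OpenProcess
3003 ReadProcessMemory
"""

def contains_in_order(calls, pattern):
    """True if every API in pattern appears in calls, in that order (gaps allowed)."""
    it = iter(calls)
    return all(any(call == step for call in it) for step in pattern)

def classify(trace_text):
    """Return {pid: [matched techniques]} for processes whose call order matches."""
    by_pid = defaultdict(list)
    for line in trace_text.splitlines():
        if line.strip():
            pid, api = line.split(maxsplit=1)
            by_pid[int(pid)].append(api.strip())
    findings = {}
    for pid, calls in by_pid.items():
        hits = [name for name, pat in PATTERNS.items() if contains_in_order(calls, pat)]
        if hits:
            findings[pid] = hits
    return findings
```

Running `classify(SAMPLE_TRACE)` flags pid 1001 as dll_injection and pid 2002 as process_hollowing; in a real hunt the same ordered-sequence check would be run over API monitor or ETW output.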

Thank you for reading. See you.
