DLL injection

In computer programming, DLL injection is a technique used for running code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by external programs to influence the behavior of another program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could hook system function calls,[4][5] or read the contents of password textboxes, which cannot be done in the usual way.[6] A program used to inject arbitrary code into arbitrary processes is called a DLL injector.

Approaches on Microsoft Windows

There are multiple ways on Microsoft Windows to force a process to load and execute code in a DLL that the authors did not intend:

Approaches on Unix-like systems

On Unix-like operating systems whose dynamic linker is based on ld.so (on BSD) or ld-linux.so (on Linux), arbitrary libraries can be linked into a new process by giving the library's pathname in the LD_PRELOAD environment variable, which can be set globally or individually for a single process.[36]

For example, in bash, this command launches the program "prog" with the shared library from the file "test.so" linked into it at launch time:

LD_PRELOAD="./test.so" prog

Such a library can be created with GCC by compiling the source file that contains the new globals to be linked in with the -fpic or -fPIC option,[37] and then linking the object with the -shared option.[38] The library has access to the external symbols declared in the program, like any other library.
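Because a preloaded library is named only by an environment variable (or, system-wide, by a loader configuration file), a defender can find such injection by inspecting process environments. The following POSIX shell script is an added example, not code from the article: it parses a /proc-style NUL-separated environ blob for LD_PRELOAD, lists system-wide entries from an /etc/ld.so.preload-style file, and walks /proc on a Linux host. The function names are my own and the /proc layout is assumed.

```shell
#!/bin/sh
# Audit for LD_PRELOAD-based library injection on a Linux host.
# Added example; function names below are hypothetical, /proc is assumed.

# Print the LD_PRELOAD value found in a NUL-separated environment blob such
# as /proc/<pid>/environ. Exit status 0 if the variable is set, 1 otherwise.
preload_from_environ() {
    val=$(tr '\000' '\n' < "$1" | sed -n 's/^LD_PRELOAD=//p' | head -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Print the libraries listed in an /etc/ld.so.preload-style file (the loader
# preloads these into every dynamically linked process). Comments, blank
# lines and surrounding whitespace are dropped. Exit status 0 if any remain.
preload_entries_from_file() {
    [ -f "$1" ] || return 1
    sed -e 's/#.*//' -e 's/^[[:space:]]*//;s/[[:space:]]*$//' -e '/^$/d' "$1" | grep .
}

# Walk /proc and report every readable process whose environment carries
# LD_PRELOAD, one "pid comm value" line each. Exit status 1 if none found.
scan_processes() {
    hits=0
    for d in /proc/[0-9]*; do
        [ -r "$d/environ" ] || continue
        val=$(preload_from_environ "$d/environ") || continue
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "${d#/proc/}" "$comm" "$val"
        hits=$((hits + 1))
    done
    [ "$hits" -gt 0 ]
}

# Write a constructed /proc-style environ blob (NUL-separated) to file $1.
make_sample_environ() {
    printf 'PATH=/usr/bin\nLD_PRELOAD=./test.so\nHOME=/home/demo\n' \
        | tr '\n' '\000' > "$1"
}

# Demonstration on the constructed sample, then a live look at this host.
tmp=$(mktemp)
make_sample_environ "$tmp"
printf 'sample environ preloads: %s\n' "$(preload_from_environ "$tmp")"
rm -f "$tmp"
scan_processes || echo 'no readable running process has LD_PRELOAD set'
preload_entries_from_file /etc/ld.so.preload || echo 'no system-wide preload entries'
```

Any hit deserves a look at who owns the preloaded file and whether it is writable by unprivileged users; a library that can be replaced by a less privileged user is the same mechanism turned into a persistence vector.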

It is also possible to use debugger-based techniques on Unix-like systems.[39]

References

  1. James Shewmaker (2006). "Analyzing DLL Injection" (PDF). GSM Presentation. Bluenotch. Retrieved August 31, 2008.
  2. Iczelion (August 2002). "Tutorial 24: Windows Hooks". Iczelion's Win32 Assembly Homepage. Retrieved August 31, 2008.
  3. Rocky Pulley (May 19, 2005). "Extending Task Manager with DLL Injection". CodeProject. Retrieved September 1, 2008.
  4. Nasser R. Rowhani (October 23, 2003). "DLL Injection and function interception tutorial". CodeProject. Retrieved August 31, 2008.
  5. Ivo Ivanov (December 2, 2002). "API hooking revealed". CodeProject. Retrieved August 31, 2008.
  6. Robert Kuster (August 20, 2003). "Three Ways to Inject Your Code into Another Process". CodeProject. Retrieved August 31, 2008.
  7. "Working with the AppInit_DLLs registry value". Microsoft Help and Support. Microsoft. November 21, 2006. Retrieved August 31, 2008.
  8. Raymond Chen (December 13, 2007). "AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs". The Old New Thing. Microsoft. Retrieved August 31, 2008.
  9. "dllmain.c". ReactOS. ReactOS Foundation. July 8, 2008. Retrieved August 31, 2008.
  10. AppInit_DLLs in Windows 7 and Windows Server 2008 R2
  11. "AppInit DLLs and Secure Boot". MSDN. Retrieved March 29, 2016.
  12. Trent Waddington. "InjectDLL". Retrieved August 31, 2008.
  13. "Dll Injection". DreamInCode.net. MediaGroup1. May 4, 2006. Retrieved August 31, 2008.
  14. Greg Jenkins (November 2007). "DLL Injection Framework". Ring3 Circus. WordPress. Retrieved August 31, 2008.
  15. Drew Benton (August 17, 2007). "A More Complete DLL Injection Solution Using CreateRemoteThread". CodeProject. Retrieved September 1, 2008.
  16. "CreateProcess". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  17. "PROCESS_INFORMATION". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  18. "GetWindowThreadProcessId Function". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  19. "EnumProcesses". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  20. "GetModuleBaseName". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  21. "VirtualAllocEx". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  22. "WriteProcessMemory". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  23. "Outpost Bypassing Self-Protection via Advanced DLL injection with handle stealing Vulnerability". Matousec. December 1, 2006. Retrieved August 31, 2008.
  24. "CreateRemoteThread". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  25. "LoadLibrary". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  26. "DllMain". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  27. "SetWindowsHookEx Function". Platform SDK for Windows XP SP2. Microsoft. Retrieved August 31, 2008.
  28. "AppInit_DLLs Registry Value and Windows 95". Microsoft Help and Support. Microsoft. March 1, 2005. Retrieved August 31, 2008.
  29. "Dll Injection using SetWindowsHookEx() Method". Game Reversal. April 3, 2008. Retrieved September 1, 2008.
  30. "SetThreadContext DLL Injection". January 16, 2007. Retrieved September 1, 2008.
  31. Ben Botto (September 6, 2008). "DLL Injector". Retrieved September 1, 2008.
  32. "Insecure Library Loading Could Allow Remote Code Execution". Microsoft. 10 June 2011. Retrieved 20 Apr 2016.
  33. "Secure loading of libraries to prevent DLL preloading attacks". Microsoft. 10 June 2011. Retrieved 8 Aug 2012.
  34. "Microsoft Security Advisory: Insecure library loading could allow remote code execution". Microsoft. 10 June 2011. Retrieved 20 Apr 2016.
  35. Nicolas Falliere (26 September 2010). "Stuxnet Infection of Step 7 Projects". Symantec.
  36. Linus Torvalds; David Engel; Eric Youngdale; Peter MacDonald; Hongjiu Lu; Lars Wirzenius; Mitch D'Souza (March 14, 1998). "ld.so/ld-linux.so – dynamic linker/loader". UNIX man pages. Retrieved August 31, 2008.
  37. "Code Gen Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. Retrieved August 31, 2008. -fpic Generate position-independent code (PIC) suitable for use in a shared library, if supported for the target machine. sqq.
  38. "Link Options". Using the GNU Compiler Collection (GCC). Free Software Foundation. Retrieved August 31, 2008. -shared Produce a shared object which can then be linked with other objects to form an executable. sqq.
  39. Gregory Shpitalnik (February 12, 2009). "Code Injection into Running Linux Application". CodeProject. Retrieved November 18, 2010.
This article is issued from Wikipedia, version of Wednesday, April 20, 2016. The text is available under the Creative Commons Attribution/Share Alike license, but additional terms may apply for the media files.