Category:Digital-Forensics/Computer-Forensics/Process-Injection
DLL Injection
Description
Pseudo-code explaining DLL Injection:
hVictimProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, victimProcessID);                  // get a handle to the target process
pNameInVictimProcess = VirtualAllocEx(hVictimProcess, ..., sizeof(maliciousLibraryName), ..., ...); // reserve memory in the target
WriteProcessMemory(hVictimProcess, pNameInVictimProcess, maliciousLibraryName, sizeof(maliciousLibraryName), ...); // copy the DLL path there
hKernel32 = GetModuleHandle("Kernel32.dll");
LoadLibraryAddress = GetProcAddress(hKernel32, "LoadLibraryA");                         // same address in every process
CreateRemoteThread(hVictimProcess, ..., ..., LoadLibraryAddress, pNameInVictimProcess, ..., ...); // target calls LoadLibraryA(path)
Once you have identified that you are dealing with process injection, the objective is to determine what code is being injected and into which process.
Example
.text:00401251 mov ecx, [ebp+eax*4+dwProcessId]
.text:00401258 push ecx ; dwProcessId
.text:00401259 push 0 ; bInheritHandle
.text:0040125B push 43Ah ; dwDesiredAccess
.text:00401260 call ds:OpenProcess
.text:00401266 mov [ebp+hProcess], eax
.text:0040126C cmp [ebp+hProcess], 0FFFFFFFFh
.text:00401273 jnz short loc_40127D
.text:00401275 or eax, 0FFFFFFFFh
.text:00401278 jmp loc_401342
.text:0040127D ; ---------------------------------------------------------------------------
.text:0040127D
.text:0040127D loc_40127D: ; CODE XREF: _main+1A3↑j
.text:0040127D mov [ebp+var_112C], 7D0h
.text:00401287
.text:00401287 loc_401287: ; CODE XREF: _main+179↑j
.text:00401287 jmp loc_4011EB
.text:0040128C ; ---------------------------------------------------------------------------
.text:0040128C
.text:0040128C loc_40128C: ; CODE XREF: _main+136↑j
.text:0040128C push 4 ; flProtect
.text:0040128E push 3000h ; flAllocationType
.text:00401293 push 104h ; dwSize
.text:00401298 push 0 ; lpAddress
.text:0040129A mov edx, [ebp+hProcess]
.text:004012A0 push edx ; hProcess
.text:004012A1 call ds:VirtualAllocEx
.text:004012A7 mov [ebp+lpBaseAddress], eax
.text:004012AD cmp [ebp+lpBaseAddress], 0
.text:004012B4 jnz short loc_4012BE
.text:004012B6 or eax, 0FFFFFFFFh
.text:004012B9 jmp loc_401342
.text:004012BE ; ---------------------------------------------------------------------------
.text:004012BE
.text:004012BE loc_4012BE: ; CODE XREF: _main+1E4↑j
.text:004012BE push 0 ; lpNumberOfBytesWritten
.text:004012C0 push 104h ; nSize
.text:004012C5 lea eax, [ebp+Buffer]
.text:004012CB push eax ; lpBuffer
.text:004012CC mov ecx, [ebp+lpBaseAddress]
.text:004012D2 push ecx ; lpBaseAddress
.text:004012D3 mov edx, [ebp+hProcess]
.text:004012D9 push edx ; hProcess
.text:004012DA call ds:WriteProcessMemory
.text:004012E0 push offset ModuleName ; "kernel32.dll"
.text:004012E5 call ds:GetModuleHandleA
.text:004012EB mov [ebp+hModule], eax
.text:004012F1 push offset aLoadlibrarya ; "LoadLibraryA"
.text:004012F6 mov eax, [ebp+hModule]
.text:004012FC push eax ; hModule
.text:004012FD call ds:GetProcAddress
.text:00401303 mov [ebp+lpStartAddress], eax
.text:00401309 push 0 ; lpThreadId
.text:0040130B push 0 ; dwCreationFlags
.text:0040130D mov ecx, [ebp+lpBaseAddress]
.text:00401313 push ecx ; lpParameter
.text:00401314 mov edx, [ebp+lpStartAddress]
.text:0040131A push edx ; lpStartAddress
.text:0040131B push 0 ; dwStackSize
.text:0040131D push 0 ; lpThreadAttributes
.text:0040131F mov eax, [ebp+hProcess]
.text:00401325 push eax ; hProcess
.text:00401326 call ds:CreateRemoteThread
Direct Injection
INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.