For my COMP6841 Something Awesome project I chose to do DLL Injection. DLL Injection is exactly what it sounds like – you inject, or insert, a DLL into a process. It can be used for malicious purposes, which was the goal of my project.

Repository

https://github.com/TwelfthGhast/DLL-Injection—IAT

What is a DLL?

“The use of DLLs helps promote modularization of code, code reuse, efficient memory usage, and reduced disk space… A DLL is a library that contains code and data that can be used by more than one program at the same time.” – Microsoft Documentation [1]

Basically you can think of a DLL as a “library” of common functions that multiple programs can use. Much of Windows’ own functionality is exposed this way: the Win32 API is implemented in DLLs such as kernel32.dll and user32.dll, which in turn call down into ntdll.dll, where the actual system-call stubs live.

I implemented a basic example of a program that uses a Windows API: it calls Process32Next() [2] combined with CreateToolhelp32Snapshot() [3] to list all currently running processes…

How do you ‘inject’ DLLs?

There are quite a few different methods of DLL injection, some sneakier than others. [4] I went with the easiest and laziest – VirtualAllocEx() and CreateRemoteThread().

How do you ‘weaponise’ DLLs?

So DLLs are just libraries of functions, right? Simply loading one into memory doesn’t, by itself, do anything… Luckily, when a DLL is loaded the loader calls its DllMain entry point with the DLL_PROCESS_ATTACH reason, which lets you run initialization code. [5] The catch is that DllMain runs while the loader lock is held, so anything in it that loads other DLLs or waits on another thread can deadlock the process.

“The entry-point function should perform only simple initialization or termination tasks.”

I’m not sure where I saw it, but I think I remember that creating threads (for persistence) in DLL_PROCESS_ATTACH was a bad idea – so instead we weaponise through something like IAT hooking.

IAT hooking overwrites the entry for an imported function in the process’s Import Address Table (the table of function pointers the loader fills in when it resolves the executable’s imports) so that it points at our own function, which calls the original and adds some behaviour of its own 🙂 [6]
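How an IAT hook actually finds and patches the slot, as an added example that is not code from the post or its repository. It builds a constructed PE32+ image in memory (so it compiles and runs on any 64-bit host with a POSIX strcasecmp; on MSVC substitute _stricmp), walks the import directory the way a hook walks the real module base, and swaps the slot for a wrapper that calls the original. The names build_image, find_iat_slot, hook_import and the MessageBoxA stand-ins are this example’s own. In the post’s setup, hook_import would be called from DllMain on DLL_PROCESS_ATTACH against the base returned by GetModuleHandle(NULL), with a VirtualProtect around the write.

```c
/* Added example, not the post's code: the mechanics of IAT hooking, run against
 * a constructed in-memory PE32+ image so that it builds and runs on any host.
 * Layout as in a loaded Windows image: DOS header -> e_lfanew -> NT headers ->
 * import data directory -> IMAGE_IMPORT_DESCRIPTOR array. Each descriptor names
 * a DLL and carries two parallel thunk arrays: the name table (OriginalFirstThunk),
 * which says what each entry is, and the IAT (FirstThunk), which the loader fills
 * with resolved addresses and which `call [__imp_Func]` instructions read. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>    /* strcasecmp; use _stricmp on MSVC */

typedef struct { uint32_t OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk; } ImportDescriptor;

/* RVAs inside the constructed image; headers occupy the first 0x100 bytes. */
enum { IMG_SIZE = 0x200, RVA_NT = 0x40, RVA_IMPORT_DIR = 0x100, RVA_NAME_TABLE = 0x140,
       RVA_IAT = 0x160, RVA_DLL_NAME = 0x180, RVA_FUNC_NAME = 0x190 };

static uint8_t image[IMG_SIZE];   /* accessed via memcpy, so alignment never matters */
static void put16(uint32_t rva, uint16_t v) { memcpy(image + rva, &v, 2); }
static void put32(uint32_t rva, uint32_t v) { memcpy(image + rva, &v, 4); }
static void put64(uint32_t rva, uint64_t v) { memcpy(image + rva, &v, 8); }
static uint16_t get16(uint32_t rva) { uint16_t v; memcpy(&v, image + rva, 2); return v; }
static uint32_t get32(uint32_t rva) { uint32_t v; memcpy(&v, image + rva, 4); return v; }
static uint64_t get64(uint32_t rva) { uint64_t v; memcpy(&v, image + rva, 8); return v; }

/* Stand-ins for the imported function and for the hook that wraps it. */
typedef int (*message_box_fn)(const char *);
static int real_message_box(const char *text) { printf("[real] %s\n", text); return 1; }
static message_box_fn original_message_box;          /* saved by hook_import */
static int hook_calls;
static int hooked_message_box(const char *text) {   /* emulate the original, plus our own code */
    hook_calls++;
    return original_message_box(text);
}

/* Constructed data: an image importing exactly one function, user32.dll!MessageBoxA,
 * with the IAT already "resolved" by the loader to real_message_box. */
static void build_image(void) {
    memset(image, 0, IMG_SIZE);
    memcpy(image, "MZ", 2);
    put32(0x3C, RVA_NT);                                  /* IMAGE_DOS_HEADER.e_lfanew */
    memcpy(image + RVA_NT, "PE\0\0", 4);                  /* IMAGE_NT_HEADERS.Signature */
    put16(RVA_NT + 0x18, 0x20B);                          /* OptionalHeader.Magic: PE32+ */
    put32(RVA_NT + 0x18 + 0x78, RVA_IMPORT_DIR);          /* DataDirectory[IMPORT].VirtualAddress */
    put32(RVA_NT + 0x18 + 0x7C, 2 * sizeof(ImportDescriptor));
    ImportDescriptor d = {0};
    d.Name = RVA_DLL_NAME; d.OriginalFirstThunk = RVA_NAME_TABLE; d.FirstThunk = RVA_IAT;
    memcpy(image + RVA_IMPORT_DIR, &d, sizeof d);        /* followed by an all-zero terminator */
    strcpy((char *)image + RVA_DLL_NAME, "USER32.dll");   /* linkers commonly write it in this case */
    put16(RVA_FUNC_NAME, 0);                              /* IMAGE_IMPORT_BY_NAME.Hint */
    strcpy((char *)image + RVA_FUNC_NAME + 2, "MessageBoxA");
    put64(RVA_NAME_TABLE, RVA_FUNC_NAME);                 /* name-table thunk -> hint/name entry */
    put64(RVA_IAT, (uint64_t)(uintptr_t)real_message_box); /* what the loader leaves in the IAT */
}

/* Walk the import directory and return the RVA of the IAT slot for dll!func, or 0
 * if absent. In a live process the same walk runs over GetModuleHandle(NULL). */
static uint32_t find_iat_slot(const char *dll, const char *func) {
    if (memcmp(image, "MZ", 2) != 0) return 0;
    uint32_t nt = get32(0x3C);
    if (memcmp(image + nt, "PE\0\0", 4) != 0 || get16(nt + 0x18) != 0x20B) return 0; /* PE32: dir at +0x68 */
    uint32_t import_dir = get32(nt + 0x18 + 0x78);
    if (!import_dir) return 0;
    for (uint32_t rva = import_dir;; rva += sizeof(ImportDescriptor)) {
        ImportDescriptor d;
        memcpy(&d, image + rva, sizeof d);
        if (!d.Name) break;                                /* zero descriptor terminates the list */
        if (strcasecmp((const char *)image + d.Name, dll) != 0) continue;
        for (uint32_t i = 0;; i++) {                       /* name table and IAT run in lock-step */
            uint64_t name_thunk = get64(d.OriginalFirstThunk + 8 * i);
            if (!name_thunk) break;
            if (name_thunk >> 63) continue;                /* IMAGE_ORDINAL_FLAG64: no name to match */
            if (strcmp((const char *)image + (uint32_t)name_thunk + 2, func) == 0)
                return d.FirstThunk + 8 * i;
        }
    }
    return 0;
}

/* Install the hook: remember what the slot held so the hook can call through, then
 * overwrite it. In a real process the IAT page is read-only, so VirtualProtect
 * (slot, 8, PAGE_READWRITE, &old) goes before the write. */
static int hook_import(const char *dll, const char *func, uintptr_t replacement, uintptr_t *saved) {
    uint32_t slot = find_iat_slot(dll, func);
    if (!slot) return 0;
    *saved = (uintptr_t)get64(slot);
    put64(slot, (uint64_t)replacement);
    return 1;
}

/* The victim side: an indirect call through the IAT slot, as `call [__imp_MessageBoxA]` does. */
static int call_through_iat(const char *text) {
    uint32_t slot = find_iat_slot("user32.dll", "MessageBoxA");
    if (!slot) return -1;
    return ((message_box_fn)(uintptr_t)get64(slot))(text);
}

/* One call before hooking, one after; returns how many calls the hook saw. */
static int demo(void) {
    build_image();
    hook_calls = 0;
    call_through_iat("before hook");
    uintptr_t saved;
    if (!hook_import("user32.dll", "MessageBoxA", (uintptr_t)hooked_message_box, &saved)) return -1;
    original_message_box = (message_box_fn)saved;
    call_through_iat("after hook");
    return hook_calls;
}

int main(void) { printf("hook observed %d call(s)\n", demo()); return 0; }
```

Because the lookup reads the name table rather than the IAT, the walk still works after the slot has been patched, which is what lets a hook be found again and removed. The limitation to keep in mind is scope: an IAT hook only catches calls that go through this module’s import table; a call resolved at runtime with GetProcAddress, or made from another DLL’s own imports, never touches the patched slot.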

What did I learn? 

  • Had minimal experience with C++ before this – surprisingly it was quite similar to Python once I figured out that their strings are classes.
  • Also, why does Windows even use wide strings? Conversions between char and wchar_t and all their variations are very painful.
  • I hate socket programming (in C++) and ended up giving up on implementing sending binary files across sockets in C++. 

Appendices

[1] https://support.microsoft.com/en-us/help/815065/what-is-a-dll

[2] https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-process32next

[3] https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot

[4] https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

[5] https://docs.microsoft.com/en-us/windows/win32/dlls/dllmain

[6] https://f3real.github.io/iat_hooking.html