  1. DLL Injection CONTACT@ADAMFURMANEK.PL HTTP://BLOG.ADAMFURMANEK.PL FURMANEKADAM 1 18.07.2020 DLL INJECTION - ADAM FURMANEK

  2. About me
  Experienced with backend, frontend, mobile, desktop, ML, databases. Blogger, public speaker. Author of .NET Internals Cookbook.
  http://blog.adamfurmanek.pl, contact@adamfurmanek.pl, furmanekadam

  3. Agenda
  ◦ What and why
  ◦ Preliminaries
  ◦ How + Demos
  ◦ Summary

  4. What and why

  5. What we are going to do
  1 – inject DLL (our process into the target)
  2 – execute code (our DLL inside the target)
  Diagram parts: Our process, Target, Our DLL

  6. What we are going to do
  We want to execute our code in a different (target) process. This means:
  ◦ Our code should be able to access the target process' descriptors (memory, security tokens etc.)
  ◦ Our code should be able to create, modify, and remove handles, pointers, and resources in the target process
  ◦ In other words, our code should pretend to be a normal part of the target process
  We want to do it by injecting a DLL
  We are not modifying the target process' source code (especially, we are not recompiling the target)
  We control the machine (however, we might not be administrators)
  We want the whole process to be clean, safe, and reliable

  7. Demos: real-life usages

  8. Preliminaries

  9. Virtual Address Space
  Every process has its own address space.

  10. Memory Page Table
  Every memory address is translated by the CPU. Every process has its own memory page table.

  11. Translation

  12. How many threads does a notepad have?

  13. DLLs
  Cornerstone of Microsoft Windows
  All functions in the API are contained in DLLs
  Three most important:
  ◦ Kernel32.dll – managing memory, processes, and threads
  ◦ User32.dll – user-interface tasks (window creation, message sending etc.)
  ◦ GDI32.dll – drawing graphical images and displaying text
  How many DLLs does notepad have?

  14. DLLs and a Process' Address Space
  Before an application can call functions in a DLL, the DLL's file image must be mapped into the calling process' address space
  Two methods:
  ◦ Implicit load-time linking
  ◦ Explicit run-time linking
  Once an image is mapped into the address space, it is in fact no longer a separate library:
  ◦ A call to a DLL function uses the calling thread's stack
  ◦ Objects created by code in the DLL's functions are owned by the calling thread
  ◦ The DLL's global and static variables are created in the process' address space

  15. Linking
  Implicit loading:
  ◦ When the application's source code references symbols contained in the DLL
  ◦ The loader implicitly loads and links the required library during startup
  Explicit loading:
  ◦ The application can load a library at runtime
  ◦ Requires a call to LoadLibrary or LoadLibraryEx
  ◦ Flexible – allows loading a library as a data file or changing the search path

  16. Search order (can be changed!)
  1. The directory containing the executable image file
  2. The Windows system directory returned by the GetWindowsDirectory function
  3. The 16-bit system directory (System subfolder under the Windows directory)
  4. The Windows directory returned by GetSystemDirectory
  5. The process' current directory
  6. The directories listed in the PATH environment variable
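
  The order above decides which copy of a DLL wins when several exist, which is why a user-writable directory that precedes the real copy is a hijacking risk worth auditing. The Python below is an added illustration, not the speaker's code: it models the six-step default order from this slide over a constructed in-memory directory map and reports where the loader would take a name from, which copies are shadowed, and a verdict for each import. `SAMPLE_FS`, `search_order`, `resolve`, `shadowed_copies`, `classify` and the directory and file names are all invented here.

```python
"""Model of the default DLL search order from the slide, run over a
constructed in-memory directory map so it works offline on any OS.
Added illustration; the directories and file names are made up."""
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample "filesystem": directory -> names of the files it contains.
SAMPLE_FS: Dict[str, Set[str]] = {
    r"C:\Apps\Editor": {"editor.exe", "report.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll", "report.dll"},
    r"C:\Windows\System": set(),
    r"C:\Windows": set(),
    r"C:\Users\alice\Downloads": {"crypto.dll", "invoice.docx"},
    r"C:\Tools": {"tool.exe"},
}

SYSTEM_LABELS = {"system directory", "16-bit system directory", "Windows directory"}


def search_order(exe_dir: str, system_dir: str, system16_dir: str, windows_dir: str,
                 cwd: str, path_dirs: List[str]) -> List[Tuple[str, str]]:
    """The six steps of the slide, as (label, directory) pairs in lookup order."""
    order = [
        ("executable directory", exe_dir),
        ("system directory", system_dir),
        ("16-bit system directory", system16_dir),
        ("Windows directory", windows_dir),
        ("current directory", cwd),
    ]
    order += [("PATH entry", d) for d in path_dirs]
    return order


# Default order for the sample machine: the editor is started while the user's
# Downloads folder is the current directory, with C:\Tools on PATH.
DEFAULT_ORDER = search_order(r"C:\Apps\Editor", r"C:\Windows\System32",
                             r"C:\Windows\System", r"C:\Windows",
                             r"C:\Users\alice\Downloads", [r"C:\Tools"])


def _contains(fs: Dict[str, Set[str]], directory: str, name: str) -> bool:
    # Windows file names are case-insensitive.
    return name.lower() in {f.lower() for f in fs.get(directory, set())}


def _all_hits(name: str, order, fs) -> List[Tuple[str, str]]:
    return [(label, d) for label, d in order if _contains(fs, d, name)]


def resolve(dll_name: str, order=DEFAULT_ORDER, fs=SAMPLE_FS) -> Optional[Tuple[str, str]]:
    """Where the loader would take dll_name from: the first directory holding it."""
    hits = _all_hits(dll_name, order, fs)
    return hits[0] if hits else None


def shadowed_copies(dll_name: str, order=DEFAULT_ORDER, fs=SAMPLE_FS) -> List[Tuple[str, str]]:
    """Copies that exist on disk but are never loaded because an earlier directory wins."""
    return _all_hits(dll_name, order, fs)[1:]


def classify(dll_name: str, order=DEFAULT_ORDER, fs=SAMPLE_FS) -> str:
    """Audit verdict for one import name."""
    hit = resolve(dll_name, order, fs)
    if hit is None:
        return "missing"
    label = hit[0]
    if label in SYSTEM_LABELS:
        return "system"
    if label == "executable directory":
        return "application"
    # Satisfied from the current directory or PATH: a location the user,
    # not the installer, controls.
    return "current-directory-or-path"


if __name__ == "__main__":
    for name in ("kernel32.dll", "report.dll", "crypto.dll", "missing.dll"):
        print(f"{name:14} {classify(name):26} {resolve(name)}  shadowed={shadowed_copies(name)}")
```

  The order is only the default, as the slide's "can be changed!" warns: SetDllDirectory, the LoadLibraryEx search flags and the SafeDllSearchMode registry value all alter it, and names listed under KnownDLLs are mapped from the system copy without walking the search order at all. For an audit the interesting verdict is `current-directory-or-path`: an import that ships neither with the application nor in the system directories and is satisfied from a location the user controls.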

  17. Rebasing Modules
  Every executable and DLL module has a preferred base address
  This address identifies the ideal memory address where the module should get mapped into a process' address space.
  ◦ Executable has address 0x00400000
  ◦ DLL has address 0x10000000
  Why is this so important?

  18. Rebasing Modules
  A DLL can have a relocation section
  ◦ It contains a list of byte offsets
  ◦ Each byte offset identifies a memory address used by a machine code instruction
  When a DLL cannot be loaded at its preferred address, the loader can use the relocation section to adjust those addresses
  We can do it ahead of time using the Rebase + Bind utilities

  19. Address Space Layout Randomization
  Security technique involved in protection from buffer overflow attacks
  ASLR randomly arranges the address space positions of key data areas of a process:
  ◦ Position of stack
  ◦ Position of heap
  ◦ Positions of libraries
  ◦ Base of the executable
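
  Slides 17 to 19 hinge on three facts recorded in a module's PE header: its preferred ImageBase, whether it can be relocated at all (a base-relocation directory is present and the relocations-stripped flag is clear), and whether it opts into ASLR through the DYNAMIC_BASE flag. The Python below is an added example, not code from the talk: `parse_image` reads those fields from PE32 and PE32+ headers, and `build_sample_image` constructs header-only images inline so the check runs offline. The `ImageInfo` class and both function names are introduced here; the constants are the documented Win32 values.

```python
"""Read preferred base, relocation and ASLR flags from a PE header.
Added example; the sample images are constructed, header-only, and carry no code."""
import struct
from dataclasses import dataclass

IMAGE_FILE_RELOCS_STRIPPED = 0x0001          # COFF Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020   # Optional header DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5          # index into the data directory


@dataclass
class ImageInfo:
    is_dll: bool
    is_64bit: bool
    image_base: int
    dynamic_base: bool
    high_entropy_va: bool
    relocs_stripped: bool
    reloc_dir_size: int

    @property
    def can_be_relocated(self) -> bool:
        # The loader can only move an image that still has its relocation data.
        return not self.relocs_stripped and self.reloc_dir_size > 0

    @property
    def aslr_effective(self) -> bool:
        # Opting in without relocation data leaves the module at its preferred base.
        return self.dynamic_base and self.can_be_relocated


def parse_image(data: bytes) -> ImageInfo:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, _nsec, _ts, _symtab, _nsyms, _opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20                                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                               # PE32+: 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        nrva_off, dd_off, is_64 = opt + 108, opt + 112, True
    elif magic == 0x10B:                             # PE32: 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        nrva_off, dd_off, is_64 = opt + 92, opt + 96, False
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, nrva_off)[0]
    reloc_size = 0
    if nrva > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _rva, reloc_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return ImageInfo(
        is_dll=bool(characteristics & IMAGE_FILE_DLL),
        is_64bit=is_64,
        image_base=image_base,
        dynamic_base=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        high_entropy_va=bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        relocs_stripped=bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        reloc_dir_size=reloc_size,
    )


def build_sample_image(*, is_dll: bool, image_base: int, dynamic_base: bool, reloc_size: int,
                       relocs_stripped: bool = False, pe32plus: bool = True) -> bytes:
    """Constructed header-only image (no sections, no code): just enough for parse_image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header right after the DOS header
    characteristics = IMAGE_FILE_EXECUTABLE_IMAGE
    if is_dll:
        characteristics |= IMAGE_FILE_DLL
    if relocs_stripped:
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    dll_chars = (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA) if dynamic_base else 0
    if pe32plus:
        struct.pack_into("<H", opt, 0, 0x20B)
        struct.pack_into("<Q", opt, 24, image_base)
        nrva_off, dd_off = 108, 112
    else:
        struct.pack_into("<H", opt, 0, 0x10B)
        struct.pack_into("<I", opt, 28, image_base)
        nrva_off, dd_off = 92, 96
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, nrva_off, 16)        # all 16 data directories present
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC,
                     0x3000 if reloc_size else 0, reloc_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for label, img in (("dll", build_sample_image(is_dll=True, image_base=0x10000000, dynamic_base=True, reloc_size=0x40)),
                       ("exe", build_sample_image(is_dll=False, image_base=0x00400000, dynamic_base=False, reloc_size=0, pe32plus=False))):
        print(label, parse_image(img))
```

  The combination worth flagging in an audit of a process's third-party modules is DYNAMIC_BASE set with no relocation data, or relocations stripped outright: `aslr_effective` reports False for it, because such a module lands at its preferred base whatever the system-wide ASLR policy says, which is the predictable address that ASLR on slide 19 exists to remove. Real files are checked by passing their bytes, for example `parse_image(open(path, "rb").read())`.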

  20. Entry-Point function
  A DLL can have a single entry-point function
  The system calls this function at various times
  These calls are informational – the DLL is notified when it is attached to or detached from a process or thread

    CRITICAL_SECTION g_csGlobal;   // initialized elsewhere in the DLL

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        switch (fdwReason)
        {
        case DLL_THREAD_DETACH:
            EnterCriticalSection(&g_csGlobal);   // runs while the loader holds its lock
            break;
        }
        return TRUE;   // a FALSE return from DLL_PROCESS_ATTACH fails the load
    }

  21. Loader Lock
  Windows holds a loader lock during DLL initialization
  This is required to block other threads from calling the DLL's functions before the library is initialized
  This often causes deadlock

    CRITICAL_SECTION g_csGlobal;   // initialized elsewhere in the DLL

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        switch (fdwReason)
        {
        case DLL_THREAD_DETACH:
            EnterCriticalSection(&g_csGlobal);   // BAD IDEA! blocking here while the loader lock is held can deadlock
            break;
        }
        return TRUE;
    }

  22. Demos: registry, hooks, remote threads

  23. Loading DLL on demand

  24. Using the Registry

  25. Using the Registry
  1 – process starts
  2 – process loads user32.dll
  3 – user32.dll loads our DLL
  Diagram parts: Target, User32.dll, Our DLL (on disk)
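
  The sequence on this slide, user32.dll pulling an extra DLL into every process that loads it, is assumed here to be the AppInit_DLLs mechanism, configured under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. The Python below is an added defender-side check, not code from the talk: it parses the text that `reg export` writes for that key and reports whether AppInit loading is enabled, whether unsigned DLLs are allowed, and which paths are listed. The export in `SAMPLE_EXPORT` is constructed inline rather than captured from a machine, and `parse_reg_export`, `audit_appinit` and the status strings are names introduced here.

```python
"""Audit AppInit_DLLs settings from a `reg export` text dump.
Added defender-side check; the export below is constructed, not captured."""
import re
from typing import Dict, List, Tuple, Union

RegValue = Union[str, int]

# Both views matter on 64-bit Windows: the native key and the Wow6432Node key for 32-bit processes.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed sample in the format `reg export` writes (real exports are UTF-16 with a BOM).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\hook.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""


def _unescape(s: str) -> str:
    # .reg string values escape backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, RegValue]]:
    """Minimal .reg parser: key path -> {value name: value}.
    Handles quoted strings and dword values; other types (hex:, hex(7): ...) are skipped."""
    result: Dict[str, Dict[str, RegValue]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "" if name == "@" else name.strip().strip('"')   # "@" is the key's default value
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            result[current][name] = _unescape(value[1:-1])
        elif value.lower().startswith("dword:"):
            result[current][name] = int(value[6:], 16)
    return result


def audit_appinit(reg: Dict[str, Dict[str, RegValue]]) -> List[Tuple[str, str, List[str]]]:
    """One (key, status, dll paths) finding per AppInit key present in the dump."""
    findings = []
    for key in APPINIT_KEYS:
        values = reg.get(key)
        if values is None:
            continue
        raw = str(values.get("AppInit_DLLs", ""))
        # The value is a space-, comma- or semicolon-separated list of paths.
        dlls = [d for d in re.split(r"[ ,;]+", raw) if d]
        load_enabled = int(values.get("LoadAppInit_DLLs", 0)) == 1
        signed_only = int(values.get("RequireSignedAppInit_DLLs", 0)) == 1
        if not dlls:
            status = "clean"
        elif not load_enabled:
            status = "configured-but-disabled"
        elif signed_only:
            status = "active-signed-only"
        else:
            status = "active-unsigned-allowed"
        findings.append((key, status, dlls))
    return findings


if __name__ == "__main__":
    for key, status, dlls in audit_appinit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{status:24} {key}  {dlls}")
```

  Feed it the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg` (read the file as UTF-16). Two caveats: the native and Wow6432Node keys are independent, so both are checked; and on Windows 8 and later with Secure Boot enabled, AppInit_DLLs are not loaded at all, so a finding there describes leftover configuration rather than an active load path.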

  26. Using Windows Hooks

  27. Using Windows Hooks
  1 – process starts
  2 – we press some key
  3 – Windows loads our DLL and executes the hook function
  Diagram parts: Target, Our DLL (on disk)

  28. Using Remote Threads

  29. Using Remote Threads
  1 – target starts
  2 – our process starts
  3 – our process allocates memory in target
  4 – our process writes memory in target (the DLL path, C:\...)
  5 – our process creates thread in target
  6 – thread loads our DLL
  Diagram parts: Target, Our process, Our DLL (on disk)

  30. Injecting Managed DLL

  31. Injecting Managed DLL
  1 – target starts
  2 – our process starts
  3 – our process allocates memory in target
  4 – our process writes memory in target (the DLL path, C:\...)
  5 – our process creates thread in target
  6 – thread loads our DLL
  7 – our process creates another thread to run a function inside the native DLL
  8 – our function loads and starts .NET
  Diagram parts: Target, Our process, Native DLL (on disk), Managed DLL

  32. Other methods
  ◦ Trojan library – just replace the library on the drive with a custom one having the same methods
  ◦ Injecting using debugger – attach a debugger and explicitly load the library
  ◦ Injecting into child – when starting a process, inject the library
  ◦ Injecting using Asynchronous Procedure Call (APC) – send some code to load the library
  ◦ LD_PRELOAD – Linux equivalent of registry injection on Windows
  ◦ DOTNET_STARTUP_HOOKS environment variable – for .NET Core
  ◦ ptrace – can be used to implement a CreateRemoteThread equivalent on Linux
  ◦ Replacing classes in jars – to inject code into a Java process

  33. Q&A

  34. References
  Jeffrey Richter – "CLR via C#"
  Jeffrey Richter, Christophe Nasarre – "Windows via C/C++"
  Mark Russinovich, David A. Solomon, Alex Ionescu – "Windows Internals"
  Penny Orwick – "Developing Drivers with the Microsoft Windows Driver Foundation"
  Mario Hewardt, Daniel Pravat – "Advanced Windows Debugging"
  Mario Hewardt – "Advanced .NET Debugging"
  Steven Pratschner – "Customizing the Microsoft .NET Framework Common Language Runtime"
  Serge Lidin – "Expert .NET 2.0 IL Assembler"
  Joel Pobar, Ted Neward – "Shared Source CLI 2.0 Internals"
  Adam Furmanek – ".NET Internals Cookbook"
  "Book of the Runtime" – https://github.com/dotnet/coreclr/blob/master/Documentation/botr/README.md
  Raymond Chen – "The Old New Thing" – https://blogs.msdn.microsoft.com/oldnewthing/

  35. Bonus

  36. Thanks! contact@adamfurmanek.pl, http://blog.adamfurmanek.pl, furmanekadam
