DLL injection
From Wikipedia, the free encyclopedia
In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]
Approaches on Microsoft Windows
There are at least four ways to force a program to load a DLL on Microsoft Windows:
- DLLs listed under the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLswill be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[7][8][9][5] - Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[10][11][12][13][6][5]
- A handle to the target process is obtained, this can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable's filename.[18]
- Some memory is allocated in the target process,[19] and the name of the DLL to be injected is written to it.[20][10]
- This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
- A new thread is created in the target process,[22] with the thread's start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[23][10]
- Instead of writing the name of a DLL to load to the target and starting the new thread at LoadLibrary, one can of course also write the code to be executed itself to the target and start the thread at that code.[6]
- The operating system will now call DllMain in the injected DLL.[24][10]
- Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
- Windows hooking calls such as SetWindowsHookEx.[25][26][27][6][2][5]
- Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, that in turn could load a DLL.[28][29][4]
[edit] Approaches on Unix-like systems
On Unix-like operating systems with the dynamic linker based on ld.so (on BSD) and ld-linux.so on (Linux), arbitrary libraries can be linked to a new process by giving the library's pathname in the LD PRELOAD environment variable, that can be set globally or individually for a single process.[30]
For example, this command launches the command "prog --help" with the shared library from file "test.so" linked into it at the launchtime:
LD_PRELOAD="./test.so" prog --help
Such a library can be created with GCC by compiling the source file containing the new globals to be linked, with the -fpic or -fPIC option,[31] and linking with the -shared option.[32] The library has access to external symbols declared in the program like any other library.
'Hacking' 카테고리의 다른 글
| Staring Into The Abyss, A Bit Before Cansec (0) | 2009.03.10 |
|---|---|
| Apple Airport Extreme / Time Capsule Multiple Vulnerabilities (0) | 2009.03.07 |
| DLL Injection (0) | 2009.03.04 |
| MS IE Internet Explorer Two Code Execution Vulnerabilities (0) | 2009.02.11 |
| Technical Server Problem in Soldier Front By Mitch1490 (0) | 2009.02.10 |
