Process Injection: Внедрение DLL-библиотек
Other sub-techniques of Process Injection (12)
Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.
DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LoadLibrary API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)
Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of LoadLibrary).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)
Another variation of this method, often referred to as Module Stomping/Overloading or DLL Hollowing, may be leveraged to conceal injected code within a process. This method involves loading a legitimate DLL into a remote process then manually overwriting the module's AddressOfEntryPoint before starting a new thread in the target process.(Citation: Module Stomping for Shellcode Injection) This variation allows attackers to hide malicious injected code by potentially backing its execution with a legitimate DLL file on disk.(Citation: Hiding Malicious Code with Module Stomping)
Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.
Примеры процедур |
|
| Название | Описание |
|---|---|
| Bumblebee |
The Bumblebee loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022) |
| Stuxnet |
Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
| Get2 |
Get2 has the ability to inject DLLs into processes.(Citation: Proofpoint TA505 October 2019) |
| Emissary |
Emissary injects its DLL file into a newly spawned Internet Explorer process.(Citation: Lotus Blossom Dec 2015) |
| PS1 |
PS1 can inject its payload DLL Into memory.(Citation: BlackBerry CostaRicto November 2020) |
| PowerSploit |
PowerSploit contains a collection of CodeExecution modules that inject code (DLL, shellcode) into a process.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
| Matryoshka |
Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.(Citation: CopyKittens Nov 2015) |
| Aria-body |
Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.(Citation: CheckPoint Naikon May 2020) |
| Emotet |
Emotet has been observed injecting in to Explorer.exe and other processes. (Citation: Picus Emotet Dec 2018)(Citation: Trend Micro Banking Malware Jan 2019)(Citation: US-CERT Emotet Jul 2018) |
| BADHATCH |
BADHATCH has the ability to execute a malicious DLL by injecting into `explorer.exe` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019) |
| SombRAT |
SombRAT can execute |
| Conti |
Conti has loaded an encrypted DLL into memory and then executes it.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020) |
| Kazuar |
If running in a Windows environment, Kazuar saves a DLL to disk that is injected into |