Category:Digital-Forensics/Computer-Forensics/Process-Injection

From aldeid

DLL Injection

Description

Pseudo-code explaining DLL Injection (each line is one API call the analyst should expect to see, in this order):

hVictimProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, victimProcessID);                  // 1. open a handle to the victim process
pNameInVictimProcess = VirtualAllocEx(hVictimProcess,...,sizeof(maliciousLibraryName),...,...);   // 2. reserve a buffer inside the victim
WriteProcessMemory(hVictimProcess,...,maliciousLibraryName, sizeof(maliciousLibraryName),...);   // 3. copy the DLL path into that buffer
hKernel32 = GetModuleHandle("Kernel32.dll");                                           // 4. kernel32 is loaded at the same base in every process...
LoadLibraryAddress = GetProcAddress(hKernel32,"LoadLibraryA");                         //    ...so the local address of LoadLibraryA is valid in the victim
CreateRemoteThread(hVictimProcess,...,...,LoadLibraryAddress,pNameInVictimProcess,...,...);   // 5. a remote thread calls LoadLibraryA(DLL path)

Once you have identified that you are dealing with process injection, the objective is to determine which code is being injected (here, the DLL path written into the victim) and into which process (the PID passed to OpenProcess).

Example

.text:00401251                 mov     ecx, [ebp+eax*4+dwProcessId]
.text:00401258                 push    ecx             ; dwProcessId
.text:00401259                 push    0               ; bInheritHandle
.text:0040125B                 push    43Ah            ; dwDesiredAccess
.text:00401260                 call    ds:OpenProcess
.text:00401266                 mov     [ebp+hProcess], eax
.text:0040126C                 cmp     [ebp+hProcess], 0FFFFFFFFh
.text:00401273                 jnz     short loc_40127D
.text:00401275                 or      eax, 0FFFFFFFFh
.text:00401278                 jmp     loc_401342
.text:0040127D ; ---------------------------------------------------------------------------
.text:0040127D
.text:0040127D loc_40127D:                             ; CODE XREF: _main+1A3↑j
.text:0040127D                 mov     [ebp+var_112C], 7D0h
.text:00401287
.text:00401287 loc_401287:                             ; CODE XREF: _main+179↑j
.text:00401287                 jmp     loc_4011EB
.text:0040128C ; ---------------------------------------------------------------------------
.text:0040128C
.text:0040128C loc_40128C:                             ; CODE XREF: _main+136↑j
.text:0040128C                 push    4               ; flProtect
.text:0040128E                 push    3000h           ; flAllocationType
.text:00401293                 push    104h            ; dwSize
.text:00401298                 push    0               ; lpAddress
.text:0040129A                 mov     edx, [ebp+hProcess]
.text:004012A0                 push    edx             ; hProcess
.text:004012A1                 call    ds:VirtualAllocEx
.text:004012A7                 mov     [ebp+lpBaseAddress], eax
.text:004012AD                 cmp     [ebp+lpBaseAddress], 0
.text:004012B4                 jnz     short loc_4012BE
.text:004012B6                 or      eax, 0FFFFFFFFh
.text:004012B9                 jmp     loc_401342
.text:004012BE ; ---------------------------------------------------------------------------
.text:004012BE
.text:004012BE loc_4012BE:                             ; CODE XREF: _main+1E4↑j
.text:004012BE                 push    0               ; lpNumberOfBytesWritten
.text:004012C0                 push    104h            ; nSize
.text:004012C5                 lea     eax, [ebp+Buffer]
.text:004012CB                 push    eax             ; lpBuffer
.text:004012CC                 mov     ecx, [ebp+lpBaseAddress]
.text:004012D2                 push    ecx             ; lpBaseAddress
.text:004012D3                 mov     edx, [ebp+hProcess]
.text:004012D9                 push    edx             ; hProcess
.text:004012DA                 call    ds:WriteProcessMemory
.text:004012E0                 push    offset ModuleName ; "kernel32.dll"
.text:004012E5                 call    ds:GetModuleHandleA
.text:004012EB                 mov     [ebp+hModule], eax
.text:004012F1                 push    offset aLoadlibrarya ; "LoadLibraryA"
.text:004012F6                 mov     eax, [ebp+hModule]
.text:004012FC                 push    eax             ; hModule
.text:004012FD                 call    ds:GetProcAddress
.text:00401303                 mov     [ebp+lpStartAddress], eax
.text:00401309                 push    0               ; lpThreadId
.text:0040130B                 push    0               ; dwCreationFlags
.text:0040130D                 mov     ecx, [ebp+lpBaseAddress]
.text:00401313                 push    ecx             ; lpParameter
.text:00401314                 mov     edx, [ebp+lpStartAddress]
.text:0040131A                 push    edx             ; lpStartAddress
.text:0040131B                 push    0               ; dwStackSize
.text:0040131D                 push    0               ; lpThreadAttributes
.text:0040131F                 mov     eax, [ebp+hProcess]
.text:00401325                 push    eax             ; hProcess
.text:00401326                 call    ds:CreateRemoteThread
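The following is an added triage helper, not part of the aldeid page, that applies the objective stated above to a listing like the one just shown. It parses IDA output, checks that the OpenProcess, VirtualAllocEx, WriteProcessMemory, GetProcAddress and CreateRemoteThread calls appear in that order, decodes the 43Ah access mask (create thread, VM operation, VM read/write, query information), the 3000h allocation type, the flProtect value 4 and the 104h (260 = MAX_PATH) size, and follows the mov/lea dataflow so that the remote thread's entry point and parameter are reported as the results of GetProcAddress and VirtualAllocEx rather than as register names. LISTING is trimmed from the page's example; the function names, the dataflow map and the "<API return>" notation are this example's own assumptions.

```python
"""Triage helper: recognise the LoadLibrary-based DLL injection chain in an
IDA listing and pull out what the analyst needs.  Added example for this page,
not aldeid's code; assumes IDA's default ".text:ADDR  mnemonic  ops ; comment"
layout and stdcall argument passing.  LISTING is trimmed from the page."""
import json
import re

PROCESS_RIGHTS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROTECT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
INJECTION_CHAIN = ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "GetProcAddress", "CreateRemoteThread"]
LINE_RE = re.compile(r"^\.text:[0-9A-Fa-f]+\s+(\w+)\s*(.*?)\s*(?:;\s*(.*))?$")


def imm(op):
    """IDA immediates: '43Ah' -> 0x43A, '0FFFFFFFFh' -> 0xFFFFFFFF, '4' -> 4, else None."""
    if re.fullmatch(r"[0-9A-Fa-f]+h", op):
        return int(op[:-1], 16)
    return int(op) if op.isdigit() else None


def parse_calls(listing):
    """Return [(api, [(param name, resolved operand, immediate), ...]), ...].

    A small dataflow map (env) follows mov/lea and call return values so that
    `push edx ; hProcess` is reported as '<OpenProcess return>', not 'edx'."""
    calls, pending, env = [], [], {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # separators, labels, blank lines
        mnem, ops, comment = m.group(1), m.group(2), m.group(3) or ""
        if mnem in ("mov", "lea"):
            dst, src = (s.strip() for s in ops.split(",", 1))
            env[dst] = env.get(src, src)
        elif mnem == "push":               # IDA names the parameter in the comment
            pending.append((comment or ops, env.get(ops, ops), imm(ops)))
        elif mnem == "call" and ops.startswith("ds:"):
            api = ops[3:]
            calls.append((api, pending[::-1]))   # stdcall pushes right-to-left
            pending = []
            for reg in ("ecx", "edx"):           # volatile across the call
                env.pop(reg, None)
            env["eax"] = f"<{api} return>"
    return calls


def decode(value, table):
    """Expand a bit mask into symbolic names; leftover bits are kept as hex."""
    names = [n for bit, n in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    return names + ([f"0x{rest:X}"] if rest else [])


def analyse(listing):
    """Summarise the injection-relevant facts found in the listing."""
    calls = parse_calls(listing)
    apis = [api for api, _ in calls]
    args = {api: {a[0]: a for a in arglist} for api, arglist in calls}
    it = iter(apis)   # subsequence test: the chain must appear in this order
    report = {"apis": apis, "injection_chain": all(a in it for a in INJECTION_CHAIN)}
    if "OpenProcess" in args:
        report["victim_rights"] = decode(args["OpenProcess"]["dwDesiredAccess"][2], PROCESS_RIGHTS)
    if "VirtualAllocEx" in args:
        va = args["VirtualAllocEx"]
        report["allocation"] = {"size": va["dwSize"][2],
                                "type": decode(va["flAllocationType"][2], MEM_FLAGS),
                                "protect": PAGE_PROTECT.get(va["flProtect"][2])}
    if "GetProcAddress" in args:   # quoted parameter names are string literals IDA recovered
        report["resolved_export"] = [n.strip('"') for n in args["GetProcAddress"] if n.startswith('"')]
    if "CreateRemoteThread" in args:
        crt = args["CreateRemoteThread"]
        report["thread"] = {k: crt[k][1] for k in ("hProcess", "lpStartAddress", "lpParameter")}
    return report


LISTING = """\
.text:0040125B                 push    43Ah            ; dwDesiredAccess
.text:00401260                 call    ds:OpenProcess
.text:00401266                 mov     [ebp+hProcess], eax
.text:0040128C                 push    4               ; flProtect
.text:0040128E                 push    3000h           ; flAllocationType
.text:00401293                 push    104h            ; dwSize
.text:00401298                 push    0               ; lpAddress
.text:0040129A                 mov     edx, [ebp+hProcess]
.text:004012A0                 push    edx             ; hProcess
.text:004012A1                 call    ds:VirtualAllocEx
.text:004012A7                 mov     [ebp+lpBaseAddress], eax
.text:004012DA                 call    ds:WriteProcessMemory
.text:004012E0                 push    offset ModuleName ; "kernel32.dll"
.text:004012E5                 call    ds:GetModuleHandleA
.text:004012F1                 push    offset aLoadlibrarya ; "LoadLibraryA"
.text:004012FC                 push    eax             ; hModule
.text:004012FD                 call    ds:GetProcAddress
.text:00401303                 mov     [ebp+lpStartAddress], eax
.text:0040130D                 mov     ecx, [ebp+lpBaseAddress]
.text:00401313                 push    ecx             ; lpParameter
.text:00401314                 mov     edx, [ebp+lpStartAddress]
.text:0040131A                 push    edx             ; lpStartAddress
.text:0040131F                 mov     eax, [ebp+hProcess]
.text:00401325                 push    eax             ; hProcess
.text:00401326                 call    ds:CreateRemoteThread
"""

if __name__ == "__main__":
    print(json.dumps(analyse(LISTING), indent=2))
```

Running it on the trimmed listing reports the full chain in order, an OpenProcess mask that is exactly the rights injection needs (no PROCESS_ALL_ACCESS, which is a common but not universal tell), a 260-byte MEM_COMMIT|MEM_RESERVE read/write buffer sized for a path, LoadLibraryA as the resolved export, and a remote thread whose start address is the GetProcAddress result and whose parameter is the VirtualAllocEx buffer. The same approach extends to other injection variants by changing INJECTION_CHAIN; an executable flProtect (PAGE_EXECUTE_READWRITE) with a thread starting at the allocated buffer itself would indicate shellcode rather than DLL injection.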

Direct Injection

INCOMPLETE SECTION OR ARTICLE
This section/article is being written and is therefore not complete.
Thank you for your comprehension.
