KInject

From aldeid

Description

kInject injects an arbitrary DLL into an arbitrary process, using the classic CreateRemoteThread/LoadLibraryA technique (see the Explanation section below). For more information about injecting DLLs, please refer to this page.

Installation

Usage

Syntax

kInject.exe [process path/Pid] [dll path] [--create / --runtime] [--resolve] [--force]

Options

--create
create a new process from the given executable path, then inject into it
--runtime
inject into an already running process (identified by PID, or by name with --resolve)
--resolve
look up the process id from the executable name instead of taking a PID
--force
enable SeDebugPrivilege in the injector before opening the target, so that processes the caller could not otherwise open can be targeted

Example

Proof of Concept

In this example, we inject kntillusion.dll into notepad.exe, letting kInject create the target process itself:

C:\malware>kinject.exe notepad.exe kntillusion.dll --create
 ** Running kInject v1.0 by Kdm ([email protected]) **

Creating process notepad.exe... OK.
Injecting DLL kntillusion.dll... OK

As a result of the above command, notepad has been started and ListDLLs (Sysinternals), filtered with -d on the DLL name, confirms that the DLL has been loaded into the process:

C:\malware>listdlls.exe -d kntillusion.dll

ListDLLs v2.25 - DLL lister for Win9x/NT
Copyright (C) 1997-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

------------------------------------------------------------------------------
notepad.exe pid: 1780
Command line: notepad.exe

  Base        Size      Version         Path
  0x10000000  0x10000                   C:\malware\kntillusion.dll
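The same check can be done without ListDLLs. The following PowerShell function is an added example (not part of the original page or of kInject): it walks the loaded modules of every process with the given name, flags those whose file lives outside the Windows and Program Files trees, and reports their Authenticode status. The process name, the choice of trusted roots and the output columns are assumptions; a 64-bit PowerShell only sees the modules of 64-bit targets, and vice versa.

```powershell
# Added example: PowerShell counterpart to "listdlls.exe -d <dll>".
# Assumption: modules loaded from outside these roots deserve a look.
function Find-UnexpectedModules {
    param([Parameter(Mandatory)][string]$ProcessName)

    $trustedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($p in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($m in $p.Modules) {
            $path = $m.FileName
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }
            if (-not $inTrusted) {
                # Same columns ListDLLs prints, plus the signature verdict
                [pscustomobject]@{
                    Pid       = $p.Id
                    Process   = $p.ProcessName
                    Base      = ('0x{0:X8}' -f $m.BaseAddress.ToInt64())
                    Size      = ('0x{0:X}'  -f $m.ModuleMemorySize)
                    Module    = $path
                    Signature = (Get-AuthenticodeSignature -FilePath $path).Status
                }
            }
        }
    }
}

# After the kInject run above, this lists C:\malware\kntillusion.dll (unsigned)
Find-UnexpectedModules -ProcessName notepad | Format-Table -AutoSize
```

An unsigned module mapped from a user-writable directory such as C:\malware is exactly what the ListDLLs output above shows; on a clean notepad.exe the function returns nothing.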

Explanation

Let's open kinject.exe in OllyDbg to see what happens:

Kinject-ollydbg-001.png

Let's locate in the disassembly the steps of the CreateRemoteThread injection technique:

Kinject-ollydbg-002.png

Kinject-ollydbg-003.png

  1. The victim process is opened by calling OpenProcess at address 0x401A95.
  2. Memory is allocated in the victim process by calling VirtualAllocEx at address 0x4014C1.
  3. The name of the DLL to inject is written into that buffer by calling WriteProcessMemory at address 0x4014E1.
  4. The address of LoadLibraryA is determined by first calling GetModuleHandleA at address 0x4014F9, which returns the base of the module exporting it (kernel32.dll).
  5. The result of GetModuleHandleA is then passed, along with the ASCII string "LoadLibraryA", to GetProcAddress at address 0x401504. The address obtained in the injector is valid inside the victim because kernel32.dll is mapped at the same base in every process of the same bitness.
  6. Finally, CreateRemoteThread is called at address 0x40153E with that address as the thread start routine and the remote buffer as its single argument, so the new thread executes LoadLibraryA("<dll name>") inside the victim and the DLL is loaded.
