WindowsDLLInjector
Some DLL Injection techniques written in C++ for both 32bit and 64bit windows OS
Intro
There are several ways for injecting a dll or generally a process in another target process
It has many advantages such as accessing that process memory address and extending it's functionality
In abuse cases it can be used to hide malicious activity in another process and somehow bypass antivirus detection
each one has it's pros and cons
Here we have implemented 5/7 techniques
- CreateRemoteThread (windows Win32 API through windows.h)
- NtCreateThread (windows native API through ntdll.dll)
- QueueUserAPC
- SetWindowsHookEx
- RtlCreateUserThread (windows native API through ntdll.dll)
- SetThreadContext
- ReflectiveDllInjection
CreateRemoteThread
Maybe it's the first google search result for dll injection
This API is mapped to NtCreateThread native API
Very well documented and easy to code!
Pros.
Easy to implement (maybe just 5 lines of code)
well documented on internet
Cons.
Easy to detect
not possible on all processes (specially windows NT native processes)
NtCreateThread
Acually not as easy as CreateRemoteThread method
It needs some header definitin and function pointer casting to get the address of NtCreateThread in ntdll.dll
A little hard to implement but very effective against windows native system processes
Pros.
Can be used for windows native NT processes (like : svchost, smss, ...)
Harder to be detected
Cons.
A little hard to implement and debug
no official documentation
QueueUserAPC
This method is about hijacking and using a thread in target process
As documented in msdn, the function call QueueUserAPC() adds user-mode asychronous procedure call(APC) object to the APC queue of specified thread
Actually we don't create our own thread and just use the target process's threads for loading our dll into the process address space
Notice that to make this method work, The remote target thread should be in suspended state and with alertable flag (Example SleepEx() in TargetProgram.cpp)
Pros.
No need for creating new Threads
It adds some stealthy abilities for injection (cause no new thead would be created)
Cons.
Not always possible on all threads (just suspended threads with alertable flag)
SetWindowsHookEx
This method actually is for setting Windows Hook for specific events like keyboard or mouse event
But since the hook procedure should be in form of exported function in a dll file in the target process,
This makes it possible to use it as a dll injection method
This one is kinda different one because neither thread nor APC is created but A hook is set in target process for a specific thread
Pros.
No need for creating new Threads or APC call
Easy to use spcially with thread ID equals 0 :)
Cons.
Too suspicious for antivirus detection because of using hooks
RtlCreatUserThread
Same as NtCreateThread with some possible wrapping
Pros.
Can be used for windows native NT processes (like : svchost, smss, ...)
Harder to be detected
Cons.
A little hard to implement and debug
no official documentation
Credit
Many thanks for fdiskyou and his InjectAllTheThings (nice name) repository
His Repo : https://github.com/fdiskyou/injectAllTheThings
His website : http://deniable.org