DLL injection

From Wikipedia, the free encyclopedia

In computing, DLL injection is a technique for running code in the address space of another process by forcing that process to load a foreign dynamic link library (DLL). In principle the technique is available on every operating system that supports dynamic libraries, but the term DLL injection usually refers to the Microsoft Windows operating system.

The technique is only needed when the source code of the program whose behavior is to be influenced is not available. DLL injection is therefore often used by third-party vendors to adapt a program's behavior in ways the developer of the original program did not intend. A typical example of an application that uses DLL injection is a profiler.

Techniques available on Windows

Under Microsoft Windows there are several techniques for accomplishing DLL injection. The most important are:

  • Windows registry: DLLs listed under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" are loaded globally at the start of every program.
  • Hooks: Windows hooks make it possible to attach one's own DLLs to external processes, either selectively or globally. The same mechanism can also be used to intercept or prevent certain program actions (see Windows hooks).
  • CreateRemoteThread: The CreateRemoteThread API starts a thread in another process at an arbitrary memory address and passes it one argument. If that address is the location of the LoadLibrary API in the target process and the argument is the name of the DLL to load, the DLL is loaded into the external process.
  • Direct memory access: The Windows functions AllocMemory and WriteMemory allow the memory of external processes to be accessed directly. In this way new memory can be requested (AllocMemory) and a separate function that loads one's own DLL can be written into it.
  • Operating system functions (APIs) for manipulating processes (process manipulation functions) can likewise be used to load an additional DLL.

Use by malicious software

DLL injection is very attractive to malicious software, because it allows code to be executed under the guise of another program. This matters because it can hide Internet access from a desktop firewall: passwords spied out on the infected computer, for example, can be sent without being noticed. To counter this, some desktop firewalls attempt to detect DLL injection by analyzing the system, but they do not always succeed.

Countermeasures

  • Administrator rights are required to write to the memory of third-party applications.
  • Protected processes (protected process, introduced with Windows Vista for the Protected Media Path) cannot be accessed unless the writing process is itself a protected process.
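The registry technique listed above is also the easiest one for a defender to audit, since the configuration lives in a fixed key. The following PowerShell script is an added example, not part of the Wikipedia article: it reads the AppInit_DLLs key named above (and its WOW6432Node counterpart, which governs 32-bit processes on 64-bit Windows), reports whether the mechanism is switched on via the accompanying LoadAppInit_DLLs and RequireSignedAppInit_DLLs values, and checks the Authenticode signature of every DLL it finds. An elevated session is assumed; the function name Get-AppInitStatus is chosen here and is not a Windows cmdlet.

```powershell
# Added example: audit the AppInit_DLLs injection mechanism on a Windows host.
# Assumes an elevated PowerShell session. The value names LoadAppInit_DLLs and
# RequireSignedAppInit_DLLs are the real switches Windows keeps beside AppInit_DLLs.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitStatus {
    param([Parameter(Mandatory)][string]$Key)

    if (-not (Test-Path -Path $Key)) { return $null }
    $p = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue

    # AppInit_DLLs is a single string; entries are separated by spaces or commas.
    $dlls = @()
    if (-not [string]::IsNullOrWhiteSpace($p.AppInit_DLLs)) {
        $dlls = $p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
    }

    [pscustomobject]@{
        Key           = $Key
        Dlls          = $dlls
        LoadEnabled   = [int]($p.LoadAppInit_DLLs)          # 1 = DLLs are loaded
        RequireSigned = [int]($p.RequireSignedAppInit_DLLs) # 1 = unsigned DLLs are refused
    }
}

foreach ($key in $AppInitKeys) {
    $status = Get-AppInitStatus -Key $key
    if ($null -eq $status) { continue }

    "`n[$($status.Key)]"
    "  LoadAppInit_DLLs           = $($status.LoadEnabled)"
    "  RequireSignedAppInit_DLLs  = $($status.RequireSigned)"

    if ($status.Dlls.Count -eq 0) {
        "  AppInit_DLLs is empty."
        continue
    }

    foreach ($dll in $status.Dlls) {
        # Resolve relative names the way the loader would not guarantee: flag them explicitly.
        if (-not [System.IO.Path]::IsPathRooted($dll)) {
            Write-Warning "  '$dll' is not an absolute path; it will be resolved via the DLL search order."
        }
        if (Test-Path -Path $dll) {
            $sig = Get-AuthenticodeSignature -FilePath $dll
            "  $dll  signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
        }
        else {
            Write-Warning "  '$dll' is listed but was not found on disk."
        }
    }

    if ($status.LoadEnabled -eq 1) {
        Write-Warning "  AppInit_DLLs is ACTIVE under this key: every process that loads user32.dll will load the DLLs above."
        # Remediation, if the entries are not expected (requires administrator rights to change):
        #   Set-ItemProperty -Path $status.Key -Name LoadAppInit_DLLs -Value 0
        #   Set-ItemProperty -Path $status.Key -Name AppInit_DLLs     -Value ''
    }
}
```

Run the script as part of a baseline or periodic host check and treat any non-empty AppInit_DLLs value, any unsigned or missing DLL, or any change from the recorded baseline as something to investigate. Since writing this key requires administrator rights (the first countermeasure above), a changed value is also a sign that an elevated account was used on the machine.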

Literature

  • Jeffrey Richter: Programming Applications for Microsoft Windows. 4th edition. Microsoft Press, Redmond WA 1999, ISBN 1-57231-996-8 (Microsoft Programming Series).