DLL injection - detection and prevention

Dynamic-link libraries (DLLs) are used in almost every project because of their unique properties: modularity, ease of support, and updatability. Unfortunately, this can be easily exploited, and all it takes is for the attacker to replace the original DLL file with a malicious one (especially if the project is no longer maintained and does not verify a hash of the DLL it loads). Moreover, an attacker can load their DLL into a remote process (usually done to stay hidden, since once the DLL is injected the malicious code runs "from within" the target process).

To make it easier to visualize, here is a small diagram:

For example, we have a program that displays the number of seconds passed since it started (to keep things simple):
An attacker can create a malicious DLL that, say, logs pressed keys; in this case it simply displays a message box:
And the attacker also has an injector that will load their DLL into the target process:

The injector works by allocating memory in the target process and writing the path of the DLL there (if you want to know more about writing to process memory, check out my previous post). The attacker then calls the 'LoadLibrary' function remotely using 'CreateRemoteThread', passing the address of that buffer as the thread parameter, which results in the target process loading the malicious DLL.
As we can see, this is relatively easy for an attacker to implement and stays hidden from users, so it is up to software developers and anti-malware services to ensure the integrity of programs.
One way to do so is to overwrite the 'LoadLibrary' function so that it does nothing (after we have loaded all of our own libraries); this way an attacker will not be able to inject a DLL after the program has started.
That closes one hole, but what if an attacker loads a DLL before we overwrote 'LoadLibrary'? A potential solution is to check which DLLs are currently loaded (right after overwriting 'LoadLibrary') against the ones we expect.
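As an added example (not code from this post), here is a C check in the spirit of that second defence: it enumerates the modules in the current process and flags any loaded from outside an allowlist of directories. The allowlist (the system directory plus the directory our EXE runs from) is an assumption; the enumeration needs psapi (link with -lpsapi) and only the path-matching helpers are portable.

```c
/* Added example, not the post's code: flag loaded DLLs outside an allowlist. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>   /* link with -lpsapi */
#endif

/* Case-insensitive test that `path` lies under directory `root`. The root must
 * match a whole path component, so "C:\Windows\System32" does not accept
 * "C:\Windows\System32Evil\x.dll". Both '\' and '/' count as separators. */
int under_dir(const char *path, const char *root) {
    size_t n = strlen(root);
    while (n > 0 && (root[n - 1] == '\\' || root[n - 1] == '/')) n--;
    for (size_t i = 0; i < n; i++) {
        char a = path[i] == '/' ? '\\' : path[i];
        char b = root[i] == '/' ? '\\' : root[i];
        if (a == '\0' || tolower((unsigned char)a) != tolower((unsigned char)b)) return 0;
    }
    return path[n] == '\\' || path[n] == '/';
}

/* Returns 1 if `path` is under any of the `nroots` trusted directories. */
int module_is_trusted(const char *path, const char *const *roots, size_t nroots) {
    for (size_t i = 0; i < nroots; i++)
        if (under_dir(path, roots[i])) return 1;
    return 0;
}

#ifdef _WIN32
/* Walk every module in our own process and return how many are untrusted.
 * Assumed allowlist: the system directory and the directory our EXE runs from. */
int scan_own_modules(void) {
    char sysdir[MAX_PATH], exedir[MAX_PATH], modpath[MAX_PATH];
    HMODULE mods[1024]; DWORD needed; int untrusted = 0;
    GetSystemDirectoryA(sysdir, sizeof sysdir);
    GetModuleFileNameA(NULL, exedir, sizeof exedir);
    char *slash = strrchr(exedir, '\\');
    if (slash) *slash = '\0';                 /* keep only the directory part */
    const char *roots[] = { sysdir, exedir };
    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed)) return -1;
    for (DWORD i = 0; i < needed / sizeof(HMODULE) && i < 1024; i++) {
        if (!GetModuleFileNameExA(GetCurrentProcess(), mods[i], modpath, sizeof modpath)) continue;
        if (!module_is_trusted(modpath, roots, 2)) { printf("untrusted: %s\n", modpath); untrusted++; }
    }
    return untrusted;
}
#endif
```

A DLL dropped next to a legitimate one inside a trusted directory passes this check, so pairing it with a hash or signature check of each module is the natural next step.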