1. Code/DLL Injection
ECE4112 – Internetwork Security
Georgia Institute of Technology
By Andrei Bersatti and Brandon Harrington
1

2. Agenda
•Background: Processes and DLLs
•Code Injection
•Static Injection
•Dynamic Injection
• Trojans and Firewall Evasion
• Defenses
2

3. Processes and DLLs (1)
• What are processes?
• What are DLL files?
 More on this later
• Processes are running tasks that are managed by the
Operating System. Processes may load DLL files
(Dynamic Link Libraries, in Windows).
• Dynamic Link Libraries are executable code that can
only be executed when called by a process.
3

4. Processes and DLLs (2)
• At the Lab:
 We will have a brief review of Processes.
 Use Windows Task Managers to Observe
Processes.
 Use Sysinternals Process Explorer (view processes
and .dll files loaded by processes).
 Process Name, Process User, Process Description,
Process ID, Process DLL’s.
4

5. Code Injection
• Code Injection: ‘Injecting’ code (putting
executable code within) into another program.
• Two Kinds:
• Static Injection: Occurs prior to program execution.
• Dynamic Injection: Occurs on or after program
execution.
• Original Program/Process + Injected Code =
Malicious Program/Process
5

6. Code Injection – Static
Injection (1)
• Occurs prior to execution of a program.
• Example:
• A program innocent.exe is modified so that
prior to executing itself it executes code that
has been injected to do some nasty thing.
• Then the program is delivered to the victim
who thinks the program is innocent (a virus? A
trojan? A technique!).
6

7. Code Injection – Static Injection
(2)
• How is it done?
• Programs have a memory space.
• Not all of the memory space is used, some parts of
the memory space (usually at the end) is full of
NOOPs. This area is known as a “cave.”
• A cave can be overwritten without corrupting
(other than by adding a desired functionality) the
victim program.
7

8. Code Injection – Static Injection
(3)
•In order to execute the code in the cave, the program has to
be able to reach the code.
•How?
•Every program has an Entry Point. By changing the first
instruction in the Entry Point into a JUMP to our added code,
as soon as the program starts our code executes.
•At the end of our code we add any instructions overwritten
by the JUMP and then enter a JUMP back to the 2nd
Instruction of the Entry Point.
•Program execution continues normally.
8

9. Code Injection – Static Injection
(4)
• In the Lab:
•We will use OllyDbg (a debugger or decompiler) to
modify the memory space of winmine.exe
(Minesweeper) so that it displays a Message Box prior to
executing.
• Need some basic ASM:
•JMP -> A jump to an address (to an instruction).
•PUSH -> Pushes a variable into the stack.
•CALL -> Calls a Function, our function,
user32.MessageBoxA, will pop the stack and take those 9
variables as parameters.

10. Code Injection – Static Injection
(5)
• Static Code Injection is not widely exploited
by Trojans.
• Understanding how Static Code Injection
works helps to understand Dynamic Code
Injection.
• Static Code Injection is harder to detect since it
may have occurred before the victim program
arrived at a particular location.
10

11. Dynamic Code Injection
• Used by rootkits, trojans, viruses, spyware
• Inserting code into the program’s memory
space.
• No signs of tampering in the executable
file. Changes done on-the-fly while the
process is running.
11

12. Dynamic Link Libraries (DLL)
• DLLs are shared libraries used across
many programs.
 Instead of including the shared code in every
executable, common functions are stored in a
separate file accessible by the programs.
– Reduces executable size
– Increases code re-use
 Accessed by memory location
– Import/Export Look-up table
12

13. API Hooking
• Closely related to functional overloading in
programming
• Common practice in programming mainly
for debugging purposes.
• Uses DLL injection to implant its hook DLL
13

14. API Hooking (continued)
• Malicious uses
 Override functions in programs to intercept
data
 Maintain functionality but add “bad features”
 Examples:
– An encryption algorithm in a DLL could be
overwritten to output the data before encrypted.
– A send web data function could be overwritten to
send duplicate data to another server.
14

15. Lab Procedures
(Dynamic Injection)
• Inject DLLs into running processes using
 APM
 Aphex’s DLL Injector
• Use Process Explorer (PE) to show the
new DLL loaded
15

16. Trojans and Firewall Evasion (1)
•What is the relevance of Code Injection to an
Internetwork Security class?
•Trojans often use code/dll injection in an attempt
to evade the Firewall and communicate with the
Internet.
•Reverse Connection: Attacker’s computer does not
contact you; your computer contacts the attacker’s
computer!
•Access to data prior to encryption!
16

17. Trojans and Firewall Evasion (2)
• Static code injection scenario:
 Install.exe was downloaded from Kazaa. (Assume
Install.exe is your favorite videogame).
 Install.exe is in reality MultiPlayerGame.exe wrapped with
invisible Keylogger.exe.
 MultiPlayerGame.exe was injected with code to connect to
the Internet and deliver Keylog.txt to an attacker’s IP
address.
 Because you willingly ran a Multiplayer Game, you will
tell your Firewall “Yes, allow MultiPlayerGame.exe to go
outbound.”
17

18. Trojans and Firewall Evasion (3)
•But like we said before, while harder to detect, Static
Code Injection is not commonly used by trojans.
•Dynamic Code/DLL Injection is far more common
and far more dangerous!
•Dynamic Code/DLL Injection scenario:
•warningIamAtrojanServer.exe was somehow executed by
some irresponsible person.
•This installed in the Run registry a program that runs upon
startup for 1 second and injects a trojan.dll into iexplore.exe.
Trojan was a Remote Administration Tool and because
iexplore.exe has Firewall privileges, this RAT does too!
18

19. Trojans and Firewall Evasion (4)
•At the lab:
•We will install a firewall (Sygate Personal
Firewall)
•We will test a firewall using Atelier Web
Firewall Tester (tests Firewalls by trying to
inject different processes that should already
have privileges in the Firewall.
•Atelier claims that most firewalls fail these
tests!! 19

20. Trojans and Firewall Evasion (5)
• Some Trojans that use injection:
 Assassin 2.0 – Uses dynamic DLL injection for
reverse connection.
 Beast 2.0 – Uses dynamic DLL injection for reverse
connection.
 Nuclear Uploader – Uses dynamic DLL injection for
reverse connection.
 Flux – Uses dynamic code injection for reverse
connection.
 Institution 2004 – Claims to use DLL injection for
reverse connection. Allows to remotely patch a
process.
20

21. Trojans and Firewall Evasion (6)
• In the lab:
• We will play with Assassin 2.0; show the loaded .dll using Process
Explorer.
• We will play with Institution 2004; show ability to patch processes
remotely.
• We will play with Flux; show that it does indeed use Internet
Explorer to evade the Firewall and yet no loaded .dll is detected.
• Tools: Process Explorer, Sygate Personal Firewall logs.
21

22. Protection
• How can you protect yourself from this
attack?
• Anti-Hook
 Essentially a firewall for DLL’s
 Rule-based
– Allow only “trusted” dll’s to be loaded by programs
22

23. Detection
• Static Injection
 File Fingerprinting
• Dynamic Injection
 Scan memory for rogue DLL currently loaded
 Check import/export addresses of linked
functions and compare with known addresses
23

24. Lab Procedures (Defenses)
• Use Advanced Process Manipulation (APM)
to unload DLL injected into current
processes
• Use TDS-3 to scan memory for rogue
DLLs
24

25. Conclusions
• This is a common technique.
• Comparable to buffer overflows.
• If you know how the technique works,
you can defend yourself against various
malware that uses it
25