DLL injection

In computer science, DLL injection is a technique for running code in the address space of another process by forcing that process to load a foreign Dynamic Link Library (DLL). In principle, the technique is possible on all operating systems that support shared libraries; however, the term DLL injection usually refers to the Microsoft Windows operating system.

This technique is only needed if the source code of the program whose behavior is to be influenced is not available. DLL injection is therefore frequently used by third-party vendors to adapt a program's behavior in ways that its original developers did not intend. A typical example of an application that uses DLL injection is a profiler.

Available options in Windows

On Microsoft Windows, there are several techniques to accomplish a DLL injection. The most important are the following:

  • Windows Registry: Under the registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs", DLLs can be specified that are additionally loaded, globally, at the start of every program.
  • Hooks: Windows hooks make it possible to attach one's own DLLs to foreign processes (either selectively or globally). The same technique can also be used to intercept or prevent certain actions (see Windows hooks).
  • CreateRemoteThread: The CreateRemoteThread API makes it possible to start a thread at an arbitrary memory address and pass it one argument. By using the address of the LoadLibrary API as the start address and the name of the DLL to load as the argument, this DLL can be loaded into a foreign process.
  • Direct Memory Access: Using the Windows functions AllocMemory and WriteMemory, it is possible to directly access the memory of other processes. This makes it possible to request new memory (AllocMemory) and write into it a custom function that loads one's own DLL.
  • Operating system functions (APIs) for manipulating processes (process manipulation functions) can be used to make a process load an additional DLL.

Use by malicious software

DLL injection is very attractive for malicious software. The technique makes it possible to execute code under the guise of another program. This is of interest because it allows Internet access to be obtained past a desktop firewall: passwords spied out on the infected computer, for example, can then be sent out unnoticed. To address this problem, some desktop firewalls try to detect a DLL injection by analysing the system, which does not always succeed.

Countermeasures

  • Administrator privileges are required to write to the memory of other applications.
  • Protected processes (introduced with Windows Vista for the Protected Media Path) cannot be accessed unless the writing process is also a protected process.
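
A defender can check the AppInit_DLLs registry entry listed under "Available options in Windows" directly. The following PowerShell script is an added example, not part of the original article: it reads the value in the native and the 32-bit (WOW6432Node) registry view and reports the Authenticode status of every DLL named there. The WOW6432Node path and the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values are standard Windows settings that the article itself does not mention.

```powershell
# Added example: audit the AppInit_DLLs load point. Run from 64-bit PowerShell
# so that both registry views below resolve without redirection.
$views = [ordered]@{
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'             = 'System32'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' = 'SysWOW64'
}

$findings = foreach ($key in $views.Keys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key

    # AppInit_DLLs is one string; entries are separated by spaces or commas.
    $dlls = @("$($props.AppInit_DLLs)" -split '[\s,]+' | Where-Object { $_ })

    foreach ($dll in $dlls) {
        # Bare file names are resolved against the matching system directory.
        if ([IO.Path]::IsPathRooted($dll)) { $path = $dll }
        else { $path = Join-Path $env:SystemRoot (Join-Path $views[$key] $dll) }

        $sig = $null
        if (Test-Path -LiteralPath $path) {
            $sig = Get-AuthenticodeSignature -LiteralPath $path
        }

        [pscustomobject]@{
            Key           = $key
            Dll           = $path
            LoadAppInit   = $props.LoadAppInit_DLLs           # 0 = mechanism disabled
            RequireSigned = $props.RequireSignedAppInit_DLLs  # 1 = signed DLLs only
            Signature     = if ($sig) { "$($sig.Status)" } else { 'FileMissing' }
            Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        }
    }
}

if ($findings) {
    $findings | Format-List
    # Any entry without a valid signature deserves a closer look.
    $findings | Where-Object { $_.Signature -ne 'Valid' } |
        ForEach-Object { Write-Warning "Review $($_.Dll) listed under $($_.Key)" }
} else {
    'AppInit_DLLs is empty in all registry views.'
}
```

An empty result is the expected state on most systems; any listed DLL should be traceable to a known installed product.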