Skip to main content

Processes 2

Steps for DLL injection

  • Call OpenProcess() to get HANDLE for the process
  • Use VirtualAllocEx() to allocate memory inside the process
  • Use WriteProcessMemory() to copy path to DLL into the process
  • Use CreateRemoteThread() to create a new thread in the process
    • Start LoadLibrary() as the thread routine
    • Pass the address of the DLL path as data to the thread

Direct Injection

  • Related Technique - Inject code directly rather than path to DLL
  • Use VirtualAllocEx() to allocate memory - need to ensure it is marked as executable
  • WriteProcessMemory() used to copy over code
  • CreateRemoteThread() used to start code
  • Harder to write code for this - code isn't loaded so will need to find address of API function itself

Non-Traditional Loading

  • Code knows where the stack is (using esp)
  • Can use this to create structures or store strings, by pushing the relevant values and capturing the address

....

Thread Environment Block

  • Every thread on a Windows program has an associated Thread Environment Block..

Process Environment Block

  • Part of the kernels data structures about each process
  • Fortun...

Starting a Process

  • Windows provides API calls that ca.....