How InjectedDLL Works — Methods, Tools, and Detection
Overview
InjectedDLL (DLL injection) is the technique of forcing a running process to load and execute a DLL that it did not originally load. Attackers and red-teamers use it to run code with the target process's privileges and identity, to blend into a trusted process name, and to persist. Defenders monitor for the characteristic behaviors and artifacts of each method (handle rights, remote threads, unbacked executable memory, DLLs loaded from unexpected paths) to detect and block injection.
Common methods
- Classic remote-thread (LoadLibrary)
  - OpenProcess(targetPID) with at least PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
  - VirtualAllocEx to reserve a buffer for the DLL path in the target's memory
  - WriteProcessMemory to write the path into that buffer
  - CreateRemoteThread with the address of LoadLibraryA/W as the start routine and the buffer as its argument (works because kernel32 is mapped at the same base in every process of the same bitness until reboot; a 64-bit injector cannot do this into a 32-bit target)
  - Pros: simple, reliable. Cons: easily detected, because the new thread's start address resolves to LoadLibraryA/W in kernel32, the handle was opened with write and create-thread rights, and the DLL exists on disk and appears in the target's module list.
- Reflective DLL injection
  - Writes the whole DLL image into the target's memory and starts execution at an exported loader routine inside the DLL (the reflective loader), which maps the sections, applies relocations, resolves imports and calls DllMain itself, without writing a file to disk or calling LoadLibrary. The DLL never appears in the loader's module list, so it evades DLL-load monitoring.
  - Pros: stealthier, fileless. Cons: more complex to implement, and the image lives in private executable memory that is not backed by a file, which memory scanners and remote-thread telemetry can still flag.
- SetWindowsHookEx / Hooking
  - Uses OS hook APIs (e.g., SetWindowsHookEx with a DLL module handle) so that every process on the same desktop that receives the hooked event (keyboard, window message) loads the DLL containing the hook callback. Only reaches processes with a message loop and of the same bitness as the DLL.
  - Common for keyloggers and UI hooks; the hook DLL must be a file on disk.
- AppDomain / Loader hijacking (DLL search order / side-loading)
  - Place a malicious DLL with the expected name where the target process will look for it first, typically the application's own directory, which the loader searches before the system directories for anything not on the KnownDLLs list (DLL search-order hijacking, side-loading). No cross-process memory operations are required; the legitimate, often signed, executable does the loading.
  - Pros: persistence without remote threads or handle rights on the target. Cons: requires write access to a path the target searches, or manipulating installers; the DLL is on disk and its unexpected path is visible in image-load telemetry.
- Process hollowing / process replacement
  - CreateProcess with CREATE_SUSPENDED, unmap the legitimate image (NtUnmapViewOfSection), write the malicious image into the target with VirtualAllocEx/WriteProcessMemory, update the PEB's image base and set the main thread's context to the new entry point, then ResumeThread. Achieves execution under a legitimate executable name and path.
  - Often accompanied by injected DLLs/hooks. Detectable because the in-memory image no longer matches the file on disk.
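The log-side checks for the methods above, as an added example in Python (not code from the original page): each record is a constructed Sysmon-style event (Event 10 ProcessAccess for the handle rights the classic injector must obtain, Event 8 CreateRemoteThread for the thread start address, Event 7 ImageLoad for side-loaded DLLs). Field names follow Sysmon's schema; all process names, PIDs and paths are made up, the list of commonly side-loaded DLL names is an assumed starting point rather than an authoritative set, and representing a start address with no backing module as an empty or "-" StartModule is an assumption of the sample data.

```python
"""Triage constructed Sysmon-style records for the injection methods above."""
import ntpath

# Process access rights from winnt.h. Together they are what a remote-thread
# injector needs: OpenProcess -> VirtualAllocEx/WriteProcessMemory -> CreateRemoteThread.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed list of DLL names that are often planted beside a trusted EXE (not exhaustive).
SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll", "uxtheme.dll"}


def check_process_access(ev):
    """Event 10: another process opened a handle with write + create-thread rights."""
    rights = int(ev["GrantedAccess"], 16)
    if ev["SourceProcessId"] != ev["TargetProcessId"] and (rights & INJECT_RIGHTS) == INJECT_RIGHTS:
        return (f"{ev['SourceImage']} opened {ev['TargetImage']} with "
                f"create-thread + VM-write rights ({ev['GrantedAccess']})")
    return None


def check_remote_thread(ev):
    """Event 8: classify the start address of a thread created in another process."""
    if ev["SourceProcessId"] == ev["TargetProcessId"]:
        return None
    if ev.get("StartFunction") in LOADLIBRARY_EXPORTS:
        return f"classic LoadLibrary remote thread: {ev['SourceImage']} -> {ev['TargetImage']}"
    if ev.get("StartModule", "") in ("", "-"):
        # Start address is not inside any loaded module: reflective loader or raw shellcode.
        return f"remote thread in unbacked memory: {ev['SourceImage']} -> {ev['TargetImage']}"
    return None


def check_image_load(ev):
    """Event 7: a well-known system DLL name loaded from outside the system directories."""
    loaded = ev["ImageLoaded"]
    name = ntpath.basename(loaded).lower()
    if name in SIDELOAD_NAMES and not loaded.lower().startswith(SYSTEM_DIRS):
        signed = "unsigned" if ev.get("Signed", "").lower() == "false" else "signed"
        return f"possible side-load: {ev['Image']} loaded {signed} {loaded}"
    return None


CHECKS = {10: check_process_access, 8: check_remote_thread, 7: check_image_load}


def triage(events):
    """Run the check matching each record's EventID; return (EventID, reason) per hit."""
    hits = []
    for ev in events:
        check = CHECKS.get(ev["EventID"])
        reason = check(ev) if check else None
        if reason:
            hits.append((ev["EventID"], reason))
    return hits


# Constructed sample records: Sysmon field names, invented values.
INJECTOR = "C:\\Users\\alice\\Downloads\\inject.exe"
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceProcessId": 4120, "SourceImage": INJECTOR,
     "TargetProcessId": 1808, "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceProcessId": 5532, "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe",
     "TargetProcessId": 1808, "TargetImage": "C:\\Windows\\explorer.exe", "GrantedAccess": "0x1410"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": INJECTOR,
     "TargetProcessId": 1808, "TargetImage": "C:\\Windows\\explorer.exe",
     "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"EventID": 8, "SourceProcessId": 4120, "SourceImage": INJECTOR,
     "TargetProcessId": 2216, "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceProcessId": 612, "SourceImage": "C:\\Windows\\System32\\csrss.exe",
     "TargetProcessId": 2216, "TargetImage": "C:\\Windows\\System32\\svchost.exe",
     "StartModule": "C:\\Windows\\System32\\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\updater.exe",
     "ImageLoaded": "C:\\Program Files\\Vendor\\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": "C:\\Program Files\\Vendor\\updater.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for eid, reason in triage(SAMPLE_EVENTS):
        print(f"[EID {eid}] {reason}")
```

Run against the sample, it flags the injector's handle on explorer.exe, the LoadLibraryA thread, the thread started in unbacked memory, and the unsigned version.dll loaded from the vendor directory, while the Task Manager handle (read/query rights only), the csrss thread with a module-backed start address, and the System32 copy of version.dll pass. In production the GrantedAccess and start-address checks need an allowlist for legitimate cross-process tools (debuggers, AV, accessibility software), and the side-load check should be driven by a full inventory of system DLL names rather than the short assumed list here.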
- APC / Thread hijacking