Code/DLL Injection

ECE4112 – Internetwork Security
Georgia Institute of Technology

By Andrei Bersatti and Brandon Harrington
Agenda

• Background: Processes and DLLs
• Code Injection
   • Static Injection
   • Dynamic Injection
• Trojans and Firewall Evasion
• Defenses
Processes and DLLs (1)

• What are processes?
• What are DLL files?
   • More on this later
• Processes are running tasks that are managed by the
  Operating System. Processes may load DLL files
  (Dynamic Link Libraries, in Windows).
• Dynamic Link Libraries are executable code that can
  only be executed when called by a process.
Processes and DLLs (2)

• At the Lab:
   • We will have a brief review of Processes.
   • Use Windows Task Manager to observe
     processes.
   • Use Sysinternals Process Explorer (view processes
     and .dll files loaded by processes).
   • Process Name, Process User, Process Description,
     Process ID, Process DLLs.
Code Injection

• Code Injection: ‘Injecting’ code (putting
  executable code within) into another program.
• Two Kinds:
   • Static Injection: Occurs prior to program execution.
   • Dynamic Injection: Occurs on or after program
     execution.

• Original Program/Process + Injected Code =
  Malicious Program/Process
Code Injection – Static Injection (1)

• Occurs prior to execution of a program.
• Example:
   • A program innocent.exe is modified so that
     prior to executing itself it executes code that
     has been injected to do some nasty thing.
   • Then the program is delivered to the victim
     who thinks the program is innocent (a virus? A
     trojan? A technique!).
Code Injection – Static Injection (2)

• How is it done?
   • Programs have a memory space.
   • Not all of the memory space is used; some parts of
     the memory space (usually at the end) are full of
     NOPs. This area is known as a “cave.”
   • A cave can be overwritten without corrupting
     (other than by adding a desired functionality) the
     victim program.
Code Injection – Static Injection (3)

• In order to execute the code in the cave, the program has to
  be able to reach the code.
• How?
• Every program has an Entry Point. By changing the first
  instruction at the Entry Point into a JUMP to our added code,
  our code executes as soon as the program starts.
• At the end of our code we add any instructions overwritten
  by the JUMP and then a JUMP back to the 2nd
  instruction of the Entry Point.
• Program execution continues normally.
Code Injection – Static Injection (4)

• In the Lab:
   • We will use OllyDbg (a debugger or decompiler) to
     modify the memory space of winmine.exe
     (Minesweeper) so that it displays a Message Box prior to
     executing.
• Need some basic ASM:
   • JMP -> A jump to an address (to an instruction).
   • PUSH -> Pushes a variable onto the stack.
   • CALL -> Calls a function; our function,
     user32.MessageBoxA, will pop the stack and take those
     variables as parameters.
Code Injection – Static Injection (5)

• Static Code Injection is not widely exploited
  by Trojans.
• Understanding how Static Code Injection
  works helps to understand Dynamic Code
  Injection.
• Static Code Injection is harder to detect since it
  may have occurred before the victim program
  arrived at a particular location.
Dynamic Code Injection

• Used by rootkits, trojans, viruses, spyware

• Inserting code into the program’s memory
  space.

• No signs of tampering in the executable
  file. Changes done on-the-fly while the
  process is running.
Dynamic Link Libraries (DLL)

• DLLs are shared libraries used across
  many programs.
   • Instead of including the shared code in every
     executable, common functions are stored in a
     separate file accessible by the programs.
      – Reduces executable size
      – Increases code re-use
   • Accessed by memory location
      – Import/Export Look-up table
API Hooking

• Closely related to function overloading in
  programming

• Common practice in programming, mainly
  for debugging purposes.

• Uses DLL injection to implant its hook DLL
API Hooking (continued)

• Malicious uses
   • Override functions in programs to intercept
     data
   • Maintain functionality but add “bad features”
   • Examples:
      – An encryption function in a DLL could be
        overridden to output the data before it is encrypted.
      – A send-web-data function could be overridden to
        send duplicate data to another server.
Lab Procedures (Dynamic Injection)

• Inject DLLs into running processes using
   • APM
   • Aphex’s DLL Injector

• Use Process Explorer (PE) to show the
  new DLL loaded
Trojans and Firewall Evasion (1)

• What is the relevance of Code Injection to an
  Internetwork Security class?
• Trojans often use code/DLL injection in an attempt
  to evade the Firewall and communicate with the
  Internet.
• Reverse Connection: Attacker’s computer does not
  contact you; your computer contacts the attacker’s
  computer!
• Access to data prior to encryption!
Trojans and Firewall Evasion (2)

• Static code injection scenario:
   • Install.exe was downloaded from Kazaa. (Assume
     Install.exe is your favorite videogame.)
   • Install.exe is in reality MultiPlayerGame.exe wrapped with
     an invisible Keylogger.exe.
   • MultiPlayerGame.exe was injected with code to connect to
     the Internet and deliver Keylog.txt to an attacker’s IP
     address.
   • Because you willingly ran a Multiplayer Game, you will
     tell your Firewall “Yes, allow MultiPlayerGame.exe to go
     outbound.”
Trojans and Firewall Evasion (3)

• But like we said before, while harder to detect, Static
  Code Injection is not commonly used by trojans.
• Dynamic Code/DLL Injection is far more common
  and far more dangerous!
• Dynamic Code/DLL Injection scenario:
   • warningIamAtrojanServer.exe was somehow executed by
     some irresponsible person.
   • This installed in the Run registry key a program that runs upon
     startup for 1 second and injects a trojan.dll into iexplore.exe.
   • The trojan was a Remote Administration Tool, and because
     iexplore.exe has Firewall privileges, this RAT does too!
Trojans and Firewall Evasion (4)

• At the lab:
   • We will install a firewall (Sygate Personal
     Firewall).
   • We will test the firewall using Atelier Web
     Firewall Tester (tests Firewalls by trying to
     inject into different processes that should already
     have privileges in the Firewall).
   • Atelier claims that most firewalls fail these
     tests!!
Trojans and Firewall Evasion (5)

• Some Trojans that use injection:
   • Assassin 2.0 – Uses dynamic DLL injection for
     reverse connection.
   • Beast 2.0 – Uses dynamic DLL injection for reverse
     connection.
   • Nuclear Uploader – Uses dynamic DLL injection for
     reverse connection.
   • Flux – Uses dynamic code injection for reverse
     connection.
   • Institution 2004 – Claims to use DLL injection for
     reverse connection. Allows remotely patching a
     process.
Trojans and Firewall Evasion (6)

• In the lab:
   • We will play with Assassin 2.0; show the loaded .dll using Process
     Explorer.
   • We will play with Institution 2004; show the ability to patch processes
     remotely.
   • We will play with Flux; show that it does indeed use Internet
     Explorer to evade the Firewall and yet no loaded .dll is detected.
   • Tools: Process Explorer, Sygate Personal Firewall logs.
Protection

• How can you protect yourself from this
  attack?

• Anti-Hook
   • Essentially a firewall for DLLs
   • Rule-based
      – Allow only “trusted” DLLs to be loaded by programs
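As an added example (not part of the original slides and not the Anti-Hook tool itself), the Python below applies the rule-based idea to a module listing of the kind Process Explorer shows: modules outside trusted directories, or outside an optional per-process baseline, are reported, and instances of the same program are compared so that a DLL present in only one of them stands out, which is the iexplore.exe scenario from the Trojans and Firewall Evasion (3) slide. The listing, paths and PIDs are constructed sample data, not captured output.

```python
"""Rule-based loaded-module check in the spirit of the Anti-Hook slide:
allow only DLLs from trusted locations (plus an optional per-process
baseline) and report everything else as a candidate injected DLL. The
listing format and its contents are constructed for this example; they
mimic what Process Explorer shows but are not real captured output."""
import ntpath

TRUSTED_DIRS = (
    r"C:\WINDOWS\system32",
    r"C:\WINDOWS\WinSxS",
    r"C:\Program Files",
)

# Constructed sample: two iexplore.exe instances, one of them carrying a
# module loaded from the user's temp directory (the slide's trojan.dll case).
SAMPLE_LISTING = (
    "1204\tiexplore.exe\tC:\\Program Files\\Internet Explorer\\iexplore.exe\n"
    "1204\tiexplore.exe\tC:\\WINDOWS\\system32\\ntdll.dll\n"
    "1204\tiexplore.exe\tC:\\WINDOWS\\system32\\kernel32.dll\n"
    "1204\tiexplore.exe\tC:\\WINDOWS\\system32\\user32.dll\n"
    "2216\tiexplore.exe\tC:\\Program Files\\Internet Explorer\\iexplore.exe\n"
    "2216\tiexplore.exe\tC:\\WINDOWS\\system32\\ntdll.dll\n"
    "2216\tiexplore.exe\tC:\\WINDOWS\\system32\\kernel32.dll\n"
    "2216\tiexplore.exe\tC:\\WINDOWS\\system32\\user32.dll\n"
    "2216\tiexplore.exe\tC:\\Documents and Settings\\user\\Local Settings\\Temp\\trojan.dll\n"
)


def parse_listing(text):
    """Return [(pid, process, module_path)] from a 'pid<TAB>process<TAB>path' listing."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            pid, proc, path = line.split("\t", 2)
            rows.append((int(pid), proc, path))
    return rows


def _norm(path):
    return ntpath.normcase(ntpath.normpath(path))     # lower-case, backslashes


def is_trusted_path(path, process_dir):
    """Trusted = under a trusted system directory or beside the loading exe."""
    allowed = [_norm(d) for d in TRUSTED_DIRS]
    if process_dir:
        allowed.append(_norm(process_dir))
    p = _norm(path)
    return any(p.startswith(d + ntpath.sep) for d in allowed)


def find_rogue_modules(rows, baseline=None):
    """Return [(pid, process, module_path, reason)] for modules breaking the rules.
    baseline: optional {process name: {allowed dll file names}}; when given, a
    trusted-path module that is not in the baseline is reported as well."""
    exe_dir = {}                                      # pid -> directory of its exe
    for pid, proc, path in rows:
        if ntpath.basename(path).lower() == proc.lower():
            exe_dir[pid] = ntpath.dirname(path)
    findings = []
    for pid, proc, path in rows:
        name = ntpath.basename(path).lower()
        if name == proc.lower():
            continue                                  # the main image itself
        if not is_trusted_path(path, exe_dir.get(pid, "")):
            findings.append((pid, proc, path, "untrusted location"))
        elif baseline is not None and name not in baseline.get(proc.lower(), set()):
            findings.append((pid, proc, path, "not in baseline"))
    return findings


def instance_differences(rows):
    """Compare instances of the same program: {process: {dll: [pids]}} lists
    modules that are not loaded by every instance, which is how an injected
    DLL in one iexplore.exe stands out next to a clean one."""
    by_proc = {}
    for pid, proc, path in rows:
        by_proc.setdefault(proc.lower(), {}).setdefault(pid, set()).add(
            ntpath.basename(path).lower())
    diffs = {}
    for proc, inst in by_proc.items():
        if len(inst) < 2:
            continue
        common = set.intersection(*inst.values())
        for pid, mods in sorted(inst.items()):
            for m in sorted(mods - common):
                diffs.setdefault(proc, {}).setdefault(m, []).append(pid)
    return diffs
```

The instance comparison is the same check the lab does by eye in Process Explorer; a DLL that only one instance loads is a lead, and the path rule tells you whether it came from somewhere a legitimate component should not live.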
Detection

• Static Injection
   • File Fingerprinting

• Dynamic Injection
   • Scan memory for rogue DLLs currently loaded
   • Check import/export addresses of linked
     functions and compare with known addresses
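As an added example (not from the original slides), the Python below ties the entry-point patch from the Static Injection (3) slide to the File Fingerprinting bullet above: it hashes a file and parses the PE headers to flag an entry point whose first instruction is a JMP into section padding past VirtualSize, which is where a "cave" lives. The image it inspects is a constructed minimal PE32 fixture, not a real program, and the check is a triage heuristic rather than a verdict.

```python
import hashlib
import struct

def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]

def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]

def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = _u32(data, 0x3C)                         # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsect = _u16(data, coff + 2)                      # NumberOfSections
    opt = coff + 20
    if _u16(data, opt) not in (0x10B, 0x20B):         # PE32 / PE32+ magic
        raise ValueError("unknown optional header magic")
    entry_rva = _u32(data, opt + 16)                  # AddressOfEntryPoint
    sect_tbl = opt + _u16(data, coff + 16)            # opt + SizeOfOptionalHeader
    sections = []
    for i in range(nsect):
        s = sect_tbl + 40 * i
        sections.append({"name": data[s:s + 8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": _u32(data, s + 8), "va": _u32(data, s + 12),
                         "rawsize": _u32(data, s + 16), "rawptr": _u32(data, s + 20)})
    return entry_rva, sections

def section_for_rva(sections, rva):
    """Section whose mapped extent (the larger of virtual and raw size) holds rva."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None

def check_entry_point(data):
    """Triage heuristic for the cave patch: a near JMP (E9 rel32) as the very
    first entry-point instruction whose target is section padding past
    VirtualSize, or lies outside the entry section. Packers and some runtimes
    also start with a JMP, so a hit is a lead for the debugger, not a verdict."""
    entry_rva, sections = parse_pe(data)
    sect = section_for_rva(sections, entry_rva)
    if sect is None:
        return [f"entry 0x{entry_rva:x} lies in no section"]
    off = sect["rawptr"] + (entry_rva - sect["va"])
    first = data[off:off + 5]
    if len(first) < 5 or first[0] != 0xE9:
        return []
    target = entry_rva + 5 + struct.unpack_from("<i", first, 1)[0]
    tsect = section_for_rva(sections, target)
    if tsect is None:
        return [f"entry 0x{entry_rva:x}: JMP to 0x{target:x} lands in no section"]
    if target >= tsect["va"] + tsect["vsize"]:
        return [f"entry 0x{entry_rva:x}: JMP to 0x{target:x} lands in {tsect['name']} "
                "padding past VirtualSize (possible code cave)"]
    if tsect is not sect:
        return [f"entry 0x{entry_rva:x}: JMP to 0x{target:x} leaves {sect['name']} "
                f"for {tsect['name']}"]
    return []

def fingerprint(data):
    """File fingerprint for the static case: any patch changes the SHA-256."""
    return hashlib.sha256(data).hexdigest()

def build_sample_pe(patched):
    """Constructed minimal PE32 image (not a real program): one .text section
    whose VirtualSize (0x40) is far below SizeOfRawData (0x200), so the raw
    section ends in zero padding. With patched=True the entry instruction is
    replaced by a JMP into that padding, as the Static Injection slides describe."""
    entry_rva = text_va = 0x1000
    vsize, rawsize, rawptr = 0x40, 0x200, 0x200
    code = bytearray(rawsize)
    code[:3] = b"\x55\x8b\xec"                        # push ebp; mov ebp, esp
    if patched:
        cave_rva = text_va + 0x100                    # inside the padding
        code[:5] = b"\xe9" + struct.pack("<i", cave_rva - (entry_rva + 5))
        cave = cave_rva - text_va                     # displaced bytes, then JMP back
        back = (entry_rva + 5) - (cave_rva + 8)
        code[cave:cave + 8] = b"\x55\x8b\xec\xe9" + struct.pack("<i", back)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)        # AddressOfEntryPoint
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)   # Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)   # SizeOfImage, SizeOfHeaders
    sect = struct.pack("<8sIIIIIIHHI", b".text", vsize, text_va, rawsize,
                       rawptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return headers.ljust(rawptr, b"\0") + bytes(code)
```

On a real binary, read the file into `data` and call `check_entry_point(data)`; a changed `fingerprint` against a known-good baseline is the simplest signal, and the entry-point check tells you where to start looking when no baseline exists.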
Lab Procedures (Defenses)

• Use Advanced Process Manipulation (APM)
  to unload DLLs injected into current
  processes

• Use TDS-3 to scan memory for rogue
  DLLs
Conclusions

• This is a common technique.

• Comparable to buffer overflows.

• If you know how the technique works,
  you can defend yourself against various
  malware that uses it.

 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Dernier (20)

🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

Dll injection

7. Code Injection – Static Injection (2)
• How is it done?
• Programs have a memory space.
• Not all of the memory space is used: some parts of it (usually at the end of a section) are unused padding, filled with zero bytes or NOPs. Such an area is known as a "cave."
• A cave can be overwritten without corrupting the victim program (other than by adding the desired functionality).

8. Code Injection – Static Injection (3)
• In order to execute the code in the cave, the program has to be able to reach it.
• How?
• Every program has an Entry Point. By replacing the first instruction at the Entry Point with a JUMP to our added code, our code executes as soon as the program starts.
• At the end of our code we append the instructions that the JUMP overwrote, followed by a JUMP back to the first instruction after them (the 2nd instruction of the original Entry Point).
• Program execution then continues normally.

9. Code Injection – Static Injection (4)
• In the Lab:
 We will use OllyDbg (a debugger and disassembler) to modify the memory space of winmine.exe (Minesweeper) so that it displays a Message Box before running.
• Need some basic ASM:
 JMP: jump to an address (to an instruction).
 PUSH: push a value onto the stack.
 CALL: call a function. Our function, user32.MessageBoxA, reads its four parameters (window handle, text, caption, type) from the values we pushed on the stack and removes them on return (stdcall).
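The cave-and-trampoline procedure of slides 7 to 9, as an added worked example (this is not code from the ECE4112 lab, which does the same thing by hand in OllyDbg on winmine.exe). It runs on a constructed flat byte image standing in for a loaded code section, with image base 0 so offsets equal addresses; the entry-point bytes, the padding cave and the placeholder payload are all made up for the example, and the `call [imm32]` target in the payload is a placeholder for where the lab would reference the IAT slot of user32.MessageBoxA.

```python
"""Static code injection on a flat code image: cave search plus entry-point redirection.

Added worked example; it is not from the ECE4112 slides or lab. It works on a
constructed byte image that stands in for a loaded code section, with image
base 0 so that offsets equal addresses (an assumption; on a real PE you would
convert file offsets to RVAs and honour the section's raw/virtual sizes).
The technique is the one on slides 7-9:
  * find a run of zero padding (a "cave") big enough for the trampoline;
  * overwrite the first STOLEN bytes at the entry point with JMP rel32 to the
    cave (padding what is left with NOPs);
  * in the cave, run the payload, re-execute the displaced ("stolen") bytes,
    then JMP back to the first untouched instruction.
Assumption: the stolen bytes are whole instructions with no relative branches;
real tooling uses a length disassembler to guarantee this.
"""
import struct

JMP_REL32 = 0xE9   # x86 near relative jump, 5 bytes: E9 <rel32>
NOP = 0x90

ENTRY = 0x10       # entry point offset inside the constructed image
STOLEN = 6         # push ebp; mov ebp,esp; sub esp,0x40 = 1 + 2 + 3 bytes

# Constructed image: 16 bytes of "header", a 10-byte function at ENTRY,
# then 32 bytes of alignment padding (the cave).
ORIGINAL = (
    bytes(ENTRY)
    + b"\x55\x89\xe5\x83\xec\x40"   # push ebp; mov ebp,esp; sub esp,0x40
    + b"\x31\xc0\xc9\xc3"           # xor eax,eax; leave; ret
    + bytes(32)
)

# Stand-in payload: push 0 x4 ; call dword ptr [imm32]. The call target is a
# placeholder (assumption); in the lab it would be the IAT slot of MessageBoxA.
PAYLOAD = b"\x6a\x00" * 4 + b"\xff\x15\x00\x00\x00\x00"


def jmp_rel32(src: int, dst: int) -> bytes:
    """Encode a JMP at offset src landing on dst; rel32 is measured from the end of the jump."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + 5))


def decode_jmp(image: bytes, off: int) -> int:
    """Return the target of the JMP rel32 at off (raises if there is no jump there)."""
    if image[off] != JMP_REL32:
        raise ValueError(f"no JMP rel32 at {off:#x}")
    (rel,) = struct.unpack("<i", image[off + 1:off + 5])
    return off + 5 + rel


def find_cave(image: bytes, size: int, start: int = 0) -> int:
    """Offset of the first run of at least `size` zero bytes at or after start, else -1."""
    run = 0
    for i in range(start, len(image)):
        run = run + 1 if image[i] == 0 else 0
        if run >= size:
            return i - size + 1
    return -1


def patch_entry(image: bytes, entry: int, payload: bytes, stolen_len: int) -> tuple[bytes, int]:
    """Return (patched image, cave offset) with the entry point routed through the cave."""
    if stolen_len < 5:
        raise ValueError("need at least 5 bytes at the entry point for a JMP rel32")
    stolen = image[entry:entry + stolen_len]
    tramp_len = len(payload) + stolen_len + 5
    cave = find_cave(image, tramp_len, start=entry + stolen_len)
    if cave < 0:
        raise ValueError("no cave large enough for the trampoline")
    buf = bytearray(image)
    # Trampoline: payload, then the displaced instructions, then a jump back to
    # the instruction that originally followed them.
    back_at = cave + len(payload) + stolen_len
    buf[cave:cave + tramp_len] = payload + stolen + jmp_rel32(back_at, entry + stolen_len)
    # Entry point: jump to the cave; NOP out what is left of the stolen region
    # so a disassembler never sees half an instruction.
    buf[entry:entry + 5] = jmp_rel32(entry, cave)
    buf[entry + 5:entry + stolen_len] = bytes([NOP]) * (stolen_len - 5)
    return bytes(buf), cave


def build_demo() -> tuple[bytes, int]:
    """Patch the constructed image; returns (patched image, cave offset)."""
    return patch_entry(ORIGINAL, ENTRY, PAYLOAD, STOLEN)


if __name__ == "__main__":
    img, cave = build_demo()
    print(f"entry {ENTRY:#x} -> JMP to cave at {cave:#x}")
    back = cave + len(PAYLOAD) + STOLEN
    print(f"cave JMP at {back:#x} -> back to {decode_jmp(img, back):#x}")
```

The detail practitioners most often get wrong is the rel32 arithmetic: the displacement is relative to the address of the instruction after the jump, so both jumps are encoded as `dst - (src + 5)`. The search for the cave deliberately starts after the stolen bytes, so padding that precedes the entry point is never chosen; on a real binary you would also confirm the cave lies inside an executable section.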
10. Code Injection – Static Injection (5)
• Static Code Injection is not widely used by Trojans.
• Understanding how Static Code Injection works helps to understand Dynamic Code Injection.
• Static Code Injection is harder to detect, since it may have occurred before the victim program arrived at a particular location.

11. Dynamic Code Injection
• Used by rootkits, trojans, viruses, spyware.
• Inserts code into a running program's memory space.
• No signs of tampering in the executable file: the changes are done on the fly while the process is running.

12. Dynamic Link Libraries (DLL)
• DLLs are shared libraries used across many programs.
 Instead of including the shared code in every executable, common functions are stored in a separate file accessible by the programs.
– Reduces executable size
– Increases code reuse
 Functions are accessed by memory address, resolved through the DLL's export table and the program's import table (the Import Address Table).

13. API Hooking
• Closely related to function overriding (interposition) in programming.
• Common practice in programming, mainly for debugging purposes.
• Uses DLL injection to implant its hook DLL.

14. API Hooking (continued)
• Malicious uses
 Override functions in programs to intercept data.
 Maintain functionality but add "bad features."
 Examples:
– An encryption routine in a DLL could be overridden to leak the data before it is encrypted.
– A function that sends web data could be overridden to send a duplicate copy to another server.

15. Lab Procedures (Dynamic Injection)
• Inject DLLs into running processes using
 APM
 Aphex's DLL Injector
• Use Process Explorer to show the new DLL loaded.

16. Trojans and Firewall Evasion (1)
• What is the relevance of Code Injection to an Internetwork Security class?
• Trojans often use code/DLL injection in an attempt to evade the firewall and communicate with the Internet.
• Reverse Connection: the attacker's computer does not contact you; your computer contacts the attacker's computer!
• Access to data prior to encryption!

17. Trojans and Firewall Evasion (2)
• Static code injection scenario:
 Install.exe was downloaded from Kazaa. (Assume Install.exe is your favorite videogame.)
 Install.exe is in reality MultiPlayerGame.exe wrapped together with an invisible Keylogger.exe.
 MultiPlayerGame.exe was injected with code that connects to the Internet and delivers Keylog.txt to an attacker's IP address.
 Because you willingly ran a multiplayer game, you will tell your firewall "Yes, allow MultiPlayerGame.exe to go outbound."

18. Trojans and Firewall Evasion (3)
• But as we said before, while harder to detect, Static Code Injection is not commonly used by trojans.
• Dynamic Code/DLL Injection is far more common and far more dangerous!
• Dynamic Code/DLL Injection scenario:
 warningIamAtrojanServer.exe was somehow executed by some irresponsible person.
 This installed, under the registry's Run key, a program that runs at startup for about one second and injects trojan.dll into iexplore.exe.
 The trojan is a Remote Administration Tool (RAT); because iexplore.exe already has firewall privileges, the RAT does too!

19. Trojans and Firewall Evasion (4)
• At the lab:
 We will install a firewall (Sygate Personal Firewall).
 We will test the firewall with Atelier Web Firewall Tester (it tests firewalls by trying to inject into processes that already have privileges in the firewall).
 Atelier claims that most firewalls fail these tests!!

20. Trojans and Firewall Evasion (5)
• Some Trojans that use injection:
 Assassin 2.0 – uses dynamic DLL injection for reverse connection.
 Beast 2.0 – uses dynamic DLL injection for reverse connection.
 Nuclear Uploader – uses dynamic DLL injection for reverse connection.
 Flux – uses dynamic code injection for reverse connection.
 Institution 2004 – claims to use DLL injection for reverse connection; allows a process to be patched remotely.

21. Trojans and Firewall Evasion (6)
• In the lab:
• We will play with Assassin 2.0; show the loaded .dll using Process Explorer.
• We will play with Institution 2004; show the ability to patch processes remotely.
• We will play with Flux; show that it does indeed use Internet Explorer to evade the firewall and yet no loaded .dll is detected.
• Tools: Process Explorer, Sygate Personal Firewall logs.

22. Protection
• How can you protect yourself from this attack?
• Anti-Hook
 Essentially a firewall for DLLs.
 Rule-based: allow only "trusted" DLLs to be loaded by programs.

23. Detection
• Static Injection
 File fingerprinting (compare the executable's hash against a known-good copy).
• Dynamic Injection
 Scan memory for rogue DLLs currently loaded.
 Check the resolved addresses of imported functions against their known addresses in the legitimate DLL.
24. Lab Procedures (Defenses)
• Use Advanced Process Manipulation (APM) to unload a DLL injected into a running process.
• Use TDS-3 to scan memory for rogue DLLs.

25. Conclusions
• This is a common technique.
• Comparable to buffer overflows.
• If you know how the technique works, you can defend yourself against the various malware that uses it.