DLL/PROCESS INJECTION WRITEUP
By Viktory.

--WHAT ARE DLLS?--
You have probably seen a lot of .DLL files in the directory of your programs. But what are they?
DLLs, or Dynamic-Link Libraries, are basically libraries for a program: they are loaded into the program's memory and their functions can then be called.


--WHY USE DLLS?--
The basic idea was that the developer doesn't have to rewrite common functions. All that has to be done is have the program call a specific function from the dll.


--WHAT IS DLL INJECTION?--
Basically, DLL injection is when a program is forced to load arbitrary code into its memory and have it executed. It can be applied in various ways, such as giving us an unfair advantage in video games, or having malicious code executed on a computer.


--HOW DOES DLL INJECTION WORK?--
There are a number of functions in the Windows API that allow us to inject our code into a process. DLL injector tools such as RemoteDLL or Cheat Engine can also be used; they use said functions to inject our dlls into a process.

The complete process of having a DLL injected into a process can be broken down into four parts:
1. Attaching to the targeted process using a handle; using function OpenProcess();
2. Allocating memory in the process for the dll; using function VirtualAllocEx()/ReadProcessMemory()/WriteProcessMemory();
3. Copying the DLL path into that memory, to be passed to LoadLibraryA();
4. Executing the DLL using CreateRemoteThread();
Here's an image by OpenSecurityResearch that explains the whole process: http://i.imgur.com/DAdnJyw.png
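The four-step chain above is also what a defender looks for. The following is an added example, not part of the writeup or its sources: a small Python detector run over a constructed API-monitor trace (the trace format, the pids and the dll path are all made up for the example) that flags a caller walking OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread into another process, and notes when the remote thread starts at LoadLibrary.

```python
from collections import defaultdict

# Constructed sample API-monitor trace (not from the writeup's sources):
# "<caller_pid> <target_pid> <api> <detail>", one call per line.
SAMPLE_TRACE = """\
1001 2002 OpenProcess PROCESS_ALL_ACCESS
1001 2002 VirtualAllocEx PAGE_READWRITE
1001 2002 WriteProcessMemory C:\\Temp\\PlsNotHack.dll
1001 2002 CreateRemoteThread kernel32!LoadLibraryA
3003 3003 VirtualAlloc PAGE_READWRITE
4004 5005 OpenProcess PROCESS_QUERY_INFORMATION
4004 5005 ReadProcessMemory 64
"""

# The writeup's four steps, in the order an injector calls them.
INJECTION_CHAIN = ("OpenProcess", "VirtualAllocEx",
                   "WriteProcessMemory", "CreateRemoteThread")
LOADLIBRARY_NAMES = ("LoadLibraryA", "LoadLibraryW")

def parse_trace(text):
    """Turn the trace text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) >= 3:
            events.append({"caller": int(parts[0]), "target": int(parts[1]),
                           "api": parts[2],
                           "detail": parts[3] if len(parts) > 3 else ""})
    return events

def find_injection_chains(events):
    """Flag (caller, target) pairs that walk the whole chain into another process."""
    progress = defaultdict(int)   # how far each pair has advanced in the chain
    hits = []
    for ev in events:
        if ev["caller"] == ev["target"]:
            continue                # same-process calls are normal, not injection
        key = (ev["caller"], ev["target"])
        if ev["api"] != INJECTION_CHAIN[progress[key]]:
            continue                # unrelated or out-of-order call: no progress
        progress[key] += 1
        if progress[key] == len(INJECTION_CHAIN):
            start = ev["detail"]    # a remote thread starting at LoadLibrary is
            hits.append({           # the classic DLL-injection signature
                "caller": ev["caller"], "target": ev["target"],
                "thread_start": start,
                "loads_library": start.endswith(LOADLIBRARY_NAMES)})
            progress[key] = 0       # reset so a repeat injection is flagged again
    return hits
```

Real telemetry (Sysmon's CreateRemoteThread event, an EDR API trace) carries the same fields, so the same per-pair ordering check applies; pid 4004 above is not flagged because it only reads the other process.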


--DLL PROXYING--
This is a method which is commonly used to bypass "activation" restrictions on programs, or to get arbitrary code loaded into a process while forwarding the function calls to the legitimate dll.
It is done by simply giving your dll the name of the one used by the program, then swapping it in for the original.

This is sort of how it works (imagine an XKCD background, with "PlsNotHack.dll" being the replaced dll used by the application)

EpikGame.exe: yo PlsNotHack.dll, gimme the time and date.
PlsNotHack.dll: alright sure man I'll ask LegitimateDll.dll real quick and get back to u
LegitimateDll.dll: it's 18th of April, 3:33PM
PlsNotHack.dll: it's 18th of April, 3:33PM; also let me see and shoot through walls.
EpikGame.exe: alright done thanks


--CHEATENGINE--
Cheat Engine is another nifty tool used for process injection and memory altering.
It attaches itself to a selected process, and then scans the memory of the process. It can be used to get ourselves infinite health in a game by asking CE to scan the memory for the value of our current health. When the correct address for the health value in memory is found, we can alter the value to a desired number, such as 9999.


--CONCLUSION--
In this (sad excuse of a) writeup, we went over what DLLs are, what DLL injection is, how to achieve it and what we get out of it.

Thanks for reading!


SOURCES
http://en.wikipedia.org/wiki/DLL_injection
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
http://www.bluenotch.com/files/Shewmaker-DLL-Injection.pdf
http://www.codeproject.com/Articles/5178/DLL-Injection-and-function-interception-tutorial
http://en.wikipedia.org/wiki/Cheat_Engine