Infosec Institute -
Classic DLL injection
DLL injection is a classic method of putting code into another process's memory. In the first stage, the loader writes the path of the new DLL into the virtual address space of the target process. Next, the loader creates a remote thread in the target process, which loads the DLL and executes it.
During malware analysis, it is common to find calls to the CreateToolhelp32Snapshot, Process32First and Process32Next Win32 API functions, used to enumerate processes and obtain a handle to a target process. After that, adversaries can put their malicious DLLs into the target's memory by using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread calls.
Figure 1 shows the block of code responsible for performing DLL injection.
Figure 1: Rebhip malware executing a common DLL injection (source).
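As an added example (not code from the article or from the Rebhip sample), the following Python detector walks a constructed API-monitor trace and flags a process that completes the VirtualAllocEx, then WriteProcessMemory, then CreateRemoteThread chain against the same process handle, noting whether the process-enumeration calls named above preceded it. The trace format and its field names (pid, api, hProcess, target_pid) are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample of an API-monitor trace; not output from any real sample.
TRACE = """\
pid=4120 api=CreateToolhelp32Snapshot
pid=4120 api=Process32First
pid=4120 api=Process32Next
pid=4120 api=OpenProcess target_pid=2280 hProcess=0x1a4
pid=4120 api=VirtualAllocEx hProcess=0x1a4 size=0x2e
pid=4120 api=WriteProcessMemory hProcess=0x1a4 size=0x2e
pid=4120 api=CreateRemoteThread hProcess=0x1a4 start=0x77a0b120
pid=5008 api=VirtualAllocEx hProcess=0x2c8 size=0x1000
pid=5008 api=WriteProcessMemory hProcess=0x2c8 size=0x1000
"""

# Call order the article describes for classic DLL injection.
CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")
ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'key=value key=value' into a dict (assumed trace format)."""
    return dict(FIELD_RE.findall(line))


def detect_injection(trace):
    """Return one alert per (pid, hProcess) pair that completes the chain."""
    stage = defaultdict(int)   # (pid, hProcess) -> index of next expected call
    targets = {}               # (pid, hProcess) -> target pid seen at OpenProcess
    enumerated = set()         # pids that walked the process list beforehand
    alerts = []
    for line in trace.splitlines():
        ev = parse_line(line)
        pid, api, h = ev.get("pid"), ev.get("api"), ev.get("hProcess")
        if api in ENUM_APIS:
            enumerated.add(pid)
            continue
        if h is None:
            continue
        key = (pid, h)
        if api == "OpenProcess":
            targets[key] = ev.get("target_pid")
        elif api == CHAIN[stage[key]]:
            stage[key] += 1
            if stage[key] == len(CHAIN):   # alloc -> write -> thread on one handle
                alerts.append({"pid": pid, "hProcess": h,
                               "target_pid": targets.get(key),
                               "enumerated_first": pid in enumerated})
                stage[key] = 0
    return alerts
```

A process that only allocates and writes (pid 5008 in the sample) is not alerted on, since the chain is incomplete without the remote thread.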
Reflective DLL injection
Reflective DLL injection, in contrast to the DLL injection approach, loads a DLL from memory rather than from disk. Instead of using a LoadLibrary() call, this technique requires a custom loader that emulates the tasks of the native LoadLibrary()