Red Team tutorial: A walkthrough on memory injection techniques

Infosec Institute - 

There are many techniques within the memory injection field. Some are often found in malware or used by security experts to run their material, like during a pentesting exercise.

Classic DLL injection

DLL injection is a classic method of putting code into another process in memory. The first stage — the loader — adds the path of the new DLL in the virtual address space of the target process. Next, the target process will load the DLL by creating a remote thread and execute it.

During malware analysis, it is common to find calls to the CreateToolhelp32Snapshot, Process32First and Process32Next Win32 API functions used to enumerate and get a handle to a target process. After that, adversaries can put their malicious DLLs into the memory by using the VirtualAllocEx, WriteProcessMemory and CreateRemoteThread calls capabilities. 

Figure 1 shows the block of code responsible for performing DLL injection.

Figure 1:  Rebhip malware executing a common DLL injection (source).

Reflective DLL injection

Reflective DLL injection, in contrast to the DLL injection approach, loads a DLL from memory rather than from disk. Instead of using a LoadLibrary() call, this technique requires a custom loader that emulates the tasks of the native LoadLibrary()

Read More: