Friday, August 26, 2011

DLL Injection: How do viruses hide themselves?

For a good virus, among many other things, one of the major requirements is to go unnoticed and undetected. This is achieved by injecting malicious code into the address space of an existing trustworthy process (commonly known as code injection or DLL injection). Now, there are two ways to run your code inside another process.

1. Allocate memory in the victim process, write your code into that space and spawn a new thread starting at that address.

2. Or, the better (and more commonly preferred) one: forcibly load a malicious DLL into the victim process.


I'll discuss way 2 in more detail. The code is divided into two modules:
1. Malicious DLL: This is the binary containing all the code for the specific tasks. Viruses put all the code related to replication, hooking, logging etc. in this DLL.
2. Injector process: This is a short-lived process. Its only task is to inject the DLL into the victim process (say explorer.exe), after which it exits.

In this blog entry, I'll discuss how the injector process works:

1. Get a handle to the victim process: In Windows, there are multiple ways to do so. You can get the handle by process name, by PID, or even by the title of the process's window (in case it is a UI process). There are several APIs for this, such as OpenProcess().

2. Once you have the handle, you need to start a new thread in the victim process and make that thread load your DLL. To do this, you set the start address of the newly created thread to LoadLibrary and its argument to the address of a wide-character string containing the name of the DLL. So, before you do this, you need to allocate some memory in the victim process and write the DLL's name into it. Once you have written the name and called LoadLibrary with the right argument, you are good to go. The OS will do the rest for you :)
It will automatically call the DllMain in your DLL and your work is done. You can execute any code you like via that DLL in the address space of the trustworthy process, and there is no easy way to detect it.

In the next post, I'll describe ways to detect whether any process on your machine has had a DLL injected into it.
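A first, simple check of the kind the detection post promises, added here as an example and not the author's own code: enumerate the modules each target process has loaded (a DLL pulled in via LoadLibrary shows up in the process module list like any other) and report those that either live outside the standard Windows and Program Files directories or do not carry a valid Authenticode signature. The default process name "explorer" is the page's own example victim; the trusted-directory list is an assumption to tune for your environment.

```powershell
# Added example: flag modules loaded into a process that sit outside the
# standard system directories or fail Authenticode verification.
param(
    [string]$ProcessName = "explorer"   # the page's example victim process
)

# Assumed set of trusted roots; extend for your own software baseline.
$trustedRoots = @(
    $env:SystemRoot,              # C:\Windows
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    # Module enumeration of a 64-bit process needs a 64-bit PowerShell,
    # and protected or elevated processes need administrative rights.
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning ("Cannot enumerate modules of PID {0}: {1}" -f $proc.Id, $_.Exception.Message)
        continue
    }

    foreach ($m in $modules) {
        $path = $m.FileName
        if (-not $path) { continue }

        # Is the module file located under one of the trusted roots?
        $inTrustedDir = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $inTrustedDir = $true
                break
            }
        }

        # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        $sigStatus = if ($sig) { $sig.Status } else { "Unknown" }

        if (-not $inTrustedDir -or $sigStatus -ne "Valid") {
            [PSCustomObject]@{
                PID        = $proc.Id
                Process    = $proc.ProcessName
                Module     = $m.ModuleName
                Path       = $path
                TrustedDir = $inTrustedDir
                Signature  = $sigStatus
            }
        }
    }
}
```

Run it as `.\Find-SuspectModules.ps1 -ProcessName explorer` (any file name will do). Two caveats worth keeping in mind: the check is a heuristic, so a DLL dropped into a system directory or signed with a stolen certificate passes, while legitimate third-party software loaded from elsewhere will be listed and needs a baseline to filter it out; and it only covers way 2 above, because code written straight into memory and started as a thread (way 1) never appears in the module list at all.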

Disclaimer: The intention of this post (and the other posts following this one) is not to encourage DLL injection but to increase awareness of it so that one can safeguard oneself against these things. I'll restrain myself from posting any directly working code.

Thursday, August 25, 2011

Back...

This was supposed to be a blog to pamper my technical side. But, damn this work life (yeah, I'm good at making excuses :P), I never put a single post here in 2 years. Lazy me, seriously... but not anymore.

First post coming soon, on DLL injection.