DLL injection is a technique which allows an attacker to run arbitrary code in the context of the address space of another process. If this process is running with excessive privileges then it could be abused by an attacker in order to execute malicious code in the form of a DLL file in order to elevate privileges.

Specifically this technique follows the steps below:

  1. A DLL needs to be dropped into the disk
  2. The “CreateRemoteThread” calls the “LoadLibrary”
  3. The reflective loader function will try to find the Process Environment Block (PEB) of the target process using the appropriate CPU register and from that will try to find the address in memory of kernel32dll and any other required libraries.
  4. Discovery of the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc.
  5. The functions above will be used to properly load the DLL into memory and call its entry point DllMain which will execute the DLL.

This article will describe the tools and the process of performing DLL injection with PowerSploit, Metasploit and a custom tool.

Manual Method

DLL’s can be created from scratch or through Metasploitmsfvenom which can generate DLL files that will contain specific payloads. It should be noted that a 64-bit payload should be used if the process that the DLL will be injected is 64-bit.

Generating Malicious DLL

Msfvenom – DLL Generation

The next step is to set up the metasploit listener in order to accept back the connection once the malicious DLL is injected into the process.

Metasploit Listener Configuration

Metasploit Listener Configuration

There are various tools that can perform DLL injection but one of the most reliable is the Remote DLL Injector from SecurityXploded team which is using the CreateRemoteThread technique and it has the ability to inject DLL into ASLR enabled processes. The process ID and the path of the DLL are the two parameters that the tool needs:

RemoteDLLInjector - Injecting DLL

From the moment that RemoteDLLInjector executes will provide the full steps that performs in order to achieve DLL injection.

RemoteDLLInjector - DLL Injection

RemoteDLLInjector – DLL Injection Method

If the DLL is successfully injected it will return back a meterpreter session with the privileges of the process. Therefore processes with higher privileges than the standard can be abused for privilege escalation.

Privilege Escalation - DLL Injection

Privilege Escalation – DLL Injection

Metasploit

Metasploit framework has a specific module for performing DLL injection. It only needs to be linked into a meterpreter session and to specify the PID of the process and the path of the DLL.

Metasploit - Reflective DLL Injection Module

Metasploit – Reflective DLL Injection Module

 

Metasploit - Reflective DLL Injection

Metasploit – Reflective DLL Injection

PowerSploit

Privilege escalation via DLL injection it is also possible with PowerSploit as well. The msfvenom can be used to generate the malicious DLL and then through the task manager the PID of the target process can be obtained. If the process is running as SYSTEM then the injected DLL will run with the same privileges as well and the elevation will be achieved.

Identify the Process ID

Discovery of the Process ID

The Invoke-DLLInjection module will perform the DLL injection as the example below:

PowerSploit - DLL Injection

PowerSploit – DLL Injection

The payload inside the DLL will be executed and SYSTEM privileges will be obtained.

DLL Executed as SYSTEM

DLL Executed with SYSTEM Privileges

References

https://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html

https://github.com/stephenfewer/ReflectiveDLLInjection

https://www.nettitude.co.uk/dll-injection-part-two/

Advertisements