DLL injection is a technique which allows an attacker to run arbitrary code in the context of the address space of another process. If this process is running with excessive privileges then it could be abused by an attacker in order to execute malicious code in the form of a DLL file in order to elevate privileges.

Specifically this technique follows the steps below:

1. A DLL needs to be dropped into the disk
2. The “CreateRemoteThread” calls the “LoadLibrary”
3. The reflective loader function will try to find the Process Environment Block (PEB) of the target process using the appropriate CPU register and from that will try to find the address in memory of kernel32dll and any other required libraries.
4. Discovery of the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc.
5. The functions above will be used to properly load the DLL into memory and call its entry point DllMain which will execute the DLL.

This article will describe the tools and the process of performing DLL injection with PowerSploit, Metasploit and a custom tool.

Manual Method

DLL’s can be created from scratch or through Metasploitmsfvenom which can generate DLL files that will contain specific payloads. It should be noted that a 64-bit payload should be used if the process that the DLL will be injected is 64-bit.

The next step is to set up the metasploit listener in order to accept back the connection once the malicious DLL is injected into the process.

There are various tools that can perform DLL injection but one of the most reliable is the Remote DLL Injector from SecurityXploded team which is using the CreateRemoteThread technique and it has the ability to inject DLL into ASLR enabled processes. The process ID and the path of the DLL are the two parameters that the tool needs:

From the moment that RemoteDLLInjector executes will provide the full steps that performs in order to achieve DLL injection.

If the DLL is successfully injected it will return back a meterpreter session with the privileges of the process. Therefore processes with higher privileges than the standard can be abused for privilege escalation.

Metasploit

Metasploit framework has a specific module for performing DLL injection. It only needs to be linked into a meterpreter session and to specify the PID of the process and the path of the DLL.

 

PowerSploit

Privilege escalation via DLL injection it is also possible with PowerSploit as well. The msfvenom can be used to generate the malicious DLL and then through the task manager the PID of the target process can be obtained. If the process is running as SYSTEM then the injected DLL will run with the same privileges as well and the elevation will be achieved.

The Invoke-DLLInjection module will perform the DLL injection as the example below:

The payload inside the DLL will be executed and SYSTEM privileges will be obtained.

References

https://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

https://disman.tl/2015/01/30/an-improved-reflective-dll-injection-technique.html

https://github.com/stephenfewer/ReflectiveDLLInjection

https://www.nettitude.co.uk/dll-injection-part-two/