DLLInjection

DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.

Approaches in Microsoft WindowsThere are at least two ways to force a program to load a DLL on Windows:

1. The operating systems dynamic linker will load DLLs listed under a certain registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs) into every process as it is started

2. Process manipulation functions can be used to inject a DLL into a program after it has started
Typically virus scanners and programs which are designed to alter the behavior of the system as a whole use the first technique, whereas targeted usages such as bots use the latter.


Whilst there are several ways to inject a DLL into a running process, here is an outline of one common approach:

1. A handle to the target process is obtained, this can be done by keying off something created by that process that is known to exist - for instance, a window with a predictable title, or by scanning through a list of running processes and obtaining a handle based on the target executable's filename.
2. Some memory is allocated in the target process, and the name of the DLL to be injected is written to it.
3. A new thread is created in the target process, with the threads start address set to be the address of LoadLibrary and the default argument set to the address of the string just uploaded into the target.
4. The Windows dynamic linker will now call DllMain in the injected DLL, allowing it to begin manipulating the targets address space. This approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module by the dynamic linker as a thread starts. By counting the process's own threads, unknown new threads can be detected. The issue here is that the injected code could - in some situations - alter the memory of the process so that it thinks the new thread is legitimate.

Windows Hooks - Needs Window Application; For GUI
Remote Threads - Windowless Application; if App is not having GUI

Links:
http://en.wikipedia.org/wiki/DLL_injection
DllInjection : 3 ways by Robert Kuster -http://www.codeguru.com/Cpp/WP/system/processesmodules/article.php/c5767/
API hooking revealed - http://www.codeproject.com/KB/system/hooksys.aspxfid=3602&df=90&mpp=25&noise=3&sort=Position&view=Quick&select=1322494&fr=51
Injective Code inside Windows PE File Header Import Table - http://www.ntcore.com/Files/inject2it.htmhttp://www.codeguru.com/cpp/wp/system/processesmodules/print.php/c5767
http://www.ddj.com/windows/184416791
VC++ FAQ - http://www.codeproject.com/KB/cpp/cppfaq10dec04-23jan05.aspx?display=Print
http://www.codeproject.com/KB/WCF/WCFInject.aspx