First up, once the file has been compiled and the executable launched, the following output is printed
on the screen:
DLLInjection-Basics.exe 7852 ----\\//---- DLL Injection Basics by Nik Alleyne | www.securitynik.com ----\\//---- [*] My current process ID is:[15808] [*] Enumerating all processes on the system ... -> [+] Successfully enumerated all processes [*] Searching through [211] process looking for the process with PID:[7852] ... ............................................................................................................................................................................................................... -> [*] Process with PID:[7852] found [*] Attempting to give myself [Debug] privileges ... -> [*] Successfully looked up current privileges -> [+] Successfully gained [SeDebugPrivilege] privileges! [*] Attempting to attach to the remote process with PID:[7852] ... -> [+] Successfully attached to the remote process with PID:[7852] -> [+] The handle returned to the remote process is [00000000000001D8] [*] Attempting to allocate space within the remote process with PID:[7852] ... -> [+] Successfully allocated space within the remote process -> [+] The base addressed returned for the remote process was [000002C426A40000] [*] Attempting to write [SampleDLL.dll] into the memory of process with PID:[7852] at base address:[000002C426A40000] ... -> [+] Successfully wrote [260] bytes to the process with PID:[7852] memory [*] Attempting to create a new thread in the remote process ... -> [+] Successfully created the new thread in the remote process -> [*] The handle received for the remote thread is [00000000000001DC] -> [*] I'm done my work. Let's now get out of here! ----------\\//--- www.securitynik.com ---//\\----------
The above suggests that everything went well. Let's first verify that a process with PID 7852 is running on our system.
C:\Users\Security Nik>tasklist /FI "PID eq 7852" Image Name PID Session Name Session# Mem Usage ========================= ======== ================ =========== ============ notepad.exe 7852 Console 1 15,676 K
From above it would be safe to say the PID 18296 belongs to notepad.exe.
Next up, above the application says it has obtained "Debug" privileges. Let's confirm this.
If you notice above, the PID is different from the one I originally had. Not to worry about that, I just had to rerun the code to get the debug information as I had not captured it before. However, as can be seen above the program has obtained "SeDebugPrivilege" which allows it to "Debug Programs".
Let's poke around a bit more in Process Explorer and look at the memory of this process. Below we see "SampleDLL.dll" has been written into this process's memory.
If we look at the modules tab, we see the SampleDLL.dll module is loaded.
Let's now use WinDBG to look at the memory base address "000002C426A40000" to see what we have here.
0:002> db 000002C426A40000 000002c4`26a40000 45 3a 5c 43 6f 64 65 5c-53 61 6d 70 6c 65 44 4c E:\Code\SampleDL 000002c4`26a40010 4c 2e 64 6c 6c 00 00 00-00 00 00 00 00 00 00 00 L.dll........... 000002c4`26a40020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000002c4`26a40030 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000002c4`26a40040 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000002c4`26a40050 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000002c4`26a40060 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 000002c4`26a40070 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
From above we see the path "E:\Code\SampleDLL.dll" to our DLL is loaded at the base addressed returned when we ran the program.
Let's see if we can learn anything else about this DLL. Let's first look at the "lm" command which list the modules. Let's be specific with our search.
0:002> lm m sample* Browse full module list start end module name 00007ffb`82fe0000 00007ffb`82feb000 SampleDLL (deferred)
Let's next see what other information we can get about this DLL
0:002> lmDvm SampleDLL Browse full module list start end module name 00007ffb`82fe0000 00007ffb`82feb000 SampleDLL (deferred) Image path: E:\Code\SampleDLL.dll Image name: SampleDLL.dll Browse all global symbols functions data Timestamp: Tue Jan 1 12:18:39 2019 (5C2BA0EF) CheckSum: 00000000 ImageSize: 0000B000 Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e4 Information from resource tables:
If we look below at the starting address specified by this DLL, we can see this is an executable file based on the "MZ" magic (Signature) and we see the MS-DOS stub also.
0:002> db 00007ffb`82fe0000 00007ffb`82fe0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. 00007ffb`82fe0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@....... 00007ffb`82fe0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ 00007ffb`82fe0030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................ 00007ffb`82fe0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th 00007ffb`82fe0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno 00007ffb`82fe0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS 00007ffb`82fe0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
If we look into into the process memory a bit, we can see some strings
0:002> db 00007ffb`82fe4470 L170 00007ffb`82fe4470 67 20 53 61 6d 70 6c 65-44 4c 4c 2e 64 6c 6c 20 g SampleDLL.dll 00007ffb`82fe4480 0a 00 00 00 00 00 00 00-50 72 6f 63 65 73 73 20 ........Process 00007ffb`82fe4490 77 69 74 68 20 50 49 44-3d 5b 00 00 00 00 00 00 with PID=[...... 00007ffb`82fe44a0 5b 2a 5d 20 50 72 6f 63-65 73 73 20 73 74 61 72 [*] Process star 00007ffb`82fe44b0 74 65 64 20 6f 6e 3a 20-00 00 00 00 00 00 00 00 ted on: ........ 00007ffb`82fe44c0 2d 2d 2d 2d 2d 2d 2d 2d-2d 2d 2d 2d 2d 3d 3d 3d -------------=== 00007ffb`82fe44d0 3d 3d 3d 2d 2d 2d 2d 2d-2d 2d 2d 2d 2d 2d 2d 2d ===------------- 00007ffb`82fe44e0 7c 7c 2d 2d 2d 2d 2d 2d-2d 2d 2d 2d 2d 2d 2d 2d ||-------------- 00007ffb`82fe44f0 3d 3d 3d 3d 3d 3d 2d 2d-2d 2d 2d 2d 2d 2d 2d 2d ======---------- 00007ffb`82fe4500 2d 2d 2d 0a 00 00 00 00-20 20 20 20 20 20 20 20 ---..... 00007ffb`82fe4510 20 20 20 20 20 20 57 65-6c 63 6f 6d 65 20 74 6f Welcome to 00007ffb`82fe4520 20 53 65 63 75 72 69 74-79 4e 69 6b 27 73 20 57 SecurityNik's W 00007ffb`82fe4530 6f 72 6c 64 20 0a 00 00-00 00 00 00 00 00 00 00 orld ........... 00007ffb`82fe4540 20 20 20 20 20 20 20 54-68 69 73 20 44 4c 4c 20 This DLL 00007ffb`82fe4550 77 61 73 20 69 6e 6a 65-63 74 65 64 20 62 79 20 was injected by 00007ffb`82fe4560 74 68 65 20 74 6f 6f 6c-20 27 44 4c 4c 49 6e 6a the tool 'DLLInj 00007ffb`82fe4570 65 63 74 69 6f 6e 2d 42-61 73 69 63 73 2e 65 78 ection-Basics.ex 00007ffb`82fe4580 65 27 0a 20 00 00 00 00-00 00 00 00 00 00 00 00 e'. ............ 00007ffb`82fe4590 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20 00007ffb`82fe45a0 20 20 20 20 4e 69 6b 20-41 6c 6c 65 79 6e 65 20 Nik Alleyne 00007ffb`82fe45b0 7c 7c 20 77 77 77 2e 73-65 63 75 72 69 74 79 6e || www.securityn 00007ffb`82fe45c0 69 6b 2e 63 6f 6d 20 20-20 20 20 20 20 20 20 20 ik.com 00007ffb`82fe45d0 20 20 0a 20 00 00 00 00-00 00 00 00 00 00 00 00 . ............
Now let's take a look at some of Process Monitor's output.
From above we see Process Monitor capturing the "Thread Create" activity and then immediately, we see there is activity for the file "SampleDLL.dll". If look closely we will see the "Load Image" for SampleDLL.dll and then we see activity for our file "C:\Users\Security Nik\SecurityNik.txt" being written and close.
Last but not least, our text file was created and have the following contents:
c:\Users\Security Nik\ type c:\home\SecurityNik\SecurityNik.txt Process with PID=[10512loading Sample DLL [*] Process started execution on current local time:Tue Jan 1 11:38:36 2019 -------------======-------------||--------------======------------- Welcome to SecurityNik's World This DLL was injected by the tool 'DLLInjection-Basics.exe' Nik Alleyne || www.securitynik.com -------------======-------------||----------------======-----------
Once again, don't get too hung-up on the fact that the PIDs may not match throughout, the concepts remain the same it is just that I did not have all the information ready at one time.
Hope you enjoyed the read.
References:
https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/lm--list-loaded-modules-