This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection. For example, if a process links to ‘ User32.dll’, ‘ GDI32.dll’, ‘ Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This step can be skipped if a suitable DLL name is already available in the target process.
Allocate some memory in the target process, and the name of the DLL to be injected is written to it. This can be done by spawning the process or by keying off something created by that process that is known to exist – for instance, a window with a predictable title, or by obtaining a list of running processes and scanning for the target executable's filename. Process manipulation functions such as CreateRemoteThread or code injection techniques such as AtomBombing, can be used to inject a DLL into a program after it has started. DLL must be signed by a valid certificate. 
That is the right way to use legal DLL injection on current version of Windows - Windows 10.
DLLs listed under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDLLs are loaded into every process that calls the Win32 API functions CreateProcess, CreateProcessAsUser, CreateProcessWithLogonW, CreateProcessWithTokenW and WinExec. Starting with Windows 8, the entire AppInit_DLL functionality is disabled when Secure Boot is enabled, regardless of code signing or registry settings. Beginning with Windows 7, the AppInit_DLL infrastructure supports code signing. Beginning with Windows Vista, AppInit_DLLs are disabled by default. 
DLLs listed in the registry entry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs are loaded into every process that loads User32.dll during the initial call of that DLL. There are multiple ways on Microsoft Windows to force a process to load and execute code in a DLL that the authors did not intend: 3.1 Copying a LoadLibrary-loaded DLL to a remote process.
0 kommentar(er)
