Hey all,
This post is about reflective dynamic link libraries (DLLs) and walks through how to write one. The technique was developed by Stephen Fewer, and this post uses his code to make the magic happen. I realize this is a topic that has been discussed several times, so I’m going to keep this post simple and tight.
References
- http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
- https://github.com/stephenfewer/ReflectiveDLLInjection
What is a DLL? A DLL is portable code that is often shared by applications. However, with respect to this post, a DLL is an opportunity to execute code. Why even bother with this? If our goal is to execute code, why not write an exe to disk? For a moment, consider the footprint: writing to disk, creating a process, and then doing stuff; it can add up in a hurry. Enter DLLs and how we can go about loading them into memory.
Normally, DLLs are loaded into memory when a process is started; however, they can also be injected into an already running process. Through DLL injection we no longer need to create a process to execute code (there are various DLL injection techniques); yet, we still need to write our file to disk in order to inject. Reflective DLL injection solves this. Developed by Stephen Fewer, this technique allows us to inject code into an existing process without ever writing to disk. So, using reflective DLL injection, we go from writing to disk and creating a process to injecting our code entirely in memory … thank you Stephen.
How to Defend or Detect
Endpoint protection platforms (EPP) are starting to flag these techniques. Personally, I would explore reflective DLL injection on an endpoint using my EPP software to identify any limitations. Additionally, reflective DLLs will often execute malicious code by using Windows API calls, a potential detection point. For example, CreateRemoteThread is a popular technique to execute shellcode in a remote process.
A few other tools, found after watching Raphael’s latest post on in-memory evasion:
- Get-InjectedThread
- Reflective-injection-detection (unverified)
- LOKI (unverified)
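As an added example (not from the original post or from Stephen Fewer's project), here is a small Python triage script that applies the two detection points above to constructed CreateRemoteThread records: a remote thread whose start address does not resolve to any module loaded from disk is what a reflectively loaded DLL looks like (the condition Get-InjectedThread keys on), while a thread started at LoadLibrary* is the classic disk-backed injection. The records are a constructed, flattened key=value form of the Sysmon Event ID 8 fields, not Sysmon's real XML.

```python
import re

# Constructed sample records, flattened from the Sysmon Event ID 8
# (CreateRemoteThread) fields: SourceImage, TargetImage, StartAddress,
# StartModule, StartFunction. Real events are XML; this form is for the demo.
SAMPLE_EVENTS = [
    # Thread start resolved to a function inside a module mapped from disk.
    "SourceImage=C:\\Tools\\debugger.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x00007FFD1E2B3C40 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=RtlUserThreadStart",
    # Classic DLL injection: thread starts at LoadLibraryA, DLL must exist on disk.
    "SourceImage=C:\\Users\\demo\\injector.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x00007FFD1D4A1F10 StartModule=C:\\Windows\\System32\\kernel32.dll "
    "StartFunction=LoadLibraryA",
    # Reflective DLL / shellcode: start address sits in memory no image file backs.
    "SourceImage=C:\\Users\\demo\\stager.exe TargetImage=C:\\Windows\\System32\\notepad.exe "
    "StartAddress=0x0000020C1A3F0000 StartModule= StartFunction=",
]

LOADLIBRARY_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# key=value pairs separated by whitespace; values may be empty.
_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_event(line: str) -> dict:
    """Turn one flattened record into a dict of Sysmon field names to values."""
    return dict(_FIELD.findall(line))


def classify_remote_thread(ev: dict) -> str:
    """Return 'module-backed', 'loadlibrary-injection' or 'unbacked-start'."""
    module = ev.get("StartModule", "")
    func = ev.get("StartFunction", "")
    # Assumption: an unresolved module is logged as empty or as "-".
    if module in ("", "-"):
        # No on-disk image contains the start address: the reflective case.
        return "unbacked-start"
    if func in LOADLIBRARY_FUNCS:
        # Thread entry is LoadLibrary*: a DLL path was written to the target.
        return "loadlibrary-injection"
    return "module-backed"


def triage(lines):
    """Return (source, target, verdict) for every record that is not module-backed."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify_remote_thread(ev)
        if verdict != "module-backed":
            findings.append((ev.get("SourceImage"), ev.get("TargetImage"), verdict))
    return findings
```

The "unbacked-start" verdict is the one that separates reflective loading from disk-based injection; in practice you would confirm it by inspecting the target's memory regions, which is what Get-InjectedThread automates.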