UserExistsError / InjectDll

Inject a Dll from memory
MIT License

Is this method easy to detect? #5

Closed pepeu93 closed 1 year ago

pepeu93 commented 1 year ago

Hello, I see that when I inject a dll using this method and open Process Hacker to check the injected executable's modules, the dll is not shown there.

Is this method hard to detect? Or do you recommend using any of these: https://github.com/KooroshRZ/Windows-DLL-Injector

UserExistsError commented 1 year ago

The technique used by this project is not particularly stealthy. It's a bare-minimum "file-less" implementation that writes shellcode into the remote process and executes it by creating a remote thread with RtlCreateUserThread. It won't show up in the loaded modules list because, although you provide a dll, the entire contents are read into memory by InjectDll.exe, then a shellcode loader is prepended to the dll and the entire thing is written into the target process.

Therefore, the Windows module loader is never invoked and the dll is never added to the loaded modules list (actually accessed here to find dependencies). The loader is the same one used by meterpreter, so it will likely get flagged.

This technique is certainly more stealthy than calling CreateRemoteThread on the remote process's LoadLibrary, which will load the dll directly from disk, and the dll will show up in the loaded modules list.
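The defender's counterpart to the comment above, added here as an example and not code from InjectDll or its author: a DLL brought in through LoadLibrary lives in a MEM_IMAGE region and is listed as a module, while a DLL copied into the target behind a loader stub leaves a committed, private, executable region that still begins with an MZ/PE header. The scanner below flags exactly those regions. The `Region` layout, the constructed sample snapshot and the two verdict labels are this example's own assumptions; on Windows it can walk a live process with `VirtualQueryEx` and `ReadProcessMemory` given a PID, and elsewhere it runs over the constructed snapshot.

```python
"""Flag executable memory that is not backed by an image section and that
holds a PE header: the footprint left by a DLL written into a process behind
a loader stub rather than loaded through the Windows module loader."""
import struct
import sys
from dataclasses import dataclass

# winnt.h constants
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_NOACCESS = 0x01
PAGE_GUARD = 0x100
EXEC_PROTECTIONS = {0x10, 0x20, 0x40, 0x80}  # PAGE_EXECUTE{,_READ,_READWRITE,_WRITECOPY}


@dataclass
class Region:
    """One VirtualQueryEx result plus the first bytes of the region (assumed layout)."""
    base: int
    size: int
    state: int
    protect: int
    kind: int      # MEM_PRIVATE, MEM_MAPPED or MEM_IMAGE
    head: bytes    # up to 0x200 bytes read from `base`; empty if unreadable


def is_executable(protect: int) -> bool:
    # Low byte is the access type; PAGE_GUARD / PAGE_NOCACHE sit in the high bits.
    return (protect & 0xFF) in EXEC_PROTECTIONS


def has_pe_header(head: bytes) -> bool:
    """True if `head` starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
    return e_lfanew + 4 <= len(head) and head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def classify(regions):
    """Map base address -> verdict for committed, private, executable regions.
    'pe-image'  : begins with a PE header (high signal)
    'exec-priv' : no PE header; JIT engines produce these too, so treat as a lead."""
    verdicts = {}
    for r in regions:
        if r.state != MEM_COMMIT or r.kind != MEM_PRIVATE or not is_executable(r.protect):
            continue
        verdicts[r.base] = "pe-image" if has_pe_header(r.head) else "exec-priv"
    return verdicts


def enumerate_live(pid: int, head_len: int = 0x200):
    """Windows only: walk `pid`'s address space with VirtualQueryEx and read each
    committed region's first bytes. Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ."""
    import ctypes
    from ctypes import wintypes

    fields = [("BaseAddress", ctypes.c_void_p), ("AllocationBase", ctypes.c_void_p),
              ("AllocationProtect", wintypes.DWORD)]
    if ctypes.sizeof(ctypes.c_void_p) == 8:
        fields.append(("PartitionId", wintypes.WORD))  # only in the 64-bit struct layout
    fields += [("RegionSize", ctypes.c_size_t), ("State", wintypes.DWORD),
               ("Protect", wintypes.DWORD), ("Type", wintypes.DWORD)]
    MBI = type("MEMORY_BASIC_INFORMATION", (ctypes.Structure,), {"_fields_": fields})

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = wintypes.HANDLE
    k32.VirtualQueryEx.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, ctypes.POINTER(MBI), ctypes.c_size_t]
    k32.VirtualQueryEx.restype = ctypes.c_size_t
    k32.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    handle = k32.OpenProcess(0x0400 | 0x0010, False, pid)
    if not handle:
        raise OSError(f"OpenProcess({pid}) failed, error {ctypes.get_last_error()}")
    regions, addr, mbi = [], 0, MBI()
    try:
        while k32.VirtualQueryEx(handle, addr, ctypes.byref(mbi), ctypes.sizeof(mbi)):
            base, head = mbi.BaseAddress or 0, b""
            if mbi.State == MEM_COMMIT and not mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD):
                buf = ctypes.create_string_buffer(min(head_len, mbi.RegionSize))
                got = ctypes.c_size_t()
                if k32.ReadProcessMemory(handle, base, buf, len(buf), ctypes.byref(got)):
                    head = buf.raw[:got.value]
            regions.append(Region(base, mbi.RegionSize, mbi.State, mbi.Protect, mbi.Type, head))
            addr = base + mbi.RegionSize
    finally:
        k32.CloseHandle(handle)
    return regions


def _fake_pe(size: int = 0x200) -> bytes:
    """Constructed bytes: MZ stub with e_lfanew = 0x80 and 'PE\\0\\0' there; not a real DLL."""
    img = bytearray(size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    return bytes(img)


# Constructed snapshot standing in for a VirtualQueryEx walk of a target process.
SAMPLE_REGIONS = [
    Region(0x7FF9_1A00_0000, 0x1000, MEM_COMMIT, 0x02, MEM_IMAGE, _fake_pe()),           # module header (R)
    Region(0x7FF9_1A01_0000, 0x100000, MEM_COMMIT, 0x20, MEM_IMAGE, b"\x48\x89\x5c\x24"), # module .text (RX)
    Region(0x0200_0000_0000, 0x10000, MEM_COMMIT, 0x04, MEM_PRIVATE, b"\0" * 16),         # heap (RW)
    Region(0x0200_0050_0000, 0x40000, MEM_COMMIT, 0x40, MEM_PRIVATE, _fake_pe()),         # DLL copied in (RWX)
    Region(0x0200_0060_0000, 0x1000, MEM_COMMIT, 0x20, MEM_PRIVATE, b"\x55\x48\x89\xe5"), # stub, no header (RX)
    Region(0x0200_0070_0000, 0x1000, 0x2000, 0x01, MEM_PRIVATE, b""),                     # reserved only
]

if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.platform == "win32"
    for base, verdict in sorted(classify(enumerate_live(int(sys.argv[1])) if live else SAMPLE_REGIONS).items()):
        print(f"{base:#018x}  {verdict}")
```

Run without arguments to see the two flagged regions from the constructed snapshot; on Windows, `python scan.py <pid>` applies the same rules to a live process. The "exec-priv" verdict is deliberately weaker than "pe-image": a loader whose header has been erased still shows up as private executable memory, but so does legitimate JIT output, so that class is a starting point for a closer look rather than a conviction.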

derricck commented 1 year ago

@UserExistsError Is this method based on https://github.com/stephenfewer/ReflectiveDLLInjection? I couldn't get your InjectDLL to work when a process is x64. Do you have any modified version of ReflectiveDLLInjection that supports x64 processes?

Do you have Discord or email? I would like to request something related from you; I'm able to pay for this work.

UserExistsError commented 1 year ago

@derricck You can open a new issue if you're having a problem with the code. But really quick, some things to consider:

This code has been written to support injecting from a 32- or 64-bit InjectDll.exe into a 64-bit process.

Some reasons injecting into a 64-bit process may fail:

  1. Your DLL is not 64-bit
  2. You don't have permissions to open the process
  3. The process you're trying to inject into is a Protected Process