Once a malicious DLL is injected, how does it get executed?

(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

I'm just learning about memory analysis and how Windows works internally. I've known for a long time a DLL allows for programs to import its functions. However, once a malicious DLL is injected into a process, how are those malicious functions getting executed by the victim process?


   
(@xennith)
Estimable Member
Joined: 15 years ago
Posts: 177
 

DLLs have entrypoint functions called "DllMain" which are executed on load, unload, etc., and passed certain parameters.

It's wobbly as hell to try to execute stuff from within a DllMain function, as you can cause bluescreens or hangs if you try to load another DLL function, but this is the primary method used for executing injected code.


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

There's a short DLL_Inject_Tutorial over at codeproject (dot) com.
It assumes you are comfortable with source code (lots of sample code), software development, and can read and understand some fairly technical sources.

There's also a slightly higher-level document called 'Analyzing DLL Injection' – a collection of presentation slides and notes.

The main thing is that Windows gives you a lot of rope. The CreateRemoteThread() is one example – if you have the right privileges, you can create a thread in another process. The trick is finding a situation where you can make this particular system call work for you.

Of course, if you can attack a .DLL file, you can add the hostile DLL to its list of 'other DLLs this DLL needs to run', and just wait until your own DllMain() routine is called as part of process startup.


   
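The import-list route mentioned in the reply above can be checked from the defender's side by reading the DLL names out of a file's import directory and comparing them with a known-good copy. This is an added example, not part of the original thread; the function names, the sample DLL names and the minimal PE32 image built by `build_sample` are all constructed for illustration.

```python
import struct

def build_sample(dlls):
    """Constructed minimal PE32 byte image holding only an import directory."""
    pe = bytearray(0x400)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)            # e_lfanew
    struct.pack_into("<HH", pe, 0x44, 0x14C, 1)       # i386, one section
    struct.pack_into("<H", pe, 0x54, 224)             # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x58, 0x10B)           # PE32 magic
    struct.pack_into("<II", pe, 0x58 + 96 + 8, 0x1000, 20 * (len(dlls) + 1))
    pe[0x138:0x13E] = b".idata"                       # section header at 0x58 + 224
    struct.pack_into("<IIII", pe, 0x140, 0x200, 0x1000, 0x200, 0x200)
    desc, strs = 0x200, 0x200 + 20 * (len(dlls) + 1)
    for d in dlls:
        struct.pack_into("<I", pe, desc + 12, strs - 0x200 + 0x1000)  # Name RVA
        pe[strs:strs + len(d) + 1] = d.encode() + b"\0"
        desc, strs = desc + 20, strs + len(d) + 1
    return bytes(pe)

def rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vsize, va, _, raw in sections:
        if va <= rva < va + vsize:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")

def imported_dlls(pe):
    """DLL names the loader maps (and runs DllMain for) when this image loads."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, = struct.unpack_from("<H", pe, nt + 6)
    opt_size, = struct.unpack_from("<H", pe, nt + 20)
    opt = nt + 24
    magic, = struct.unpack_from("<H", pe, opt)        # 0x10B = PE32, else PE32+
    imp_rva, = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112) + 8)
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
                for i in range(nsect)]
    names, off = [], rva_to_offset(imp_rva, sections)
    while (name_rva := struct.unpack_from("<I", pe, off + 12)[0]) != 0:
        start = rva_to_offset(name_rva, sections)     # descriptors are 20 bytes each
        names.append(pe[start:pe.index(b"\0", start)].decode("ascii").lower())
        off += 20
    return names

def unexpected_imports(pe, baseline):
    """Imports present in this file but absent from the known-good list."""
    return [d for d in imported_dlls(pe) if d not in baseline]
```

The check covers only the static import directory, so a DLL brought in at run time by a remote thread has to be found in the process's loaded-module list instead.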
(@audio)
Estimable Member
Joined: 19 years ago
Posts: 149
Topic starter  

Very cool. It's already a lot more clear and now I got some good leads for Google. :) Thanks guys!


   