Attackers can manipulate information in RAM to gain elevated access. In this video, you’ll learn how memory and DLL injections are used in an attack.
The software that runs on your computer all runs inside of memory. Nothing executes on your computer unless it’s loaded from disk, runs inside of memory, and is processed by your CPU. So obviously, malware itself has to somehow get into memory to be able to operate.
And there are a lot of different running processes that you’ll find inside of your memory. There are DLLs, or Dynamic-Link Libraries, in Windows. There are threads, buffers, memory management functions, and other things that are stored and operate inside of the memory of your computer.
The malware, then, has a number of choices for how to run on your computer. It can run as its own process in memory, or it can find an existing process and inject itself into the middle of that process.
Here’s a block diagram that describes a process or an application that’s running inside of memory. In this process, there is a starting address and an ending address. And if you wanted to inject malware into this process, you would need to inject it somewhere between those two addresses. Not only does this allow malware to avoid detection by anti-malware that’s just looking for a separate malicious process, but it also allows this malware to have the same rights and permissions as the process that it’s injecting into. This means it’s a very easy way for the malware to suddenly have privilege escalation, or higher rights and permissions than what it would normally have on that system.
One of the most common forms of malware injection is called DLL injection. DLL stands for Dynamic-Link Library. So it’s effectively a type of executable on your system that many different processes and applications can use. For this to work, the attackers first need to get this malicious DLL installed onto some storage that your system can access. The attacker wants this DLL to run as part of this target process. But obviously, the DLL is not already part of this application.
The implementation of this, though, is relatively easy for the attacker. The attacker puts a path to where the malicious DLL is located somewhere on a storage drive, and will put that path or a link to that path inside of the target process. As the process is executing, it reaches the point where it needs to reference that DLL. It goes out to disk, pulls in the malicious DLL, and it is loaded into memory. And now the malware is running on that system.
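Because the injected DLL is just another file pulled in from disk, a defender's first check is whether every module a process has loaded comes from where that process is expected to load code. The script below is an added example, not part of the video or any vendor tool: it triages a snapshot of a process's loaded modules and flags any module that is loaded from a directory other than the trusted ones, is unsigned, or is not in the process's known baseline. The process name, install directory, module list and signature flags are all constructed for illustration; in practice the snapshot would come from whatever module-enumeration or image-load telemetry you already collect.

```python
"""Triage a snapshot of a process's loaded modules for signs of DLL injection.

Everything below is a constructed example: the process name "ExampleApp.exe",
its install directory, and the module list are hypothetical. A real deployment
would feed in the module list reported by an endpoint agent or memory snapshot.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which this process is allowed to load DLLs. An injected DLL
# must be written somewhere on disk first, and attackers rarely get to drop it
# into System32 or the application's own install directory.
TRUSTED_DIRS = (
    r"C:\Windows\System32",
    r"C:\Program Files\ExampleApp",  # hypothetical install directory
)

# Per-process baseline: the DLL file names the process is known to load under
# normal operation. Keys and values are lower-cased for comparison.
BASELINE = {
    "exampleapp.exe": {"ntdll.dll", "kernel32.dll", "user32.dll", "exampleapp.dll"},
}


@dataclass
class Module:
    name: str      # file name of the loaded image
    path: str      # full on-disk path the loader resolved
    signed: bool   # whether the image carried a valid code signature


def in_trusted_dir(path: str) -> bool:
    """True if the module's parent directory is exactly one of TRUSTED_DIRS.

    PureWindowsPath compares case-insensitively, so "c:\\windows\\system32"
    matches. Subdirectories of a trusted directory are deliberately not trusted.
    """
    parent = PureWindowsPath(path).parent
    return any(parent == PureWindowsPath(d) for d in TRUSTED_DIRS)


def triage(process_name: str, modules: list[Module]) -> list[tuple[str, list[str]]]:
    """Return (module name, reasons) for every module that deserves a closer look.

    A module with no reasons is omitted; a module may accumulate several reasons.
    """
    baseline = BASELINE.get(process_name.lower(), set())
    findings = []
    for m in modules:
        reasons = []
        if not in_trusted_dir(m.path):
            reasons.append("loaded from untrusted directory")
        if not m.signed:
            reasons.append("unsigned")
        if m.name.lower() not in baseline:
            reasons.append("not in baseline")
        if reasons:
            findings.append((m.name, reasons))
    return findings


# Constructed snapshot: three expected modules plus one DLL that was dropped
# into a world-writable directory and then pulled into the process.
SAMPLE_MODULES = [
    Module("ntdll.dll", r"C:\Windows\System32\ntdll.dll", True),
    Module("kernel32.dll", r"C:\Windows\System32\kernel32.dll", True),
    Module("ExampleApp.dll", r"C:\Program Files\ExampleApp\ExampleApp.dll", True),
    Module("helper.dll", r"C:\Users\Public\helper.dll", False),
]

if __name__ == "__main__":
    for name, reasons in triage("ExampleApp.exe", SAMPLE_MODULES):
        print(f"{name}: {', '.join(reasons)}")
```

The three checks are independent on purpose: an attacker who manages to sign a DLL still trips the directory and baseline checks, and a DLL renamed to match a baseline entry still trips the path check. Note that a clean result only says the process's modules look as expected; it does not prove that no code was injected by other means.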