Understanding DLL Injection Techniques in Malicious Internet Explorer Processes

1. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) myInjectDll() { } malicious process Internet Explorer process

2. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) myInjectDll() { h=OpenProcess(,,proc_id) } malicious process Internet Explorer process

3. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) } malicious process Internet Explorer process

4. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) 0x4000 myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) } malicious process Internet Explorer process

5. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) 0x4000 myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) WriteProcessMem(h,addr,buf,size,…) } malicious process Internet Explorer process

6. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) 0x4000 myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) WriteProcessMem(h,addr,buf,size,…) } “evil.dll” malicious process Internet Explorer process

7. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) 0x4000 myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) WriteProcessMem(h,addr,buf,size,…) CreateRemoteThread(h,,,start,param,…) } “evil.dll” malicious process Internet Explorer process

8. kernel32.dll LoadLibrary(filename) LoadLibrary(filename) 0x4000 myInjectDll() { h=OpenProcess(,,proc_id) addr = VirtualAllocEx(h,, size,,,) WriteProcessMem(h,addr,buf,size,…) CreateRemoteThread(h,,,start,param,…) } “evil.dll” LoadLibrary(“evil.dll”) malicious process Internet Explorer process