What is DLL Injection and how does it enable red team tradecraft?
Learn what a DLL Injection attack is and how it is used in red team tradecraft.
Dynamic Link Library (DLL) Injection is a technique by which external code is executed within the address space of a process by loading a DLL file into that process. This is legitimate operating system functionality with genuine use cases such as debugging and reverse engineering, but it can also be used to load and execute malicious code without being detected.
Allow me to explain this with an analogy.
Imagine there are two rival kingdoms, Kingdom A and Kingdom B.
As happens in such situations, both kingdoms want to sabotage each other, but they don’t want to start an actual war. Things escalate. Kingdom A sends a spy to Kingdom B and asks its agent in Kingdom B to install the spy in the King’s court. The agent gets the spy registered in Kingdom B, sneaks the spy into the palace, and helps the spy get a job in the King’s court. The spy, in the guise of a trusted servant of Kingdom B, then unfolds their nefarious plan to sabotage the kingdom from within.
Now, let’s break down this analogy to understand how DLL Injection can be used as an attack vector (more or less):
The spy from Kingdom A is the malicious DLL.
Asking Kingdom B’s agent to install the spy is similar to commanding the red team operator’s beacon on the target machine to download this DLL and inject it.
The agent registering the spy in the kingdom records is akin to the beacon storing the DLL on the disk.
The agent sneaking the spy into the palace is akin to the beacon using the LoadLibraryA Windows API to load the DLL into memory.
Finally, getting the spy a job in the King’s court is similar to the beacon using other Windows APIs to inject the DLL into the address space of another process and creating a thread to execute the code in the DLL.
The spy is in the guise of a servant of the court, and therefore trusted. Similarly, the malicious DLL runs in the context of a non-suspicious process, so its activities don’t get detected by the endpoint security solution.
Red Team Notes
In technical terms, a DLL injection attack is a technique where an attacker forces a legitimate application to load a malicious DLL into its memory space. This allows the attacker to execute arbitrary code within the context of the targeted process. By doing so, the attacker can manipulate the application’s behavior, steal sensitive information, or perform malicious actions under the guise of a trusted process.
In theory, any malicious activity performed through this technique goes undetected. In practice, host-based security solutions have advanced enough to detect it.
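As an added example (not code from the original post), here is a small Python detector that illustrates the detection point above: it scans image-load records and flags DLLs loaded from locations or with signing properties that are unusual for a trusted process. It assumes Sysmon Event ID 7 (Image loaded) fields flattened into key=value lines; the sample records, the directory heuristics and the flattened format are constructed assumptions, not real telemetry.

```python
"""Flag image-load records that look like an injected DLL (Sysmon Event ID 7 style)."""
import re
from typing import Dict, List

# Constructed sample records in a flattened key=value layout (assumed, not real Sysmon output).
SAMPLE_EVENTS = [
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll Signed=true Signature=Microsoft Windows",
    "EventID=7 Image=C:\\Windows\\explorer.exe ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\update.dll Signed=false Signature=-",
    "EventID=7 Image=C:\\Windows\\System32\\svchost.exe ImageLoaded=C:\\ProgramData\\x\\helper.dll Signed=true Signature=Contoso Ltd",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe",
]

# Heuristic path lists (assumptions): where DLLs are expected, and where user-writable drop sites are.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SUSPECT_DIRS = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\downloads\\", "\\public\\")

# Key=Value pairs; values may contain spaces, so match lazily up to the next " Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened record into a field dictionary."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def score_load(event: Dict[str, str]) -> List[str]:
    """Return the reasons an image-load event looks like DLL injection (empty list if benign)."""
    reasons: List[str] = []
    if event.get("EventID") != "7":          # only Image-loaded events are relevant here
        return reasons
    loaded = event.get("ImageLoaded", "").lower()
    host = event.get("Image", "").lower()
    if not loaded.startswith(TRUSTED_DIRS):
        reasons.append("dll outside trusted directories")
    if any(d in loaded for d in SUSPECT_DIRS):
        reasons.append("dll in user-writable directory")
    if event.get("Signed", "").lower() != "true":
        reasons.append("unsigned dll")
    elif host.startswith("c:\\windows\\") and not event.get("Signature", "").startswith("Microsoft"):
        reasons.append("non-Microsoft dll loaded by a Windows binary")
    return reasons


def find_suspicious(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious ImageLoaded path to the reasons it was flagged."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        event = parse_event(line)
        reasons = score_load(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits
```

Legitimate installers and updaters also load DLLs from these locations, so hits are triage candidates rather than verdicts; correlating the loading process with the DLL's hash (also present in Event ID 7) narrows them further.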
Examples of real-world cyber attacks where this technique was used include Conti, Emotet and PoisonIvy.
Here’s a Python PoC of a DLL Injection attack (by infodox).
If you want to dive deep into the technical details of how a DLL injection attack works, below is the video "Dll Injection Explained in 10 Minutes" by Debasish Mandal.