What is Reflective DLL Injection and how does it enable red team tradecraft?
Learn what a Reflective DLL Injection attack is and how it is used in red team tradecraft.
To understand the Reflective DLL Injection technique, we first need to understand what reflective programming is.
Reflective programming, or reflection, refers to the ability of a program or process to introspect itself at runtime and modify its own structure and behaviour. Conceptually, this is similar to a human's ability to introspect (or reflect) on themselves and change their thoughts, behaviour or beliefs.
Building on that definition, Reflective DLL Injection is a technique in which a program (here, a specially crafted DLL) introspects its own address space and loads itself into the address space of another process. Used as an attack vector, this gives red team operators a way to inject a malicious DLL into another process without writing it to disk (unlike a classic DLL injection attack) and to execute malicious code without being detected.
This technique was discovered by Stephen Fewer. Here's the PoC that Stephen published in his GitHub repository.
Red Team Notes
- A reflective DLL injection attack is a more advanced form of DLL injection where the attacker injects a malicious Dynamic Link Library (DLL) directly into the memory of a target process without writing the DLL to disk.
- The DLL operates entirely in memory, making it difficult for traditional file-based antivirus systems to detect.
- No file artifacts are left on disk, reducing forensic evidence.
- It can be detected by behavioural analysis and memory scanning techniques.
- Examples of real-world cyber attacks where this technique was used include attacks by Lazarus Group, Matryoshka, and PipeMon.

Follow my journey of 100 Days of Red Team on WhatsApp or Discord.
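As an added, defender-side example (this is not code from the original post nor from Stephen Fewer's PoC), the Python below shows what the "memory scanning" detection mentioned in the notes looks like in practice. It walks a list of memory regions modelled on what `VirtualQueryEx` reports for a process (the `Region` records and the sample memory map are constructed for this example; the `MEM_*` and `PAGE_*` constants are the real Win32 values) and flags executable regions that are not backed by an image file on disk. A region that is private, executable and still starts with a PE header is the classic footprint of a reflectively loaded DLL, whereas a private executable region without a PE header may just be JIT-emitted code, so the heuristic reports its reasons rather than a single verdict.

```python
"""Heuristic memory-map scan for reflectively loaded DLLs.

The memory map below is a constructed sample, not captured from a real
process. Region records mimic the fields returned by VirtualQueryEx
(base, size, protection, type) plus the mapped file path and the first
bytes of the region, which a real scanner would read with ReadProcessMemory.
"""
from dataclasses import dataclass
from typing import List, Optional

# Win32 memory-type and page-protection constants (values as defined in the API)
MEM_IMAGE = 0x1000000
MEM_MAPPED = 0x40000
MEM_PRIVATE = 0x20000
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
                   | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    mapped_path: Optional[str]  # None when no file backs the region
    head: bytes                 # first bytes of the region


def is_executable(protect: int) -> bool:
    """True if any execute bit is set in the page protection."""
    return bool(protect & EXECUTABLE_MASK)


def looks_like_pe(head: bytes) -> bool:
    """Check for a DOS 'MZ' stub whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def suspicious_regions(regions: List[Region]) -> List[dict]:
    """Return executable regions that no image file on disk accounts for."""
    findings = []
    for r in regions:
        if not is_executable(r.protect):
            continue
        if r.mem_type == MEM_IMAGE and r.mapped_path:
            continue  # module loaded by the OS loader and backed by a file
        reasons = ["executable and not image-backed"]
        if r.protect == PAGE_EXECUTE_READWRITE:
            reasons.append("RWX")  # writable + executable, rarely legitimate
        if looks_like_pe(r.head):
            reasons.append("PE header in private memory")
        findings.append({"base": r.base, "size": r.size, "reasons": reasons})
    return findings


# Constructed PE header: 'MZ', zero padding, e_lfanew = 0x40, then 'PE\0\0'
PE_HEAD = b"MZ" + b"\0" * (0x3C - 2) + (0x40).to_bytes(4, "little") + b"PE\0\0"

# Constructed memory map: one normal module, a heap, a reflectively loaded
# DLL, and a small JIT-style code region without a PE header.
SAMPLE_REGIONS = [
    Region(0x7FF800001000, 0x100000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Windows\System32\ntdll.dll", PE_HEAD),
    Region(0x1E0000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None, b"\0" * 0x44),
    Region(0x1F0000, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, PE_HEAD),
    Region(0x2A0000, 0x1000, PAGE_EXECUTE_READ, MEM_PRIVATE, None,
           b"\x48\x89\x5c\x24\x08" + b"\0" * 0x3F),
]


if __name__ == "__main__":
    for f in suspicious_regions(SAMPLE_REGIONS):
        print(f"0x{f['base']:X} size=0x{f['size']:X}: {', '.join(f['reasons'])}")
```

Run against a live process, the same logic would iterate `VirtualQueryEx` until it walks off the end of the address space and read each region's first page with `ReadProcessMemory`; the ranking stays the same: an RWX private region carrying a PE header is the strongest signal, while a lone private executable region is a lead to correlate with the process type (a .NET or browser process emits such regions routinely).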
If you want to dive deep into the technical details of how a Reflective DLL Injection attack works, watch the video below, Reflective Dll Injection Explained in 10 Minutes by Debasish Mandal.