GET /api/techniques/110/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 110,
"key": "reflective-dll-injection",
"unprotect_id": "U1224",
"name": "Reflective DLL injection",
"description": "Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a `LoadLibrary` function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.\r\n\r\nThe way the reflective injection works is described by the technique's original author Stephen Fewer:\r\n\r\n* Execution is passed, either via `CreateRemoteThread` or a tiny bootstrap shellcode, to the library's\r\n\r\n* ReflectiveLoader function which is an exported function found in the library's export table.\r\n\r\n- As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.\r\n\r\n- The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely `LoadLibraryA`, `GetProcAddress` and `VirtualAlloc`.\r\n\r\n- The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.\r\n\r\n- The library's headers and sections are loaded into their new locations in memory.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.\r\n\r\n- The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.\r\n\r\n- The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with `DLL_PROCESS_ATTACH`. The library has now been successfully loaded into memory.\r\n\r\n- Finally, the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via `CreateRemoteThread`, the thread will terminate.",
"resources": "https://0x00sec.org/t/reflective-dll-injection/3080\nhttps://www.ired.team/offensive-security/code-injection-process-injection/reflective-dll-injection",
"creation_date": "2019-03-23T17:13:35Z",
"tags": "",
"modification_date": "2023-10-04T10:42:57.942000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
3,
7,
23,
340,
357,
365,
380,
419,
425,
439
],
"contributors": []
}
