Reflective DLL injection
Created the Saturday 23 March 2019. Updated 4 years, 2 months ago.
Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a
LoadLibrary function that supports this, so to get the functionality you have to write your own, omitting some of the things Windows normally does, such as registering the DLL as a loaded module in the process, potentially bypassing DLL load monitoring.
The way the reflective injection works is described by the technique's original author Stephen Fewer:
Execution is passed, either via
CreateRemoteThreador a tiny bootstrap shellcode, to the library's
ReflectiveLoader function which is an exported function found in the library's export table.
As the library's image will currently exists in an arbitrary location in memory the ReflectiveLoader will first calculate its own image's current location in memory so as to be able to parse its own headers for use later on.
The ReflectiveLoader will then parse the host processes kernel32.dll export table in order to calculate the addresses of three functions required by the loader, namely
The ReflectiveLoader will now allocate a continuous region of memory into which it will proceed to load its own image. The location is not important as the loader will correctly relocate the image later on.
The library's headers and sections are loaded into their new locations in memory.
The ReflectiveLoader will then process the newly loaded copy of its image's import table, loading any additional library's and resolving their respective imported function addresses.
The ReflectiveLoader will then process the newly loaded copy of its image's relocation table.
The ReflectiveLoader will then call its newly loaded image's entry point function, DllMain with
DLL_PROCESS_ATTACH. The library has now been successfully loaded into memory.
Finally, the ReflectiveLoader will return execution to the initial bootstrap shellcode which called it, or if it was called via
CreateRemoteThread, the thread will terminate.
The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.