Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Process Replacement
Next: Detours

On the left side of the figure, users generate events that are sent to the OS, which then delivers the messages created by those events to the threads registered to receive them. The right side of the figure shows one way that an attacker can insert a malicious DLL to intercept those messages.

The listing shows the assembly code for performing hook injection in order to load a DLL into a different process's memory space.

In the listing, the malicious DLL (hook.dll) is first loaded by the malware itself, and the address of the malicious hook procedure is obtained. The hook procedure, MalwareProc, calls only CallNextHookEx, so it passes every message on unchanged. SetWindowsHookEx is then called for a thread in notepad.exe (assuming that notepad.exe is running), with hook.dll's module handle as the hMod argument. GetNotepadThreadId is a locally defined function that obtains a dwThreadId for notepad.exe. Finally, a message is sent to the hooked notepad.exe thread; handling that message triggers the WH_CBT hook, which forces Windows to load hook.dll into notepad.exe so that MalwareProc can be called. This allows hook.dll to run in the notepad.exe process space.

Once hook.dll is injected, it can execute the full malicious code stored in DllMain while disguised as the notepad.exe process. Since MalwareProc calls only CallNextHookEx, it should not interfere with incoming messages, but malware often immediately calls LoadLibrary and UnhookWindowsHookEx in DllMain anyway: LoadLibrary on hook.dll itself keeps the DLL resident in notepad.exe after the hook is gone, and UnhookWindowsHookEx removes the hook so that incoming messages are no longer routed through MalwareProc at all.
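An added analyst-side helper, not code from the book: it walks an IDA-style listing of an injector like the one described above, tracks which call's return value ends up in each register, reconstructs the four stdcall arguments of SetWindowsHookEx (pushed right to left, so the last push is idHook) and reports the hook type, whether the hook targets one thread or every thread on the desktop (dwThreadId of 0), and whether the injector also loads a DLL, triggers the hook with a message, and unhooks. The listing it parses is constructed to match the sequence this section describes; it is not the book's listing, and its addresses and label names (aHookDll, aMalwareproc, GetNotepadThreadId) are assumptions.

```python
import re

# idHook values from WinUser.h
HOOK_TYPES = {
    -1: "WH_MSGFILTER", 0: "WH_JOURNALRECORD", 1: "WH_JOURNALPLAYBACK",
    2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 4: "WH_CALLWNDPROC", 5: "WH_CBT",
    6: "WH_SYSMSGFILTER", 7: "WH_MOUSE", 8: "WH_HARDWARE", 9: "WH_DEBUG",
    10: "WH_SHELL", 11: "WH_FOREGROUNDIDLE", 12: "WH_CALLWNDPROCRET",
    13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL",
}
# "[address] mnemonic operands ; comment" as IDA prints it
LINE_RE = re.compile(r"^\s*(?:[0-9A-Fa-f]{8}\s+)?(\w+)\s*(.*?)\s*(?:;.*)?$")
INT_RE = re.compile(r"^-?(?:0x[0-9a-f]+|\d[0-9a-f]*h|\d+)$", re.IGNORECASE)

# Constructed listing modelled on the injector this section describes (not the book's own).
SAMPLE_LISTING = """
00401000 push    offset aHookDll      ; "hook.dll"
00401005 call    ds:LoadLibraryA
0040100B mov     esi, eax             ; hModule of hook.dll
0040100D push    offset aMalwareproc  ; "MalwareProc"
00401012 push    esi
00401013 call    ds:GetProcAddress
00401019 mov     edi, eax             ; address of MalwareProc
0040101B call    GetNotepadThreadId
00401020 mov     ebx, eax             ; dwThreadId of a notepad.exe thread
00401022 push    ebx                  ; dwThreadId
00401023 push    esi                  ; hMod
00401024 push    edi                  ; lpfn
00401025 push    5                    ; idHook = WH_CBT
00401027 call    ds:SetWindowsHookExA
0040102D push    0                    ; lParam
0040102F push    0                    ; wParam
00401031 push    0                    ; Msg: any message makes the thread run the CBT hook
00401033 push    ebx                  ; idThread
00401034 call    ds:PostThreadMessageA
"""

def canonical_api(operand):
    """'ds:SetWindowsHookExA' -> 'SetWindowsHookEx': drop segment prefix and A/W suffix."""
    return re.sub(r"(?<=[a-z])[AW]$", "", operand.split(":")[-1])

def parse_int(token):
    """IDA immediates (5, 0Dh, 0FFFFFFFFh, 0x1F); 32-bit values are read as signed."""
    t = token.lower()
    value = int(t[:-1], 16) if t.endswith("h") else int(t, 16 if "x" in t else 10)
    return value - (1 << 32) if value >= (1 << 31) else value

def value_of(op, regs):
    """Symbolic value of a push/mov source: tracked register, immediate or label."""
    if op in regs:
        return regs[op]
    if INT_RE.match(op):
        return parse_int(op)
    if op.startswith("offset "):          # address of a string or code label
        return "&" + op[7:].strip()
    return op                              # memory operand or untracked register

def parse_line(line):
    """'00401025 push 5 ; idHook' -> ('push', ['5']); None for blank or junk lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group(2).strip()
    return m.group(1).lower(), ([o.strip() for o in rest.split(",")] if rest else [])

def decode_hook_call(stack):
    """stack = values in push order; stdcall pushes right to left, so the last
    push is idHook and the fourth from the end is dwThreadId."""
    if len(stack) < 4:
        raise ValueError("SetWindowsHookEx reached with fewer than four pushes")
    id_hook, lpfn, hmod, tid = stack[-1], stack[-2], stack[-3], stack[-4]
    hook_type = (HOOK_TYPES.get(id_hook, f"unknown({id_hook})")
                 if isinstance(id_hook, int) else f"dynamic({id_hook})")
    return {
        "hook_type": hook_type, "hook_proc": lpfn, "module": hmod, "thread_id": tid,
        "scope": "global" if tid == 0 else "single thread",  # dwThreadId 0 = all threads
        "injects_dll": hmod != 0,  # hMod NULL is a local hook: nothing gets loaded
    }

def analyze_listing(text):
    """Walk the listing once, tracking each call's result through registers."""
    regs, stack, calls, report = {}, [], [], None
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        mnemonic, ops = parsed
        if mnemonic == "push" and ops:
            stack.append(value_of(ops[0], regs))
        elif mnemonic == "mov" and len(ops) == 2:
            regs[ops[0]] = value_of(ops[1], regs)
        elif mnemonic == "call" and ops:
            api = canonical_api(ops[0])
            calls.append(api)
            if api == "SetWindowsHookEx":
                report = decode_hook_call(stack)
            stack.clear()                  # stdcall: the callee pops its arguments
            regs["eax"] = f"ret:{api}"     # and its return value lands in eax
    if report is None:
        return {"hook_type": None, "calls": calls}
    report.update(calls=calls, loads_dll="LoadLibrary" in calls,
                  unhooks="UnhookWindowsHookEx" in calls,
                  triggers_hook=bool({"PostThreadMessage", "PostMessage", "SendMessage"} & set(calls)))
    return report

if __name__ == "__main__": print(analyze_listing(SAMPLE_LISTING))
```

Run against the constructed listing, the report names WH_CBT, shows that lpfn comes from GetProcAddress, hMod from LoadLibrary and dwThreadId from GetNotepadThreadId, and marks the hook as single-thread with a PostThreadMessage trigger. The `unhooks` flag is false for the injector, which matches the text: the UnhookWindowsHookEx call is expected in hook.dll's DllMain, so point the same walker at that routine to confirm the LoadLibrary/UnhookWindowsHookEx pair. The register tracking is linear and ignores branches, which is adequate for a straight-line injector stub but not for code that selects the thread ID or hook type conditionally.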


© RuTLib.com 2015-2018