‘Reflective Dll Injection’
‘The information has been provided by Stephen Fewer.
The original article can be found at: http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf‘
Under the Windows platform, library injection techniques both local and remote have been around for many years. Remote library injection as an exploitation technique was introduced in 2004 by Skape and JT. Their technique employs shellcode to patch the host processes ntdll library at run time and forces the native Windows loader to load a Dynamic Link Library (DLL) image from memory. As an alternative to this technique Stephen presents Reflective DLL Injection.
Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host. Previous work in the security field of building PE file loaders include the bo2k server by DilDog.
The main advantage of the library loading itself is that it is not registered in any way with the host system and as a result is largely undetectable at both a system and process level. When employed as an exploitation technique, Reflective DLL Injection requires a minimal amount of shellcode, further reducing its detection footprint against host and network based intrusion detection and prevention systems.’