Monday, 28 October 2013

Security: Blocking DLL Injections


Today - we will be discussing about Injections and prevention of Injections, malware in generally notorious for stealing vital information from Softwares - This causes concern for most Developers working in the Security and Financial Industry as in these field, safeguarding customer data is a very important goal.

Malware(s) perform DLL Injection into the target, the DLL loaded would be a malicious DLL which would steal personal information, the generic malware authors tend to use LoadLibrary and WriteProcessMemory in a combination in order to successfully load a DLL into the Processes memory space, although this many Security Developers and Financial Developers simply detour LoadLibrary and expect the Application to be safe, however a simple call to a lower level function would bypass your layered protection, thus breaching the security.
However if we wanted to block the injection, without ourselves injection then performing a system-wide patch - we can use a LDR function which is function used to load DLL onto our Application, placing a nasty detour on that function would completely safeguard us against many User-Level Malware including Citadel.

The "magic" function is called LdrLoadDll, after we detour this function - we will be able to block many Injector(s) example  - WinInject.

Let's Get Coding, First we will start by the function responsible for patching LdrLoadDll:

As you see, we are not doing any special detouring method but the usual jmp method, I did not re-protect the memory address space as you can do anything more like add your own code\replace code.

Next we will be covering the Callback, the callback itself is more or less, simple filtering mechanism however you can customize the mechanism to your own liking:

As you may have noticed the callback simply blocks all DLL locations\names in the C: drive however if the DLL's exist in System32, we cannot block it. All this does is allow trusted DLL to load, but this can be bypassed if a Malware sets its DLL in System32:

The code above is quite straightforward so, not much to explain apart from the LdrAddress variable is a global variable therefore, you cannot see the variable.
These are only real\important piece of code as you may know as all main does is call the Install detour functions and thats all - from then on the callback handles it all.

The code, as I could not fit it into a single screenshot, I am going to give the code in a *.cpp file:

Next, time I will be covering how to block Code\Process Injections.

Until Next Time,

1 comment: