PoC kernel to usermode dll injection
Tested on Windows 10 22H2
InjectorController.exe <target_pid>
the shellcode is injecting "C:\hooking.dll" so make sure to rename your dll or modify the shellcode accordingly
see load_dll_shellcode.asm provided source file
- KeStackAttachProcess to attach to the received target process address space (CR3)
- RX allocation for our shellcode using ZwAllocateVirtualMemory
- MmMapLockedPagesSpecifyCache & MmProtectMdlSystemAddress to create another mapping for our shellcode allocation and set it to RW (thus avoiding allocation of RWX memory)
- Copy shellcode to RW Mdl mapping
- Enumerate the process's threads list and find an alertable thread (indicated by the Alertable flag in the KTHREAD structure)
- Queue a user apc to the target address with the normal routine pointing at our shellcode
- Shellcode executes and calls LoadLibraryA to load our module (could be improved to signal an event so the driver can free it once it finishes executing)
- shellcode resides within an executable allocation not backed by a module on disk (potential workaround would be to find a code cave in a loaded module and write the shellcode there)
- shellcode can be memory scanned
- LoadLibrary or LdrLoadDLL might be hooked and monitored
- Drivers that register to image load notify routines or filter on IRP_MJ_ACQUIRE_FOR_SECTION_SYNCHRONIZATION will be aware we loaded a module
- In case of Anti Cheat or AV processes they can walk the peb or use EnumProcessModules to identify 'unknown' DLLs in their process
- User APC dispatcher can be hooked