DLL injection is a technique that abuses the ability to load an external DLL into the address space of another process.
By 'injecting' a malicious DLL into a target process, the attacker gets code running inside that process: when the DLL is mapped, its entry point (DllMain) executes with the victim's privileges and memory, and the DLL can then abuse the victim process.
In our program, we change the title bar of Notepad (notepad.exe) using DLL injection.
DLL Injection example; Visualization of DLL Injection steps:
API hooking is a technique that abuses a process data structure, the Import Address Table (IAT), by overwriting a function pointer so that it points at a custom implementation of the function. The replacement receives every call the program makes to that API and can easily introduce malicious behavior.
- Import Address Table (IAT) - a table inside a Windows PE image. The executable's import directory lists the DLLs it needs and the functions it imports from each; at load time the Windows loader fills the IAT with the resolved address of every imported function, and the program's calls go through these slots. Overwriting one slot therefore redirects every call to that function.
In our implementation, we hook the API function NtQuerySystemInformation, exported by ntdll.dll, which retrieves system information, including the list of running processes. Our hooked function calls the original and then skips the cmd.exe entry in the returned list, so the process is hidden from the hooked program.
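The core of such a hook, as an added example that is not the repository's own code: the "IAT" is simulated by a global function pointer, the "real" NtQuerySystemInformation is a constructed stub that returns a constructed three-entry process list, and SYS_PROC_INFO is a cut-down stand-in for the Windows SYSTEM_PROCESS_INFORMATION record (only NextEntryOffset and the image name matter here). The hook calls through to the original and then unlinks the cmd.exe entry by making the previous entry's NextEntryOffset jump over it, which is exactly how the real buffer is edited. Everything is portable C so it can be compiled and run on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <wchar.h>

/* Simplified stand-in for SYSTEM_PROCESS_INFORMATION (assumption: the real
 * struct carries a UNICODE_STRING and many more fields). NextEntryOffset is
 * the byte distance to the next record; 0 marks the last one. */
typedef struct {
    uint32_t NextEntryOffset;
    uint32_t UniqueProcessId;
    wchar_t  ImageName[32];
} SYS_PROC_INFO;

#define SystemProcessInformation 5   /* real SYSTEM_INFORMATION_CLASS value */

/* Shared prototype of the real function and the hook (NTSTATUS is a long, 0 = success). */
typedef long (*NtQuerySystemInformation_t)(int cls, void *buf, uint32_t len, uint32_t *ret);

/* Constructed stand-in for ntdll's NtQuerySystemInformation: returns a fixed list. */
static long fake_NtQuerySystemInformation(int cls, void *buf, uint32_t len, uint32_t *ret)
{
    static const wchar_t *names[] = { L"explorer.exe", L"cmd.exe", L"notepad.exe" };
    enum { N = 3 };
    uint32_t need = N * sizeof(SYS_PROC_INFO);
    if (ret) *ret = need;
    if (cls != SystemProcessInformation) return (long)0xC0000003; /* STATUS_INVALID_INFO_CLASS */
    if (len < need) return (long)0xC0000004;                     /* STATUS_INFO_LENGTH_MISMATCH */
    SYS_PROC_INFO *p = (SYS_PROC_INFO *)buf;
    for (int i = 0; i < N; i++) {
        p[i].NextEntryOffset = (i == N - 1) ? 0 : (uint32_t)sizeof(SYS_PROC_INFO);
        p[i].UniqueProcessId = 1000 + i;
        wcsncpy(p[i].ImageName, names[i], 31);
        p[i].ImageName[31] = L'\0';
    }
    return 0;
}

/* Simulated IAT slot: the program's copy of the imported pointer. On Windows this
 * is an IMAGE_THUNK_DATA entry found by walking IMAGE_IMPORT_DESCRIPTOR. */
static NtQuerySystemInformation_t iat_NtQuerySystemInformation = fake_NtQuerySystemInformation;
/* Original pointer, saved so the hook can call through. */
static NtQuerySystemInformation_t real_NtQuerySystemInformation = NULL;

/* Unlink every record whose ImageName equals `hide`. The first record cannot be
 * unlinked this way (no predecessor); on Windows it is always the Idle process. */
static int hide_process(SYS_PROC_INFO *first, const wchar_t *hide)
{
    int removed = 0;
    SYS_PROC_INFO *prev = NULL, *cur = first;
    while (cur) {
        SYS_PROC_INFO *next = cur->NextEntryOffset
            ? (SYS_PROC_INFO *)((uint8_t *)cur + cur->NextEntryOffset) : NULL;
        if (prev && wcscmp(cur->ImageName, hide) == 0) {
            /* prev now skips over cur; if cur was last, prev becomes last */
            prev->NextEntryOffset = next ? prev->NextEntryOffset + cur->NextEntryOffset : 0;
            removed++;
        } else {
            prev = cur;
        }
        cur = next;
    }
    return removed;
}

/* The hook: call the original, then filter the process list before returning it. */
static long hooked_NtQuerySystemInformation(int cls, void *buf, uint32_t len, uint32_t *ret)
{
    long status = real_NtQuerySystemInformation(cls, buf, len, ret);
    if (status == 0 && cls == SystemProcessInformation && buf)
        hide_process((SYS_PROC_INFO *)buf, L"cmd.exe");
    return status;
}

/* Patch the slot if it still holds `target`; save the original and write `hook`.
 * Real IAT pages are read-only, so Windows code must VirtualProtect() them first. */
static int install_iat_hook(NtQuerySystemInformation_t *slot, NtQuerySystemInformation_t target,
                            NtQuerySystemInformation_t hook, NtQuerySystemInformation_t *saved)
{
    if (*slot != target) return 0;
    *saved = *slot;
    *slot = hook;
    return 1;
}

/* What the program "sees" through its IAT: number of processes, and whether cmd.exe is among them. */
static int count_visible_processes(int *cmd_seen)
{
    SYS_PROC_INFO buf[8];
    uint32_t ret = 0;
    *cmd_seen = 0;
    if (iat_NtQuerySystemInformation(SystemProcessInformation, buf, (uint32_t)sizeof buf, &ret) != 0)
        return -1;
    int n = 0;
    for (SYS_PROC_INFO *cur = buf;; cur = (SYS_PROC_INFO *)((uint8_t *)cur + cur->NextEntryOffset)) {
        n++;
        if (wcscmp(cur->ImageName, L"cmd.exe") == 0) *cmd_seen = 1;
        if (!cur->NextEntryOffset) break;
    }
    return n;
}

int main(void)
{
    int seen, n;
    n = count_visible_processes(&seen);
    printf("before hook: %d processes, cmd.exe visible=%d\n", n, seen);
    install_iat_hook(&iat_NtQuerySystemInformation, fake_NtQuerySystemInformation,
                     hooked_NtQuerySystemInformation, &real_NtQuerySystemInformation);
    n = count_visible_processes(&seen);
    printf("after hook:  %d processes, cmd.exe visible=%d\n", n, seen);
    return 0;
}
```

Note the defensive detail in install_iat_hook: it only patches a slot that still holds the expected address, so a second installation (or another hook already in place) is detected rather than blindly overwritten and the original pointer is never lost. Because this is an IAT hook, only the patched process is affected; other programs calling ntdll.dll directly still see cmd.exe.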
API Hooking example; Visualization of API Hooking steps: