Recently, some earlier versions of the Ramsay malware (malware capable of operating within air-gapped networks) used AppInit DLLs for persistence during the attack phase. AppInit_DLLs is a registry value: when it is set to the path of an attacker's DLL, every application on the system that loads User32.dll also loads the attacker's DLL. AppInit DLL injection has been used by adversaries for a long time, mainly to gain persistence during the attack phase.
In this short blog post we will walk through a simple example of this technique in which opening a command prompt pops calc. First we specify the target DLL in the AppInit registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = 'path_to_your_dll'
Then we enable the technique:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs = 1
An attacker could simply use a batch script to set these values on the victim PC. Once the values are set, any application that uses User32.dll also loads the attacker's DLL (in this case our DLL is appinit.dll on the D: drive, as highlighted above). The injected DLL might contain shellcode or carry out other malicious activity.
The code images below are of our sample DLL, which contains the shellcode:
Starting with the DllMain function:
For this example I have kept cmd.exe as the target, but attackers could just as easily use any other process running on the system that loads User32.dll. After that we have a chkprocess function, which simply compares the name of the opened process with the string 'cmd' and, if it matches, injects the shellcode into the cmd.exe process.
The code snippet above shows the injected() function. First we create a process in suspended mode with regsvr32.exe as the command line (for whitelisting), then we capture the context of the process's thread using GetThreadContext() so that we can set the Eip/Rip register. Next we allocate space for our shellcode with VirtualAllocEx() (since it is a remote process). After that we use the WriteProcessMemory API to write our shellcode into the allocated space, and finally, after pointing Eip at the entry point of the shellcode, we resume the thread so that execution continues there.
NOTE: For the parameters of these APIs, please refer to Microsoft's MSDN documentation.
Shellcode that gets injected and pops calc.exe:
As we can see above, when I launched cmd, calc popped up, and on inspecting the properties of cmd I found that our module (appinit.dll) had also been loaded.
Endgame has already published an analysis of this type of infection in which they show how this kind of injection can be detected.
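As an added example (not part of the original post or of the Endgame analysis), here is a small defender-side audit of the two registry values described above: it reads AppInit_DLLs and LoadAppInit_DLLs from both the native and the WOW6432Node key, and rates what it finds. The function and value names are my own, and the sample data is constructed to mirror the post (appinit.dll on D:); on non-Windows hosts the script falls back to that sample.

```python
"""Audit the AppInit_DLLs persistence values described above (added example)."""

# Both registry views: 64-bit processes read the first path, 32-bit
# processes on 64-bit Windows read the WOW6432Node copy instead.
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)


def assess_appinit(key_path, values):
    """Rate one key's values; returns None when nothing is configured.

    `values` maps value name -> data, e.g. {"AppInit_DLLs": "D:\\appinit.dll",
    "LoadAppInit_DLLs": 1}. AppInit_DLLs may list several DLLs separated
    by spaces or commas. Note: on Windows 8+ with Secure Boot enabled the
    loader ignores AppInit_DLLs entirely, but a populated value is still a
    sign of tampering worth investigating.
    """
    raw = str(values.get("AppInit_DLLs") or "")
    dlls = [d for d in raw.replace(",", " ").split() if d]
    enabled = int(values.get("LoadAppInit_DLLs") or 0) == 1
    if not dlls and not enabled:
        return None
    if dlls and enabled:
        severity = "high"      # DLL staged and loading switched on
    elif dlls:
        severity = "medium"    # DLL staged but not yet enabled
    else:
        severity = "low"       # enabled with an empty list: watch for writes
    return {"key": key_path, "dlls": dlls, "enabled": enabled, "severity": severity}


def read_live_keys():
    """Read the real values on Windows via winreg; returns [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    out = []
    for path in APPINIT_KEYS:
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                for name in ("AppInit_DLLs", "LoadAppInit_DLLs"):
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass  # value not present under this view
        except OSError:
            continue  # key missing in this view
        out.append((path, values))
    return out


# Constructed sample mirroring the post: DLL on D: staged and loading enabled.
SAMPLE = {"AppInit_DLLs": r"D:\appinit.dll", "LoadAppInit_DLLs": 1}

if __name__ == "__main__":
    for path, values in read_live_keys() or [(APPINIT_KEYS[0], SAMPLE)]:
        print(assess_appinit(path, values) or f"{path}: clean")
```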
- Interested in cybersecurity; his blog: https://threatblogs.wordpress.com/
- Student currently pursuing a Bachelor of Technology (Computer Science)
- Interested in malware analysis, reversing and forensics.
- Did an internship at the Computer Emergency Response Team, India (CERT-In)