Observation
Parts of a legitimate module are modified with malicious code and then the target process is forced to load it.
Working
- Retrieve target process ID using
EnumProcessand get a handle to it usingOpenProcess. - Find the base address of loaded module in the target process to “stomp” using
EnumProcessModulesandGetModuleFileNameEx. - Allocating memory in the target process using
VirtualAllocEx. - Writing DLL Path to the allocated memory in target process using
WriteProcessMemory. - Get address of LoadLibraryA and converting it to the thread routine using
GetProcAddress. - Creating remote thread to load target DLL using
CreateRemoteThread. - Finding the base address of the loaded DLL using
FindModuleBase, then calculating entry point in memory =dllEntryPoint + moduleBaseAddress. - Over-write the DLL’s entry point with the shellcode using
WriteProcessMemory. - Execute the shellcode from inside the benign DLL using
CreateRemoteThread.