Finding Reflective DLL Injections

DLL injections that originate from a malicious DLL written to a disk are commonly detected by any decent AV product. Detecting reflective DLL injection, however, are not as straightforward. Malware injected directly into a process using reflective DLL injection typically will not exist on disk. A co-worker of mine developed a tool called Evil Injection Finder (EIF), which is designed to help you find those evil injections! Administrative rights are currently necessary to adequately examine the memory of running processes. Some memory pages will be unreadable if marked as protected processes by the OS, such as LSASS.

The example below demonstrates using EIF with a signature file to find injects in all processes on the system. A meterpreter has been loaded into MicrosoftEdge using reflective injection.

C:\Users\IEUser\Desktop>EvilInjectFinder.exe -s sigs.txt -S

Analysing PID: 3908 : MicrosoftEdgeCP.exe
+------------------------------------------------------------------------------------------------------------------------------+
|      Address | Permissions       |          Size | Module       | MZ  | DOS | Nops | Sigs | MD5                              |
+------------------------------------------------------------------------------------------------------------------------------+
|       480000 | EXECUTE_READWRITE |        1.14MB |              | No  | Yes |   0% |    5 | 6CE6C24391C37E0D4883DBA14F04EA31 |
|  1dc06950000 | EXECUTE_READWRITE |      156.00KB |              | Yes | Yes |   0% |    3 | AC46BC374B6CD85D3564A3F5F62B92C1 |
|  1dc06990000 | EXECUTE_READWRITE |      436.00KB |              | Yes | Yes |   0% |    8 | 13CA507C4B0A15775ABCE144B7D8C4C4 |
|  1dc07590000 | EXECUTE_READWRITE |        1.18MB |              | Yes | Yes |   0% |    5 | A81939E4335F18FF2213032100411659 |
+------------------------------------------------------------------------------------------------------------------------------+

I wanted to run EIF on remote systems but it didn’t have that capability so I developed EIF_Parser, which provides the following capabilities:

  • Executes Evil Inject Finder (EIF) on a remote system or systems
  • Retrieves the data gathered by EIF on remote systems
  • On the local system, presents only the processes with ‘yes’ in the MZ or DOS column
  • Logs systems not accessible, for one reason or another

The tools can be found at the below links: