Classic Remote Thread Injection
by JustinWaller - Saturday March 8, 2025 at 01:50 PM
#1
DLL injection is a technique used to execute arbitrary code within the address space of another process.

One of the most common methods is leveraging "CreateRemoteThread" to execute malicious code in another process.
- Tools like Process Hacker, Process Explorer, and Sysmon can detect remote thread creation.
- Implementing a hook on LoadLibrary() or monitoring API calls can detect this.
- Windows Defender ATP can track DLL injection behavior.

Classic Remote Thread Injection:

Classic Remote Thread Injection is one of the most widely used DLL injection techniques.
Used by: RATs, keyloggers, etc.
It has 4 main steps:
- Gain a handle to the target process.
- Reserve memory for the DLL path.
- Place the path of the malicious DLL into the remote process's memory space.
- Execute the DLL inside the target process using

Real examples:
Zeus (Zbot) – Banking Trojan
TrickBot – Modular Banking Trojan & Loader
Emotet – Malware Loader
Cobalt Strike – Red Team Tool
QakBot (QBot) – Banking Trojan & Malware Loader
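
On the detection side the post mentions (Sysmon seeing remote thread creation), the following is an added example, not part of the original post: it triages Sysmon Event ID 8 (CreateRemoteThread) records and flags those whose thread start resolves to a LoadLibrary export. The sample events, file paths and the helper names `_event`, `parse_event`, `classify` and `triage` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Thread start routines that indicate a DLL path is being loaded remotely.
LOADER_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}

def _event(src, dst, module, func, event_id=8):
    """Build a constructed event in the Sysmon XML layout (not real telemetry)."""
    fields = {"SourceImage": src, "TargetImage": dst,
              "StartModule": module, "StartFunction": func}
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed samples
    _event(r"C:\Users\test\AppData\Local\Temp\updater.exe",
           r"C:\Windows\System32\notepad.exe",
           r"C:\Windows\System32\kernel32.dll", "LoadLibraryA"),
    # Sysmon writes "-" when it cannot resolve the start address to a module.
    _event(r"C:\Tools\monitor.exe", r"C:\Windows\explorer.exe", "-", "-"),
    # Event ID 1 (process creation) is out of scope and must be skipped.
    _event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "-", "-", 1),
]

def parse_event(xml_text):
    """Return the EventData fields of an Event ID 8 record, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "8":
        return None
    return {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}

def classify(ev):
    """Label one remote-thread event by where the new thread starts."""
    if ev.get("StartFunction", "").lower() in LOADER_FUNCS:
        return "loadlibrary-start"   # matches the classic DLL injection pattern
    if ev.get("StartModule", "-") in ("", "-"):
        return "unresolved-start"    # start address not inside a known module
    return "other-remote-thread"

def triage(events):
    """Return (label, source image, target image) for every Event ID 8 record."""
    out = []
    for parsed in filter(None, map(parse_event, events)):
        out.append((classify(parsed), parsed["SourceImage"], parsed["TargetImage"]))
    return out

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(*row, sep=" | ")
```

Legitimate software also creates remote threads, so the labels are triage hints to be combined with the source image path and signer, not verdicts.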