Dynamic Link Library Injection (DLL Injection)

Dynamic Link Library Injection (DLL Injection) is a method malicious actors use to insert malicious code into running processes.

Dynamic Link Library Injection (DLL Injection) is a method malicious actors use to insert malicious code into running processes. A dynamic link Library Injection attack could occur when someone injects code into an app’s DLLs to compromise functionality or steal sensitive information.

2023 Global Mobile Threat Report

Dynamic link library injection (DLLI) attacks are common in mobile app security when an attacker gains access to a mobile device and alters the app’s code or configuration files. Device access can be done through various means, such as exploiting vulnerabilities within the operating system or application itself or employing social engineering tactics to trick users into installing malicious apps.

Once an attacker injects their malicious code into an app’s DLLs, they can use it to carry out various malicious tasks such as stealing sensitive information, altering its behavior, and even taking control of the entire device.

What Are the Different Methods of Dynamic Link Library injections?

Dynamic Link Library (DLL) injection is a technique used to load and execute code within the address space of a running process. It’s employed for various legitimate and sometimes malicious purposes. There are several methods of DLL injection, including:

  • Load-Time Injection: This occurs when the DLL is loaded into the target process at the time the process starts. This method can be used for legitimate purposes like extending an application’s functionality. A common technique for load-time injection includes Import Address Table (IAT) hooking. IAT hooking involves modifying the Import Address Table of a process to point to a custom DLL instead of the intended one. IAT hooking is often used for debugging or extending application functionality. A second method of load-time injection is manifest file modification, which changes the manifest file of an executable to load a custom DLL during its launch. Manifest file modification is another legitimate way to extend application behavior.
  • Runtime Injection: This method involves injecting a DLL into a running process. Runtime injection is often used for more advanced debugging or security research. There are several runtime injection techniques. The CreateRemoteThread technique involves creating a new thread within the target process and having that thread load the DLL. It’s commonly used for legitimate debugging and monitoring purposes. In the QueueUserAPC technical, Asynchronous Procedure Calls (APCs) execute code in the target process, often by queuing an APC to a specific thread. The SetWindowsHookEx technique uses a legitimate Windows API to set hooks in applications but can also be exploited for injection. This technique is used mainly for monitoring input events and is often used for keyloggers and other monitoring tools.
  • Reflective Injection: Reflective injection is a more advanced technique that involves injecting a DLL into a process without relying on traditional injection methods. The injected DLL can be position-independent and capable of loading itself into memory, making it more stealthy and difficult to detect.
  • Process Hollowing: This technique involves creating a new suspended process, replacing its code and data with the code and data of the target DLL, and then resuming execution. It is often used in malware to disguise malicious activities within a legitimate process.
  • Thread Local Storage (TLS) Callbacks: Some DLLs use TLS callbacks to execute code when the DLL is loaded or unloaded. By manipulating TLS callbacks, an attacker can execute custom code in the context of a process.
  • AppInit_DLLs Registry Key: On Windows, the AppInit_DLLs registry key allows you to specify DLLs that are loaded into every process at startup. This injection technique can be exploited for malicious purposes.

Dynamic Link Library Injections in Mobile Applications

While dynamic link library injection is a concept that is often associated with Windows-based operating systems and applications, dynamic link library injection concepts apply equally to mobile applications. The dynamic link library injection terminology differs for iOS and Android operating systems. Similar concepts exist regarding mobile applications, especially on platforms like Android and iOS, but the terminology and techniques can vary. Let’s explore the equivalent concepts for mobile applications:

Android

There are similar concepts in the context of Android applications, but they are not referred to as DLL injection. Instead, you might hear about methods like code injection, hooking, or modification of APK files.

  • Code Injection: Developers may modify or add code to an Android application at runtime, often called runtime code injection. Runtime code injection can be used for various purposes, including debugging, monitoring, or modifying an app’s behavior.
  • Xposed Framework: The Xposed Framework is a popular tool for Android that allows you to modify the behavior of apps by injecting code into the application process. This modification uses modules that intercept and alter the app’s function calls.
  • Frida: Frida is another dynamic instrumentation tool that can inject JavaScript code into Android applications. It allows for runtime analysis, manipulation, and reverse engineering.

iOS

In the context of iOS applications, similar concepts to DLL injection are used, but different terminology is employed:

  • Cydia Substrate (formerly MobileSubstrate): This framework allows developers to modify the behavior of iOS apps by injecting code into them. It is often used for creating tweaks and extensions for jailbroken iOS devices.
  • Theos and Logos: These development frameworks can modify iOS apps by injecting code into them. They are commonly used in the jailbreaking community.

In the case of Android and iOS, it’s essential to note that these techniques are typically associated with jailbroken or rooted devices. Regular app stores have strict security policies and app sandboxing, making it challenging to perform code injection and modify or manipulate unaltered devices.

Legitimate Uses of Dynamic Link Library Injection for Mobile Applications

There are legitimate techniques and practices in the realm of mobile app development and security that may have some similarities to traditional DLL injection:

  • Dynamic Loading of Libraries or Modules: Mobile apps can dynamically load external libraries or modules at runtime. This capability can extend functionality, optimize performance, or facilitate plugin systems. For example, Loading web views or JavaScript modules dynamically to display content from a server or loading video player modules for playing different media formats. Another example is utilizing third-party SDKs and libraries for specific features, like analytics or social sharing.
  • Remote Updates: Mobile apps can fetch and apply updates remotely to improve security, fix bugs, or enhance features. Dynamic updates can include changes to assets, resources, or even code without users needing to download a full app update.
  • Scripting and Automation: Some mobile apps offer scripting or automation capabilities that allow users to run custom scripts or code snippets for legitimate purposes like task automation or personalization.
  • Localization and Language Support: Mobile apps may load language-specific resources and assets dynamically to provide multilingual support to users.
  • Feature Flags: Feature flagging allows mobile app developers to turn specific features on or off at runtime. Feature flagging can be used for A/B testing, feature rollouts, or turning functionalities on/off based on user segments.
  • Remote Configuration and Personalization: Apps can use remote configuration settings to change app behavior, appearance, or other aspects based on user preferences or external conditions.
  • Cloud-Based Business Logic: Mobile applications with cloud-based components may dynamically load business logic or rules from a server to adapt to changing business requirements.

While these practices may resemble some aspects of DLL injection, it’s important to note that mobile platforms have strict security measures and app store policies. Any form of dynamic loading or code execution should be performed within the confines of these policies to ensure the app’s integrity and security. Additionally, these practices are typically integrated into app development using approved APIs and methods provided by the mobile platform’s SDK. In general, mobile app developers should prioritize security, user privacy, and adherence to app store guidelines when considering any form of dynamic code loading or remote updates.

To safeguard against dynamic link library injection attacks, app developers should follow secure coding practices such as code signing and encryption, performing regular security audits, and incorporating runtime protection mechanisms that can detect malicious code injection. Mobile device users should also exercise caution when installing apps from untrusted sources and regularly update their devices with the latest software updates and security patches.

Related Content

Receive Zimperium proprietary research notes and vulnerability bulletins in your inbox

Get started with Zimperium today