Injecting DLL from Driver to All Processes (Including Protected Ones)

This article explores an unusual method of injecting a DLL from a driver into all processes, including protected ones (except `smss` and `csrss`), without using APC insertion. The injected DLL loads even before kernel32.dll.

You Should Know:

1. Understanding Kernel-Mode DLL Injection

Traditional DLL injection relies on user-mode APIs such as CreateRemoteThread. Kernel-mode injection operates below those APIs, which gives the driver deeper control over the target and lets it bypass some user-mode protections.

2. Why This Method is Unusual

  • No APC Queueing: Avoids `KeInitializeApc` and `KeInsertQueueApc`.
  • Early Injection: The DLL loads before kernel32.dll, making it harder to detect.
  • Bypasses Some Protections: Works even on protected processes (except critical system processes such as `smss` and `csrss`).

3. Key Code Snippets

Driver-Side (Kernel)

    #include <ntifs.h>

    NTSTATUS InjectDLL(PEPROCESS TargetProcess) {
        // A PEPROCESS is already supplied, so no PsLookupProcessByProcessId round-trip
        // is needed; EPROCESS is opaque, so obtain the PID via PsGetProcessId.
        HANDLE hProcess = NULL;
        OBJECT_ATTRIBUTES oa;
        CLIENT_ID cid = { PsGetProcessId(TargetProcess), NULL };
        InitializeObjectAttributes(&oa, NULL, OBJ_KERNEL_HANDLE, NULL, NULL);
        NTSTATUS status = ZwOpenProcess(&hProcess, PROCESS_ALL_ACCESS, &oa, &cid);
        if (!NT_SUCCESS(status)) return status;
        // Manual mapping logic here
        ZwClose(hProcess);
        return STATUS_SUCCESS;
    }

DLL-Side (Payload)

    #include <windows.h>

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD reason, LPVOID lpReserved) {
        if (reason == DLL_PROCESS_ATTACH) {
            // Caveat: if the DLL really is mapped before kernel32.dll, only ntdll
            // exports are resolvable here; DisableThreadLibraryCalls lives in kernel32.
            DisableThreadLibraryCalls(hModule);
            // Malicious logic here
        }
        return TRUE;
    }

4. Practical Steps

1. Load the Driver:

    sc create InjectDrv binPath= C:\Path\to\driver.sys type= kernel start= demand
    sc start InjectDrv

2. Verify Injection:

Use Process Hacker or Process Explorer to check loaded modules in target processes.

3. Unload Driver:

    sc stop InjectDrv
    sc delete InjectDrv

5. Detection & Prevention

  • Monitor Kernel Drivers:
    Get-WmiObject Win32_SystemDriver | Where-Object { $_.State -eq "Running" } | Select Name, PathName
  • Enable Secure Boot & DSE:
    bcdedit /set {current} testsigning off
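The two checks above combined into one script, as an added PowerShell example that is not from the original article: it enumerates running drivers the way the Get-WmiObject one-liner does, then verifies each binary's Authenticode signature and install location, and reads the testsigning flag from bcdedit. It assumes an elevated Windows PowerShell 5.1 or later session; the list of trusted driver directories is an assumption for illustration.

```powershell
# Added example (not from the original article): automate the two checks above,
# auditing running kernel drivers and the test-signing boot flag.
# Assumes an elevated Windows PowerShell 5.1+ session; no external modules.

function Get-SuspiciousDriver {
    # Same driver enumeration as the one-liner above, plus a signature and
    # location check on each binary. Emits only drivers with a finding.
    $trustedDirs = @("$env:SystemRoot\System32\drivers\*",
                     "$env:SystemRoot\System32\DriverStore\*")   # assumed trusted locations
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted, \??\-prefixed or \SystemRoot-relative
            $path = $_.PathName -replace '^"|"$', '' -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            $path = [Environment]::ExpandEnvironmentVariables($path)
            $sig = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -LiteralPath $path
            }
            $reasons = @()
            if (-not $sig) { $reasons += 'binary not found on disk' }
            elseif ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
            $inTrusted = $false
            foreach ($d in $trustedDirs) { if ($path -like $d) { $inTrusted = $true } }
            if (-not $inTrusted) { $reasons += 'loaded from outside System32\drivers or DriverStore' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Name    = $_.Name
                    Path    = $path
                    Signer  = if ($sig) { $sig.SignerCertificate.Subject } else { $null }
                    Reasons = $reasons -join '; '
                }
            }
        }
}

function Test-TestSigningEnabled {
    # bcdedit prints a "testsigning  Yes" line when the boot entry relaxes DSE
    $out = bcdedit /enum '{current}' 2>$null
    return [bool]($out -match '^testsigning\s+Yes')
}

Get-SuspiciousDriver | Format-Table -AutoSize -Wrap
if (Test-TestSigningEnabled) {
    Write-Warning 'testsigning is ON: unsigned drivers can load; clear it with: bcdedit /set {current} testsigning off'
}
```

A driver that is unsigned, loaded from an unexpected directory, or whose file is missing from disk is a candidate for closer inspection, and a testsigning flag that nobody set deliberately is a finding on its own.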
    

What Undercode Say

Kernel-mode DLL injection is a powerful technique for both offensive security and malware. Unlike user-mode injection, it bypasses many security mechanisms, but on modern Windows it requires a signed driver (unless testsigning is enabled). Defenders should:
– Audit loaded kernel modules (driverquery /v).
– Restrict driver loading via Group Policy.
– Use HVCI (Hypervisor-Protected Code Integrity) to block unsigned code execution in kernel.

Expected Output:

  • Successful DLL injection into most processes.
  • Logs in WinDbg showing early module loading.
  • Potential BSOD if the driver is unstable.

Prediction

As kernel protections (like Driver Blocklisting and VBS) improve, attackers may shift to firmware-level exploits or virtualization-based injection (e.g., via Hyper-V). Defenders must adopt memory scanning and hardware-enforced security.

References:

Reported By: Alex S – Hackers Feeds