What do I use to detect dll "injection"?

Discussion in 'other anti-malware software' started by Searching_ _ _, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    What do I use to detect a dll injection of a legitimate dll that can inject into other processes?

    malicious injection=>XXmsXX.dll (which can already) inject=>any process (winlogon.exe, explorer.exe, servicehost.exe, etc.)

    Not sure if dll injection is the right term, but that is what I used.

    edit: KX-Ray shows the suspect processes in gray, but would a memory dump show anything more than the legitimate dll which has the additional payload?
     
    Last edited: Sep 29, 2008
  2. Pseudo

    Pseudo Registered Member

    Joined:
    May 4, 2008
    Posts:
    193
    Most HIPSs detect DLL injection (injection would be the right term). I'm not sure if there's a specific utility dedicated to it, though. :)
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    It's already inside. I have hips and FW so it may have gotten in via another application that was trusted.

    After noticing issues, I downloaded SIW to see what I could find. I focused on processes and their dlls, specifically internet and COM related. I noted file sizes. Now I searched to learn more about particular dlls.
    While I surfed, the file I was researching changed size. What I didn't know right away was that the program I was using had been injected with the XXmsXX.dll, which was infected with extra data, and now altered the info I was seeing, hiding its presence.

    I know what dll is involved and I know what processes the infected dll injected into.

    I don't know if each and every instance is an infected instance.

    I don't know what is causing the dll to become infected.

    I guess I should determine if the dll is necessary or terminable.

    Would a memory dump of the processes involved be useful in determining the payload inside the dll?


    Thanks Pseudo for the reply,

    Searching

    P.S.
    The processes involved:

    winlogon.exe
    svchost.exe
    svchost.exe
    svchost.exe
    spoolsv.exe
    FWService.exe
    explorer.exe
    FirewallGUI.exe
    firefox.exe
    siw.exe
    wmiprvse.exe
    wmiprvse.exe
     
    Last edited: Sep 30, 2008
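    The "note the file sizes, then watch for a change" approach from the post above, as an added example (not from the thread or any tool named in it): take a baseline of which processes have a given DLL loaded and its on-disk fingerprint, then diff a later snapshot. Assumptions: live collection runs on Windows with psutil installed; the module paths, sizes and hashes in the sample data are constructed, and XXmsXX.dll is the placeholder name from the post.

```python
"""Baseline-and-diff check for a DLL loaded into many processes (added example)."""
import hashlib
import ntpath  # handles Windows paths even when this logic is run elsewhere

def file_fingerprint(path):
    """Return (size, sha256) of the on-disk module, or None if it cannot be read."""
    try:
        with open(path, "rb") as f:
            data = f.read()
    except OSError:
        return None
    return (len(data), hashlib.sha256(data).hexdigest())

def collect_snapshot():
    """Map (pid, name) -> {dll path: fingerprint} for every readable process.
    Assumption: Windows host with psutil available (pip install psutil)."""
    import psutil
    snap = {}
    for p in psutil.process_iter(["pid", "name"]):
        try:
            mods = {m.path for m in p.memory_maps() if m.path.lower().endswith(".dll")}
        except (psutil.AccessDenied, psutil.NoSuchProcess):
            continue
        snap[(p.info["pid"], p.info["name"])] = {m: file_fingerprint(m) for m in mods}
    return snap

def diff_snapshots(baseline, current, module_name):
    """For one DLL name, report which processes load it now, where it is newly
    loaded since the baseline, and where its on-disk fingerprint changed."""
    name = module_name.lower()
    report = {"loaded_in": [], "new_in": [], "changed": []}
    for proc, mods in current.items():
        for path, fp in mods.items():
            if ntpath.basename(path).lower() != name:
                continue
            report["loaded_in"].append(proc[1])
            base = baseline.get(proc, {}).get(path)
            if base is None:
                report["new_in"].append(proc[1])
            elif base != fp:
                report["changed"].append((proc[1], base, fp))
    return report

# Constructed sample: the DLL grew and gained a new host process between snapshots.
DLL = r"C:\Windows\System32\XXmsXX.dll"
SAMPLE_BASELINE = {(1, "explorer.exe"): {DLL: (1000, "hash-before")}}
SAMPLE_CURRENT = {(1, "explorer.exe"): {DLL: (1200, "hash-after")},
                  (2, "firefox.exe"): {DLL: (1200, "hash-after")},
                  (3, "svchost.exe"): {r"C:\Windows\System32\kernel32.dll": (50, "k")}}

if __name__ == "__main__":
    print(diff_snapshots(SAMPLE_BASELINE, SAMPLE_CURRENT, "XXmsXX.dll"))
```

A changed fingerprint on disk is worth comparing against a known-good copy of the same DLL; a module that loads into many processes but shows no on-disk change points at in-memory modification instead, which is where a memory dump of the affected process helps.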
  4. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Use APM, advanced process manipulation to unload the dll injected into the process.
    Memory analysis - scan or dump the memory.
    Analysis sandbox or joebox.
    Sysanalyzer
    ...
     
  5. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    ESET SysInspector.

    Thanks, PROROOTECT
     
  6. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    Injection of code in a .dll file ?

    I remember that an older version of Kaspersky once asked me if I wanted to allow 'process X to inject code in .dll file Y'. I'm not sure if that was in the default setting though.

    And figuring out if you should allow it or block it is the hard part. That's why I dropped Kaspersky at the time.
     
  7. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hello,

    I used APM to unload the suspect dll and it left a 1KB tmp file.
    Is this a report of some kind? How do I view the file?

    Not sure about all of the uses for Sysanalyzer. Apparently it has a memory dump feature. If you have any pointers that would be great.

    Is it ok to run explorer.exe with this program, or do you have to set it up for a boot procedure?

    I have used it on SIW already. I figured that is safer than mucking with Windows innards for now.
     