-1

I performed "reflective DLL injection", but I am trying to determine if I can view the injected DLL. If so, how can I hide it?

fusu
  • 115
  • 4

1 Answer

0

It sounds like you're interested in learning about reflective DLL injection. The following page should cover what you need:

https://0x00sec.org/t/reflective-dll-injection/3080

You might expect that security software, in particular anti-exploit based software, might be on the lookout for this, and it is. For example, HitmanPro.

Reflective DLL Injection

Normally when you load a DLL in Windows, you call the API function LoadLibrary. LoadLibrary takes the file path of a DLL as input and loads it into memory. Reflective DLL loading refers to loading a DLL from memory rather than from disk. Windows doesn’t have a LoadLibrary function that supports this, so to get this functionality you have to write your own. One benefit to writing your own function is that you can omit some of the things Windows normally does, such as registering the DLL as a loaded module in the process, which makes the reflective loader sneakier when being investigated. Meterpreter is an example of a tool that uses reflective loading to hide itself. Mitigation is performed by analyzing if a DLL is reflectively loaded inside memory.

https://www.sophos.com/en-us/medialibrary/Gated-Assets/white-papers/Sophos-Comprehensive-Exploit-Prevention-wpna.pdf

HelpingHand
  • 151
  • 4
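The check the quoted passage describes ("analyzing if a DLL is reflectively loaded inside memory") can be sketched as a detection pass over a process memory snapshot. This is an added example, not code from the answer or the Sophos paper: the `Region` record, function names and sample data are assumptions, with each record standing in for one `VirtualQueryEx` result plus the first bytes read from that region.

```python
import struct
from collections import namedtuple

MEM_COMMIT, MEM_PRIVATE, MEM_IMAGE = 0x1000, 0x20000, 0x1000000
EXEC_MASK, IMAGE_FILE_DLL = 0xF0, 0x2000  # PAGE_EXECUTE* bits; COFF DLL flag
# Hypothetical record: one VirtualQueryEx result plus the region's first bytes.
Region = namedtuple("Region", "base state type protect head")

def pe_kind(head):
    """Return 'dll' or 'exe' if head starts with a valid PE header, else None."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
    if e_lfanew + 24 > len(head) or head[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (flags,) = struct.unpack_from("<H", head, e_lfanew + 22)  # Characteristics
    return "dll" if flags & IMAGE_FILE_DLL else "exe"

def find_unlisted_images(regions, module_bases):
    """Flag committed, executable regions holding a PE image the loader does not list."""
    hits = []
    for r in regions:
        if r.state != MEM_COMMIT or not r.protect & EXEC_MASK:
            continue
        if r.type == MEM_IMAGE and r.base in module_bases:
            continue  # file-backed and registered: a normal LoadLibrary load
        kind = pe_kind(r.head)
        if kind:
            hits.append((r.base, kind))
    return hits

def sample_head(flags):  # constructed minimal header, not a real binary
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)        # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x80 + 22, flags)
    return bytes(buf)

SAMPLE_MODULES = {0x7FF800000000}  # constructed loaded-module list
SAMPLE_REGIONS = [                 # constructed snapshot
    Region(0x7FF800000000, MEM_COMMIT, MEM_IMAGE, 0x02, sample_head(0x2000)),
    Region(0x001F0000, MEM_COMMIT, MEM_PRIVATE, 0x40, sample_head(0x2000)),
    Region(0x002A0000, MEM_COMMIT, MEM_PRIVATE, 0x04, bytes(0x100)),
    Region(0x003B0000, MEM_COMMIT, MEM_PRIVATE, 0x40, b"\x48\x89\x5c\x24" + bytes(0xFC)),
]
if __name__ == "__main__":
    for base, kind in find_unlisted_images(SAMPLE_REGIONS, SAMPLE_MODULES):
        print(f"unlisted {kind} image at {base:#x}")
```

Only the private, executable region at 0x1f0000 is reported: it carries a DLL header but is neither file-backed nor present in the module list.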