Practical Windows Forensics

Overview of this book

Over the last few years, the wave of cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system internals, how to extract evidentiary data from digital evidence, and the best use of digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to collect different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

The DLL injection


DLLs, or Dynamic Link Libraries, are resources and functions that are shared among different processes running within the system. Some programs require special external DLLs, which are shipped with the program so that it can run properly. Because DLLs execute inside the address space of the process that loads them, malware commonly targets them as a way to gain access to, and control over, other processes in memory. DLLs are loaded into a process in different ways:

  • Dynamic linking: The executable carries an Import Address Table (IAT) that names the DLLs and functions it needs; the Windows loader maps those DLLs into the process memory space at load time and fills the IAT with their resolved addresses.

  • Runtime dynamic linking: Some DLLs are not listed in the IAT at all, but are loaded by the program itself during execution by calling a Windows API function such as LoadLibrary.

  • Injection: DLLs can also be forced into a process by a third party using several different techniques. Let's see what they are.
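The distinction between the three loading methods is what an analyst uses in practice: modules present in a process that the executable never declared in its IAT were either loaded at runtime or injected. The following is an added example, not code from the book, that parses the import directory of a PE image and diffs it against a constructed list of loaded modules; it assumes the image is in memory layout (RVA equals offset, as in a module dumped from a process), and the sample image and module list are constructed for the demonstration.

```python
import struct

IMPORT_DESCRIPTOR = "<IIIII"   # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk

def declared_imports(img: bytes) -> list:
    """DLL names in the import directory (load-time linking) of a PE image in memory layout."""
    if img[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", img, 0x3C)[0]                      # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                                    # optional header after 20-byte COFF header
    magic = struct.unpack_from("<H", img, opt)[0]
    dd_base = {0x10B: 96, 0x20B: 112}[magic]                         # data directories: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", img, opt + dd_base + 8)[0]    # directory index 1 = imports
    dlls, off = [], imp_rva
    while imp_rva:
        _, _, _, name_rva, _ = struct.unpack_from(IMPORT_DESCRIPTOR, img, off)
        if name_rva == 0:                                            # all-zero descriptor ends the table
            break
        dlls.append(img[name_rva:img.index(b"\0", name_rva)].decode("ascii"))
        off += struct.calcsize(IMPORT_DESCRIPTOR)
    return dlls

def undeclared_modules(img: bytes, loaded: list, baseline=("ntdll.dll",)) -> list:
    """Loaded modules the image never declared: runtime-linked (LoadLibrary) or injected.
    ntdll.dll is mapped into every process by the loader, so it is excluded by default.
    Transitive dependencies of declared DLLs also land here, so treat the result as a review list."""
    declared = {d.lower() for d in declared_imports(img)} | set(baseline)
    return sorted(m for m in loaded if m.lower() not in declared)

def sample_image() -> bytes:
    """Constructed minimal PE32+ image (not a real binary) importing KERNEL32 and ADVAPI32."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x8664, 0, 0, 0, 0, 240, 0x22)
    struct.pack_into("<H", img, 0x98, 0x20B)                         # PE32+ magic
    struct.pack_into("<II", img, 0x98 + 112 + 8, 0x200, 60)          # import directory RVA / size
    for i, (name, rva) in enumerate([(b"KERNEL32.dll", 0x300), (b"ADVAPI32.dll", 0x310)]):
        struct.pack_into(IMPORT_DESCRIPTOR, img, 0x200 + 20 * i, 0x280, 0, 0, rva, 0x2C0)
        img[rva:rva + len(name)] = name
    return bytes(img)

if __name__ == "__main__":
    loaded = ["ntdll.dll", "KERNEL32.dll", "ADVAPI32.dll", "unknown.dll"]   # constructed module list
    print(declared_imports(sample_image()))
    print(undeclared_modules(sample_image(), loaded))
```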

Remote DLL injection

A malicious...