# Dynamic-Link Library Injection Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process. DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as VirtualAllocEx and WriteProcessMemory, then invoked with CreateRemoteThread (which calls the LaodLibrary API responsible for loading the DLL). Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually performing the function of LoadLibrary). Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process. **Example:** From the tool InjectAllTheThings we are capable of injecting DLL files into processes and hide our actions as long is within reason of a process communicating with the internet. We have 7 different methods here: ![](/files/-MRhuUjlax5tvCp0Fq25) I won't explain this as this is way beyond beginner level but in simple terms it uses those API calls to inject DLLs into legitimate processes to hide its intentions. ![](/files/-MRhuWJZS4uAJe2cW0wp) Will choose option 1 and fill the needed parameters. ![](/files/-MRhuX88h2ITN8QEgrl7) I will take a look using Process Explorer and see what happened. ![](/files/-MRhuXup_HHYvFfe_2Ue) ![](/files/-MRhu_ThmQJf3cKPYgBd) We see above that rundll32.exe is now a child process of notepad.exe And it is using a Network connection with the port 4444 Check the TaskManager ![](/files/-MRhuaOz-Dp9mA1bTIzb) A bunch of Subprocesses running under Notepad, and even when closing these we still have notepad running in the background and stays available for us still to see in the Process Explorer Application. ![](/files/-MRhubUz3EevxZQ681Yg) A great technique for evading since we are hiding under the legitimacy of another process and maybe even escalating privileges. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1055-process-injection/dynamic-link-library-injection.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.