DLL Injection
What is DLL Injection?
DLL Injection: A code-injection technique that forces a target Windows process to load and execute an attacker-supplied dynamic-link library.
DLL injection coerces a running process into mapping a malicious DLL into its address space, after which the DLL's DllMain or an exported function runs with the host process's privileges and trust attributes. Classic implementations call OpenProcess, VirtualAllocEx, and WriteProcessMemory to drop the DLL path into the target, then trigger CreateRemoteThread on LoadLibraryA. Variants include reflective DLL loading (no file on disk), SetWindowsHookEx, and AppInit_DLLs registry abuse. MITRE ATT&CK records DLL injection as T1055.001 under Process Injection. Defences include EDR with cross-process API tracing, kernel callbacks (PsSetCreateProcessNotifyRoutineEx), protected processes, code signing, blocking remote-thread creation in critical processes, and Microsoft Sysmon event 8 monitoring.
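The Sysmon event 8 monitoring mentioned above is where the classic CreateRemoteThread-on-LoadLibraryA chain becomes visible to a defender. The triage logic below is an added example, not code from the original page; it assumes a collector that yields one Sysmon event 8 record per line in flat key=value form, and the sample records, the allow-list of known thread-creating sources and the sensitive-process list are constructed for illustration and must be tuned per estate.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the classic
DLL-injection pattern: a remote thread whose start address resolves to a
LoadLibrary export, or a remote thread into a sensitive host process from
a source that is not expected to create one."""
import re

# Constructed sample records (assumption: one event per line, key=value fields).
SAMPLE_EVENTS = [
    "EventID=8 SourceImage=C:\\Windows\\System32\\csrss.exe "
    "TargetImage=C:\\Program Files\\App\\app.exe StartFunction=- StartModule=-",
    "EventID=8 SourceImage=C:\\Users\\bob\\AppData\\Local\\Temp\\update.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe "
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL StartFunction=LoadLibraryA",
    "EventID=8 SourceImage=C:\\Program Files\\EDR\\sensor.exe "
    "TargetImage=C:\\Windows\\System32\\lsass.exe StartFunction=- StartModule=-",
    "EventID=8 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "TargetImage=C:\\Windows\\System32\\svchost.exe StartFunction=- StartModule=-",
]

SENSITIVE_TARGETS = {"lsass.exe", "winlogon.exe", "csrss.exe"}
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Sources legitimately expected to open remote threads (assumption: tune per estate).
KNOWN_SOURCES = {r"c:\program files\edr\sensor.exe", r"c:\windows\system32\csrss.exe"}

# Values may contain spaces, so a value runs until the next " Key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    return dict(FIELD_RE.findall(line))


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(line):
    """Return the reasons a record is suspicious; an empty list means benign."""
    ev = parse_event(line)
    if ev.get("EventID") != "8":
        return []
    reasons = []
    src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
    if ev.get("StartFunction") in LOADER_EXPORTS:
        reasons.append("remote thread starts at a LoadLibrary export (classic DLL injection)")
    if basename(tgt) in SENSITIVE_TARGETS and src.lower() not in KNOWN_SOURCES:
        reasons.append(f"remote thread into sensitive process {basename(tgt)} from unexpected source")
    if "\\appdata\\local\\temp\\" in src.lower():
        reasons.append("source image runs from a user temp directory")
    return reasons


def triage_all(lines):
    """Map record index to its reasons, keeping only records that fired."""
    return {i: triage(l) for i, l in enumerate(lines) if triage(l)}
```

Only the second constructed record fires (two reasons); the EDR sensor touching lsass.exe is suppressed by the allow-list, which is exactly the tuning step a real deployment needs.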
● Examples
- 01: A Cobalt Strike beacon migrating into svchost.exe by injecting a DLL with CreateRemoteThread.
- 02: Malware abusing AppInit_DLLs to load a credential-stealing DLL into every interactive process.
● Frequently asked questions
What is DLL Injection?
A code-injection technique that forces a target Windows process to load and execute an attacker-supplied dynamic-link library. It belongs to the Attacks & Threats category of cybersecurity.
What does DLL Injection mean?
A code-injection technique that forces a target Windows process to load and execute an attacker-supplied dynamic-link library.
How does DLL Injection work?
The injector writes the DLL path into the target process and starts a remote thread on LoadLibraryA, so the DLL's DllMain runs with the host process's privileges; the full mechanism, its variants and the corresponding defences are detailed in the definition above.
How do you defend against DLL Injection?
Defences for DLL Injection typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- Process Injection (attacks, № 862): A family of evasion techniques in which an attacker runs malicious code inside the address space of a legitimate process to inherit its trust and identity.
- Fileless Malware (malware, № 417): Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
- Malware (malware, № 649): Any software intentionally designed to disrupt, damage, or gain unauthorized access to computers, networks, or data.
- EDR (Endpoint Detection and Response) (defense-ops, № 371): An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
- Mimikatz (defense-ops, № 682): An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- Defense Evasion (defense-ops, № 298): The MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.