
Reflective Memory Injection
How It Works and How to Stop It

Reflective memory injection (RMI) is the most recent weapon in the arms race between attackers and defenders. Take a deep dive into how RMI works, what it looks like, and how your organization can stop these security incidents from occurring in your environment.

June 2013
WP-EN-06-19-13
Reflective Memory Injection: How it Works and How to Stop it

Overview

Reflective memory injection (RMI) is the most recent weapon in the arms race between attackers and defenders. Back in the 1990s, most security incidents centered around active penetration attempts, launched directly at the networks and servers of target organizations. Such attacks relied on simple security misconfigurations and unhardened systems that were left at their unsecured default settings.

As awareness grew, organizations began hardening their most exposed systems and implementing better network boundaries. But security patching was slow, and many systems simply went unpatched for years. So attackers started looking for software bugs that they could exploit, such as buffer overflows that allow malformed input to trick programs into running arbitrary code.

In time, software vendors (arguably led by Microsoft) beefed up the default security settings of their products and began releasing patches more regularly, along with automated patch-delivery systems. These changes made life more difficult for attackers, but a significant window of opportunity still existed. Attackers began to exploit zero-day vulnerabilities, before vendors developed patches and customers deployed them to target systems.

There's no defense against a zero-day vulnerability until a patch is available and you follow through and deploy it. But most zero-day vulnerabilities are used as the initial vector through which a malicious executable can be downloaded to the victim system and configured to run persistently. If you can stop that EXE file from executing, you can prevent the attack from escalating.

At about the same time that zero-day exploits became popular with attackers, application whitelisting matured and became more common. Application whitelisting solutions such as Lumension® Application Control prevent new EXEs from running on protected systems unless the EXE passes various trust policies.

Software developers also began using more secure coding techniques and compilers. OS and hardware vendors began developing ways to make buffer overflows and related bugs less prevalent and more difficult to exploit, and to restrict the size and flexibility of buffer overflows.

With buffer overflows more difficult than ever to exploit and the possibility that malicious EXEs could be blocked by application whitelisting, attackers were under pressure to find something new. In 2008, Stephen Fewer published a paper, "Reflective DLL Injection," which detailed how to inject a DLL into a host process without using the standard APIs that triggered security checks by application whitelisting. Fewer provided proof-of-concept code modules that could be used with the Metasploit toolkit.

How Does RMI Work?

Before an attacker can use RMI, the attacker must be able to run a small amount of executable code and must have downloaded or otherwise copied the bytes of the malicious DLL into memory. There are many, many ways to accomplish this. We will describe just one.

The attacker places a malicious web page on some site that includes a malformed JPEG image, exploiting a buffer overflow in the Windows image-rendering engine. The attacker succeeds in getting the user to view the web page, at which point the browser downloads and renders the JPEG, triggering the buffer overflow.

The buffer overflow results in the execution of a small amount of arbitrary CPU instructions (called shell code). The shell code downloads the bytes of the larger malicious DLL into memory. The shell code then calls into a tiny bootstrap loader function in the DLL. This is where the reflective part of RMI begins.

[Figure: the RMI attack chain. Malformed content sent to PC → Buffer overflow → Shell code activates → Downloads larger malware from internet → Writes malware directly to heap memory (no file access) → Dynamically links references to function calls → Flags memory as executable → Spins up a thread to run the malware]

When you load a DLL into memory, it can't immediately begin to run. It first needs to call certain standard functions, called imported functions, that are provided either by the compiler's standard library or by the OS. The library also exports functions that the OS or other libraries might need to call back into the original library. These references are initially symbolic and must be replaced with the actual memory addresses of those functions, which change each time a process is started since executables can be loaded into any location in memory. This process is called dynamic linking and accounts for the term Dynamic Link Library (DLL).
For a library to link itself, it must examine its own bytes to find and resolve the symbolic references of its imported and exported functions. This process is analogous to a program looking at itself in a mirror. That is where the term Reflective Memory Injection comes from.

A legitimate program simply uses the OS to accomplish this process, by calling the LoadLibrary() API. But attackers want to link up to the malicious library without tipping their hand by touching the disk or calling an obvious API.

After this linking is accomplished, a thread is spun up to run the main code of the malicious DLL. Then the attacker can get down to business, having silently delivered and activated a potentially large payload of malicious functionality, beginning with a tiny buffer overflow and without tripping any alarms. At this point the attacker can proceed with the attack, executing any features of the new DLL under the auspices of whichever user is logged on.

Why Doesn't Antivirus or Application Whitelisting Detect RMI?

The shell code keeps the DLL in memory; it does not write the DLL to disk. This distinction is important. Security technologies such as antivirus and application whitelisting can easily "see" a new DLL that appears in the file system and potentially quarantine it or block it from being loaded. Writing the DLL to disk and loading it via the LoadLibrary API is much easier and is referred to as Simple DLL Injection.
What Does an RMI Process Look Like?

Detecting RMI code is complex. Classic methods of detecting DLLs that are injected through normal APIs are obsolete. For instance, since the DLL was not loaded with LoadLibrary(), the malicious code won't show up in the process's metadata.

You must look for evidence of what RMI does, which is to allocate a region of private memory and flag it for not just Read and Write access but also for Execute. The fact that the chunk of memory is in the data part of a process's memory but is flagged to allow execution is suspicious; a program's executable code normally resides in the process's "image" (EXE) region of memory and in any legitimately mapped DLL file. The region must be marked as writable so that the shell code can write the code into the region. It must also be flagged as executable so that the shell code can subsequently pass execution to it.

However, just looking for chunks of private memory that are flagged RWX will lead to false positives. Some legitimate programs, such as the .NET Runtime, use self-modifying code.

To eliminate such false positives, you must examine the contents of the suspicious memory chunk. Look for structures and constants that show the chunk to be a DLL in disguise. DLLs have a standard format with several headers and tables. Look for the MZ and PE headers, which are prefixed by those actual characters, as shown in the following figure. The Process Hacker screen in this figure shows a region of private memory in Microsoft Internet Explorer (IE) that is flagged for Read, Write, and Execute. In addition, the contents of the memory are a positive match for a DLL in Win32 Portable Executable (PE) format.

[Figure: Process Hacker memory view of the RWX region; the screenshot is not reproduced in this copy]

Although the contents of the memory region are a DLL and the region is writable, other investigation shows that it does not appear in the list of DLLs that are loaded through the normal API, nor is it mapped to a file on the file system. This is suspicious but not definite. Legitimate programming could yield the same appearance, but such cases are unusual (copy-protection mechanisms in game software, for example). Indeed, code that loads this way is code that wants to hide.

How Lumension Detects RMI

Lumension® Application Control (part of Lumension® Endpoint Management and Security Suite) has long been a leader in application whitelisting, which is the most effective way to prevent malicious or otherwise untrusted or unwanted applications from executing.

RMI bypasses the file system and security technologies that interface with the file system. Through the acquisition of CoreTrace, Lumension® Application Control includes CoreTrace's Bouncer patent-pending technology. Bouncer can detect and stop RMI attacks by monitoring an endpoint's memory address space and associated processes for distinct evidence of exploitation. The architecture and kernel-level position of Lumension® Application Control allow it to extend beyond simple whitelisting to provide memory protection.
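The detection heuristics laid out in "What Does an RMI Process Look Like?" (private memory, executable protection, PE-shaped contents, no backing file, absent from the loaded-module list), together with the PE header layout that the dynamic-linking discussion in "How Does RMI Work?" relies on, as an added Python example. This is not code from the whitepaper or from any Lumension product. The region records, addresses, file path and byte patterns are constructed sample data; the remark that a live scanner would fill them from VirtualQueryEx/ReadProcessMemory and the process's loader data describes an assumed input path rather than anything this code does. It also goes a little beyond the paper's RWX case by treating any private region with an execute bit as a candidate, since a loader can drop the write bit after copying its image.

```python
"""Classify process memory regions using the whitepaper's RMI heuristics.

Constructed example, not code from the whitepaper or from Lumension.
Region descriptions are built inline; on a live Windows host they would
be filled from VirtualQueryEx/ReadProcessMemory and the loaded-module
list from the process's loader data (assumed, not implemented here)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Win32 memory-protection and region-type constants (from winnt.h)
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_MASK = 0xF0            # any PAGE_EXECUTE* protection value
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
# IMAGE_FILE_HEADER.Characteristics flags
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


@dataclass
class Region:
    base: int
    protect: int
    mem_type: int
    mapped_file: Optional[str]  # backing file for MEM_IMAGE/MEM_MAPPED regions
    data: bytes                 # leading bytes read from the region


def parse_pe_header(buf: bytes) -> Optional[dict]:
    """Return IMAGE_FILE_HEADER fields if buf starts with a sane MZ/PE pair.
    Every offset is bounds-checked so a truncated read or a hostile
    e_lfanew cannot raise an exception inside the scanner."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew < 0x40 or e_lfanew + 24 > len(buf):   # signature + file header
        return None
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    return {"machine": machine, "sections": nsec, "is_dll": bool(chars & IMAGE_FILE_DLL)}


def classify_region(region: Region, loaded_bases: Set[int]) -> str:
    """Apply the paper's checks cheapest first: protection and type, then
    PE-shaped contents, then whether the module list accounts for it."""
    if not region.protect & EXECUTE_MASK:
        return "BENIGN_NOT_EXECUTABLE"        # heap, stack, ordinary data
    if region.mem_type != MEM_PRIVATE:
        return "BENIGN_FILE_BACKED"           # EXE image or a mapped DLL
    hdr = parse_pe_header(region.data)
    if hdr is None:
        return "RWX_NO_PE"                    # JIT output, e.g. the .NET runtime
    if region.base in loaded_bases:
        return "PE_IN_MODULE_LIST"            # known module, just oddly protected
    return "SUSPICIOUS_UNLISTED_PE_" + ("DLL" if hdr["is_dll"] else "EXE")


def build_constructed_pe(is_dll: bool = True) -> bytes:
    """Constructed minimal MZ/PE header pair (no sections, no code); sample
    data so the scanner has something PE-shaped to recognise."""
    e_lfanew = 0x80
    img = bytearray(e_lfanew + 24)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    chars = IMAGE_FILE_EXECUTABLE_IMAGE | (IMAGE_FILE_DLL if is_dll else 0)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     0x8664, 3, 0, 0, 0, 0xF0, chars)  # AMD64, 3 sections
    return bytes(img)


# Constructed snapshot of a browser process; addresses are arbitrary.
SAMPLE_REGIONS: List[Region] = [
    Region(0x7FF6_0000_0000, PAGE_EXECUTE_READ, MEM_IMAGE,
           r"C:\Program Files\Internet Explorer\iexplore.exe", build_constructed_pe(False)),
    Region(0x20_0000, PAGE_READWRITE, MEM_PRIVATE, None, bytes(0x100)),              # heap
    Region(0x30_0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None,
           b"\x48\x89\x5c\x24\x08" + b"\xcc" * 0x100),                               # JIT stub
    Region(0x40_0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None, build_constructed_pe(True)),
    Region(0x50_0000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None,                     # bogus e_lfanew
           b"MZ" + bytes(0x3A) + struct.pack("<I", 0xFFFFFFF0) + bytes(0x40)),
]
LOADED_MODULE_BASES: Set[int] = {0x7FF6_0000_0000}


def scan(regions: List[Region], loaded_bases: Set[int]) -> Dict[int, str]:
    """Verdict per region base address."""
    return {r.base: classify_region(r, loaded_bases) for r in regions}


def scan_sample() -> Dict[int, str]:
    return scan(SAMPLE_REGIONS, LOADED_MODULE_BASES)


if __name__ == "__main__":
    for base, verdict in scan_sample().items():
        print(f"{base:#018x}  {verdict}")
```

Run it directly to print one verdict per region. The .NET-style JIT region shows the false positive the paper warns about being separated from the PE-shaped region by the header check, and the region with an out-of-range e_lfanew shows why every header offset is bounds-checked before it is dereferenced: a scanner that crashes on hostile input is itself a bypass.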
In order to prevent exploits such as DLL injections and reflective memory injections, Lumension® Application Control extends the whitelisting model into memory, preventing execution of processes that originate from unauthorized programs. Lumension® Advanced Memory Protection eliminates one of the biggest endpoint security blind spots that attackers target.

Lumension® Advanced Memory Protection is an integral part of an overall layered strategy in Lumension® Endpoint Management and Security Suite for defense against sophisticated attacks such as Advanced Persistent Threats (APTs). Lumension® Endpoint Management and Security Suite provides layered protection against memory-based attacks by combining market-leading patch and remediation management and traditional application-whitelisting capabilities.

The defense-in-depth capabilities in Lumension® Endpoint Management and Security Suite provide organizations with these capabilities:
»»Remove all known memory-based vulnerabilities and ensure that the attackable surface area is as small as possible.
»»Identify and block attempted memory-injection exploits in memory, through Advanced Memory Protection.
»»Deny any attempts to install on-disk payloads, through the proven application-whitelisting security model.

RMI Protection as Part of a Complete Endpoint Security Solution

Application whitelisting and RMI protection go hand-in-hand to provide comprehensive protection against malware and the APTs that use malware. And preventing malicious code (whether in memory or on disk) is the single most effective way to stop APTs.

But more than one layer of security is required for defense-in-depth. To defend against today's risks, endpoints need multiple security technologies:
»»Configuration control
»»Patch management
»»Antivirus
»»Device control
»»Vulnerability scanning
»»Encryption
Deploying all these technologies can lead to a confusing array of products, agents, and consoles, all competing for endpoint computing resources and attention from IT staff. In contrast, Lumension delivers all these technologies as a single-server, single-agent, single-console platform that provides modularly licensed, best-of-breed capabilities and systems management—and that can grow with you as your needs evolve.

Lumension® Endpoint Management and Security Suite enables you to take control of your endpoints through an agile solution suite that simplifies systems management, expands operational visibility, and delivers more effective IT security, all while reducing complexity and endpoint total cost of ownership (TCO).

Learn more about Lumension® Endpoint Management and Security Suite at http://www.lumension.com/endpoint-management-security-suite.aspx, watch an on-demand demo at http://www.lumension.com/endpoint-management-security-suite/demo-in-detail.aspx, or start a free virtual hosted or on-premise trial at http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx.

About Randy Franklin Smith

Randy Franklin Smith is an internationally recognized expert on the security and control of Windows and Active Directory. Randy publishes www.UltimateWindowsSecurity.com and wrote The Windows Server 2008 Security Log Revealed – the only book devoted to the Windows security log. Randy is the creator of LOGbinder software, which makes cryptic application logs understandable and available to log-management and SIEM solutions. As a Certified Information Systems Auditor, Randy performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations. Randy is also a Microsoft Security Most Valuable Professional.

Disclaimer

UltimateWindowsSecurity.com is operated by Monterey Technology Group, Inc. Monterey Technology Group, Inc. and Lumension Security, Inc. make no claim that use of this whitepaper will assure a successful outcome. Readers use all information within this document at their own risk.
About Lumension Security, Inc.

Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Application Control, Lumension Endpoint Management and Security Suite, "IT Secured. Success Optimized.", and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.480.970.1025
fax: +1.480.970.6323

www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management