Sunday, 13 October 2013

DLL Injection into Google Chrome


Today, I wanted to share a injection method into Chromium (Google Chrome) browser. Google Chrome is known for it's Security - which protects it's End-Users from Malware, but unfortunately Google Chrome missed out the most simplest DLL injection method - a basic thread creation using CreateRemoteThread, this should be obvious to Google Chrome Developers as the it is commonly used by Malware, on contrary to what the developers said... "Sandbox" is not safe as we were informed.

There are very powerful uses if a DLL is executed inside memory\process space of Google Chrome, these include:

- Bypassing AV firewall solutions, as Google Chrome is by default enabled to perform network activity
- To steal and to formgrab vital pieces of Data such as Login details for Email accounts
- To prevent downloads of Security Utilities such as AV solutions.

These are some negative impacts but these are the positive aspects to use such a DLL injection:

- To create hotkeys\ personalisation applications without using Chromium SDK
- To block Malicious Threats
- Use it to create rich P2P\Network Applications for End-Users, without needing a Internet Allowed Certification
-  Remove Malware's detours on the Google Chrome

Before, I give the code for the DLL injection, do note that:

- This DLL Injection method has been tested on Google Chrome Version: 29.0.1547.62
- Using this method to perform Code Injection can crash the application or can result in unexpected behaviour of injected thread.

To protect from this injection method follow these steps:

- Create a DLL, which detours LoadLibraryA & LoadLibraryW
- In the detour callback simply return 0; which means if this method was called by Malware it would fails as our callback does nothing with this functions
- Inject a DLL into Google Chrome, to inject just re-follow this method

Do keep in mind if LoadLibraryA\W is detoured and returns 0, it would mean all Google Chrome LoadLibrary calls would fail as well, so make sure to implement a some type of identification, to ensure that you know if Google Chrome called it or a foreign process.

Once injected other 3rd Party Malware\Tools cannot inject into this using this method.


  1. "Once injected other 3rd Party Malware/Tools cannot inject into this using this method." Why not?