Exploring DLL Injection

Oct 2, 2025

Keeping it simple: DLL injection is a technique that executes malicious code within the virtual memory space of a running process.

We’ll be covering a few topics.

  • How Memory Works

  • What is a DLL

  • Goal of DLL Injection

  • DLL Injection

How Memory Works

I mentioned in my previous article, "SOC Analyst Perspective: What is BYOVD Attack," that the operating system is responsible for memory management. This includes tasks such as allocating resources, determining which processes need memory at specific times, and managing the order in which processes/programs run.

So, think of memory as having two types: physical and virtual. The operating system will utilize the RAM (a physical component in your computer) to provide virtual memory. Virtualization (oversimplified) is an abstraction by the operating system that allows processes to use more memory than is actually available.

When a process needs to use memory, the operating system will give it its own virtual address space. The process uses this virtual address space to request memory, while the operating system maps these virtual addresses to physical addresses in RAM.

So, what does the process need the memory for? To store and execute code and sets of instructions. A thread handles a piece of the instructions that will be executed. Since a process often involves multiple tasks, it can have multiple threads — each for managing a specific task.

So, now that we know how memory works, let's get into how this applies to DLL injection.

What is a DLL

Using Microsoft’s definition, a DLL is a library that contains code and data that can be used by more than one program simultaneously. ("What is a DLL", 2025)

Goal of DLL Injection

In short, an attacker can write their own library of code (DLL) to inject into a running process or program. A common reason for doing this is to gain the elevated privileges that belong to the running process.

How DLL Injection Works

There are several ways to perform DLL injection; however, to establish a baseline, one common technique involves abusing Windows API calls to load a DLL into a running process’s virtual address space.
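From the SOC side, this technique tends to surface as two Sysmon records: a remote thread created in another process (Event ID 8) followed by a module load in that target process (Event ID 7). The sketch below is an added example, not code from this article; the event dicts are constructed samples, and the 5-second window and the `find_injections` helper are assumptions made for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=5)  # assumed correlation window; tune per environment

# Constructed Sysmon-style events (already parsed into dicts); not real telemetry.
EVENTS = [
    {"EventID": 8, "UtcTime": "2025-10-02 14:03:11.100",
     "SourceImage": r"C:\Users\demo\AppData\Local\Temp\updater.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 4312,
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW"},
    {"EventID": 7, "UtcTime": "2025-10-02 14:03:11.350", "ProcessId": 4312,
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Users\demo\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "UtcTime": "2025-10-02 14:03:12.000", "ProcessId": 4312,
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    # Remote thread whose start routine is not a loader function: not flagged.
    {"EventID": 8, "UtcTime": "2025-10-02 14:05:00.000",
     "SourceImage": r"C:\Program Files\Demo\agent.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "TargetProcessId": 900,
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": ""},
]

def ts(event):
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")

def find_injections(events, window=WINDOW):
    """Pair LoadLibrary* remote threads with unsigned DLL loads in the target."""
    findings = []
    for thread in (e for e in events if e["EventID"] == 8):
        if thread["SourceImage"].lower() == thread["TargetImage"].lower():
            continue  # a process creating threads in itself is out of scope here
        if not thread.get("StartFunction", "").lower().startswith("loadlibrary"):
            continue  # only threads that start in a library-loading routine
        loaded = [e["ImageLoaded"] for e in events
                  if e["EventID"] == 7
                  and e["ProcessId"] == thread["TargetProcessId"]
                  and e["Signed"].lower() != "true"
                  and timedelta(0) <= ts(e) - ts(thread) <= window]
        findings.append({"source": thread["SourceImage"],
                         "target": thread["TargetImage"],
                         "pid": thread["TargetProcessId"],
                         "unsigned_dlls": loaded,
                         "severity": "high" if loaded else "medium"})
    return findings

if __name__ == "__main__":
    print(*find_injections(EVENTS), sep="\n")
```

Sysmon does not log image loads (Event ID 7) unless the configuration enables them, so without that setting every finding stays at "medium".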

Also, here is a really, really good video that describes it a lot better than I can:

