HTTP 200 OK
Allow: GET, PUT, PATCH, DELETE, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept
{
"id": 161,
"key": "dns-api-injection",
"unprotect_id": "U1202",
"name": "DNS API Injection",
"description": "DNS API injection is a technique used by malware to evade detection by intercepting and modifying DNS (Domain Name System) requests made by a host system. The technique involves injecting code into the DNS API (Application Programming Interface) of the host system, which is a set of functions and protocols that allow communication with the DNS service. By injecting code into the DNS API, the malware can manipulate DNS requests and responses, potentially redirecting traffic to malicious domains or hiding its own DNS requests from being logged or detected.\r\n\r\nTo carry out DNS API injection, the malware must first locate the address of the dnsapi.dll library in the host system's memory and find the address of the exported `DnsApiHeapReset` function. By parsing the code of this function, the malware can discover the addresses of various callback functions that are used to process DNS requests and responses. The malware can then use the `WriteProcessMemory` function to modify these callbacks, allowing it to intercept and manipulate DNS requests made by the host system.\r\n\r\nSysmon v10, a system monitoring tool, includes a feature that logs DNS queries and maps them to the process name making the request. This can help detect DNS API injection by showing any suspicious or unexpected DNS requests being made by processes on the host system.",
"resources": "https://modexp.wordpress.com/2019/08/08/windows-process-injection-dnsapi/\nhttp://www.hexacorn.com/blog/2019/06/12/code-execution-via-surgical-callback-overwrites-e-g-dns-memory-functions/",
"creation_date": "2020-10-26T07:38:31Z",
"tags": "Overwriting DNS memory functions,\r\nLogging DNS queries,\r\nIntercepting DNS requests,\r\nHiding DNS requests,\r\ndnsapi.dll,\r\nDnsApiHeapReset,",
"modification_date": "2023-10-04T10:44:49.979000Z",
"category": [
4
],
"rules": [],
"attachments": [],
"featured_api": [
2,
3,
4,
6,
23,
24,
94,
239,
290,
301,
357,
358,
363,
413,
423,
469,
480,
569
],
"contributors": []
}
