Exetools  

  #1  
Old 01-25-2005, 02:07
thewhiz
AppInit_DLLs based injection only works for executables linked with user32.dll:

hXXp://support.microsoft.com/kb/q197571/
  #2  
Old 01-25-2005, 12:18
Opc0de
Take a look into the source code at:

hxxp://iamaphex.net/downloads/
and
hxxp://www.rootkit.com (ring-3 rootkits)

Regards,
Opc0de
  #3  
Old 01-25-2005, 15:02
bearek
I was looking for something similar to LD_PRELOAD, and I think the registry method is OK for me; I will check it.
I checked out the rest of the links/methods and I think I have an idea of how to make the thing I wanted to do.
Also, I found out something useful on the MS site.

hxxp://research.microsoft.com/sn/detours/
..."Detours intercepts Win32 functions by re-writing target function images."...
  #4  
Old 02-16-2005, 03:01
just4urim

I think the registry is the best way to hide your DLL and also keep it running (loaded). If you put your DLL in the following key (on Windows NT), your DLL will be loaded by Explorer during Windows startup :-)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Enjoy

PS: you should register the DLL and put its CLSID in ShellExecuteHooks.
  #5  
Old 02-16-2005, 04:43
AdamD
A few things about the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs method of injecting a DLL.

Windows 98 will ignore this registry key, so you cannot use this technique under Windows 98.

When you're adding DLLs to the key, only the first DLL can have a path name. All other paths will be ignored, so you should put your DLL in the Windows directory.

After you change the registry key, you must restart the machine so Windows initializes and saves the value to the key. Then, when user32.dll is mapped into a process, it will call the DllMain of your DLL with reason DLL_PROCESS_ATTACH so each library can initialize itself.

Because your injected DLL is loaded early in the process's lifetime, you must exercise caution when calling functions.

Of all the methods for injecting DLLs, this is the easiest.

---------------------------------------------------------

Some other ways that you might want to look into, whether you need them or not (it's still fun to learn): injection through Windows hooks, injection using remote threads, injection as a debugger, memory-mapped files, or CreateProcess.

Hope this helps people who are trying to learn DLL injection and what to look for while searching.
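The two registry locations raised in posts #4 and #5 (ShellExecuteHooks and AppInit_DLLs) are exactly what an administrator should inspect when checking a machine for unexpected DLL loading. The script below is an added example written for that purpose; it is not code from the thread or from any of its posters. It assumes Windows PowerShell 5.1 or later with rights to read HKLM. The values LoadAppInit_DLLs and RequireSignedAppInit_DLLs are not mentioned in the thread: they were introduced in later Windows versions (Vista and Windows 7 respectively) to gate whether the AppInit_DLLs list is honoured at all and whether the listed DLLs must be signed. The CLSID regular expression and the 'System32' fallback for bare file names are my assumptions, the latter following post #5's advice that unpathed entries are looked for in the Windows directory.

```powershell
# Added example (not from the thread): audit the AppInit_DLLs and
# ShellExecuteHooks registry locations discussed above from a
# defender's point of view and flag entries that do not resolve to a
# validly signed file. Assumes Windows PowerShell 5.1+ and read access to HKLM.

$report = [System.Collections.Generic.List[object]]::new()

# --- 1. AppInit_DLLs ------------------------------------------------------
# Both the native and the WOW64 view of the key are checked; the
# Load/RequireSigned values are later additions that control whether the
# list is used at all and whether its entries must be signed.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $list  = [string]$props.AppInit_DLLs
    $load  = $props.LoadAppInit_DLLs
    $req   = $props.RequireSignedAppInit_DLLs

    # Entries are separated by spaces or commas. Post #5 notes that only the
    # first entry may carry a path, so bare names are resolved against
    # %SystemRoot%\System32 here (an assumption about where they are sought).
    $entries = $list -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($e in $entries) {
        $path = if ([IO.Path]::IsPathRooted($e)) { $e }
                else { Join-Path $env:SystemRoot "System32\$e" }
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status }
                else { 'FileMissing' }
        $report.Add([pscustomobject]@{
            Source        = 'AppInit_DLLs'
            Key           = $key
            Entry         = $e
            ResolvedPath  = $path
            Signature     = $sig
            LoadEnabled   = $load
            RequireSigned = $req
        })
    }
}

# --- 2. ShellExecuteHooks -------------------------------------------------
# Each value name under this key is a CLSID (post #4). Resolve it through
# HKCR\CLSID\<id>\InprocServer32 to find the DLL Explorer will actually load.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    $clsids = (Get-Item $hookKey).GetValueNames() |
              Where-Object { $_ -match '^\{[0-9A-Fa-f-]{36}\}$' }
    foreach ($clsid in $clsids) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = if (Test-Path $server) { (Get-ItemProperty $server).'(default)' } else { $null }
        $dll    = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '<unresolved>' }
        $sig    = if (Test-Path $dll) { (Get-AuthenticodeSignature $dll).Status }
                  else { 'FileMissing' }
        $report.Add([pscustomobject]@{
            Source        = 'ShellExecuteHooks'
            Key           = $hookKey
            Entry         = $clsid
            ResolvedPath  = $dll
            Signature     = $sig
            LoadEnabled   = $null
            RequireSigned = $null
        })
    }
}

# Full inventory first, then only the entries worth a closer look: anything
# whose file is missing or not validly signed. On a clean system both lists
# are usually empty.
$report | Sort-Object Source, Entry | Format-Table -AutoSize
$suspicious = $report | Where-Object { $_.Signature -ne 'Valid' }
if ($suspicious) {
    Write-Warning "Entries that are missing or not validly signed:"
    $suspicious | Format-Table Source, Entry, ResolvedPath, Signature -AutoSize
}
```

Run it from an elevated prompt on the machine under review; an AppInit_DLLs entry is only meaningful if LoadAppInit_DLLs is 1, and with RequireSignedAppInit_DLLs set to 1 an unsigned entry will be refused by the loader, so those two columns tell you whether a listed DLL is actually being loaded at all.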
All times are GMT +8.