Exetools  

  #1  
Old 01-24-2005, 16:46
bearek
 
Posts: n/a
How to inject my dll into all user processes [Win]?

I want to hide some original Windows DLL with my well-prepared DLL. On Unix I have an environment def to make it possible; how do I do the same on Windows?
  #2  
Old 01-24-2005, 19:50
Dmit
 
Posts: n/a
Not sure about hiding, but the easiest way to inject a DLL into all processes under NT is via the AppInit_DLLs registry entry.

The AppInit_DLLs value is found in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

All of the DLLs specified in this value are loaded by each Windows-based application running within the current logon session.
  #3  
Old 01-24-2005, 20:06
OrionOnion
 
Posts: n/a
Hiding DLL
<Check follow link>
hxxp://forum.exetools.com/showthread.php?t=6457

And Injection DLL
<Check Follow link>
hxxp://www.codeproject.com/dll/RemoteLib.asp
  #4  
Old 01-24-2005, 22:03
Thims
Is this the stuff you're looking for: hxxp://help.madshi.net/DllInjecting.htm ?
  #5  
Old 01-25-2005, 02:07
thewhiz
 
Posts: n/a
AppInit_DLLs based injection only works for executables linked with user32.dll:

hXXp://support.microsoft.com/kb/q197571/
  #6  
Old 01-25-2005, 12:18
Opc0de
 
Posts: n/a
Take a look into the source code at:

hxxp://iamaphex.net/downloads/
and
hxxp://www.rootkit.com (ring-3 rootkits)

Regards,
Opc0de
  #7  
Old 01-25-2005, 15:02
bearek
 
Posts: n/a
I was looking for something similar to LD_PRELOAD and I think the registry method is OK for me and I will check it.
I checked out the rest of the links/methods and I think I have an idea how to make the thing I wanted to do.
Also I found out something useful on the MS site.

hxxp://research.microsoft.com/sn/detours/
..."Detours intercepts Win32 functions by re-writing target function images."...
  #8  
Old 02-16-2005, 03:01
just4urim
 
Posts: n/a
I think the Registry is the best way to hide your DLL and also keep it running (loaded). If you put your dll in the following key (on Win NT), your dll would be loaded by Explorer during Windows startup :-)

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

Enjoy

PS: you should register the dll and put the CLSID in ShellExecuteHooks.
  #9  
Old 02-16-2005, 04:43
AdamD
 
Posts: n/a
A few things about the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs method of injecting a DLL.

Windows 98 will ignore this registry key, so you cannot use this technique under windows 98.

When you're adding dlls to the key, only the first dll can have a path name. All other paths will be ignored, so you should put your dll in the windows directory.

After you change the registry key, you must restart the machine so windows initializes and saves the value to the key. Then when the user32.dll is mapped into a process, it will call the dllmain of your dll with reason DLL_PROCESS_ATTACH so each library can initialize itself.

Because your injected dll is loaded early in the process's lifetime, you must exercise caution when calling functions.

Of all the methods for injecting dlls, this is the easiest.

---------------------------------------------------------

Some other ways that you might want to look into, whether you need it or not, it's still fun to learn: Injection through windows hooks, injection using remote threads, injection as debugger, memory mapped file, or createprocess.

Hope this helps people who are trying to learn dll injection with what to look for while searching.
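An added example, not part of the thread or any poster's code: an offline audit of the two registry locations named in posts #2, #8 and #9, run over the text of a `reg export`. The sample export, DLL names and CLSIDs are constructed, and `allowed_hooks` is a hypothetical allowlist parameter.

```python
import re

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
HOOKS_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks"

def parse_reg(text):
    """Parse .reg export text into {lower-cased key: {value name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue  # key headers, blank lines and unsupported value types
        name, raw = m.groups()
        if raw.startswith("dword:"):
            current[name] = int(raw[6:], 16)
        elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
            current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo .reg escaping
    return keys

def audit(text, allowed_hooks=()):
    """Return (mechanism, key, entry, note) for every entry worth reviewing."""
    allowed, findings = {c.lower() for c in allowed_hooks}, []
    for key, values in parse_reg(text).items():
        norm = key.replace("\\wow6432node", "")  # 32-bit view on 64-bit Windows
        vals = {k.lower(): v for k, v in values.items()}
        if norm == APPINIT_KEY:
            # LoadAppInit_DLLs exists on Vista and later; older systems lack it.
            flag = vals.get("loadappinit_dlls")
            note = "flag-absent" if flag is None else ("enabled" if flag else "disabled")
            # Entries in AppInit_DLLs are separated by spaces or commas.
            for dll in filter(None, re.split(r"[ ,]+", str(vals.get("appinit_dlls", "")))):
                findings.append(("AppInit_DLLs", key, dll, note))
        elif norm == HOOKS_KEY:
            for clsid in values:
                if clsid.lower() not in allowed:
                    findings.append(("ShellExecuteHooks", key, clsid, "not in allowlist"))
    return findings

# Constructed sample export (not taken from a real machine).
SAMPLE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Windows\\helper.dll,second.dll"
"LoadAppInit_DLLs"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-1111-1111-1111-111111111111}"=""
"{22222222-2222-2222-2222-222222222222}"=""'''
```

Calling `audit(SAMPLE, allowed_hooks=[...])` with the first constructed CLSID allowlisted reports both AppInit_DLLs entries and the second hook; an empty AppInit_DLLs value produces no finding.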
  #10  
Old 02-26-2005, 16:51
hacrack
 
Posts: n/a
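#include <windows.h>

HOOKPROC hkprcSysMsg;
static HINSTANCE hinstDLL;
static HHOOK hhookSysMsg;

/* Load the DLL that contains the hook procedure; TEXT() keeps the
   literal correct in both ANSI and Unicode builds. */
hinstDLL = LoadLibrary(TEXT("c:\\windows\\sysmsg.dll"));
/* Look up the exported hook procedure by name. */
hkprcSysMsg = (HOOKPROC)GetProcAddress(hinstDLL, "SysMessageProc");
/* A thread id of 0 associates the hook with all threads on the desktop. */
hhookSysMsg = SetWindowsHookEx(WH_SYSMSGFILTER, hkprcSysMsg, hinstDLL, 0);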
  #11  
Old 03-05-2005, 10:16
drocon
 
Posts: n/a
If you are looking for process injection on all of win32, then some level of 'trickery' is involved.
The shortcuts are the APIs CreateRemoteThread() and VirtualAllocEx(), allowing you to allocate a thread and memory in another process. The remotely executed code *should* be relocation-independent (meaning the API addresses AND code would have to be passed down through a structure ...) but that's another thing. The remotely injected code (in this case) would then call LoadLibrary() to actually load the dll.

Under 9x, there are various well-documented hacks to inject, or at least emulate, the injection of a thread. VirtualAllocEx is absent; however, there are several workarounds. First of all, look up Matt Pietrek's trick, the 8000000h flag trick, that, when passed on to VirtualAlloc(), will return a block of memory >0x80000000, or >2gig, therefore in the shared memory region. An alternative way, but the same method, is to simply create an empty file mapping under 9x, and the address will be >2gig as well.

There are several other hacks for allocation of memory into a remote process under 9x, including some secret ordinals (which I can't quite recall right now)...

As for the actual injection part, there is a secret kernel routine under 9x, which handles the creation of a new thread under any process, which is internally called by DebugActiveProcess(). It's just a hint, hunt around, it's easy.

Likewise, there are other undocumented APIs like CreateKernelThread(), which is sorta similar to process injection..

Anyways, another way completely would be to enumerate the processes and their threads, suspend a thread, alter eip, and inject your code that way. The method involves using SetThreadContext, and the debug APIs are found on all of win32. HOWEVER, OpenThread() isn't present in 9x, but there are various hacks to easily unobfuscate the address anyways. But this whole mumbo is too long to write in a post...


oh well enough rambling.
  #12  
Old 03-05-2005, 16:19
MaRKuS-DJM
What I think about this AppInit_DLLs:
this would make it possible for us crackers to write a DLL which accesses a configuration file (maybe crack.txt) with all necessary information to inline-patch nearly every packed program (thread instantly checking on loading-time of DLL for necessary bytes). A configuration file like this one from ASLoad:

Exe:file.exe
Mod:1
Crash:0
Patch:
Offset:Original byte:Patched byte

What do you think of this? A universal inline-patcher... you don't need cracks anymore, only the necessary bytes.
  #13  
Old 03-06-2005, 04:19
Ramon
Great idea MaRKuS

Another option is to create a dll stub to "msgina.dll" and inject your dll on every new process (requires apihooking).

I have code in C++ to do this if you want.

But WindowsHooks is easier.
  #14  
Old 03-06-2005, 08:55
thewhiz
 
Posts: n/a
I would find the msgina.dll approach a bit interesting to read through if you would be so kind as to post your source code.
  #15  
Old 03-07-2005, 18:16
Ramon
Ok, I will search my HDD and pack the code to post here

All times are GMT +8.