#1
How to inject my DLL into all user processes [Win]?
I want to hide some Windows original DLL with my well-prepared DLL. On Unix I have an environment def to make it possible; how do I do the same on Windows?
#2
Not sure about hiding, but the easiest way to inject a DLL into all processes under NT is via the AppInit_DLLs registry entry.
The AppInit_DLLs value is found in the following registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows. All of the DLLs specified in this value are loaded by each Windows-based application running within the current logon session.
#3
Hiding a DLL (check the following link): hxxp://forum.exetools.com/showthread.php?t=6457
And injecting a DLL (check the following link): hxxp://www.codeproject.com/dll/RemoteLib.asp
#4
Is this the stuff you're looking for: hxxp://help.madshi.net/DllInjecting.htm ?
#5
AppInit_DLLs-based injection only works for executables linked with user32.dll:
hXXp://support.microsoft.com/kb/q197571/
#6
Take a look at the source code at:
hxxp://iamaphex.net/downloads/ and hxxp://www.rootkit.com (ring-3 rootkits)
Regards, Opc0de
#7
I was looking for something similar to LD_PRELOAD, and I think the registry method is OK for me; I will check it.
I checked out the rest of the links/methods and I think I have an idea of how to make the thing I wanted to do. Also, I found out something useful on the MS site: hxxp://research.microsoft.com/sn/detours/ ..."Detours intercepts Win32 functions by re-writing target function images."...
#8
I think the Registry is the best way to hide your DLL and also keep it running (loaded). If you put your DLL in the following key (on Win NT), your DLL will be loaded by Explorer during Windows startup :-)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
Enjoy.
PS: you should register the DLL and put the CLSID in ShellExecuteHooks.
#9
A few things about the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs method of injecting a DLL.

Windows 98 will ignore this registry key, so you cannot use this technique under Windows 98.

When you're adding DLLs to the key, only the first DLL can have a path name. All other paths will be ignored, so you should put your DLL in the Windows directory.

After you change the registry key, you must restart the machine so Windows initializes and saves the value to the key. Then, when user32.dll is mapped into a process, it will call the DllMain of your DLL with reason DLL_PROCESS_ATTACH so each library can initialize itself. Because your injected DLL is loaded early in the process's lifetime, you must exercise caution when calling functions.

Of all the methods for injecting DLLs, this is the easiest.

---------------------------------------------------------

Some other ways that you might want to look into, whether you need them or not (it's still fun to learn): injection through Windows hooks, injection using remote threads, injection as debugger, memory-mapped file, or CreateProcess.

Hope this helps people who are trying to learn DLL injection with what to look for while searching.
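The two registry persistence points discussed in this thread (AppInit_DLLs in the post above and the Explorer ShellExecuteHooks key from post #8) are also the first places an administrator checks when a DLL is turning up in every process. The following PowerShell script is an added example written for this thread, not code from any poster: it enumerates both locations, resolves each entry to the DLL on disk, and reports its Authenticode status. The Wow6432Node path and the LoadAppInit_DLLs gate are assumptions about 64-bit and Vista-or-later hosts; on older systems those simply come back empty or "n/a".

```powershell
# Added example for this thread (not code from any poster): audit AppInit_DLLs and
# ShellExecuteHooks and show which DLLs they would load. Run in an elevated PowerShell
# on the host being audited.

function Get-DllSignatureSummary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -eq 'Valid') { return "Valid ($($sig.SignerCertificate.Subject))" }
    return [string]$sig.Status   # NotSigned, HashMismatch, ...
}

$findings = @()

# 1. AppInit_DLLs: space- or comma-separated list; every entry is mapped into each
#    process that links user32.dll. Only the first entry may carry a path (see the post
#    above), so unqualified names are resolved against the Windows directory.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # assumption: 64-bit host
)
foreach ($key in $appInitKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $list  = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs (1 = on) gates the list on Vista and later; absent on older hosts.
    $enabled = if ($null -ne $props.LoadAppInit_DLLs) { $props.LoadAppInit_DLLs -eq 1 } else { 'n/a (pre-Vista)' }
    foreach ($entry in ($list -split '[,\s]+' | Where-Object { $_ })) {
        $path = if ([System.IO.Path]::IsPathRooted($entry)) { $entry } else { Join-Path $env:windir $entry }
        $findings += [pscustomobject]@{
            Source    = "$key\AppInit_DLLs"
            Dll       = $path
            Enabled   = $enabled
            Signature = Get-DllSignatureSummary $path
        }
    }
}

# 2. ShellExecuteHooks: each value name is a CLSID whose in-process server Explorer
#    loads at logon. Resolve it through HKCR\CLSID\{...}\InProcServer32 to the DLL.
$hookKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
if (Test-Path $hookKey) {
    foreach ($clsid in (Get-Item $hookKey).GetValueNames()) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InProcServer32"
        $dll = '<CLSID not registered>'
        if (Test-Path $server) {
            $dll = [Environment]::ExpandEnvironmentVariables((Get-ItemProperty $server).'(default)')
        }
        $sigSummary = if ($dll -like '<*') { 'n/a' } else { Get-DllSignatureSummary $dll }
        $findings += [pscustomobject]@{
            Source    = "$hookKey\$clsid"
            Dll       = $dll
            Enabled   = $true
            Signature = $sigSummary
        }
    }
}

if ($findings.Count -eq 0) { 'No AppInit_DLLs or ShellExecuteHooks entries present.' }
else { $findings | Format-Table -AutoSize }
```

Anything listed whose Signature column is not a valid signature from a vendor you expect, or whose Dll column points at a file that is MISSING (a dangling entry that a later write could satisfy), is worth explaining before the next reboot, since both keys take effect at logon for every affected process.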
#10
#include <windows.h>

HOOKPROC hkprcSysMsg;
static HINSTANCE hinstDLL;
static HHOOK hhookSysMsg;

void InstallSysMsgHook(void)
{
    /* TEXT() is correct for both ANSI and UNICODE builds; casting a char literal to LPCTSTR is not */
    hinstDLL = LoadLibrary(TEXT("c:\\windows\\sysmsg.dll"));
    hkprcSysMsg = hinstDLL ? (HOOKPROC)GetProcAddress(hinstDLL, "SysMessageProc") : NULL;
    if (hkprcSysMsg == NULL) return;   /* DLL or export missing */
    /* dwThreadId 0 = system-wide hook: the DLL is mapped into every GUI process */
    hhookSysMsg = SetWindowsHookEx(WH_SYSMSGFILTER, hkprcSysMsg, hinstDLL, 0);
}
#11
If you are looking for process injection on all of Win32, then some level of 'trickery' is involved.

The shortcut is the APIs CreateRemoteThread() and VirtualAllocEx(), allowing you to allocate a thread and memory in another process. The remotely executed code *should* be relocation-independent (meaning the API addresses AND code would have to be passed down through a structure...), but that's another thing. The remotely injected code (in this case) would then call LoadLibrary() to actually load the DLL.

Under 9x, there are various well-documented hacks to inject, or at least emulate, the injection of a thread. VirtualAllocEx is absent; however, there are several workarounds. First of all, look up Matt Pietrek's trick, the 8000000h flag trick, that, when passed on to VirtualAlloc(), will return a block of memory >0x80000000, or >2 GB, therefore in the shared memory region. An alternative way, but the same method, is to simply create an empty file mapping under 9x, and the address will be >2 GB as well. There are several other hacks for allocation of memory into a remote process under 9x, including some secret ordinals (which I can't quite recall right now)...

As for the actual injection part, there is a secret kernel routine under 9x which handles the creation of a new thread under any process, which is internally called by DebugActiveProcess(). It's just a hint; hunt around, it's easy. Likewise, there are other undocumented APIs like CreateKernelThread(), which is sort of similar to process injection...

Anyway, another way completely would be to enumerate the processes and their threads, suspend a thread, alter EIP, and inject your code that way. The method involves using SetThreadContext, and the debug APIs are found on all of Win32. HOWEVER, OpenThread() isn't present in 9x, but there are various hacks to easily unobfuscate the address anyway.

But this whole mumbo is too long to write in a post... oh well, enough rambling.
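The CreateRemoteThread()/VirtualAllocEx() path described in the post above is the one most visible to a defender, because a thread started in one process by another is an event the operating system can record. The following PowerShell script is an added example, not code from the thread or from any tool it names: it pulls Sysmon Event ID 8 (CreateRemoteThread) records from the last N hours and tabulates source image, target image, and where the new thread starts. It assumes Sysmon is installed with a rule that records Event ID 8; on a host without Sysmon the query returns nothing.

```powershell
# Added example (not from the thread): list recent cross-process thread creations
# recorded by Sysmon (Event ID 8, CreateRemoteThread). Assumes Sysmon is installed
# and configured to log Event ID 8. Run as an administrator.

param([int]$Hours = 24)

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 8
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = $events | ForEach-Object {
    # EventData is a list of <Data Name="...">value</Data> elements; fold it into a table.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Source      = $data.SourceImage
        Target      = $data.TargetImage
        StartModule = $data.StartModule     # empty when the thread starts outside any loaded module
        StartFunc   = $data.StartFunction   # e.g. LoadLibraryA/W for the "remote thread loads a DLL" pattern
    }
}

if (-not $rows) { "No Sysmon Event ID 8 records in the last $Hours hour(s)." }
else { $rows | Sort-Object Time -Descending | Format-Table -AutoSize }
```

Two columns carry most of the signal: a StartFunc of LoadLibraryA or LoadLibraryW is exactly the "remote code calls LoadLibrary()" step the post describes, and an empty StartModule means the thread begins in memory that does not belong to any loaded image, which matches the VirtualAllocEx-then-write pattern. Some legitimate software (debuggers, certain security products) also creates remote threads, so the Source column is what turns a hit into a decision.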
#12
What I think about this AppInit_DLLs:
This would make it possible for us crackers to write a DLL which accesses a configuration file (maybe crack.txt) with all the necessary information to inline-patch nearly every packed program (a thread instantly checking at loading time of the DLL for the necessary bytes). A configuration file like this one from ASLoad:
Exe:file.exe
Mod:1
Crash:0
Patch:
Offset:Original byte:Patched byte
What do you think of this? A universal inline-patcher... you don't need cracks anymore, only the necessary bytes.
#13
Great idea MaRKuS.
Another option is to create a DLL stub for "msgina.dll" and inject your DLL into every new process (requires API hooking). I have code in C++ to do this if you want, but Windows hooks are easier.
#14
I would find the msgina.dll approach a bit interesting to read through if you would be so kind as to post your source code.
#15
OK, I will search my HDD and pack the code to post here.