Thursday, July 20, 2006

DLL Injections

I ran across this posting on sysinternals.com which, according to my hosting company, is a respected source. For some reason the posting has been removed but I was able to pull up the topic from the Google cache - for however long this works:

DLL Injection

Basically here's the info:

Someone read about a utility called InjectedDLL from www.nirsoft.net which provides a list of DLL files injected into other processes. The writer had not heard of DLL injection before, but apparently it's quite a common method used by malware infections.
He wanted more info.

Here are some responses:

The DLL loads into the address space of the process. It then loads all of its dependency modules, and then the DLL entry point is called.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs key (WinAll)

provides a list of DLLs that Windows injects automatically into any started process.

Other method: call the CreateRemoteThread function.

Call FreeLibrary via CreateRemoteThread.

DLL injection usually uses the CreateRemoteThread/WriteProcessMemory technique. When a DLL is injected, it is initialized and executes its code.

The code: codeproject

another dll injection example
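As an added, defender-side example (not code from the original post, the quoted replies, or any of the linked projects), the PowerShell script below audits the two vectors the replies mention on a Windows host: it reads the AppInit_DLLs value (and its LoadAppInit_DLLs switch) from the registry key quoted above, then walks every running process and reports loaded modules that live outside a small set of trusted directories, together with their Authenticode signature status. This is the same kind of view the nirsoft InjectedDLL utility gives, done with built-in cmdlets. The trusted-directory list, the function names and the output format are assumptions of this example; run it from an elevated 64-bit PowerShell and tune the directory list for the host being audited.

```powershell
# Added example (not from the original post or the quoted forum replies).
# Assumptions: Windows host, elevated 64-bit PowerShell, and a trusted-directory
# list chosen here for illustration; adjust it for the environment being audited.

function Get-AppInitDlls {
    # Both the native and the WOW6432Node key are checked; either can carry an
    # AppInit_DLLs list that Windows loads into every process linking user32.dll.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [PSCustomObject]@{
            Key              = $key
            AppInit_DLLs     = $props.AppInit_DLLs        # empty is the expected state
            LoadAppInit_DLLs = $props.LoadAppInit_DLLs    # 1 enables loading; absent/0 disables it
        }
    }
}

function Get-UntrustedLoadedModules {
    # Directories treated as "expected" homes for DLLs; everything else is reported.
    $trusted = @(
        "$env:SystemRoot\System32",
        "$env:SystemRoot\SysWOW64",
        "$env:SystemRoot\WinSxS",
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)}
    ) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process) {
        # Protected or higher-integrity processes refuse module enumeration; skip them.
        try { $mods = $proc.Modules } catch { continue }
        foreach ($m in $mods) {
            $path = $m.FileName
            if (-not $path) { continue }
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrusted = $true
                    break
                }
            }
            if ($inTrusted) { continue }
            # Unsigned or invalidly signed modules outside trusted paths deserve a closer look.
            $sig = Get-AuthenticodeSignature -FilePath $path
            [PSCustomObject]@{
                PID       = $proc.Id
                Process   = $proc.ProcessName
                Module    = $path
                Signature = $sig.Status
            }
        }
    }
}

Write-Host '== AppInit_DLLs configuration =='
Get-AppInitDlls | Format-List

Write-Host '== Loaded modules outside trusted directories =='
Get-UntrustedLoadedModules | Sort-Object Process, Module | Format-Table -AutoSize
```

A non-empty AppInit_DLLs value, or a module that is unsigned and loaded from a user-writable location such as a temp or profile directory, is the finding to investigate; a legitimately installed application's DLLs under its own install path will also show up, so the trusted list is meant to be extended with those paths rather than with an ever-growing list of exceptions.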