 

elegant method to inject a dll to processes BEFORE they start

I am making a 'mod' DLL that modifies the behaviour of the target process. I succeeded in injecting my DLL and hooking some functions of the target.

But it requires more work when I need to hook some APIs BEFORE the main module starts (more clearly, before the entry point). I need to start the target program manually with the CREATE_SUSPENDED attribute, inject, then resume. But some applications start with their own launcher program, some often start from x64 processes... such varied environments make it hard to automate.

It seems the best way is to inject the hooking DLL into all processes and handle CreateProcess. But sometimes it requires UAC and x64 development.

Any advice would be appreciated.

Laie asked Jul 29 '14 05:07


1 Answer

You could abuse the Image File Execution Options and register your modification DLL as the 'debugger' (see How to: Launch the Debugger Automatically for details).

The procedure is simple:

  1. Add a key with the name of your target process (e.g. victim.exe) under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key.
  2. Under this key, add a new String Value with name debugger.
  3. Set the value to the path name of your modification binary. This must be either the fully qualified path name, or the image location must be in your PATH environment variable.

Whenever victim.exe is launched, your modification binary is launched after victim.exe (and its dependencies) have been loaded, but before execution begins. This will happen regardless of how victim.exe is launched.

Note also that on a 64-bit OS the key is reflected in the Wow6432Node as well, so your modification binary will be launched for both 32-bit as well as 64-bit versions of victim.exe.

Another way to have your DLL loaded into each and every executable (at least those that link against user32.dll) is to abuse the AppInit_DLLs registry key (which also goes by the name Deadlock_Or_Crash_Randomly_DLLs). This is even messier than registering a random executable as a debugger, but still one hack that any self-respecting malware author absolutely needs to be familiar with. Note also, that this - uhm - feature may become unavailable in future versions of Windows. Windows Vista, Windows 7 and Windows Server 2008 R2 must be prepared for AppInit_DLLs to work.

IInspectable answered Nov 15 '22 05:11
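Both mechanisms the answer describes (an IFEO `Debugger` value and `AppInit_DLLs`) are persistent, machine-wide registry settings, so anyone administering such a machine will want to know what is currently registered there. The following PowerShell audit script is an added example, not code from the question or the answer: it lists every image under Image File Execution Options (including the Wow6432Node copy the answer mentions) that carries a `Debugger` value, and reports the `AppInit_DLLs`, `LoadAppInit_DLLs` and `RequireSignedAppInit_DLLs` values. It assumes a 64-bit Windows host and an elevated session; reading HKLM normally works unelevated, but some subkeys may be access-restricted.

```powershell
# Added example (not from the answer above): enumerate the two registry locations
# the answer describes so an administrator can review what is registered there.
# Assumes 64-bit Windows; run elevated if any subkey denies read access.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$appInitPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-IfeoDebuggers {
    # Each per-image subkey that carries a 'Debugger' value redirects the start of
    # that image to the named binary, as the answer describes for victim.exe.
    foreach ($root in $ifeoPaths) {
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root | ForEach-Object {
            $dbg = Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
            if ($dbg) {
                [pscustomobject]@{
                    Image    = $_.PSChildName   # e.g. victim.exe
                    Debugger = $dbg.Debugger    # binary launched in place of the image
                    Key      = $_.Name
                }
            }
        }
    }
}

function Get-AppInitDlls {
    # AppInit_DLLs is only honoured when LoadAppInit_DLLs is 1; on Windows 8 and later
    # RequireSignedAppInit_DLLs additionally restricts it to signed DLLs.
    foreach ($root in $appInitPaths) {
        if (-not (Test-Path -Path $root)) { continue }
        $p = Get-ItemProperty -Path $root
        [pscustomobject]@{
            Key                       = $root
            AppInit_DLLs              = $p.AppInit_DLLs
            LoadAppInit_DLLs          = $p.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $p.RequireSignedAppInit_DLLs
        }
    }
}

Write-Host '== Image File Execution Options: Debugger values =='
Get-IfeoDebuggers | Format-Table -AutoSize

Write-Host '== AppInit_DLLs =='
Get-AppInitDlls | Format-List
```

A `Debugger` value is not necessarily malicious (developer tooling such as a just-in-time debugger registers itself the same way), so the output is a review list rather than a verdict; an entry pointing at a binary outside the usual program directories, or an `AppInit_DLLs` list that is non-empty while `LoadAppInit_DLLs` is 1, is what deserves a closer look.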