Simple DLL injection not working using AppInit_DLLs. DllMain() not getting called

I've written the simplest injection dll possible. Here is the code in its entirety:

#include "stdafx.h"   // VS precompiled header; normally pulls in <windows.h>
#include <windows.h>  // BOOL, APIENTRY, HANDLE, DWORD, LPVOID
#include <stdio.h>

// Runs on every reason code (process/thread attach and detach), under the loader lock.
BOOL APIENTRY DllMain(HANDLE hModule, 
                      DWORD  ul_reason_for_call, 
                      LPVOID lpReserved)
{
    // Touch a file purely to prove the DLL was loaded into the process.
    FILE * File = fopen("D:\\test.txt", "w");
    if(File != NULL)
    {
        fclose(File);
    }
    return TRUE;
}

Super simple right? Well I can't even get this to work. This code compiles to a dll and I've placed the path to this dll in the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]. I should also mention that LoadAppInit_DLLs registry value is set to 1. From doing this I expect to see the file "D:\test.txt" appear when I start other applications (like notepad.exe), but it doesn't. I don't get it. There is another .dll, which is very old and written in visual studio '97, (which I'm trying to replace) that works just fine when I set AppInit_DLLs to point to it and start an arbitrary application. I can tell that it is getting loaded when other applications are started.

I'm not sure what's going on here, but this should work, shouldn't it? It can't get any simpler. I'm using VS 2010. By all accounts I think I've created a very plain Jane .dll, so I don't think any project settings should be out of whack, but I'm not completely sure about that. What am I missing here?


Setup Info

  • OS: Windows 7 64-bit
  • OS Version: 6.1.7601 Service Pack 1 Build 7601
  • IDE: Visual Studio 2010
  • IDE version: 10.0.40219.1 SP1Rel
Asked by Ultratrunks, Dec 07 '22 16:12


2 Answers

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is NOT the registry key used for injection into 32-bit processes. It's the registry key if your OS is 32-bit.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is the correct registry key to use if your OS is 64-bit.

I was under the assumption that the former was for 32-bit processes and the latter was for 64-bit processes. But really, the OS is going to ignore one of those registry keys depending on whether or not the OS itself is 64-bit or 32-bit.

Answered by Ultratrunks, May 16 '23 08:05


@Ultratrunks: This is not completely correct.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is for both 32- as well as 64-bit OS.

But if we want to run 32-bit processes on a 64-bit machine, then we need to modify the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

WOW is basically the concept of making a 64-bit system compatible with running 32-bit processes.

I verified it after running my programs on both 32- as well as 64-bit OS, and running 32-bit processes on a 64-bit machine.

Hence

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 32/64-bit OS

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 32-bit processes on 64-bit OS

Answered by Raghav Guar, May 16 '23 07:05
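Because the two answers disagree on which key applies where, the practical check is to read both registry views and see what is actually configured. The following PowerShell audit script is an added example (not code from either answer): it lists every DLL named in AppInit_DLLs in the native key and in the Wow6432Node key, alongside LoadAppInit_DLLs, RequireSignedAppInit_DLLs and each DLL's Authenticode status, so an unexpected or unsigned entry stands out. It assumes it is run from the 64-bit Windows PowerShell host with rights to read HKLM; the function name Get-AppInitDllAudit is mine.

```powershell
# Added example: audit the AppInit_DLLs setting in both registry views.
# Run from the 64-bit PowerShell host; a 32-bit host on a 64-bit OS has its
# own HKLM:\SOFTWARE view redirected to Wow6432Node and would read the wrong key.
$views = [ordered]@{
    'Native (32-bit OS, or 64-bit processes on 64-bit OS)' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    'Wow6432Node (32-bit processes on 64-bit OS)'         = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-AppInitDllAudit {
    foreach ($view in $views.GetEnumerator()) {
        $path = $view.Value
        # The Wow6432Node key does not exist on a 32-bit OS.
        if (-not (Test-Path -Path $path)) { continue }
        $props = Get-ItemProperty -Path $path

        # AppInit_DLLs is a space- or comma-separated list; Microsoft requires
        # short (8.3) names, so a path containing spaces would be split here.
        $dlls = @()
        if ($props.AppInit_DLLs) {
            $dlls = @($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        }
        if ($dlls.Count -eq 0) { $dlls = @('(none)') }

        foreach ($dll in $dlls) {
            $status = ''
            if ($dll -ne '(none)') {
                # A listed file that no longer exists is itself worth flagging.
                $status = if (Test-Path -LiteralPath $dll) {
                    (Get-AuthenticodeSignature -FilePath $dll).Status
                } else { 'FILE MISSING' }
            }
            [pscustomobject]@{
                View                      = $view.Key
                LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
                RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
                Dll                       = $dll
                Signature                 = $status
            }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize
```

RequireSignedAppInit_DLLs and LoadAppInit_DLLs show blank when the value is absent from the key; on a machine where nothing is configured, both views report Dll = (none).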