How does a DLL injector work

Question: What is DLL Injection and how is it used for reversing?
Asked 8 years, 5 months ago. Active 3 years ago.

Viewed 41k times.

Answer (Rolf Rolles): I employed a DLL injection-based solution that worked as follows:

1. Create the process suspended.
2. Inject the DLL.
3. The GetProcAddress hook waits for a specific string to be supplied and then returns its own hooked version of that function.
4. The hooked function inspects the return address on the stack two frames up to figure out the starting address of the function (call it Func) that called it.
5. The hooked function then calls Func for each encrypted section, instructing it to decrypt each section. To make this work, the hooked function has to pass on the calls to the proper function in the DLL for these calls. After having done so, for every subsequent call to the hooked function, it simply returns 1 as though the call was successful.
6. Having decrypted all the sections, the DLL now dumps the process' image onto the disk and reconstructs the import information.
7. After that it does a bunch of other stuff neutralizing the other protections.

Comment: What a spectacular answer. You may have changed how I approach REing complex apps forever.

Reader comment: How do I get rid of this? I don't even know where to go on my computer to start looking at these DLL files in order to see if there is indeed an injection or not. I've completely replaced the hard drive three times and have flashed the BIOS, and neither of these have eliminated the issue, so I'm super confused about how to get rid of it. Some of the computers at work have information that needs to be secure, so I need to find a way to remediate this potential security risk.

Post footer: By Brad Antoniewicz. Labels: dll injection, software security.

Comments: Anonymous, January 8; Unknown, January 8; Unknown, January 9; Arvind, January 10.

Tutorial excerpt (CreateRemoteThread method): Fortunately, the CreateRemoteThread function makes this easy. This function is very similar to the CreateThread function but has an additional hProcess parameter that identifies the process to which the new thread will belong. Then we should allocate some memory in the target process in order to pass the DLL path, as the target process can access only its private memory.

Then we can start a new thread. With the help of this thread, our DLL will be loaded into the target process.

A second variant works on an existing thread in the target process instead: the instruction pointer of the target thread is first set to a custom piece of code, and once that code has executed, the pointer is redirected to its original location. For this, we first need to locate the target process and pick a thread within it. We use the OpenThread function to open a handle to the remote thread. Then we need to allocate memory in the remote process to store our injected code and the DLL path.

While using the CreateRemoteThread function is the most universal way of setting API hooks with DLL injection, this method requires an extensive amount of preliminary coding. To be able to follow your trail, make sure to add the latest version of the Mhook sources to your project.
