KItis

Reputation: 5646

Hooking dll into running process using loadappinit_dlls registry key

Currently I am working on an application in which I need to hook a DLL into a running application. In order to achieve this goal, I have updated the LoadAppInit_DLLs registry key to 1, and AppInit_DLLs has been set to the location of the DLL. This approach works fine: as the application opens, the DLL gets injected into the process of that application.

However, this injection process not only injects the DLL into the application that I am interested in, but injects it into all the applications that I start in the Windows operating system. How could I specify this injection to happen only for the application I need it injected into and not for all applications? I am looking for a way to know from the DLL which application is calling it, and then to decide whether to load it or ignore loading it.

Upvotes: 0

Views: 2992

Answers (2)

Remy Lebeau

Reputation: 596001

How could I specify this injection to happen only for the application I need it injected into and not for all applications?

Using AppInit_DLLs, you can't.

Working with the AppInit_DLLs registry value

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

I am looking for a way to know from the DLL which application is calling it

A DLL is loaded into the address space of a process. A DLL can call GetModuleFileName(NULL) to get the full path and filename of the process it has been loaded into.

and then to decide whether to load it or ignore loading it.

Normally, a DLL's DllMain() entry point allows the DLL to selectively abort loading by returning FALSE to the DLL_PROCESS_ATTACH notification. However, AppInit_DLLs specifies additional DLLs that are deemed required for successful app initialization, similar to static-linked DLLs, so it does not allow DLLs the luxury of selective loading. If an AppInit DLL returns FALSE, the whole process is aborted.

You will have to manually hook the DLL into the target app yourself. You can do that by either:

  1. Using CreateRemoteThread() to call LoadLibrary() from inside a specific process to load the DLL into that same process. The DLL's entry point does not need to validate the loaded process, since the loading app has already done so when deciding which process to load the DLL into.

    This approach takes some setup, though. You have to use VirtualAllocEx() and WriteProcessMemory() to copy the DLL's full path string into the target process before you can then have the remote thread call LoadLibrary() with that path string as input.

  2. Using SetWindowsHookEx() to install a global system-wide hook that is implemented inside the DLL, so the DLL gets loaded into every running process.

    The difference between this approach and using AppInit_DLLs is that this approach is handled dynamically after each process is running, and thus allows the DLL the luxury of selectively aborting its own loading without terminating each process it rejects.

  3. Configuring the Application Compatibility Toolkit to load your DLL into the specific app(s) you are interested in.

Upvotes: 5

Ari0nhh

Reputation: 5920

All DLLs listed in the LoadAppInit_DLLs registry key will be loaded into all processes linked against user32.dll. If for some reason your DLL is unable to load (for example, you returned FALSE from DllMain on DLL_PROCESS_ATTACH), the process will be terminated. Using LoadAppInit_DLLs even for debugging purposes is messy and pretty dangerous. Perhaps you should choose another hooking mechanism, for example using SetWindowsHookEx.

Upvotes: 1
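Both answers point out that anything listed in AppInit_DLLs is loaded into every user32-linked process on the machine, which is exactly why the value is a well-known persistence location and worth auditing. The script below is an added example, not code from the question or either answer: a read-only PowerShell audit that reads the documented AppInit_DLLs locations (the 64-bit key and its Wow6432Node counterpart for 32-bit processes), reports whether loading is enabled, splits the DLL list, and checks each entry for existence and Authenticode signature. The function name Get-AppInitDllAudit and the output column names are my own; the registry paths and value names (LoadAppInit_DLLs, AppInit_DLLs, RequireSignedAppInit_DLLs) are the documented ones.

```powershell
# Added example (not part of the original question or answers): read-only audit of the
# AppInit_DLLs configuration on the local machine. Nothing here modifies the registry.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # 64-bit processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit (WOW64) processes
)

function Get-AppInitDllAudit {
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key

        # LoadAppInit_DLLs = 1 enables the mechanism; RequireSignedAppInit_DLLs = 1 restricts
        # it to signed DLLs. A missing value reads as $null, which compares as "not set".
        $enabled       = ($props.LoadAppInit_DLLs -eq 1)
        $requireSigned = ($props.RequireSignedAppInit_DLLs -eq 1)

        # AppInit_DLLs is a single string; entries are space- or comma-separated.
        $entries = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ -ne '' })

        if ($entries.Count -eq 0) {
            [pscustomobject]@{
                Key = $key; Enabled = $enabled; RequireSigned = $requireSigned
                Dll = '(none configured)'; Exists = $null; Signer = $null; SigStatus = $null
            }
            continue
        }

        foreach ($entry in $entries) {
            # Entries may use environment variables; a bare file name (no directory) is
            # resolved by the loader's search order, so Exists=False for such an entry
            # means "not found as written" and the reviewer should locate it manually.
            $path   = [Environment]::ExpandEnvironmentVariables($entry)
            $exists = Test-Path -LiteralPath $path
            $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }

            [pscustomobject]@{
                Key           = $key
                Enabled       = $enabled
                RequireSigned = $requireSigned
                Dll           = $path
                Exists        = $exists
                Signer        = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                SigStatus     = if ($sig) { $sig.Status } else { $null }
            }
        }
    }
}

# Any row with Enabled=True and a DLL that is missing, unsigned, or signed by an
# unexpected publisher deserves a closer look.
Get-AppInitDllAudit | Format-Table -AutoSize
```

Run it from an elevated prompt so both keys are readable. Two caveats worth knowing when interpreting the output: on Windows 8 and later with Secure Boot enabled, AppInit_DLLs is disabled regardless of LoadAppInit_DLLs, so a populated value there is a configuration leftover rather than an active hook; and because the mechanism loads into every process linked against user32.dll, a single entry flagged here affects the whole session, not one target application.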
