Comments on: LoadDLLViaAppInit

By: Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team

Exploit writing tutorial part 11 : Heap Spraying Demystified | Corelan Team — Sun, 01 Jan 2012 06:53:50 +0000

[...] is delivered as a dll file. You can make sure the dll gets loaded into every process using LoadDLLViaAppInit or by including the heaplocker dll in the IAT of the application you want to [...]

By: Didier Stevens

Didier Stevens — Wed, 27 Oct 2010 21:34:49 +0000

@bluegene I don’t know where you got the idea that this is designed to load DLLs inside malware?
It is not. If you read the older posts I’m referring too, you’ll see that it is designed as an alternative to load DLLs inside user programs you want to protect, like AcroRd32.exe

It will not load in every process, like you said, only in processes that load user32.dll. I’ve discussed alternatives to this method in older posts. Furthermore, this DLL is designed to unload automatically after it has done its work, it will never remain loaded. I coded the DLL to avoid undesirable results. For example, this DLL uses only kernel32 functions. That is why the configuration is written in a text file and not in the registry.
The reason why Microsoft discourages using this key in their KB article, is that they don’t garantee that this feature will be available in newer versions of Windows.

By: bluegene

bluegene — Wed, 27 Oct 2010 16:58:46 +0000

It will only work with executables which load user32.dll. Most malicious applications don’t need user32.dll. Another issue with this approach is, that it will inject in every process, which may produce undesirable results.

http://support.microsoft.com/kb/197571

By: Update: LoadDLLViaAppInit « Didier Stevens

Update: LoadDLLViaAppInit « Didier Stevens — Tue, 26 Oct 2010 09:04:57 +0000

[...] Filed under: My Software,Update — Didier Stevens @ 9:04 This new version of LoadDLLViaAppInit allows you to load more than one DLL inside a process. You separate the DLL names with a semi-colon [...]

By: LowerMyRights « Didier Stevens

LowerMyRights « Didier Stevens — Mon, 11 Oct 2010 08:41:26 +0000

[...] as it is loaded inside every process (even at boot time), so please test first. Or else you use LoadDLLViaAppInit, or add it to the import table like explained [...]

By: Didier Stevens

Didier Stevens — Fri, 22 Jan 2010 09:19:58 +0000

True, I’ve another unreleased DLL doing this. But like you started, I need more flexibility.

By: Mike Myers

Mike Myers — Thu, 21 Jan 2010 23:41:46 +0000

I realize this approach allows a lot of flexibility, but you could also just change the code for your injected DLL: in DllMain(), check if the fdwReason parameter is DLL_PROCESS_ATTACH, and then check the process name via GetModuleFileName(NULL, szProcess, sizeof(szProcess)). Then decide to load or not. If not, return FALSE from DllMain().

By: Didier Stevens

Didier Stevens — Tue, 29 Dec 2009 20:00:51 +0000

@Harlan All processes (CUI and GUI), provided they load user32.dll (most applications do).

By: H. Carvey

H. Carvey — Thu, 24 Dec 2009 18:10:06 +0000

Didier,

Does this work with *all* processes or only GUI-based apps?

http://support.microsoft.com/kb/197571