Didier Stevens

Wednesday 19 October 2011

LoadDLLViaAppInit 64-bit

Filed under: My Software — Didier Stevens @ 16:47

Many of my security tools are DLLs. If you want to use these tools inside a 64-bit process, you’re stuck, because you can’t use 32-bit DLLs inside a 64-bit process (and vice versa).

LoadDLLViaAppInit is a tool I released to load DLLs inside selected processes. If you want to use this 32-bit version of LoadDLLViaAppInit on a 64-bit Windows machine, you need to configure AppInit_DLLs in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

You also need to copy LoadDLLViaAppInit.dll into this directory: C:\Windows\SysWOW64

Today I’m releasing a 64-bit version of LoadDLLViaAppInit: LoadDLLViaAppInit64.dll. This will help you to load DLLs inside 64-bit processes.

This 64-bit version has to be installed and configured just like its 32-bit version on a 32-bit OS: you copy the DLL into directory C:\Windows\System32 and you configure the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The configuration file is LoadDLLViaAppInit64.bl.txt.
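As an added example (not part of LoadDLLViaAppInit or of this post), the following PowerShell audits the two registry locations named above and checks that each configured DLL is actually present in the matching system directory; it is the check a defender wants, since AppInit_DLLs is also a well-known persistence location. It assumes a 64-bit machine running Windows 7 or later (for the LoadAppInit_DLLs and RequireSignedAppInit_DLLs values); the function name and output columns are this example's own.

```powershell
# Added audit script (example code, not the tool's own). Reads the AppInit_DLLs
# configuration from the native 64-bit key and from the Wow6432Node key, and
# resolves each listed DLL against the directory the post says it must live in
# (System32 for 64-bit DLLs, SysWOW64 for 32-bit DLLs).
function Get-AppInitDllConfig {
    $views = @(
        @{ View = 'x64'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows';             Dir = "$env:SystemRoot\System32" },
        @{ View = 'x86'; Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'; Dir = "$env:SystemRoot\SysWOW64" }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Key)) { continue }
        $p = Get-ItemProperty -LiteralPath $v.Key
        # AppInit_DLLs holds zero or more names separated by spaces or commas.
        $dlls = @($p.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })
        if ($dlls.Count -eq 0) { $dlls = @($null) }   # still report this view's flags
        foreach ($d in $dlls) {
            # Assumption: a bare file name is resolved against that view's system directory.
            $full = $null
            if ($d) { $full = if ([IO.Path]::IsPathRooted($d)) { $d } else { Join-Path $v.Dir $d } }
            [pscustomobject]@{
                View       = $v.View
                Enabled    = $p.LoadAppInit_DLLs          # 1 = AppInit DLLs are loaded
                SignedOnly = $p.RequireSignedAppInit_DLLs # 1 = only signed DLLs are loaded
                Dll        = $d
                Resolved   = $full
                Exists     = if ($full) { Test-Path -LiteralPath $full } else { $null }
            }
        }
    }
}

Get-AppInitDllConfig | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so both registry views are read; on Windows 8 and later with Secure Boot enabled, AppInit_DLLs are ignored regardless of these values.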

This 64-bit version has only been tested on 64-bit Windows; it has not been tested on 64-bit XP or on 64-bit Windows Server. I expect it to work on these systems too, but you need to test first. I’ve also compiled this 64-bit version with Visual Studio 2010 and an option to include the Visual C++ runtime libraries inside the DLL, so you don’t need to install the Microsoft Visual C++ 2010 Redistributable Package. But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have to recompile the DLL with the new version of the libraries.

LoadDLLViaAppInit64_V0_0_0_1.zip (https)
MD5: 94C38717690CE849976883FFE4B22CA1
SHA256: 447C8F61A6398CBE6BD5E681FCE28C55D426D4E4EA49BBE367AE5B334B073A55

6 Comments

  1. [But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have to recompile the DLL with the new version of the libraries.]

    Can you explain this line, Didier? In other words, I don't agree: if you are compiling with /MT then nothing will stop it from running, AFAIK?

    Comment by Anonymous — Thursday 20 October 2011 @ 18:29

  2. [But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have to recompile the DLL with the new version of the libraries.]

    Can you explain why this wouldn't work if we use the /MT flag?

    Comment by hi — Thursday 20 October 2011 @ 18:34

  3. What I mean is the following: I’ve compiled this with the /MT flag, which makes the linker include the C++ runtime in the DLL.
    The advantage is that it will run on all x64 systems.
    The drawback is the following: say that a vulnerability is found in the runtime, and that Microsoft releases a patch for the runtime. Applying this patch on your system will not remove the vulnerability in the runtime inside LoadDLLViaAppInit64.dll. The only way to remove this vulnerability is to apply the patch for Visual Studio, and then recompile.

    Comment by Didier Stevens — Thursday 20 October 2011 @ 18:43

  4. […] To remove a DLL: RemoteDLL UnDLL LoadDLLViaAppInit […]

    Pingback by Some virus/malware removal tools | PC Helpline BD (Bangladesh) — Thursday 26 April 2012 @ 7:21

