Didier Stevens

Wednesday 19 October 2011

LoadDLLViaAppInit 64-bit

Filed under: My Software — Didier Stevens @ 16:47

Many of my security tools are DLLs. If you want to use these tools inside a 64-bit process, you’re stuck, because you can’t use 32-bit DLLs inside a 64-bit process (and vice versa).

LoadDLLViaAppInit is a tool I released to load DLLs inside selected processes. If you want to use this 32-bit version of LoadDLLViaAppInit on a 64-bit Windows machine, you need to configure AppInit_DLLs in this registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows

You also need to copy LoadDLLViaAppInit.dll in this directory: C:\Windows\SysWOW64

Today I’m releasing a 64-bit version of LoadDLLViaAppInit: LoadDLLViaAppInit64.dll. This will help you to load DLLs inside 64-bit processes.

This 64-bit version has to be installed and configured just like its 32-bit version on a 32-bit OS: you copy the DLL in directory C:\Windows\System32 and you configure the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

The configuration file is LoadDLLViaAppInit64.bl.txt.

This 64-bit version has only been tested on 64-bit Windows, not on 64-bit XP neither on 64-bit Windows Server. I expect it to work on these systems too, but you need to test first. I’ve also compiled this 64-bit version with Visual Studio 2010 and an option to include the runtime Visual C++ libraries inside the DLL, so you don’t need to install the Microsoft Visual C++ 2010 Redistributable Package. But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have the recompile the DLL with the new version of the libraries.

LoadDLLViaAppInit64_V0_0_0_1.zip (https)
MD5: 94C38717690CE849976883FFE4B22CA1
SHA256: 447C8F61A6398CBE6BD5E681FCE28C55D426D4E4EA49BBE367AE5B334B073A55

5 Comments »

  1. [But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have the recompile the DLL with the new version of the libraries.]

    Can you explain this line Didier? in other words I dont agree, if you are compiling with /MT then nothing will stop it from running afaik?

    Comment by Anonymous — Thursday 20 October 2011 @ 18:29

  2. [But this option has a drawback: when Microsoft releases a patch for the libraries, I (or you) will have the recompile the DLL with the new version of the libraries.]

    Can you explain why this wouldnt work if we use /MT flag?

    Comment by hi — Thursday 20 October 2011 @ 18:34

  3. What I mean is the following: I’ve compiled this with the /MT flag, which makes that the linker includes the C++ runtime in the DLL.
    The advantage is that it will run on all x64 systems.
    The drawback is the following: say that a vulnerability is found in the runtime, and that Microsoft releases a patch for the runtime. Applying this patch on your system will not remove the vulnerability in the runtime inside LoadDLLViaAppInit64.dll. The only way to remove this vulnerability is to apply the patch for Visual Studio, and then recompile.

    Comment by Didier Stevens — Thursday 20 October 2011 @ 18:43

  4. […] DLL মুছে ফেলতে: RemoteDLL UnDLL LoadDLLViaAppInit […]

    Pingback by কিছু ভাইরাস/মলওয়্যার রিমুভাল টুল | পিসি হেল্পলাইন বিডি (বাংলাদেশ) — Thursday 26 April 2012 @ 7:21


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: