Dll injection on boot

c++ / delphi package - dll injection and api hooking
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Dll injection on boot

Post by _NN_ »

Hello,
Do you have functionality to configure the driver to run on boot and inject a DLL automatically into all processes as early as possible?
If there is no such functionality, how can I achieve this?
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: Dll injection on boot

Post by _NN_ »

I think I found the answer here:
http://help.madshi.net/DllInjecting.htm

// permanent:       shall the dll be injected permanently? (= stay active after reboots)
Is it correct?

Btw, is there any explanation of what a file mask is?
Can I use only wildcards, or are there more options?

Thanks
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Dll injection on boot

Post by madshi »

Yes, madCodeHook v4 has introduced a "permanent" DLL injection option. So basically you install the injection driver, then tell madCodeHook that you want a specific DLL injection to always be done (even after reboots).

File masks support * and ? wildcards. It's a bit more flexible than what other tools sometimes support. So e.g. you could use "C:\*\some.exe".

When you say "as early as possible":

1) Do you mean the driver should start to inject into newly created processes as early as possible in the OS boot phase? That should already be the case. Although of course the driver has a few requirements (file system must be up and running etc), so there's a limit to how soon it can start running.

2) Or do you mean that your hook DLL should be initialized in each newly created process as early as possible during the new process initialization phase? If so, currently v4 injects in such a way that your hook dll gets initialized (DLL_PROCESS_ATTACH) right after all other DLLs which are statically linked by the EXE are initialized, and before the EXE's "main" starts running. I'm working on a new DLL injection method right now which will initialize your hook dll even earlier - basically only those dlls which your hook dll statically links to will be initialized before your hook dll. After that comes your hook dll, and only afterwards the other dlls the EXE is statically linking to. The new injection method should hopefully be ready next week.
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: Dll injection on boot

Post by _NN_ »

1. This is okay. I just need to be able to cover all Windows services.
2. Loading the DLL as early as possible is the feature I need. Glad to hear it will be ready soon.

Is there any document describing how the injection driver works?
Can you write a few words about how the driver loads the DLL?
Does it patch the DLL's import list, or do you have something else?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Dll injection on boot

Post by madshi »

Currently the driver hooks NtTestAlert within each newly created user mode process. NtTestAlert is usually called the first time right before the EXE's "main" is called.

The next driver version will instead modify the IAT table of the EXE module of the newly created process, to make it look like your hook dll is the EXE's first statically linked dll.
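
A defender-side check for the import-table approach described in the post above, added here as an example and not taken from the thread or from madCodeHook: it lists the DLLs named by a PE image's import descriptors, in order, and reports names that appear in the live image but not in the file's. It assumes both inputs are in mapped layout (RVA equals offset); `build_image`, `compare_imports` and the DLL name `example_hook.dll` are constructed for the illustration.

```python
import struct

def import_dlls(image: bytes) -> list:
    """DLL names, in import-descriptor order, from a PE image in mapped layout (RVA == offset)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    pe = struct.unpack_from("<I", image, 0x3C)[0]             # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = pe + 24                                             # 4-byte signature + 20-byte COFF header
    dirs = {0x10B: 96, 0x20B: 112}.get(struct.unpack_from("<H", image, opt)[0])
    if dirs is None:
        raise ValueError("unknown optional header magic")
    off = struct.unpack_from("<I", image, opt + dirs + 8)[0]  # data directory 1 = import table RVA
    names = []
    while off and len(names) < 4096:                          # cap guards against malformed tables
        desc = struct.unpack_from("<5I", image, off)          # one 20-byte IMAGE_IMPORT_DESCRIPTOR
        if not any(desc):                                     # all-zero descriptor ends the table
            break
        name_rva = desc[3]                                    # Name field: RVA of the DLL name string
        end = image.index(b"\0", name_rva)
        names.append(image[name_rva:end].decode("ascii", "replace").lower())
        off += 20
    return names

def compare_imports(disk_image: bytes, live_image: bytes) -> dict:
    """Report DLLs present only in the live import table and whether the first entry differs."""
    disk, live = import_dlls(disk_image), import_dlls(live_image)
    return {"added": [d for d in live if d not in disk], "first_changed": live[:1] != disk[:1]}

def build_image(dlls) -> bytes:
    """Constructed sample: minimal PE32 image whose import table names `dlls` (not a loadable file)."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 24, 0x10B)             # PE32 magic
    struct.pack_into("<II", img, 0x40 + 24 + 96 + 8, 0x200, 20 * (len(dlls) + 1))
    name_off = 0x300
    for i, dll in enumerate(dlls):
        struct.pack_into("<5I", img, 0x200 + 20 * i, 0, 0, 0, name_off, 0)
        img[name_off:name_off + len(dll)] = dll.encode("ascii")
        name_off += len(dll) + 1
    return bytes(img)

if __name__ == "__main__":
    disk = build_image(["KERNEL32.dll", "USER32.dll"])
    live = build_image(["example_hook.dll", "KERNEL32.dll", "USER32.dll"])
    print(compare_imports(disk, live))
```
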
_NN_
Posts: 55
Joined: Mon Jan 21, 2013 4:00 pm

Re: Dll injection on boot

Post by _NN_ »

Does it work well with .NET and Java processes?

Is the next driver the one you are going to release next week? Will it be part of v4, or will you release v5?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Re: Dll injection on boot

Post by madshi »

It seems to work with .NET, at least early tests suggest so. Haven't tested Java yet, but I don't expect problems. Still developing, so not a lot of tests done yet.

Yes, this is the driver I'm going to release soon, hopefully next week. It will be part of v4. I've switched to a subscription model with v4, so there's no real reason for me to go v5.