Best practices for DLL injection?

Suppose I want to add a DLL to a process, where the DLL edits the value at address A every 250 ms. I will need to use DllMain, right? The problem is that I am not allowed to wait inside DllMain. So I need to create a thread? Or does that get around the limit? How can I do this?

Also, are there any advantages to using DLL injection to edit application memory over doing it from an EXE?

Also, what stack size should I pass to CreateThread? What if it is too small or too large? How do I know how much I need?

1 answer

From your description, it looks like you already know how to get the target process to load your DLL. If my assumption is correct, the answer is simple: create a thread from DllMain and implement your logic in that thread. As long as your code complies with the rules below, you should be fine.

This document describes what can and cannot be done in DllMain and why.

As stated, you should never perform the following tasks from DllMain:

  • Call LoadLibrary or LoadLibraryEx (directly or indirectly). This can lead to a deadlock or a crash.
  • Synchronize with other threads. This can lead to a deadlock.
  • Acquire a synchronization object that is owned by code which is waiting to acquire the loader lock. This can lead to a deadlock.
  • Initialize COM threads using CoInitializeEx. Under certain conditions, this function may call LoadLibraryEx.
  • Call registry functions. These functions are implemented in Advapi32.dll. If Advapi32.dll is not initialized before your DLL, the DLL can access uninitialized memory and cause the process to crash.
  • Call CreateProcess. Creating a process may load another DLL.
  • Call ExitThread. Exiting a thread while a DLL is being detached can cause the loader lock to be acquired again, which can lead to a deadlock or a crash.
  • Call CreateThread. Creating a thread may work if you do not synchronize with other threads, but it is risky.
  • Create a named pipe or other named object (Windows 2000 only). In Windows 2000, named objects are provided by the Terminal Services DLL. If this DLL is not initialized, calls to it can cause the process to crash.
  • Use the memory management functions from the dynamic C Run-Time (CRT). If the CRT DLL is not initialized, calls to these functions may cause the process to crash.
  • Call functions in User32.dll or Gdi32.dll. Some of these functions load another DLL that may not be initialized.
  • Use managed code.

In DllMain, you can perform the following tasks:

  • Initialize static data structures and members at compile time.
  • Create and initialize synchronization objects.
  • Allocate memory and initialize dynamic data structures (avoiding the functions listed above).
  • Set up thread local storage (TLS).
  • Open, read from, and write to files.
  • Call functions in Kernel32.dll (with the exception of the functions listed above).
  • Set global pointers to NULL, deferring the initialization of dynamic members. In Microsoft Windows Vista™, you can use the one-time initialization functions to ensure that a block of code runs only once in a multithreaded environment.

The second question is less clear to me. To inject code into another process, you have to start from something (a browser, an exe, whatever) and then write into the target process's memory to make it load your DLL.

