
I'm working on an application (DLL) that logs specific WIN32 calls using Detours. It is injected into a target application that passes the filter. It has to absolutely log every call that the application makes, starting from the first instruction in the application's entry point.

I am now looking for a way to make my application (the one that always runs) inject the DLL as fast as possible, preferably without the target application making any other calls.

Is there any way to achieve this?

BartoszKP
Bart Pelle
  • You are asking for a hook to get your injection to run before the exe entry point. Seems a little implausible. – David Heffernan Oct 20 '13 at 20:46
  • How is this implausible? As soon as a new application starts (let's pick notepad.exe as example), it'll start to load. The OS will load the assembly into the memory and start to execute it. Right before it reaches the main() method (the entry point of the application) I need to interfere and do my magic to inject the DLL. – Bart Pelle Oct 20 '13 at 20:49
  • Well, main is not the entry point. I think it's implausible because I don't think the OS will give you that hook. Of course if you are starting the process, you can create it suspended. – David Heffernan Oct 20 '13 at 20:51
  • I'll try to clarify it a bit more. I've used 'procmon', the Process Monitor by Sysinternals quite often. It's that kind of method that I need to intercept API calls, as every call from start to end of a program is being logged there. – Bart Pelle Oct 20 '13 at 21:05
  • procmon uses ssdt hooks IIRC – David Heffernan Oct 20 '13 at 21:24

2 Answers


You could use the AppInit_DLLs registry key to load a dll into a process. The dll is loaded during DLL_PROCESS_ATTACH of User32.dll. For regular applications this should happen prior to running any application code.

Keep in mind though that AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs.

IInspectable
  • Thank you for answering. I am going to evaluate this and see how it turns out. :) – Bart Pelle Oct 20 '13 at 20:28
  • Alright, after reading through it, I see that it's quite unstable to use and that Vista doesn't have this enabled unless the user does so. Is there any alternative to this problem? – Bart Pelle Oct 20 '13 at 20:33
  • It is unstable because programmers insist that their DLL needs to be injected in every process as early as possible. That must sound familiar :) LoadAppInit_DLLs is not disabled. – Hans Passant Oct 20 '13 at 21:03
  • I'm unsure about the availability on other platforms, but this is _exactly_ what I was looking for, and perfectly does its job on my Windows XP Professional virtual machine. Thank you, accepted! – Bart Pelle Oct 20 '13 at 21:25
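Since AppInit_DLLs rides into every user32-linked process, an administrator will want to see what is configured in it. The following audit script is an added example, not code from the thread or from any of its posters; it reads the registry values the answer and comments refer to (AppInit_DLLs, LoadAppInit_DLLs, and the later RequireSignedAppInit_DLLs) from both the native and Wow6432Node keys and reports each listed DLL.

```powershell
# Added audit script (not part of the original thread): report what the loader
# will pull into every user32-linked process through AppInit_DLLs, so a defender
# can review the list and its gating values.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',             # native (64-bit) processes
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit processes on x64
)

function Get-AppInitDllReport {
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # LoadAppInit_DLLs (Vista and later) gates the whole mechanism; on XP the
        # value does not exist and the list is always honoured, which matches the
        # asker's XP result in the comments above.
        $enabled    = if ($null -eq $props.LoadAppInit_DLLs) { 'n/a (pre-Vista)' } else { $props.LoadAppInit_DLLs }
        $signedOnly = if ($null -eq $props.RequireSignedAppInit_DLLs) { 'n/a' } else { $props.RequireSignedAppInit_DLLs }
        # The value is a space- or comma-separated list of DLL names or paths.
        $list  = [string]$props.AppInit_DLLs
        $names = @($list -split '[ ,]+' | Where-Object { $_ -ne '' })
        if ($names.Count -eq 0) {
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $enabled; RequireSigned = $signedOnly
                               Dll = '(none)'; Exists = $null; Signature = $null }
            continue
        }
        foreach ($name in $names) {
            $exists = $null
            # A bare file name is resolved by the normal DLL search order at load time,
            # so only rooted paths are checked on disk here (assumption of this script).
            $sig = 'bare name: resolved by DLL search order'
            if ([IO.Path]::IsPathRooted($name)) {
                $exists = Test-Path -LiteralPath $name
                $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $name).Status.ToString() } else { 'missing' }
            }
            [pscustomobject]@{ Key = $key; LoadAppInit_DLLs = $enabled; RequireSigned = $signedOnly
                               Dll = $name; Exists = $exists; Signature = $sig }
        }
    }
}

Get-AppInitDllReport | Format-Table -AutoSize
```

Run it from an elevated prompt on the machine being reviewed; a non-empty list with LoadAppInit_DLLs set to 1 means every new GUI process will load those DLLs inside User32's DLL_PROCESS_ATTACH, which is exactly the loader-lock situation the answer warns about.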

As far as I know, there's no straightforward way of doing this in Windows.

Your options are:

  1. Hooking the CreateProcess (or lower) function in all processes. When a new process is created, change the arguments to create it as suspended, inject, and resume if needed.
  2. Using a driver.
Paul
  • Your second point is an interesting one. What are the capabilities if one creates a driver? Does this provide me with access to something that might solve my issue? – Bart Pelle Oct 20 '13 at 20:50
  • Drivers are not my area of experience, but I've seen a [hooking library](http://help.madshi.net/mchInjDrv.htm) which uses this technique. – Paul Oct 20 '13 at 20:55
  • The link you've provided is a very good one, and seems to be what I want. You're getting my upvote for now, and if it turns out this was the answer towards my goal I'll accept it. – Bart Pelle Oct 20 '13 at 20:57