Dll Injection
Win32 LD_PRELOAD
http://www.deez.info/sengelha/code/win32-ldpreload/
InjLib - A Library that implements remote code injection for all Windows versions
http://www.codeproject.com/KB/library/InjLib.aspx
Injected Evil
http://www.rootkit.com/newsread_print.php?newsid=831
Injecting Code Into Privileged Win32 Processes
http://mnin.blogspot.com/2007/05/injecting-code-into-privileged-win32.html
CreateRemoteThread, Vista and separate sessions
http://blog.assarbad.net/20080723/createremotethread-vista-and-separate-sessions/
A More Complete DLL Injection Solution Using CreateRemoteThread
http://69.10.233.10/KB/threads/completeinject.aspx
Injection coverage on Vista with UAC
http://www.celceo.com/blogs/windows-insight/2008/02/injection-coverage-on-vista-wi.html
WoW64
Dll Injection - Vista + UAC
http://forum.madshi.net/viewtopic.php?p=15825
How does one retrieve the 32-bit context of a Wow64 program from a 64-bit process on Windows Server 2003 x64?
http://www.nynaeve.net/?p=191
Beware GetThreadContext on Wow64
http://www.nynaeve.net/?p=129
API Interception
API Spying Techniques for Windows 9x, NT and 2000
http://www.internals.com/articles/apispy/apispy.htm
Powerful x86/x64 Mini Hook-Engine
http://www.ntcore.com/Files/nthookengine.htm
API Hooking Methods
http://help.madshi.net/ApiHookingMethods.htm
Detours: Binary Interception of Win32 Functions
http://research.microsoft.com/~galenh/publications/huntusenixnt99.pdf
DEVIARE API HOOK
http://www.nektra.com/products/deviare/hooklib/index.php
Intercepting System API Calls
http://softwarecommunity.intel.com/articles/eng/3651.htm
Why hooking system services is more difficult (and dangerous) than it looks
http://www.nynaeve.net/?p=210
User Level API Hooking Mistakes to Avoid
http://www.celceo.com/blogs/windows-insight/2007/09/pitfalls-of-api-hooking-at-the.html
Detour unhooking order
http://www.celceo.com/blogs/windows-insight/2008/02/detour-unhooking-order.html
Lock contention, the loader lock and hidden API locks
http://www.celceo.com/blogs/windows-insight/2007/10/lock-contention-the-loader-loc.html
Summary
Three ways to inject a dll into a running process:
- CreateRemoteThread (or the lower-level NtCreateThreadEx / RtlCreateUserThread), with LoadLibrary as the thread start routine,
- NtQueueApcThread (queue a user-mode APC to a thread of the target; it runs when that thread next enters an alertable wait),
- SetThreadContext (suspend a thread, point its instruction pointer at injected code, resume it).
The concerns around dll injection are:
- WoW64 (a 32-bit dll cannot be loaded into a 64-bit process or vice versa; GetThreadContext/SetThreadContext on a Wow64 thread from a 64-bit process need the Wow64 variants),
- Different session (RunAs, Remote Desktop and Terminal Services: CreateRemoteThread fails when the target is in another session on Vista and later),
- System processes (running as LocalSystem),
- Native processes (no kernel32.dll, so no LoadLibrary; only ntdll.dll exports such as LdrLoadDll are available),
- Create and inject (injecting into a process created suspended, before its loader has run and kernel32.dll is mapped).
The concerns around API interception (inline hooking) are:
- Instruction length (the bytes overwritten by the jump must cover a whole number of instructions),
- Unhookable instructions (functions shorter than the jump, or instructions that cannot be copied unchanged into a trampoline),
- Concurrency (threads executing the prologue while the hook is being installed or removed),
- Intercept self (the hook calling the hooked entry point instead of the trampoline, looping forever),
- RIP-relative addressing (x64 operands whose displacement is relative to the original address and must be relocated when moved).
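The three hooking concerns about instruction length, unhookable instructions and RIP-relative addressing come down to one question a detour engine must answer before it writes its 5-byte jmp: how many whole instructions must be moved to the trampoline, and can they be moved unchanged? The following added example (not code from the page or from any of the engines linked above) is a minimal x86-64 length decoder for the instruction subset found in function prologues, plus the walker that answers that question. The sample prologues are constructed byte sequences, not taken from any real binary; the decoder deliberately knows only a small opcode subset and reports anything else as unknown rather than guessing.

```c
/* Added example: prologue walker for inline (detour) hooks on x86-64.
 * Decodes whole instructions until the 5 bytes a jmp rel32 needs are covered,
 * and refuses when the stolen bytes cannot be copied unchanged. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { HOOK_JMP_LEN = 5 };                 /* size of the E9 rel32 a detour writes */
enum {
    HOOK_UNKNOWN_INSN = -1,                /* opcode this decoder does not know */
    HOOK_NEEDS_RELOC  = -2,                /* stolen bytes hold a RIP-relative or rel8/rel32 operand */
    HOOK_TOO_SHORT    = -3                 /* ret reached before HOOK_JMP_LEN bytes */
};

typedef struct {
    int  len;           /* instruction length, 0 if undecodable or truncated */
    bool rip_relative;  /* memory operand is [RIP + disp32] */
    bool rel_branch;    /* jmp/call/jcc with an IP-relative immediate */
    bool terminates;    /* ret: bytes after it are not part of this function */
} insn_info;

/* ModRM byte plus any SIB and displacement at p. Returns bytes consumed, 0 if truncated. */
static int decode_modrm(const uint8_t *p, size_t avail, bool *rip)
{
    if (avail < 1) return 0;
    int mod = p[0] >> 6, rm = p[0] & 7, n = 1;
    if (mod == 3) return n;                        /* register-direct operand */
    if (rm == 4) {                                 /* SIB byte follows */
        if (avail < 2) return 0;
        n++;
        if (mod == 0 && (p[1] & 7) == 5) n += 4;   /* base=101 with mod=00: disp32, no base */
    } else if (mod == 0 && rm == 5) {              /* mod=00 rm=101: [RIP + disp32] in 64-bit mode */
        *rip = true;
        n += 4;
    }
    if (mod == 1) n += 1;
    else if (mod == 2) n += 4;
    return n;
}

/* Length-decode one instruction from the subset commonly seen in prologues. */
static insn_info decode_insn(const uint8_t *p, size_t avail)
{
    insn_info in = {0, false, false, false};
    size_t i = 0, len = 0;
    bool opsize16 = false, rexw = false;
    int m;

    while (i < avail && p[i] == 0x66) { opsize16 = true; i++; }               /* operand-size prefix */
    if (i < avail && (p[i] & 0xF0) == 0x40) { rexw = (p[i] & 8) != 0; i++; }  /* REX prefix */
    if (i >= avail) return in;
    uint8_t op = p[i++];

    if (op >= 0x50 && op <= 0x5F) len = i;                                      /* push/pop r64 */
    else if (op == 0x90 || op == 0xCC) len = i;                                 /* nop, int3 */
    else if (op == 0xC3) { len = i; in.terminates = true; }                     /* ret */
    else if (op == 0xE8 || op == 0xE9) { len = i + 4; in.rel_branch = true; }   /* call/jmp rel32 */
    else if (op == 0xEB || (op >= 0x70 && op <= 0x7F)) { len = i + 1; in.rel_branch = true; } /* jmp/jcc rel8 */
    else if (op >= 0xB8 && op <= 0xBF) len = i + (rexw ? 8 : opsize16 ? 2 : 4); /* mov r, imm */
    else if (op == 0x0F) {                                                      /* two-byte opcodes */
        if (i >= avail) return in;
        uint8_t op2 = p[i++];
        if (op2 >= 0x80 && op2 <= 0x8F) { len = i + 4; in.rel_branch = true; }  /* jcc rel32 */
        else if (op2 == 0x1F) {                                                 /* multi-byte nop r/m */
            if (!(m = decode_modrm(p + i, avail - i, &in.rip_relative))) return in;
            len = i + m;
        } else return in;
    }
    else if (op == 0x01 || op == 0x03 || op == 0x29 || op == 0x2B || op == 0x31 || op == 0x33 ||
             op == 0x39 || op == 0x3B || op == 0x85 || op == 0x87 || op == 0x89 || op == 0x8B ||
             op == 0x8D || op == 0xFF) {              /* add/sub/xor/cmp/test/xchg/mov/lea, ff /n */
        if (!(m = decode_modrm(p + i, avail - i, &in.rip_relative))) return in;
        len = i + m;
    }
    else if (op == 0x81 || op == 0x83 || op == 0xC7) {                          /* r/m, imm forms */
        if (!(m = decode_modrm(p + i, avail - i, &in.rip_relative))) return in;
        len = i + m + (op == 0x83 ? 1 : opsize16 ? 2 : 4);
    }
    else return in;

    if (len > avail) return in;                                                 /* runs off the buffer */
    in.len = (int)len;
    return in;
}

/* Bytes to copy into the trampoline so the first HOOK_JMP_LEN bytes of `code`
 * can be overwritten with jmp rel32, or a negative HOOK_* code if that is unsafe.
 * A fuller engine would relocate rel32/RIP-relative operands instead of refusing. */
static int stolen_bytes_for_hook(const uint8_t *code, size_t n)
{
    int off = 0;
    while (off < HOOK_JMP_LEN) {
        insn_info in = decode_insn(code + off, n - (size_t)off);
        if (in.len == 0) return HOOK_UNKNOWN_INSN;
        if (in.rip_relative || in.rel_branch) return HOOK_NEEDS_RELOC;
        off += in.len;
        if (in.terminates && off < HOOK_JMP_LEN) return HOOK_TOO_SHORT;
    }
    return off;
}

/* Constructed sample prologues (assumed inputs, not taken from any real binary). */
static const uint8_t kStdX64Prolog[]   = {0x48,0x89,0x5C,0x24,0x08, 0x57, 0x48,0x83,0xEC,0x20}; /* mov [rsp+8],rbx; push rdi; sub rsp,20h */
static const uint8_t kFrameProlog[]    = {0x55, 0x48,0x89,0xE5, 0x48,0x83,0xEC,0x10};           /* push rbp; mov rbp,rsp; sub rsp,10h */
static const uint8_t kHotpatchProlog[] = {0x66,0x90, 0x53, 0x48,0x83,0xEC,0x20};                /* 2-byte nop; push rbx; sub rsp,20h */
static const uint8_t kRipRelProlog[]   = {0x48,0x8B,0x05,0x10,0x00,0x00,0x00, 0xC3};            /* mov rax,[rip+10h]; ret */
static const uint8_t kTinyFunc[]       = {0x31,0xC0, 0xC3};                                     /* xor eax,eax; ret */
static const uint8_t kJmpStub[]        = {0xE9,0x00,0x00,0x00,0x00, 0x90};                      /* jmp rel32; nop */

int main(void)
{
    printf("std x64 prologue : %d\n", stolen_bytes_for_hook(kStdX64Prolog, sizeof kStdX64Prolog));
    printf("frame prologue   : %d\n", stolen_bytes_for_hook(kFrameProlog, sizeof kFrameProlog));
    printf("hotpatch prologue: %d\n", stolen_bytes_for_hook(kHotpatchProlog, sizeof kHotpatchProlog));
    printf("rip-relative     : %d\n", stolen_bytes_for_hook(kRipRelProlog, sizeof kRipRelProlog));
    printf("tiny function    : %d\n", stolen_bytes_for_hook(kTinyFunc, sizeof kTinyFunc));
    printf("jmp stub         : %d\n", stolen_bytes_for_hook(kJmpStub, sizeof kJmpStub));
    return 0;
}
```

The standard x64 prologue happens to split exactly at 5 bytes, the frame-pointer prologue needs 8 bytes stolen because the third instruction straddles the jump, and the other three samples show the refusals: a RIP-relative load whose disp32 would point somewhere else once copied, a function too short to hold the jump (the jmp would clobber whatever follows the ret), and an entry that is already a jmp rel32. Engines such as the ones linked above go further than this walker and relocate relative operands rather than refusing, and they must also handle the concurrency problem this example ignores: a thread may be executing the stolen bytes at the moment they are overwritten.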