Question

I've written the simplest injection dll possible. Here is the code in its entirety:

#include "stdafx.h"
#include <windows.h>   // BOOL, APIENTRY, DWORD, LPVOID, TRUE (a default VS DLL project already pulls this in via stdafx.h)
#include <stdio.h>

// Loader entry point. This runs for every reason code (process and thread
// attach/detach), so the marker file is simply re-created each time; that is
// fine for a load-visibility test. Keep real DllMain bodies minimal, since
// they execute under the loader lock.
BOOL APIENTRY DllMain(HINSTANCE hModule,
                      DWORD  ul_reason_for_call,
                      LPVOID lpReserved)
{
    (void)hModule; (void)ul_reason_for_call; (void)lpReserved;   // unused here

    // Touch a marker file so the load is observable from outside the process.
    FILE * File = fopen("D:\\test.txt", "w");
    if(File != NULL)
    {
        fclose(File);
    }
    return TRUE;
}

Super simple, right? Well, I can't even get this to work. This code compiles to a dll and I've placed the path to this dll in the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]. I should also mention that the LoadAppInit_DLLs registry value is set to 1. From doing this I expect to see the file "D:\test.txt" appear when I start other applications (like notepad.exe), but it doesn't. I don't get it. There is another .dll, which is very old and written in Visual Studio '97 (which I'm trying to replace), that works just fine when I set AppInit_DLLs to point to it and start an arbitrary application. I can tell that it is getting loaded when other applications are started.

I'm not sure what's going on here, but this should work, shouldn't it? It can't get any simpler. I'm using VS 2010; by all accounts I think I've created a very plain Jane .dll, so I don't think any project settings should be out of whack, but I'm not completely sure about that. What am I missing here?


Setup Info

  • OS: Windows 7 64-bit
  • OS Version: 6.1.7601 Service Pack 1 Build 7601
  • IDE: Visual Studio 2010
  • IDE version: 10.0.40219.1 SP1Rel

Solution

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is NOT the registry key used for injection into 32-bit processes. It's the registry key if your OS is 32-bit.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is the correct registry key to use if your OS is 64-bit.

I was under the assumption that the former was for 32-bit processes and the latter was for 64-bit processes. But really, the OS is going to ignore one of those registry keys depending on whether or not the OS itself is 64-bit or 32-bit.

OTHER TIPS

@Ultratrunks: This is not completely correct.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is for both 32- as well as 64-bit OS.

But if we want to run 32-bit processes on a 64-bit machine, then we need to modify the following registry key: [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

WoW is basically the concept of making a 64-bit system compatible with running 32-bit processes.

I verified it after running my programs on both 32- as well as 64-bit OS and running 32-bit processes on a 64-bit machine.

Hence:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 32-/64-bit OS

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs for 32-bit processes on 64-bit OS

First of all, about SOFTWARE\Microsoft vs SOFTWARE\Wow6432Node\Microsoft: it's true that if both are 32- or 64-bit, go into SOFTWARE\Microsoft, and if you want to inject a 32-bit dll on a 64-bit OS, go into SOFTWARE\Wow6432Node\Microsoft.

My problem was that the value needs to be up to 8 characters, and if the path or name is longer than this you need to use the short name.

Example: if your dll name is inject~1.dll

Don't forget to set all three reg values:

  1. AppInit_DLLs -> dll name if it is in system32, or the full path without quotes (")
  2. LoadAppInit_DLLs -> 1
  3. RequireSignedAppInit_DLLs -> 0
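To see which of the two registry views is actually configured, which of the three values is set in each, and whether every listed DLL exists, has a usable 8.3 short name and is signed, here is an added PowerShell audit script. It is not code from any answer in this thread; it assumes a Windows host (64-bit for the Wow6432Node view to exist) with PowerShell 2.0 or later, and it is read-only: it reports the current state of both keys and changes nothing.

```powershell
# Added example, not from the thread: audit AppInit_DLLs in both registry
# views. The native view governs 64-bit processes on a 64-bit OS (and every
# process on a 32-bit OS); the Wow6432Node view governs 32-bit processes on a
# 64-bit OS. Nothing is written to the registry.

$views = @(
    @{ Label  = 'Native view (64-bit processes on x64, all processes on x86)'
       Key    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
       SysDir = "$env:SystemRoot\System32" },
    @{ Label  = 'Wow6432Node view (32-bit processes on x64)'
       Key    = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
       SysDir = "$env:SystemRoot\SysWOW64" }
)

# Scripting.FileSystemObject exposes the 8.3 short path of a file.
$fso = New-Object -ComObject Scripting.FileSystemObject

foreach ($view in $views) {
    Write-Output "== $($view.Label)"
    Write-Output "   $($view.Key)"
    if (-not (Test-Path -Path $view.Key)) {
        Write-Output "   key not present (normal on a 32-bit OS for the Wow6432Node view)"
        continue
    }
    $props = Get-ItemProperty -Path $view.Key

    # The three values the last answer says must all be set.
    Write-Output ("   LoadAppInit_DLLs          = {0}" -f $props.LoadAppInit_DLLs)
    Write-Output ("   RequireSignedAppInit_DLLs = {0}" -f $props.RequireSignedAppInit_DLLs)
    Write-Output ("   AppInit_DLLs              = '{0}'" -f $props.AppInit_DLLs)

    if ([string]::IsNullOrEmpty($props.AppInit_DLLs)) { continue }

    # AppInit_DLLs is a space- or comma-separated list of file names or paths,
    # which is why a path containing spaces is split into pieces by the loader.
    foreach ($entry in ($props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ })) {
        # A bare file name is resolved against the system directory that
        # matches this view's bitness; a rooted path is used as given.
        if ([System.IO.Path]::IsPathRooted($entry)) {
            $resolved = $entry
        } else {
            $resolved = Join-Path $view.SysDir $entry
        }

        if (-not (Test-Path -LiteralPath $resolved)) {
            Write-Output "   [missing] $entry -> $resolved"
            continue
        }

        # The last answer reports that a long name did not load for them and
        # that the 8.3 short name (e.g. inject~1.dll) did; show both forms.
        $file = $fso.GetFile($resolved)
        $sig  = Get-AuthenticodeSignature -FilePath $resolved
        Write-Output "   [present] $entry"
        Write-Output "             full path : $($file.Path)"
        Write-Output "             8.3 path  : $($file.ShortPath)"
        Write-Output "             signature : $($sig.Status)"
        if ($props.RequireSignedAppInit_DLLs -eq 1 -and $sig.Status -ne 'Valid') {
            Write-Output "             NOTE: RequireSignedAppInit_DLLs is 1 and this DLL is not validly signed, so it will not load"
        }
    }
}
```

Run it from an elevated prompt on the machine in question; an entry that shows up as present only under the view that does not match the target process's bitness is exactly the mismatch the accepted answer describes. The same listing is also what a defender reviews when checking a host for unexpected AppInit_DLLs entries, since any DLL named here is loaded into every process that links user32.dll.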