Question

Suppose I want to inject a DLL into a process that wants to edit the value of address A every 250 ms. I would need to use DllMain, right? The issue is that I'm not allowed to wait inside DllMain. So I would have to create a thread? Or does that not bypass the limitation? How would I go about doing this?

Also, are there any benefits for using DLL injection to edit the memory of an application over using an EXE?

Also, what should the stack size be in CreateThread? What if it is too small or too large? How do I know how much I need?


Solution

From your description it seems you already know how to have the target process load your DLL. If my assumption is correct, then the answer is simple: create a thread from DllMain and implement your logic in the thread. As long as your code respects the rules outlined below you should be fine.

This document describes what can and cannot be done in DllMain and why.

As documented, you should never perform the following tasks from within DllMain:

  • Call LoadLibrary or LoadLibraryEx (either directly or indirectly). This can cause a deadlock or a crash.
  • Synchronize with other threads. This can cause a deadlock.
  • Acquire a synchronization object that is owned by code that is waiting to acquire the loader lock. This can cause a deadlock.
  • Initialize COM threads by using CoInitializeEx. Under certain conditions, this function can call LoadLibraryEx.
  • Call the registry functions. These functions are implemented in Advapi32.dll. If Advapi32.dll is not initialized before your DLL, the DLL can access uninitialized memory and cause the process to crash.
  • Call CreateProcess. Creating a process can load another DLL.
  • Call ExitThread. Exiting a thread during DLL detach can cause the loader lock to be acquired again, causing a deadlock or a crash.
  • Call CreateThread. Creating a thread can work if you do not synchronize with other threads, but it is risky.
  • Create a named pipe or other named object (Windows 2000 only). In Windows 2000, named objects are provided by the Terminal Services DLL. If this DLL is not initialized, calls to the DLL can cause the process to crash.
  • Use the memory management function from the dynamic C Run-Time (CRT). If the CRT DLL is not initialized, calls to these functions can cause the process to crash.
  • Call functions in User32.dll or Gdi32.dll. Some functions load another DLL, which may not be initialized.
  • Use managed code.

The following tasks are safe to perform within DllMain:

  • Initialize static data structures and members at compile time.
  • Create and initialize synchronization objects.
  • Allocate memory and initialize dynamic data structures (avoiding the functions listed above).
  • Set up thread local storage (TLS).
  • Open, read from, and write to files.
  • Call functions in Kernel32.dll (except the functions that are listed above).
  • Set global pointers to NULL, putting off the initialization of dynamic members. In Microsoft Windows Vista™, you can use the one-time initialization functions to ensure that a block of code is executed only once in a multithreaded environment.

Your second question is less clear to me. To inject code into another process you must start from somewhere (browser, exe, whatever), then write into the target process memory to have it load your DLL.
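The create-a-thread-from-DllMain pattern the answer recommends, written out as an added example that is not part of the original answer. It assumes a constructed global `g_target` standing in for "address A" and an exported `StopPeriodicWrite` as the stop signal; the worker takes a reference on its own module and unloads itself with FreeLibraryAndExitThread, so DllMain never waits on the thread (waiting there, especially in DLL_PROCESS_DETACH, deadlocks on the loader lock).

```c
#ifdef _WIN32   /* DllMain only exists on Windows; elsewhere this file compiles to nothing */
#include <windows.h>

static HANDLE g_stop_event = NULL;   /* set by StopPeriodicWrite(), polled by the worker  */
static volatile LONG g_target = 0;   /* constructed stand-in for the value at "address A" */

/* A timed-out wait means "do another tick"; the stop event (or a failed wait) ends the loop. */
static int ShouldTick(DWORD wait_result) { return wait_result == WAIT_TIMEOUT; }

/* Runs outside the loader lock, so it may use APIs that DllMain must not. */
static DWORD WINAPI Worker(LPVOID module)
{
    /* The 250 ms timed wait on the stop event doubles as the sleep between edits. */
    while (ShouldTick(WaitForSingleObject(g_stop_event, 250)))
        InterlockedIncrement(&g_target);                  /* the periodic edit */
    /* Release the reference taken in DllMain and end the thread in one call, so the
       DLL is never unmapped while this code is still executing. */
    FreeLibraryAndExitThread((HMODULE)module, 0);
}

__declspec(dllexport) void StopPeriodicWrite(void) { if (g_stop_event) SetEvent(g_stop_event); }

BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
{
    HMODULE self; HANDLE worker;
    switch (reason) {
    case DLL_PROCESS_ATTACH:
        DisableThreadLibraryCalls(hinst);        /* no DLL_THREAD_* notifications needed */
        /* Unnamed event: "create and initialize synchronization objects" is on the safe list. */
        g_stop_event = CreateEventW(NULL, TRUE, FALSE, NULL);
        if (!g_stop_event) return FALSE;
        /* Extra reference on ourselves so the injector's FreeLibrary cannot unmap the DLL
           from under the worker; the worker drops it via FreeLibraryAndExitThread. */
        if (!GetModuleHandleExW(GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS, (LPCWSTR)&DllMain, &self))
            return FALSE;
        /* Stack size 0 = the default from the image header (normally 1 MB). */
        worker = CreateThread(NULL, 0, Worker, self, 0, NULL);
        if (!worker) return FALSE;               /* FALSE makes the loader unload the DLL */
        CloseHandle(worker);                     /* thread keeps running; no waiting here */
        break;
    case DLL_PROCESS_DETACH:
        /* Never wait for the worker here: it would deadlock on the loader lock. */
        (void)reserved;
        if (g_stop_event) { CloseHandle(g_stop_event); g_stop_event = NULL; }
        break;
    }
    return TRUE;
}
#endif
```

Build it as a DLL with the Windows toolchain; the `#ifdef _WIN32` guard only keeps the file from failing to compile on other platforms.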

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow