Best DLL injection way?

Sep 8, 2008 at 3:04 PM
In user mode, for api hooking, it is very obvious the trampoline way is the best.
But for dll injection, which one is best? Basically, there are three generic ways:
1. CreateRemoteThread (or NtCreateThreadEx)
2. SetThreadContext (change the EIP)
3. NtQueueAPCThread (async procedure call)
Which one is the best? In terms of stability and application range. Or, more specifically, given we are going to use it under the CreateAndInject case (create a process in suspended state then inject, or intercept the NtResumeThread and inject code there), which one is the best?
Sep 17, 2008 at 7:59 PM
CreateRemoteThread: The only drawback is that AVs may prevent it... This could possibly be bypassed with Authenticode...

SetThreadContext: It is very tricky to get it working... See EasyHook stealth injection; it has several drawbacks. It doesn't work for managed injections and this will also affect other code that requires a similar stable environment... Also you will need at least one active thread or things will get ugly... The main and only advantage is that AVs will not detect such injections...

NtQueueAPCThread: I never tried this. It will work but I think it has the same drawbacks as SetThreadContext and also the same and only advantage with the AVs...

So in my opinion CreateRemoteThread or one of its children will always win this competition ;-)