Related works

Sep 9, 2008 at 1:41 AM
Edited Sep 9, 2008 at 3:40 PM
Trying to put together a list of related works for reference. Only interested in user-mode hooking, and the method should be generally applicable (SetWindowsHook is not generally applicable, for example).

DLL Injection

Win32 LD_PRELOAD
http://www.deez.info/sengelha/code/win32-ldpreload/

InjLib - A Library that implements remote code injection for all Windows versions
http://www.codeproject.com/KB/library/InjLib.aspx

Injected Evil
http://www.rootkit.com/newsread_print.php?newsid=831

Injecting Code Into Privileged Win32 Processes
http://mnin.blogspot.com/2007/05/injecting-code-into-privileged-win32.html

CreateRemoteThread, Vista and separate sessions
http://blog.assarbad.net/20080723/createremotethread-vista-and-separate-sessions/

A More Complete DLL Injection Solution Using CreateRemoteThread
http://69.10.233.10/KB/threads/completeinject.aspx

Injection coverage on Vista with UAC
http://www.celceo.com/blogs/windows-insight/2008/02/injection-coverage-on-vista-wi.html

WoW64

Dll Injection - Vista + UAC
http://forum.madshi.net/viewtopic.php?p=15825

How does one retrieve the 32-bit context of a Wow64 program from a 64-bit process on Windows Server 2003 x64?
http://www.nynaeve.net/?p=191

Beware GetThreadContext on Wow64
http://www.nynaeve.net/?p=129

API Interception

API Spying Techniques for Windows 9x, NT and 2000
http://www.internals.com/articles/apispy/apispy.htm

Powerful x86/x64 Mini Hook-Engine
http://www.ntcore.com/Files/nthookengine.htm

API Hooking Methods
http://help.madshi.net/ApiHookingMethods.htm

Detours: Binary Interception of Win32 Functions
http://research.microsoft.com/~galenh/publications/huntusenixnt99.pdf

DEVIARE API HOOK
http://www.nektra.com/products/deviare/hooklib/index.php

Intercepting System API Calls:
http://softwarecommunity.intel.com/articles/eng/3651.htm

Why hooking system services is more difficult (and dangerous) than it looks
http://www.nynaeve.net/?p=210

User Level API Hooking Mistakes to Avoid
http://www.celceo.com/blogs/windows-insight/2007/09/pitfalls-of-api-hooking-at-the.html

Detour unhooking order
http://www.celceo.com/blogs/windows-insight/2008/02/detour-unhooking-order.html

Lock contention, the loader lock and hidden API locks
http://www.celceo.com/blogs/windows-insight/2007/10/lock-contention-the-loader-loc.html

Summary

Three ways to inject a DLL:
  • CreateRemoteThread (NtCreateThreadEx, RtlCreateUserThread, ...),
  • NtQueueApcThread,
  • SetThreadContext.

The concerns around DLL injection are:
  • WoW64,
  • different session (RunAs, Remote Desktop and Terminal Services),
  • system process (running as the SYSTEM user),
  • native process (without Kernel32.dll),
  • create and inject.

API interception concerns:
  • instruction length,
  • unhookable instructions,
  • concurrency (installing and uninstalling time),
  • intercepting self (infinite loop),
  • RIP-relative addressing.