Related works

Sep 9, 2008 at 2:41 AM
Edited Sep 9, 2008 at 4:40 PM
Trying to put together a list of related works for reference. I'm only interested in user-mode hooking, and the approach should be generally applicable (SetWindowsHook is not generally applicable, for example).

Dll Injection

InjLib - A Library that implements remote code injection for all Windows versions

Injected Evil

Injecting Code Into Privileged Win32 Processes

CreateRemoteThread, Vista and separate sessions

A More Complete DLL Injection Solution Using CreateRemoteThread

Injection coverage on Vista with UAC

Dll Injection - Vista + UAC

How does one retrieve the 32-bit context of a Wow64 program from a 64-bit process on Windows Server 2003 x64?

Beware GetThreadContext on Wow64

API Interception

API Spying Techniques for Windows 9x, NT and 2000

Powerful x86/x64 Mini Hook-Engine

API Hooking Methods

Detours: Binary Interception of Win32 Functions

Intercepting System API Calls:

Why hooking system services is more difficult (and dangerous) than it looks

User Level API Hooking Mistakes to Avoid

Detour unhooking order

Lock contention, the loader lock and hidden API locks

Three ways to inject a DLL:
  • CreateRemoteThread (NtCreateThreadEx, RtlCreateUserThread...),
  • NtQueueAPCThread,
  • SetThreadContext.

The concerns around DLL injection are:
  • WoW64,
  • Different Session (RunAs, RemoteDesktop and TerminalService),
  • System Process (Run As User System),
  • Native Process (Without Kernel32.dll),
  • Create and inject.

API interception concerns:
  • Instruction length
  • Unhookable instructions
  • Concurrency (Installing and Uninstalling time)
  • Intercept self (Infinite loop)
  • RIP-relative addressing