Injecting 32-bit DLL from 64-bit process?

Mar 18, 2010 at 10:33 AM

Dears,

So, is it possible to inject 32-bit DLL from 64-bit process?

/** The below doesn't inject the 32-bit DLL to 32-bit target app. from 64-bit process...
  * So I guess it's not possible then?
  *
  */

NTSTATUS status = RhInjectLibrary(process_info->th32ProcessID, 0, EASYHOOK_INJECT_DEFAULT, _T("MyHook32.dll"), _T("MyHook64.dll"), NULL, 0);

Can it be done in some way?

Mar 18, 2010 at 1:31 PM
Yes, but you have to find a way of relaying this request from your 64
bit process to a 32 bit environment & let the 32 bit environment
inject the corresponding 32 bit process & vice versa...

This is automatically done with the Managed version of EasyHook. By
using the C/asm native APIs, you will have to find ways to relay this
request (events, tcp, ...). But yes, it is feasible.
Mar 18, 2010 at 1:58 PM

So you're saying that I need to have another process (32-bit) which handles the injection? Meaning, that my 64-bit process sends a request to 32-bit process via IPC which then makes the injection?

Mar 18, 2010 at 4:55 PM
Yes, that's correct.
You should have a 32 bit process (best is running it as a service)
receiving the 64 bit process request & then spawning if needed &/or
injecting the 32 bit target process.
But but but... let me warn you, looking at my background using multiple
different toolkits, you will not be able to inject .NET programs.

I don't know what you are using EasyHook for. But Microsoft decided to
make the next program loader/platform more secure (that's such a shame
when you see really great developers making such good applications using
injection mechanisms, due to a small number of hackers, but that is
another discussion) by forbidding injection in .NET programs.
If you also need to inject managed code, you will have to overwrite
mscoree.dll, which is the managed core.

If it is for monitoring file accesses or other stuff, you should
prefer using other technologies like kernel-level code.

Hope that I was able to give you a better picture
Louis


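The relay discussed in this thread, as an added example that is not part of the original posts or of EasyHook: a request format whose layout is identical in 32-bit and 64-bit builds, with the checks a 32-bit helper would apply before acting on it. The names relay_request, relay_build and relay_parse, the magic value and the absolute-path rule are assumptions; the IPC transport itself is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RELAY_MAGIC    0x314A4E49u  /* hypothetical tag, not an EasyHook value */
#define RELAY_MAX_PATH 260

/* Fixed-width fields only: pointers, HANDLEs and size_t differ in width
   between the 64-bit sender and the 32-bit helper. */
typedef struct {
    uint32_t magic;
    uint32_t target_pid;
    uint32_t target_bits;              /* 32 or 64 */
    uint32_t path_len;                 /* bytes, without the NUL */
    char     dll_path[RELAY_MAX_PATH]; /* NUL-terminated */
} relay_request;
_Static_assert(sizeof(relay_request) == 276, "same layout in both builds");

/* Sender (64-bit process): fill a request. Returns 0, or -1 on bad input. */
int relay_build(relay_request *r, uint32_t pid, uint32_t bits, const char *path)
{
    size_t n = strlen(path);
    if ((bits != 32 && bits != 64) || n == 0 || n >= RELAY_MAX_PATH) return -1;
    memset(r, 0, sizeof *r);
    r->magic = RELAY_MAGIC;
    r->target_pid = pid;
    r->target_bits = bits;
    r->path_len = (uint32_t)n;
    memcpy(r->dll_path, path, n);
    return 0;
}

/* Helper: the bytes read from the pipe or socket are untrusted input.
   helper_bits is the helper's own bitness. Fills *out only on success. */
int relay_parse(const void *buf, size_t len, uint32_t helper_bits, relay_request *out)
{
    relay_request r;
    const char *nul;
    if (len != sizeof r) return -1;
    memcpy(&r, buf, sizeof r);
    if (r.magic != RELAY_MAGIC || r.target_pid == 0) return -1;
    if (r.target_bits != helper_bits) return -1;      /* belongs to the other helper */
    nul = memchr(r.dll_path, 0, RELAY_MAX_PATH);
    if (!nul || (size_t)(nul - r.dll_path) != r.path_len) return -1;
    /* Absolute "X:\..." path only, so no DLL search order is involved. */
    if (r.path_len < 4 || r.dll_path[1] != ':' || r.dll_path[2] != '\\') return -1;
    *out = r;  /* caller now verifies the target's bitness, then injects */
    return 0;
}
```

On Windows the helper would still confirm the target's bitness itself (for example with IsWow64Process) before passing the validated PID and path to RhInjectLibrary.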