Simple DLL injection not working using AppInit_DLLs. DllMain() not getting called

dll dll-injection
Ultratrunks picture Ultratrunks · Jan 27, 2012 · Viewed 8.5k times · Source

I've written the simplest injection dll possible. Here is the code in its entirety:

#include "stdafx.h"
#include <stdio.h>

BOOL APIENTRY DllMain(HANDLE hModule, 
                      DWORD  ul_reason_for_call, 
                      LPVOID lpReserved)
{
    FILE * File = fopen("D:\\test.txt", "w");
    if(File != NULL)
    {
        fclose(File);
    }
    return TRUE;
}

Super simple right? Well I can't even get this to work. This code compiles to a dll and I've placed the path to this dll in the registry under [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]. I should also mention that LoadAppInit_DLLs registry value is set to 1. From doing this I expect to see the file "D:\test.txt" appear when I start other applications (like notepad.exe), but it doesn't. I don't get it. There is another .dll, which is very old and written in visual studio '97, (which I'm trying to replace) that works just fine when I set AppInit_DLLs to point to it and start an arbitrary application. I can tell that it is getting loaded when other applications are started.

I'm not sure whats going on here, but this should work shouldn't it? It can't get any simpler. I'm using VS 2010, by all accounts I think I've created a very plane Jane .dll so I don't think any project settings should be out of whack, but I'm not completely sure about that. What am I missing here?

Setup Info

  • OS: Windows 7 64-bit
  • OS Version: 6.1.7601 Service Pack 1 Build 7601
  • IDE: Visual Studio 2010
  • IDE version: 10.0.40219.1 SP1Rel

Answer

Ultratrunks picture Ultratrunks · Jan 27, 2012

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is NOT the registry key used for injection for into 32-bit processes. Its the registry key if your OS is 32-bit.

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs] is the correct registry key to use if your OS is 64-bit.

I was under the assumption that the former was for 32-bit processes and the latter was for 64-bit processes. But really, the OS is going to ignore one of those registry keys depending on whether or not the OS itself is 64-bit or 32-bit.

Related questions

DLL Injection with CreateRemoteThread

If you take a look at the following working code of a simple DLL injection: //Open the target process with read , write and execute priviledges Process = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_…

Read More
How do I register a DLL file on Windows 7 64-bit?

I have tried to use the following code: cd c:\windows\system32 regsvr32.exe dllname.ax But this is not working for me. How can I register a DLL file on Windows 7 with a 64-bit processor?

Read More
PHP 7: Missing VCRUNTIME140.dll

I have an error when I start PHP 7 on Windows. When I run php on the command line, it returns a message box with system error: The program can't start because VCRUNTIME140.dll is missing from your computer. Try reinstalling …

Read More