triadaaz.blogg.se

Redirector exe citrix












API hooking is all about making others do things they never even knew they could do. More precisely: tricking other processes into doing things differently from what their developers programmed.

API hooking is done in two steps: first, you need access to another process’ memory. Second, you manipulate memory addresses so that whenever the other process wants to call certain operating system API functions, your code is called instead.

Getting access to the memory of another process can be tricky. It is by far easier to use a technique not too dissimilar to a trojan horse and have your code automatically loaded into all processes created in the system. That is exactly what AppInit_DLLs does.

AppInit_DLLs has been part of Windows since the dawn of time. Because tampering with unsuspecting processes can have severe security and stability implications, Microsoft disabled the functionality by default starting with Vista, but enabling it is as simple as changing a registry value (LoadAppInit_DLLs). Technically, AppInit_DLLs is a registry value located in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. When User32.dll initializes, it reads the AppInit_DLLs registry value and loads all DLL names it finds in that value into memory. As User32.dll is one of the most common Windows DLLs this basically affects every single process.

Think of AppInit_DLLs as a free delivery mechanism that puts your code right into the heart of all processes running on your Windows machine.

But wait: I explained how you can get your DLL loaded into another process’ memory, but how do you make that other process execute your code so that you can install the API hook? Easy: whenever a DLL is loaded, the OS automatically calls the DllMain function of the DLL.

When processes need to do basic stuff like reading from a file, sending data across the network or accessing the registry, they call an API function provided by the operating system for that task.
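Because every DLL listed in AppInit_DLLs ends up in each process that loads User32.dll, the value is worth auditing on any machine. The following read-only PowerShell check is an added example, not code from the original article; it inspects the AppInit_DLLs and LoadAppInit_DLLs values described above. The Wow6432Node path (the 32-bit registry view) and the RequireSignedAppInit_DLLs value are not mentioned in the article and are included as assumptions about a standard 64-bit Windows installation; the function name is hypothetical.

```powershell
# Added example: read-only audit of the AppInit_DLLs configuration.
# Assumption: Wow6432Node (32-bit view) and RequireSignedAppInit_DLLs are
# standard Windows items that the article itself does not mention.
$AppInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Get-AppInitDllAudit {
    param([string[]]$KeyPath = $AppInitKeys)

    foreach ($path in $KeyPath) {
        if (-not (Test-Path -LiteralPath $path)) { continue }  # no Wow6432Node on 32-bit Windows
        $key = Get-ItemProperty -LiteralPath $path

        # The value is a single string; entries are separated by spaces or commas.
        $dlls = @("$($key.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        $loadEnabled   = ([int]$key.LoadAppInit_DLLs -eq 1)           # missing value counts as 0
        $requireSigned = ([int]$key.RequireSignedAppInit_DLLs -eq 1)

        if ($dlls.Count -eq 0) {
            [pscustomobject]@{
                Key = $path; Dll = '(none)'; LoadEnabled = $loadEnabled
                RequireSigned = $requireSigned; Signature = $null
                Finding = 'OK: AppInit_DLLs is empty'
            }
            continue
        }

        foreach ($dll in $dlls) {
            # Only full paths are checked here; bare file names are left unresolved.
            $sig = if (Test-Path -LiteralPath $dll) {
                (Get-AuthenticodeSignature -LiteralPath $dll).Status
            } else { 'NotResolved' }

            $finding = if ($loadEnabled) { 'REVIEW: loaded into every process that loads User32.dll' }
                       else { 'Listed, but LoadAppInit_DLLs is off' }

            [pscustomobject]@{
                Key = $path; Dll = $dll; LoadEnabled = $loadEnabled
                RequireSigned = $requireSigned; Signature = $sig; Finding = $finding
            }
        }
    }
}

Get-AppInitDllAudit | Format-Table -AutoSize
```

Any row marked REVIEW should correspond to software you knowingly installed; an unexpected entry, or one whose Signature is not Valid, warrants investigation.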











