Check out my newly published blog post about DLL injection, thread local storage, TLS callbacks, and the problems that all these can cause. The blog post also shows how a thread can avoid invoking TLS callbacks, and that it can lead to other problems.
1. Injecting when the process/thread is in a known good state - This means (non-special) APCs, and window hook libraries. This is limited in which processes it works on, but does avoid most problems, in part because the thread expects callbacks already, just not this kind.
2. Injecting in a more rootkit-like fashion - This means a freestanding / ntdll-only injected DLL, preferably mapped as a section, and called with some hook (like an instrumentation callback). This always works, but severely limits you in how you can write your injected module.