In a previous post, I discussed adding more events to Excel by installing a Windows hook.
Under the hood, the idea is that we can load a DLL into the Excel process simply by packaging that DLL as a COM add-in, which Excel loads automatically.
This post covers programs that don't offer an add-in mechanism: loading a DLL into their process then requires DLL injection.
We need a DLL that installs a Windows hook when it is loaded, and we need to get that DLL into the address space of the target program by injecting it.
So the basic steps are:
1. Create a DLL.
2. In the DllMain function of the DLL, install a Windows hook that logs some CBT messages.
3. Start the target process.
4. Allocate some memory in the address space of the target process (VirtualAllocEx).
5. Write the path of the DLL into the allocated memory (WriteProcessMemory).
6. Call the LoadLibrary function of kernel32 in the target process, passing the allocated memory as the argument (CreateRemoteThread, with the address of LoadLibrary obtained from GetProcAddress). This loads the library found at the written path.
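From the defender's side, the useful property of the steps above is that a DLL brought in through LoadLibrary is an ordinary module of the target process: it has a file on disk, a path, and a signature status, and it appears in the process's module list. The script below is an added example, not code from the original post or from EasyHook; it enumerates the modules of a running process and reports those that do not live under a trusted directory. The trusted roots, the `Find-UnexpectedModule` name and the choice of `excel` as the process name are assumptions for the example.

```powershell
# Added example (not from the original post): list the modules a running process
# has loaded and flag the ones that do not live under a trusted directory.
# A DLL that arrives through the LoadLibrary route shows up here exactly like any
# other module, so this is a first place to look for an unexpected hook DLL.
# Assumption: run from a PowerShell with the same bitness and at least the same
# privilege level as the target process; otherwise .Modules throws or is empty.

function Find-UnexpectedModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ProcessName,
        # Directories whose DLLs we treat as expected; adjust for the program in question.
        [string[]] $TrustedRoots = @(
            $env:SystemRoot,
            ${env:ProgramFiles},
            ${env:ProgramFiles(x86)}
        )
    )

    # Normalise roots to "C:\Dir\" so a prefix comparison cannot match "C:\Dirty\".
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        foreach ($m in $proc.Modules) {
            $path = $m.FileName
            $inTrustedRoot = $false
            foreach ($r in $roots) {
                if ($path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedRoot = $true
                    break
                }
            }
            if (-not $inTrustedRoot) {
                # Report the Authenticode status so an unsigned module stands out.
                $sig = Get-AuthenticodeSignature -FilePath $path
                [PSCustomObject]@{
                    ProcessId = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $path
                    Signature = $sig.Status
                }
            }
        }
    }
}

# Usage (assumed target): Find-UnexpectedModule -ProcessName excel | Format-Table -AutoSize
```

Because the injection relies on a remote thread whose start address is LoadLibrary itself, the thread creation is also visible to tooling that records CreateRemoteThread calls (Sysmon event ID 8 logs the start module and function of such threads), which complements the module listing above.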
As mentioned in the following post, this is the main idea behind monitoring software such as Spy++ and other profilers.
A very complete implementation of this approach is EasyHook: http://easyhook.codeplex.com/