DLL Injection and Hooking

I’ve spent some time researching and implementing different methods of DLL injection and process hooking. What I’ve found is an ancient form of black magic that can interrupt compiled programs to execute code somewhere else. Let’s dig in.


No, not that kind! I’m talking about hooking processes and functions, silly. “Hooking” covers the techniques used to alter or interrupt the behavior of processes and services. Function calls, messages, events, and other member data are susceptible to a hook. A hook can be executed both before a process is run and during its life-cycle.

One method of hooking involves physically modifying an executable or library before an application is run. For instance, the entry point of a function can be found with an assembly debugger such as OllyDbg. Then, you can intercept the call that loads modules and force the application to load your custom library.

Another method involves accessing the Import Address Table (IAT) of a program. Because a compiled program cannot know the memory locations of the libraries it depends on, an indirect jump is required. The Import Table lists every module a process will use, along with pointers to the functions it imports from them. As the dynamic linker loads modules and joins them, it writes the resolved function addresses into the IAT. This way, when an API function is called, the IAT is consulted to find the real address of the function to call.

DLL Injection

This is the process of injecting a DLL into a process to take over or extend functionality. A common example is Steam’s injection to enable the Steam Overlay. There are multiple methods available to achieve DLL injection:

1. Using the CreateRemoteThread Windows function.
2. Using hooks (Imagine that!) such as SetWindowsHookEx.
3. Using SuspendThread or NtSuspendThread function to suspend all threads, then SetThreadContext or NtSetContextThread to modify an existing thread’s context in the application to execute injected code. This injected code would load another library into the thread.
4. Exploiting design limitations in applications that call LoadLibrary without specifying the fully qualified path to the DLL being loaded (think SQL injection).
5. Replacing an existing DLL an application depends on with one of your own.
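Methods 4 and 5 both come down to where the loader finds a DLL that was requested by name only. The following is an added example, not code from the original post: it models Windows' default DLL search order (SafeDllSearchMode on) over a constructed filesystem snapshot and flags imports that would be satisfied from an untrusted directory or that pre-empt a copy in a system directory. All directories, file names and the `FILESYSTEM` map are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, List

# Default search order with SafeDllSearchMode enabled (the Windows default).
# Paths are constructed for this example, not read from a real machine.
APP_DIR = r"C:\Program Files\ExampleApp"
SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDOWS = r"C:\Windows"
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools", r"C:\Python39"]
SEARCH_ORDER = [APP_DIR, SYSTEM32, SYSTEM16, WINDOWS, CWD] + PATH_DIRS
TRUSTED_DIRS = {APP_DIR, SYSTEM32, SYSTEM16, WINDOWS}

# Constructed filesystem snapshot: directory -> DLL names present there.
# Simplification: KnownDLLs (kernel32 etc.) are always taken from System32
# by the real loader; this model does not special-case them.
FILESYSTEM = {
    APP_DIR: {"app.exe", "plugin.dll", "version.dll"},  # version.dll planted beside app
    SYSTEM32: {"kernel32.dll", "version.dll", "dbghelp.dll"},
    CWD: {"dbghelp.dll"},                                # dropped into working directory
    r"C:\Tools": {"helper.dll"},
}

@dataclass
class Resolution:
    name: str
    resolved_from: Optional[str]   # directory the loader would pick, or None
    shadows: Optional[str]         # trusted directory holding a copy that lost
    risky: bool

def resolve_dll(name: str, fs=FILESYSTEM, order=SEARCH_ORDER) -> Resolution:
    """Walk the search order and report where `name` would be loaded from."""
    lname = name.lower()
    hits = [d for d in order if lname in {f.lower() for f in fs.get(d, ())}]
    if not hits:
        return Resolution(name, None, None, False)
    chosen = hits[0]
    shadowed = next((d for d in hits[1:] if d in TRUSTED_DIRS), None)
    # Risky when loaded from an untrusted directory (e.g. CWD or PATH), or when
    # a copy earlier in the order pre-empts the copy in a system directory.
    risky = chosen not in TRUSTED_DIRS or shadowed is not None
    return Resolution(name, chosen, shadowed, risky)

def audit_imports(names: List[str], fs=FILESYSTEM) -> List[str]:
    """Return the imported names whose resolution is risky, in input order."""
    return [n for n in names if resolve_dll(n, fs).risky]

if __name__ == "__main__":
    for n in ["kernel32.dll", "version.dll", "dbghelp.dll", "helper.dll"]:
        print(resolve_dll(n))
```

Run against a real import list (for instance, the names reported by a PE dumper) and a directory listing from the target host, the same check shows which imports a planted DLL could hijack before any injection occurs.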


Take a look at the image above to see an example of DLL Injection.

What does this even accomplish?

For the madman, anything from keylogging, monitoring resource consumption, installing viruses, extending program functionality, and more is possible. These two weeks have been grueling, and I believe I’m ready to begin development on my own injector to modify the code of a computer game.

Helpful Resources

These websites and resources were invaluable in my conquest over DLL injection and process hooking. Please look to them for information!
Open Security Research
Code Project: API Hooking with MS Detours
Code Project: API Monitoring Unleashed
Code Project: Subclassing using DLL Injection
C++ DLL Injection
Wikipedia: Hooking
Wikipedia: DLL Injection