AppInit_Dlls can't inject the 64bit dll into 64bit process ?

  • Question

  • In WinXP x64 or Win7 x64, I want to add the 64-bit DLL's name to the regedit key "AppInit_DLLs", so I can inject the DLL into a 64-bit process with the USER32.dll LoadLibrary in a 32-bit process.

    I set the regedit key and copied the 64-bit DLL into Windows/SysWOW64, but it failed to inject. WHY?

    Friday, October 16, 2009 8:43 AM

All replies

  • In a 32-bit process what you see is the virtualized Wow6432Node registry. SysWOW64 is the virtualized system32 folder for 32-bit processes. Not sure what exactly you are trying to do.

    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP
    Friday, October 16, 2009 10:35 PM
  • Hi,

    AFAIU: You want to "inject" your own DLL into an x64 (64-bit) running process, right?
    Well, then you need to look at the Microsoft Windows executable (exe) format; the old DOS one is the "MZ" format,
    and the new one is Portable Executable (PE), or PE format.

    Check out Microsoft Portable Executable and Common Object File Format Specifications by clicking here.

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    • Proposed as answer by Fisnik Hasani Thursday, December 10, 2009 1:55 PM
    Friday, November 13, 2009 7:57 PM
  •  Not sure what exactly you are trying to do. 

    The following is signature, not part of post
    Please mark the post answered your question as the answer, and mark other helpful posts as helpful.
    Visual C++ MVP

    Hi Sheng:

    I think he wants to "inject" his own DLL code into an already running process, actually an x64 process.
    I think he needs the PE-format information; also this is what virus makers do every day, it's by injecting
    code that you make infections.

    Example below:

    4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0e 9a e9 4a 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 08 00 00 18 00 00 00 08 00 00 00 00 00 00 4e 37 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 40 05 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 36 00 00 57 00 00 00 00 40 00 00 20 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 64 36 00 00 1c 00 00 00

    The above is hex data.

    9f 2g 77 01 23 33 99 00 04 00 00 00 ff ff 00 00 b8 00 1b cc 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 0b 02 30 00 99 00 00 00 00 09 34 f0 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 79 he 30 64 9f 99 90 7d 8f 44 75 3e ad fd fa d4 r0 fg0 f0 d0 90 99 00 80 45 00 007803 00 0e 9a e9 4a 00 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 0e 9a e9 4a 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 08 00 00 18 00 00 00 08 00 00 00 00 00 00 4e 37 00 00 00 20 00 00 00 40 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 00 00 00 02 00 00 00 00 00 00 02 00 40 05 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f4 36 00 00 57 00 00 00 00 40 00 00 20 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 0c 00 00 00 64 36 00 00 1c 00 00 00

    The above: the hex data added in "bold" is the new injected data, which represents virus infection code.

    I hope this helps...

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    • Proposed as answer by Fisnik Hasani Thursday, December 10, 2009 1:55 PM
    Friday, November 13, 2009 8:08 PM
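    The two technical points raised in the replies above, Sheng's (a 32-bit process reads the Wow6432Node registry view and SysWOW64, not the native ones) and Fisnik's (the answer is in the PE headers), combine into one check that a defender auditing AppInit_DLLs entries would actually run. The following is an added example, not code from the thread or from any poster: it reads the COFF Machine field and optional-header Magic to classify a DLL image as 32- or 64-bit, then reports whether an AppInit_DLLs entry for that DLL can load at all in a process of a given bitness, and which registry key and system directory that process would read. The sample bytes are the first 0xA0 bytes of the hex dump Fisnik posted (a PE32, i386 image); the PE32+ header is constructed here. The verdict considers bitness only; the LoadAppInit_DLLs and RequireSignedAppInit_DLLs policy values that also gate loading are outside this example (an assumption, not something the thread covers).

```python
"""
Added example (not part of the forum thread): classify a PE image as
32-bit or 64-bit from its headers and explain why an AppInit_DLLs entry
fails when the DLL's bitness does not match the registry view that the
loading process sees.
"""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+

# Registry key and system directory each kind of process actually reads.
# A 32-bit process on x64 Windows is redirected to the Wow6432Node view.
APPINIT_KEY = {
    64: r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    32: r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
}
SYSTEM_DIR = {64: r"C:\Windows\System32", 32: r"C:\Windows\SysWOW64"}

# First 0xA0 bytes of the hex dump posted in the thread (PE32, i386).
SAMPLE_PE32_HEADER = bytes.fromhex(
    "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00"
    "b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00"
    "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68"
    "69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f"
    "74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20"
    "6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00"
    "50 45 00 00 4c 01 03 00 0e 9a e9 4a 00 00 00 00"
    "00 00 00 00 e0 00 0e 01 0b 01 08 00 00 18 00 00"
)

# Constructed minimal PE32+ (x64) header: DOS header with e_lfanew=0x40,
# PE signature, COFF header (Machine=AMD64), then the optional-header Magic.
CONSTRUCTED_PE32PLUS_HEADER = (
    b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    + b"PE\0\0"
    + struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 0xF0, 0x22)
    + struct.pack("<H", IMAGE_NT_OPTIONAL_HDR64_MAGIC)
)


def pe_bitness(image: bytes) -> int:
    """Return 32 or 64 from the COFF Machine field and optional-header Magic.
    Raises ValueError for anything that is not a well-formed PE header."""
    if len(image) < 0x40 or struct.unpack_from("<H", image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    # Need signature (4) + COFF header (20) + Magic (2) = 26 bytes at e_lfanew.
    if e_lfanew + 26 > len(image) or struct.unpack_from("<I", image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    machine = struct.unpack_from("<H", image, e_lfanew + 4)[0]
    magic = struct.unpack_from("<H", image, e_lfanew + 24)[0]
    if machine == IMAGE_FILE_MACHINE_I386 and magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        return 32
    if machine == IMAGE_FILE_MACHINE_AMD64 and magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:
        return 64
    raise ValueError(f"unsupported or inconsistent Machine=0x{machine:04x} Magic=0x{magic:03x}")


def check_appinit_entry(dll_image: bytes, process_bits: int) -> dict:
    """Can an AppInit_DLLs entry for this DLL load in a process of the given
    bitness? Reports the registry view and directory that process uses and a
    bitness-only verdict (the LoadAppInit_DLLs policy is not modelled here)."""
    dll_bits = pe_bitness(dll_image)
    matches = dll_bits == process_bits
    return {
        "dll_bits": dll_bits,
        "process_bits": process_bits,
        "registry_key": APPINIT_KEY[process_bits],
        "system_dir": SYSTEM_DIR[process_bits],
        "loads": matches,
        "reason": "bitness matches" if matches else
                  f"a {process_bits}-bit process cannot load a {dll_bits}-bit DLL; "
                  f"LoadLibrary fails with ERROR_BAD_EXE_FORMAT (193)",
    }


if __name__ == "__main__":
    for image, bits in ((SAMPLE_PE32_HEADER, 32), (CONSTRUCTED_PE32PLUS_HEADER, 32),
                        (CONSTRUCTED_PE32PLUS_HEADER, 64)):
        print(check_appinit_entry(image, bits))
```

    The practical reading for the original question: a 64-bit DLL named in the Wow6432Node key (the one a 32-bit process sees) is rejected by the 32-bit loader, and the native key, which 64-bit processes read, was never set. When auditing AppInit_DLLs persistence on x64 Windows, both registry views must be inspected, since each bitness of process reads its own.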
  • Hi,

    Is this thread solved or NOT?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Thursday, November 26, 2009 12:36 PM
  • Hi,

    Is this thread solved or NOT?

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Thursday, December 10, 2009 1:55 PM
  • Hi again:

    How is the situation on your side?
    Is this thread solved?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik
    Coder24.com
    Sunday, December 27, 2009 9:35 AM
  • Hi again:

    How is the situation on your side?
    Is this thread solved?

    Please tell me!

    Have a nice day...

    Best regards,
    Fisnik

    Coder24.com
    Saturday, January 2, 2010 3:05 PM