In a previous post, I was discussing the idea of adding more events to Excel by adding a window hook.

Under the hood, the idea is that we can load a DLL in the Excel process simply by transforming that DLL into a COM add-in, which is automatically loaded by Excel.

This post covers the situation of programs that don’t implement an add-in mechanism so loading a DLL into their process requires DLL injection.

The topic of DLL injection has been covered in various other articles [1][2], so this post is mainly a summary and a sample of the basic mechanism for DLL injection.

We need to create a DLL that attaches a Windows hook when loaded. We then need to load this DLL through DLL injection in the address space of the target program.

So the basic steps are:

  1. Create a DLL
  2. In the DllMain method of the DLL attach a windows hook which will log some CBT messages
  3. Start the target process
  4. Allocate some memory in the address space of the target process
  5. Write the path to the DLL in the allocated memory
  6. Call the LoadLibrary function from the kernel32 library in the target process passing the allocated memory as an argument. This will load the library specified by the written path.

Notes:

  • Step 4: Uses VirtualAllocEx
  • Step 5: Uses WriteProcessMemory
  • Step 6: Uses CreateRemoteThread with the address of the LoadLibrary function taken from GetProcAddress

As mentioned in the following post, this is the main idea behind monitoring software such as Spy++ or other profiles.

A very cool implementation was done in: http://easyhook.codeplex.com/