http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspxIntroduction Hi everyone, this is Bob again. I recently worked on an issue where the interaction of two threads in Winlogon led to a bugcheck. One thread was a Winlogon thread initializing GDI. The interesting thing about this scenario is how the otheren-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8626197Fri, 20 Jun 2008 21:09:01 GMT91d46819-8472-40ad-a661-2c78acb4018c:8626197a-foton &raquo; Blog Archive &raquo; How it Works: DLL Injection<p>PingBack from <a rel="nofollow" target="_new" href="http://blog.a-foton.ru/2008/06/20/how-it-works-dll-injection/">http://blog.a-foton.ru/2008/06/20/how-it-works-dll-injection/</a></p> http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8627033Fri, 20 Jun 2008 23:37:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:8627033molotov<p>Good write-up, Bob - Thanks!</p> <p>Do you suspect the injection was related to malware?</p> <p>&gt;&gt; &nbsp;I recently worked on an issue where the interaction of two threads in Winlogon led to a bugcheck. &nbsp;One thread was a Winlogon thread initializing GDI. &nbsp;The interesting thing about this scenario is how the other thread ended up in this process. &nbsp;&lt;&lt;</p> <p>Wonder if you might care to indicate what the interaction was that led to the bugcheck?</p>http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8641900Mon, 23 Jun 2008 15:36:08 GMT91d46819-8472-40ad-a661-2c78acb4018c:8641900Volodymyr Shcherbyna<p>Hello, </p> <p>I suppose things get wrong because of &quot;Address Space Randomization&quot; feature introduced in Vista to prevent successful execution of &quot;shell code&quot; in case of stack/heap corruptions (addresses of API functions usually are static in shell code).</p>http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8646695Tue, 24 Jun 2008 13:25:05 GMT91d46819-8472-40ad-a661-2c78acb4018c:8646695Volodymyr Shcherbyna<p>&quot;Wonder if you might care to indicate what the interaction was that led to the bugcheck?&quot;</p> <p>To &quot;molotov&quot;: calling function on improper address usually results in access violations or simular errors. This leads to termination of process in which the dll was loaded. Since the process is winlogon.exe, the system goes into reboot, because it is critical process.</p>http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8647339Tue, 24 Jun 2008 17:15:58 GMT91d46819-8472-40ad-a661-2c78acb4018c:8647339Matt Johnson's Technical Adventures<p>Ask the Directory Services Team : Custom Certificate Request in Windows Vista Microsoft Security Development</p> http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8647478Tue, 24 Jun 2008 17:50:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:8647478molotov<p>@Volodymyr - Yes, thanks - I am aware of that. &nbsp;I was curious for more details as to the specific interaction between the threads that caused the problem (one thread causing an access violation etc. would be enough to bring down winlogon and the system). &nbsp;The first thread is mentioned in the sentence &quot;One thread was a Winlogon thread initializing GDI.&quot;, and then is not mentioned again. &nbsp;The rest of the analysis revolves around the injected thread.</p> <p>Maybe I'm missing something...</p>http://blogs.msdn.com/ntdebugging/archive/2008/06/20/how-it-works-dll-injection.aspx#8926192Fri, 05 Sep 2008 14:40:28 GMT91d46819-8472-40ad-a661-2c78acb4018c:8926192calin_iaru<p>Typo:</p> <p>Starting address. &nbsp;This is not in any module displayed by “!peb”</p> <p>should be</p> <p>&quot;lm&quot;</p>