DLL Redirection: No Modifing on Disk or in Memory

Searching_ _ _ · Mar 2, 2009

RootRepeal is one tool that checks on disk and in memory for modifications in the detection of rootkits. With DLL Redirection this detection method can be bypassed.

It is relatively simple to implement.

It allows us to view and modify parameters passed to an API function, change return values of that function, and run any other code we desire.

While most other methods require code to be injected into the target process or run from an external application, DLL redirection requires only write access to the target application's working directory.

We can intercept any API call without modifying the target (either on disk or in memory) or any system files.

Click to expand...

Intercepted! Windows Hacking via DLL Redirection

The article contains How to with tools required.

EraserHW · Mar 2, 2009

http://msdn.microsoft.com/en-us/library/ms682586.aspx

If SafeDllSearchMode is enabled, the search order is as follows:

1. The directory from which the application loaded.
2. The system directory. Use the GetSystemDirectory function to get the path of this directory.
3. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
4. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
5. The current directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.

If SafeDllSearchMode is disabled, the search order is as follows:

1. The directory from which the application loaded.
2. The current directory.
3. The system directory. Use the GetSystemDirectory function to get the path of this directory.
4. The 16-bit system directory. There is no function that obtains the path of this directory, but it is searched.
5. The Windows directory. Use the GetWindowsDirectory function to get the path of this directory.
6. The directories that are listed in the PATH environment variable. Note that this does not include the per-application path specified by the App Paths registry key. The App Paths key is not used when computing the DLL search path.
Click to expand...

Log in or Sign up

DLL Redirection: No Modifing on Disk or in Memory

Searching_ _ _ Registered Member

EraserHW Malware Expert

Log in or Sign up

DLL Redirection: No Modifing on Disk or in Memory

Searching_ _ _ Registered Member

EraserHW Malware Expert

Useful Searches