Injecting DLL: Windows CE
Hello, I had written an application to hook 'CreateProcess()' in Windows CE. But this is only at application level, that is, the hook is applicable only for the current process. Now in order to hook this API system-wide, I need to load HookDLL.dll (in which I have written the code for API hooking) into all the processes. On the internet I found that it can be done using the registry. We need to insert the DLL name at the following location: HKEY_LOCAL_MACHINE\SYSTEM\KERNEL "InjectDLL" = REG_MULTI_SZ : "MyDLL1.DLL","MyDLL2.DLL". But I am not able to locate the 'Kernel' key under the registry of Win CE. Is there any security issue involved with this? Thanks in Advance!!
tony_udz wrote:
Is there any security issue involved with this?
You seriously don't know the answer to this question? Think about it. You're trying to inject an arbitrary .DLL with any code you want into every process in the system. Yep! If that doesn't define a huge security risk, I don't know what does.
tony_udz wrote:
We need to insert the DLL name at following location HKEY_LOCAL_MACHINE\SYSTEM\KERNEL "InjectDLL" = REG_MULTI_SZ : "MyDLL1.DLL","MyDLL2.DLL", But i am not able to locate 'Kernel' key under the registry of Win CE.
Is there something stopping you from adding the KERNEL key yourself??
A guide to posting questions on CodeProject
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007, 2008
Thanks Dave for your response. Actually I am naive to this environment. I agree with you that logically I should be able to put any DLL in all the processes. I inferred it from Microsoft's blog:
=======================================================================
Susan Loh [MS] (Moderator):
Q: My app uses the undocumented function PerformCallBack4 on Windows CE 2003. This now fails on Mobile 5. I know it's undocumented, and used at my own risk, but is there an alternative in Mobile 5?
A: No. We are killing that off. We really should discuss why you needed it. MikeThom tells me you were using it to implement DLL injection into another application. There are ways to inject DLLs like that (our tools use them) but I'm not sure how accessible they are to you. Is your program running on PocketPC (which has low security) or Smartphone (which protects a lot of things)? I presume PPC since you probably couldn't PerformCallBack4 on SP anyway?
MikeThom-MS (Expert):
Q: My app uses the undocumented function PerformCallBack4 on Windows CE 2003. This now fails on Mobile 5. I know it's undocumented, and used at my own risk, but is there an alternative in Mobile 5?
A: For security reasons this API was disabled. The only alternative to injecting a DLL would be to use the reg key "InjectDLL". The problem though still is that on a SmartPhone this may be a secure key that you can not modify. PPC may still have this key open. Look in the Platform Builder docs for information.
Susan Loh [MS] (Moderator):
Q: If DLL injection / sub classing controls is becoming impossible, will there be alternative methods (now or in the future) for applications to get access to global keyboard & mouse events?
A: We have been discussing this and basically think there isn't any supported way to do it. For security reasons we don't want to expose that sort of thing (prevent hackers from stealing your password / credit card #). Maybe there's a way to use our IME (input method -something) interface. Otherwise you might have to wait for something better to be added for this scenario.
=======================================================================
Do you think we can't inject a DLL using this? Please let me know if you know any other method to do this.
tony_udz wrote:
Do you think we cant inject DLL using this?
The only way to tell is going to be to try it.
tony_udz wrote:
Please let me know if you know any other method to do this.
I don't know of any other ways to do this, and, apparently, Microsoft isn't telling either.
A guide to posting questions on CodeProject
Dave Kreskowiak Microsoft MVP Visual Developer - Visual Basic
2006, 2007, 2008
Hooking is doable; look at this article, "Spy: A Windows CE API Interceptor":
http://www.ddj.com/architect/184405459;jsessionid=XV1DHDS5U3T42QSNDLRSKH0CJUNN2JVN?_requestid=197369
Sources can be found here:
http://www.forwardlab.com/freestuff.htm
They also contain code for injecting a DLL into all other processes. They hook CreateFile, CreateProcess and LoadLibrary; I was able to make it work (as I remember also on WM5) also for CreateEvent, EventModify. Here are some API function lists I found also of use:
http://www.xs4all.nl/~itsme/projects/xda/wince-systemcalls.html
http://www.xs4all.nl/~itsme/projects/xda/wince-handles.txt
Hey, thanks for your reply. I had gone through this article at Dr. Dobb's forum. In this code 'PerformCallBack4()' is used to inject the DLL into the other process. And as per my research this API is not supported on the Win CE >= 5.0 platform. I have also read an article in which a gentleman claims that the 'PerformCallBack4' API can be used on the Win CE 5.0 platform; all you require is a trusted application. I have tried it as well but it was not working. Please let me know if you have any idea regarding this. I found one more method of injecting a DLL using registry keys: HKEY_LOCAL_MACHINE\SYSTEM\KERNEL "InjectDLL" = REG_MULTI_SZ : "MyDLL1.DLL","MyDLL2.DLL". The data type is REG_MULTI_SZ, or an array of strings, which can list more than one DLL. The name of the DLL can contain the full path and file name, or just the file name. Here you need to take care of two things: 1) You need to create the key and its subkey. 2) The DLL you are injecting must be signed as trusted. Using this approach I can load my DLL into every process except system processes; still my functionality is not working for the same. I'll work on this issue today and update you, if you wish. Thanks again and please correct me if I am wrong anywhere.
modified on Monday, April 28, 2008 11:25 PM
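As an added example (not code from this thread, the Spy article, or Microsoft), here is the check an administrator or incident responder would want once a device has an `InjectDLL` value at all: decode the REG_MULTI_SZ blob into its list of DLL entries and report anything not on a known-good list. It assumes only the standard REG_MULTI_SZ layout (UTF-16LE strings, each NUL-terminated, the whole value ending in an extra NUL); the sample blob and the allowlist are constructed, and no registry is read, so it runs on any host.

```python
"""Audit an InjectDLL-style REG_MULTI_SZ value against an allowlist.

Added example, not code from the thread or the Spy article. It assumes only
the standard REG_MULTI_SZ layout: UTF-16LE strings, each NUL-terminated,
with the whole value ending in an extra NUL. No registry is read; the blob
below is constructed.
"""
import ntpath  # backslash-aware path handling, works on any host


def encode_multi_sz(strings):
    """Build a REG_MULTI_SZ blob (used here only to construct sample data)."""
    return "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"


def parse_multi_sz(raw):
    """Decode a REG_MULTI_SZ blob into its list of strings.

    Hand-edited values are often sloppy, so this tolerates an odd byte count
    (a truncated code unit) and a missing terminating double NUL instead of
    failing, which is what an audit tool needs.
    """
    if len(raw) % 2:
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    # An empty string terminates the list, so dropping empties also drops
    # the terminator without special-casing it.
    return [s for s in text.split("\x00") if s]


def audit_inject_dll(raw, allowlist):
    """Return the decoded DLL list and the entries not on the allowlist.

    The thread notes an entry may be a bare file name or a full path, so the
    comparison is on the case-folded base name (CE file names are not case
    sensitive); the original entry is kept in the report so a reviewer sees
    exactly what the key contains.
    """
    allowed = {name.lower() for name in allowlist}
    entries = parse_multi_sz(raw)
    unexpected = [e for e in entries if ntpath.basename(e).lower() not in allowed]
    return {"entries": entries, "unexpected": unexpected}


# Constructed sample: what an InjectDLL value might hold after the two DLLs
# named in the thread were added, plus one entry nobody expects to find there.
SAMPLE_VALUE = encode_multi_sz(["MyDLL1.DLL", "\\Windows\\MyDLL2.DLL", "unknown.dll"])
ALLOWLIST = {"MyDLL1.DLL", "MyDLL2.DLL"}  # DLLs the device image is known to ship

if __name__ == "__main__":
    report = audit_inject_dll(SAMPLE_VALUE, ALLOWLIST)
    print("InjectDLL entries:", report["entries"])
    print("not on allowlist:", report["unexpected"])
```

On a real device the blob would come from `RegQueryValueEx` on the key quoted in the thread; the decoder is deliberately lenient because an attacker-written or hand-edited value need not be well formed, and an audit that throws on a malformed value hides exactly the entry you most want to see.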
I have not tried using the registry for injecting a DLL. I tested today the CeAPISpy application (from the mentioned web page) and it worked on WM6 (HTC P6500) (hooked were CreateFile, CreateEvent, OpenEvent). I was not able to create any new process while the application was running, though. The source code is more up to date than the article; it provides some workaround for the lack of proper PerformCallBack4 functionality on Smartphones 2005. You might want to check it out.
I searched for a workaround for calling the 'PerformCallBack4' API; somebody had tried this function on WinCE 5.0 using the trusted/signature approach. I also tried the same thing, i.e. I made my application trusted by getting it a privileged certificate, but 'PerformCallBack4()' was returning NULL.