Reprinted from: Hacker Anti-Virus
DLL injection technique: relying on trusted-process injection
The idea behind trusted-process injection is to take advantage of the high-privilege Services.exe process in Windows: first inject a.dll into Services.exe with a remote thread, then have a.dll inject b.dll, again by remote thread, into the process that is the actual target. The exact process is as follows:
Here is a little trick. Once the DLL injected into Services.exe has done its work, it wants to quietly free itself. Windows provides an API function for exactly this, FreeLibraryAndExitThread(), which unloads the calling DLL and exits the current thread. The code is as follows:
DWORD WINAPI ThreadProc(CMFCServicesInjectDLLApp* pThis)
{
    // Switch the MFC module state to this DLL's module
    AFX_MANAGE_STATE(AfxGetStaticModuleState());
    pThis->m_InjectObj.Attach(_T("Calc.exe"),
                              _T("d:\\mydll\\relyservicesinject\\debug\\MfcExeInjectDLL.dll"));
    // Unload this DLL and exit the thread; this call does not return
    FreeLibraryAndExitThread(pThis->m_hInstance, 0);
    return 0;
}

// CMFCServicesInjectDLLApp initialization
BOOL CMFCServicesInjectDLLApp::InitInstance()
{
    DWORD dwThreadId;
    // Run the work on a new thread so DllMain/InitInstance returns immediately
    m_hThread = ::CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)ThreadProc,
                               this, 0, &dwThreadId);
    return TRUE;
}
Trusted-process injection is really an enhanced version of remote-thread injection: it uses a high-privilege system process to perform the remote injection, which greatly improves the injection success rate, and the DLL frees itself once the injection is complete, reducing the chance of being detected by anti-virus.
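From the defender's side, the chain above leaves two observable traces: a remote thread created into Services.exe (and then out of it into the real target), and a DLL from a non-system path loaded into Services.exe for the short time before FreeLibraryAndExitThread() removes it. The following is an added example, not code from the original post, showing a small detection routine over Sysmon-style events (Event ID 8 CreateRemoteThread and Event ID 7 ImageLoad). It assumes Sysmon's field names (SourceImage, TargetImage, StartFunction, Image, ImageLoaded); every event in it is constructed sample data, and the loader name and a.dll path are illustrative.

```python
"""
Defender-side detection sketch for the two-hop injection chain described on
this page (a.dll injected into services.exe, which then injects b.dll into the
target, with a.dll unloading itself via FreeLibraryAndExitThread).

It runs over Sysmon-style events (dictionaries using Sysmon's field names)
and raises an alert for:
  * Event ID 8 (CreateRemoteThread) into a core system process from elsewhere;
  * Event ID 8 out of a core system process into an ordinary process (2nd hop);
  * Event ID 8 whose thread start function is LoadLibrary*, the classic
    CreateRemoteThread + LoadLibrary injection shape;
  * Event ID 7 (ImageLoad) where a core system process loads a DLL from outside
    the Windows directory; once the DLL unloads itself this is the trace left.
All events below are constructed sample data, not captured logs.
"""
from dataclasses import dataclass
from typing import Dict, List

# Processes that injection techniques borrow as a "trusted" host; tune per estate.
CORE_SYSTEM_PROCESSES = {"services.exe", "lsass.exe", "wininit.exe", "csrss.exe", "smss.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
LOADLIBRARY_FUNCS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    rule: str
    detail: str


def _norm(path: str) -> str:
    """Lower-case a Windows path and normalise separators."""
    return path.replace("/", "\\").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("\\", 1)[-1]


def check_remote_thread(ev: Dict[str, str]) -> List[Alert]:
    """Rules for a Sysmon Event ID 8 (CreateRemoteThread) record."""
    src, tgt = _basename(ev["SourceImage"]), _basename(ev["TargetImage"])
    # StartFunction is rendered like "LoadLibraryW"; strip any "module!" prefix.
    func = _norm(ev.get("StartFunction", "")).rsplit("!", 1)[-1]
    alerts: List[Alert] = []
    if tgt in CORE_SYSTEM_PROCESSES and src not in CORE_SYSTEM_PROCESSES:
        alerts.append(Alert(8, "remote-thread-into-core-process", f"{src} -> {tgt}"))
    if src in CORE_SYSTEM_PROCESSES and tgt not in CORE_SYSTEM_PROCESSES:
        alerts.append(Alert(8, "remote-thread-from-core-process", f"{src} -> {tgt}"))
    if func in LOADLIBRARY_FUNCS:
        alerts.append(Alert(8, "remote-thread-loadlibrary-start", f"{src} -> {tgt} via {func}"))
    return alerts


def check_image_load(ev: Dict[str, str]) -> List[Alert]:
    """Rules for a Sysmon Event ID 7 (ImageLoad) record."""
    proc, loaded = _basename(ev["Image"]), _norm(ev["ImageLoaded"])
    if proc in CORE_SYSTEM_PROCESSES and not loaded.startswith(WINDOWS_DIRS):
        return [Alert(7, "foreign-dll-in-core-process", f"{proc} loaded {loaded}")]
    return []


def triage(events: List[Dict[str, str]]) -> List[Alert]:
    """Dispatch each event to the rule set for its EventID and collect alerts."""
    handlers = {"8": check_remote_thread, "7": check_image_load}
    alerts: List[Alert] = []
    for ev in events:
        handler = handlers.get(str(ev.get("EventID")))
        if handler:
            alerts.extend(handler(ev))
    return alerts


# Constructed sample events mirroring the chain on this page (paths are illustrative).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "8", "SourceImage": "C:\\Users\\alice\\Desktop\\loader.exe",
     "TargetImage": "C:\\Windows\\System32\\services.exe", "StartFunction": "LoadLibraryW"},
    {"EventID": "7", "Image": "C:\\Windows\\System32\\services.exe",
     "ImageLoaded": "D:\\mydll\\relyservicesinject\\debug\\a.dll"},
    {"EventID": "8", "SourceImage": "C:\\Windows\\System32\\services.exe",
     "TargetImage": "C:\\Windows\\System32\\calc.exe", "StartFunction": "LoadLibraryW"},
    {"EventID": "7", "Image": "C:\\Windows\\System32\\services.exe",
     "ImageLoaded": "C:\\Windows\\System32\\advapi32.dll"},                      # benign
    {"EventID": "8", "SourceImage": "C:\\Windows\\System32\\wmiprvse.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe", "StartFunction": ""},  # benign
]


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[Event {a.event_id}] {a.rule}: {a.detail}")
```

Two points about the design. The self-unload is exactly why the load-time event matters: a later walk of the process's module list will not show a.dll at all, so the ImageLoad record (or an equivalent ETW image-load trace) has to be collected as it happens rather than reconstructed afterwards. The second-hop rule (a core process creating a remote thread into an ordinary process) is also the stronger of the two thread rules, since in normal operation services.exe has no business placing threads in something like calc.exe. Note too that on current Windows releases services.exe runs as a protected process, so an unprotected administrator process cannot open it with thread-creation access in the first place; the technique as written on this page predates that hardening.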