AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user mode process on the system. Microsoft is modifying the AppInit DLLs facility in Windows 7 and Windows Server 2008 R2 to add a new code-signing requirement. This will help improve the system reliability and performance, as well as improve visibility into the origin of software.
Put simply: AppInit_DLLs is a global DLL injection point. Every process that imports user32.dll will load the modules listed under this registry value on its own.
Compared with XP, Win7 adds two values:
LoadAppInit_DLLs: 1 enables the mechanism, 0 disables it (the Win7 default is 0).
RequireSignedAppInit_DLLs: 1 means a module must be signed before it is loaded; 0 means no signature is required.
Description of the AppInit_DLLs registry value (Windows 7):
http://msdn.microsoft.com/en-us/library/dd744762(v=vs.85).aspx
64-bit systems:
AppInit_DLLs (read by 64-bit processes)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
AppInit_DLLs (read by 32-bit processes)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
32-bit systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows [AppInit_DLLs]
How to debug:
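As an added defensive example (not part of the original post), the following PowerShell script reads both registry locations listed above, reports the two Win7 switches, and checks the Authenticode signature of every module named in AppInit_DLLs. It assumes Windows 7 / Server 2008 R2 or later and only uses standard cmdlets; the flagging rule (enabled mechanism plus a module whose signature is not Valid) is this example's own choice.

```powershell
# Added audit example, not code from the original post.
# Walks the AppInit_DLLs locations, shows the Win7 switches and verifies each listed module.
$keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows')          # read by 64-bit processes
if ([Environment]::Is64BitOperatingSystem) {
    $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # read by 32-bit processes
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $p         = Get-ItemProperty -Path $key
    $enabled   = [int]$p.LoadAppInit_DLLs           # 1 = mechanism on (Win7 default: 0 / absent)
    $reqSigned = [int]$p.RequireSignedAppInit_DLLs  # 1 = unsigned modules are refused
    $list      = [string]$p.AppInit_DLLs

    Write-Host "Key: $key"
    Write-Host "  LoadAppInit_DLLs=$enabled  RequireSignedAppInit_DLLs=$reqSigned"
    if ([string]::IsNullOrWhiteSpace($list)) { Write-Host '  AppInit_DLLs is empty'; continue }

    # The value is a space- or comma-separated list of module paths.
    foreach ($dll in ($list -split '[ ,]+' | Where-Object { $_ })) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        if (-not (Test-Path $path)) {
            # A bare file name is resolved through the loader search path at run time,
            # so "not found" here only means it is not resolvable from this session.
            Write-Host "  [?] $dll not found as given (check the loader search path)"
            continue
        }
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # Flag entries that would actually be injected (mechanism on) without a valid signature.
        $flag = if ($enabled -eq 1 -and $sig.Status -ne 'Valid') { '[!]' } else { '[ ]' }
        Write-Host "  $flag $path  signature=$($sig.Status)  signer=$signer"
    }
}
```

Entries marked [!] are loaded into every user32-importing process while carrying no valid signature; with RequireSignedAppInit_DLLs=1 the loader itself would refuse them, so that switch is the setting to verify first.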
Set a breakpoint on USER32!LoadAppInitDlls. It then calls NtOpenKey and NtQueryValueKey to read the AppInit_DLLs value, obtains the module names, and finally calls LoadLibrary on each module.
DLL injection via AppInit_DLLs