\n\nThis page has been machine-translated from the original page.
\n
This time, I tried several methods for creating a DLL file on Windows and loading it into a process.
\nThis article is not intended to publish information that violates laws or ethics.
\n\nIn Visual Studio, create a new DLL project and replace dllmain.cpp with the following code to create a DLL that displays the string Hello, World! in a message box when it is loaded.
#include <Windows.h>\n\n// Exported function\nextern \"C\" {\n __declspec(dllexport) void ShowMessage() {\n MessageBoxA(NULL, \"Hello, World!\", \"DLL Message\", MB_OK | MB_ICONINFORMATION);\n }\n\n __declspec(dllexport) void ShowMessage2() {\n MessageBoxA(NULL, \"Hello, New World!\", \"DLL Message\", MB_OK | MB_ICONINFORMATION);\n }\n}\n\nBOOL APIENTRY DllMain( HMODULE hModule,\n DWORD ul_reason_for_call,\n LPVOID lpReserved\n )\n{\n switch (ul_reason_for_call)\n {\n case DLL_PROCESS_ATTACH: {\n ShowMessage();\n break;\n };\n case DLL_THREAD_ATTACH:\n case DLL_THREAD_DETACH:\n case DLL_PROCESS_DETACH:\n break;\n }\n return TRUE;\n}At this time, ShowMessage, which is the function that displays the message box, is defined as an exported function by extern __declspec(dllexport) void ShowMessage().
Reference: Exporting from a DLL Using __declspec(dllexport) | Microsoft Learn
\nBecause this ShowMessage function is called during DLL_PROCESS_ATTACH, it runs when the DLL is loaded into the process.
When building the sample DLL code, disable the precompiled header, which is not particularly necessary here.
\nThe DllMain function appears to have several restrictions because it runs while the loader lock is held, as shown in the following diagram.
\nAs described in the public information below, which summarizes best practices for DllMain, you need to be careful not to cause deadlocks or crashes through DllMain behavior.
\nFor example, because the DllMain thread holds the loader lock, it cannot dynamically load additional DLLs.
\nReference: Dynamic-Link Library Best Practices - Win32 apps | Microsoft Learn
\nA process can load a module file from disk by using the LoadLibrary function and specifying the module’s file name.
HMODULE LoadLibraryA(\n [in] LPCSTR lpLibFileName\n);Reference: LoadLibraryA function (libloaderapi.h) - Win32 apps | Microsoft Learn
\nAt this time, it seems that you can specify either a full path or just a file name for lpLibFileName, but if you specify only the file name, the DLL is loaded according to the standard search order.
The standard search order varies depending on several conditions, but for now, if the “safe DLL search mode,” which is enabled by default, is active and the application is not using an alternate search order, DLLs appear to be searched in the following order.
\nThe key point is that the current directory, which is relatively easy to abuse, is lower in the order.
\nReference: Dynamic-link library search order - Win32 apps | Microsoft Learn
\nReference: Dynamic-Link Library Security - Win32 apps | Microsoft Learn
\nIn fact, when I tried this on my local Windows 10 environment, I was able to confirm events that seemed to show the DLL search proceeding in the order above, starting from the folder where the application’s executable file was located.
\nAt that time, the search order for the DLL to load was, by default, the same as the standard search order.
\nHowever, because the process doing the loading is the remote process, the preferred lookup location is not the execution folder of the program performing the DLL injection, but the folder where the target process’s executable file exists.
\nTherefore, when performing DLL injection with this method, you need to specify the full path to the target DLL file or place the DLL file to be loaded in advance in the application folder, system folder, or another folder included in PATH.
\nBelow is the search order for TESTDLL.dll when attempting DLL injection into Notepad++.
The DLL injection method above simply loads a DLL that exists as a file.
\nHowever, when DLL injection techniques are used for malicious purposes, it seems that a technique called Reflective DLL Injection is often abused instead of this kind of classic method.
\nReference: Reflective DLL Injection | Sunano Katamari
\nReference: Investigating Malware with Reflective DLL Injection - CyberFortress
\nI will not describe the detailed implementation because it could potentially cause some trouble, but the articles above explained it in great detail and were very helpful.
\nThis time, I summarized several methods for loading DLLs on Windows.
","fields":{"slug":"/windows-create-dll-en","tagSlugs":["/tag/win-dbg/","/tag/reversing/","/tag/english/"]},"frontmatter":{"date":"2025-01-05","description":"I created a DLL file on Windows and tried loading it into a process in various ways.","tags":["WinDbg","Reversing","English"],"title":"Create a DLL File on Windows and Try Loading It into a Process in Various Ways","socialImage":{"publicURL":"/static/ef75a61ab35d3aa8f659b3ad8e77557e/windows-create-dll.png"}}}},"pageContext":{"slug":"/windows-create-dll-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}