Dll Injection - What is possible with it?

There was a very good project done in Microsoft Research about this very subject, focussing on intercepting calls to WinAPI functions by using dll injection.

This is the link; it should keep you busy for a while: Detours


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend. For example, the injected code could trap system function calls, or read the contents of password textboxes, which cannot be done the usual way.

Source and more info here: http://en.wikipedia.org/wiki/DLL_injection You can also find some good references to external sources there.

Dll Injection can be used for a good reason when you have a legacy system with no source code for it and you need to change its behaviour. It is a dirty hack though and should be used as a last resort, IMO.


There are several uses that come to my mind:

  • Hot patching: Allows you to update/patch parts of your code without actually shutting down the process or restarting. Microsoft itself made sure large parts of Windows are hot-patchable by prefixing functions with a 5-byte NOP block. Why? Because you can JMP to any other part of your code in 5 bytes, so hot-patching basically overwrites the prefix bytes with a JMP to the updated/patched code and voila, your code does something entirely new. This is often used together with DLL injection to load the new code into the target process, and while not mandatory, it's one of its uses.

  • Logging: In the same spirit, detouring code is often used to prefix a function for logging purposes, i.e. to see with what parameters it is called. Also, some applications that record screen output from DirectX applications do this by detouring the DirectX calls, which again involves injecting a DLL into the process that monitors calls.

  • Subclassing: Not in the OOP sense, but in the Windows sense, i.e. providing a new WndProc for an existing window to alter its behavior. While you can simply set a different message handling routine via SetWindowLongPtr, the limiting factor to this is that the function needs to reside in the target process address space. This is where injection comes in once again: you provide a new implementation in a DLL, inject this into the target process and call SetWindowLongPtr. This can be used to provide custom, additional drawing on a foreign window, for example.

I have personally had to deal with all of the above use cases in the past, in regular business applications, from using hot patching to ensure uptime on a critical notification system in medical services to using detours/logging to allow a proprietary record management (by a then already dead software shop) to talk to a full-blown CRM solution in real-time.

As always, it's just a tool in your box, and there is nothing inherently "evil" about it. It's for whatever purpose you make use of it that counts.
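Added example, not code from any of the answers above and not from Detours: the 5-byte JMP arithmetic that the hot-patching and detouring/logging points in the previous answer rely on, written in C against a constructed byte buffer standing in for the target's code section rather than a live process, so it runs anywhere. The module base, hook address, trampoline address and the `mov edi,edi / push ebp / mov ebp,esp` prologue are constructed sample data. Patching the function entry in place and keeping the displaced bytes in a trampoline is the Detours-style approach; it assumes the first five bytes of the function are whole instructions, which is exactly what a hot-patchable prologue guarantees. The range check is the x64 caveat a practitioner hits first: a rel32 JMP cannot reach a hook DLL mapped more than 2 GB from the patched module.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CODE_SIZE 64   /* size of the simulated code section */

/* Encode the 5-byte x86/x64 near JMP (opcode E9 + rel32) that, when placed
   at address `from`, lands on `to`. rel32 is relative to the end of the
   instruction (from + 5). Returns false when `to` is beyond the signed
   32-bit reach; on x64 that happens when the hook DLL is mapped more than
   2 GB from the target module, and a longer absolute jump is needed. */
bool encode_jmp_rel32(uint64_t from, uint64_t to, uint8_t out[5])
{
    int64_t delta = (int64_t)to - (int64_t)(from + 5);
    if (delta < INT32_MIN || delta > INT32_MAX)
        return false;
    uint32_t rel = (uint32_t)(int32_t)delta;
    out[0] = 0xE9;
    out[1] = (uint8_t)(rel);          /* little-endian immediate */
    out[2] = (uint8_t)(rel >> 8);
    out[3] = (uint8_t)(rel >> 16);
    out[4] = (uint8_t)(rel >> 24);
    return true;
}

/* Inverse: the target of the JMP encoded in `bytes` at address `at`,
   or 0 if the bytes are not an E9 JMP. */
uint64_t decode_jmp_rel32(uint64_t at, const uint8_t bytes[5])
{
    if (bytes[0] != 0xE9)
        return 0;
    uint32_t rel = (uint32_t)bytes[1] | ((uint32_t)bytes[2] << 8) |
                   ((uint32_t)bytes[3] << 16) | ((uint32_t)bytes[4] << 24);
    return (uint64_t)((int64_t)(at + 5) + (int32_t)rel);
}

/* A byte buffer standing in for the target process's code section,
   together with the address it pretends to be mapped at (constructed). */
typedef struct {
    uint8_t  code[CODE_SIZE];
    uint64_t base;
} code_region;

/* Detour-style in-place patch: redirect the function at `func_off` to
   `hook_addr`, and build a 10-byte trampoline (the displaced prologue
   followed by a JMP back to func+5) through which the hook can still
   call the original. Assumes the first 5 bytes of the function are
   whole instructions, as a hot-patchable prologue guarantees. */
bool install_detour(code_region *r, size_t func_off, uint64_t hook_addr,
                    uint8_t trampoline[10], uint64_t tramp_addr)
{
    if (func_off + 5 > CODE_SIZE)
        return false;
    uint64_t func_addr = r->base + func_off;

    /* 1. Save the bytes the JMP is about to overwrite. */
    memcpy(trampoline, r->code + func_off, 5);
    /* 2. The trampoline resumes at the first instruction after the patch. */
    if (!encode_jmp_rel32(tramp_addr + 5, func_addr + 5, trampoline + 5))
        return false;
    /* 3. Only now overwrite the entry point (in a real process: after
          making the page writable, and with other threads suspended so
          none is executing the prologue mid-write). */
    return encode_jmp_rel32(func_addr, hook_addr, r->code + func_off);
}

/* Whole sequence on constructed data. Returns true when the patched entry
   jumps to the hook and the trampoline leads back into the original body. */
bool demo_detour(void)
{
    code_region r;
    memset(r.code, 0xCC, sizeof r.code);          /* int3 filler */
    r.base = 0x00401000ULL;                        /* constructed module base */
    const size_t func_off = 16;
    /* Classic hot-patchable 32-bit prologue: mov edi,edi / push ebp / mov ebp,esp */
    const uint8_t prologue[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
    memcpy(r.code + func_off, prologue, 5);

    const uint64_t hook_addr  = 0x10001000ULL;     /* constructed: hook inside injected DLL */
    const uint64_t tramp_addr = 0x00500000ULL;     /* constructed: executable scratch page */
    uint8_t tramp[10];
    if (!install_detour(&r, func_off, hook_addr, tramp, tramp_addr))
        return false;

    uint64_t func_addr = r.base + func_off;
    return decode_jmp_rel32(func_addr, r.code + func_off) == hook_addr &&
           memcmp(tramp, prologue, 5) == 0 &&
           decode_jmp_rel32(tramp_addr + 5, tramp + 5) == func_addr + 5;
}

int main(void)
{
    printf("detour %s\n", demo_detour() ? "installed" : "failed");
    uint8_t j[5];
    if (encode_jmp_rel32(0x00401000ULL, 0x10001000ULL, j))
        printf("E9 %02X %02X %02X %02X\n", j[1], j[2], j[3], j[4]);
    return 0;
}
```

In a real target the bytes produced here would be written from the injected DLL with VirtualProtect to make the page writable, followed by FlushInstructionCache, or from outside with VirtualProtectEx and WriteProcessMemory; the trampoline must live in executable memory within rel32 reach of the function, which is why x64 hooking libraries allocate it near the patched module.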