Get full access to Learning Malware Analysis and 60K+ other titles, with a free 10-day trial of O'Reilly.

There are also live events, courses curated by job role, and more.

3.3 DLL Injection Using SetWindowsHookEx()

In the previous chapter (refer to Section 1.3.2, Keylogger Using SetWindowsHookEx), we looked at how malware uses the SetWindowsHookEx() API to install a hook procedure to monitor keyboard events. The SetWindowsHookEx() API can also be used to load a DLL into a target process address space and execute malicious code. To do that, a malware first loads the malicious DLL into its own address space. It then installs a hook procedure (a function exported by the malicious DLL) for a particular event (such as a keyboard or mouse event), and it associates the event with the thread of the target process (or all of the threads in the current desktop). The idea is that when a particular event is triggered, ...

Get Learning Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Don’t leave empty-handed

Get Mark Richards’s Software Architecture Patterns ebook to better understand how to design components—and how they should interact.

It’s yours, free.

Get it now

Check it out now on O’Reilly

Dive in for free with a 10-day trial of the O’Reilly learning platform—then explore all the other resources our members count on to build skills and solve problems every day.

Start your free trial Become a member now