June 2018
510 pages
In the previous chapter (refer to Section 1.3.2, Keylogger Using SetWindowsHookEx), we looked at how malware uses the SetWindowsHookEx() API to install a hook procedure to monitor keyboard events. The SetWindowsHookEx() API can also be used to load a DLL into a target process's address space and execute malicious code. To do that, the malware first loads the malicious DLL into its own address space. It then installs a hook procedure (a function exported by the malicious DLL) for a particular event (such as a keyboard or mouse event) and associates the event with the thread of the target process (or with all of the threads in the current desktop). The idea is that when a particular event is triggered, ...
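From the analyst's side, the sequence described above leaves a recognizable pattern in an API-call trace: a DLL load, an export lookup in that DLL, then a hook installed with that export against another process's thread or against all threads. The following detection sketch is an added example, not code from the book; the trace format, field names, PIDs, handles, DLL path and export name are all constructed for illustration.

```python
# Constructed API-call trace in a hypothetical sandbox-monitor format (not real output).
def ev(pid, api, ret, **args):
    return {"pid": pid, "api": api, "ret": ret, "args": args}

TRACE = [
    ev(1200, "LoadLibraryA", 0x10000000, lpLibFileName=r"C:\Temp\sample.dll"),
    ev(1200, "GetProcAddress", 0x10001000, hModule=0x10000000, lpProcName="HookProc"),
    # WH_KEYBOARD (2) hook bound to thread 3344, which belongs to another process
    ev(1200, "SetWindowsHookExA", 0x50001,
       idHook=2, lpfn=0x10001000, hmod=0x10000000, dwThreadId=3344),
    # WH_KEYBOARD_LL (13): keylogger-style hook, handled separately below
    ev(2400, "SetWindowsHookExA", 0x50002,
       idHook=13, lpfn=0x401000, hmod=0x400000, dwThreadId=0),
]
THREAD_OWNER = {3344: 1800}  # constructed map: thread id -> owning pid
# Low-level hooks run in the installing thread, so no DLL is mapped into other processes.
LOW_LEVEL = {13, 14}         # WH_KEYBOARD_LL, WH_MOUSE_LL

def find_hook_injection(trace, thread_owner):
    """Flag SetWindowsHookEx calls whose hook procedure is an export of a DLL the
    caller loaded itself and whose target is a foreign thread or all threads."""
    loaded, exports, findings = {}, {}, []
    for e in trace:
        pid, api, a = e["pid"], e["api"], e["args"]
        if not e["ret"]:
            continue  # the call failed, nothing was loaded or installed
        if api.startswith("LoadLibrary"):
            loaded[(pid, e["ret"])] = a["lpLibFileName"]
        elif api == "GetProcAddress":
            exports[(pid, e["ret"])] = (a["hModule"], a["lpProcName"])
        elif api.startswith("SetWindowsHookEx") and a["idHook"] not in LOW_LEVEL:
            hmod, name = exports.get((pid, a["lpfn"]), (None, None))
            dll = loaded.get((pid, a["hmod"]))
            if dll is None or hmod != a["hmod"]:
                continue  # hook procedure is not an export of a DLL this process loaded
            tid = a["dwThreadId"]
            target = "all desktop threads" if tid == 0 else thread_owner.get(tid)
            if tid != 0 and target in (None, pid):
                continue  # own thread or unknown owner: no cross-process load
            findings.append({"pid": pid, "dll": dll, "export": name,
                             "idHook": a["idHook"], "target": target})
    return findings

if __name__ == "__main__":
    for finding in find_hook_injection(TRACE, THREAD_OWNER):
        print(finding)
```
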