Win32 ProgrammingLesson 21: DLL Magic

Where are we? We’ve looked at DLLs from a

build/link/execute perspective, as well as some more advanced techniques

Today, start looking at Thread Local Storage and DLL interception >:)

Thread Local Storage (TLS) What does the strtok function do? How does it work? What happens in a multithreaded

environment?

TLS Provides simple method for storing variables

on a per-thread basis Two types: dynamic and static; we’ll be

looking at both.

Supporting Structures

So… We call:

DWORD TlsAlloc(); Returns TLS_OUT_OF_INDEXES if no storage is

available Else, returns an index number which can be used to store

a DWORD BOOL TlsSetValue(

   DWORD dwTlsIndex,    PVOID pvTlsValue);

Cleaning Up It’s C++, so there’s not a lot of cleaning up

done for us… PVOID TlsGetValue(DWORD dwTlsIndex); BOOL TlsFree(DWORD dwTlsIndex);

Using Static TLS Can also do this:

__declspec(thread) DWORD gt_dwStartTime = 0; Creates a .tls section Allocates the necessary storage automatically

DLL Injection So, life can be interesting Windows provides limited process isolation But sometimes we want to “hook” into

another process One way to do this is by leveraging DLLs

Danger, Will Robinson Some of these techniques will make global

changes to how your computer functions. You need to carefully decide whether to do this on your main machine, or if a VM is a better option. You have been warned!

(That said, I do this all on my own laptop…)

The Trick What are we actually trying to do?

Registry HKEY_LOCAL_MACHINE\Software\

Microsoft    \Windows NT\CurrentVersion\Windows\AppInit_DLLs

Hmmm. Advantages? Drawbacks?

Drawbacks… You must restart your computer Only mapped into processes which use

User32.dll You’re in *every* GUI app… … for it’s entire lifetime

Better… SetWindowsHookEx

E.g: HHOOK hHook = SetWindowsHookEx(

WH_GETMESSAGE, GetMsgProc,     hinstDll, 0

); Why hinstDll?

Walkthrough DIPS