views: 96

answers: 3

I need to detect process creation of a third-party .NET application. My goal is to inject a plugin DLL to enhance functionality of this application. I would prefer to inject this as early as possible so I can catch the application's initialization events. Is there any way to detect when this process is created and inject the DLL before Main is called?

+4  A: 

The usual solution is to replace the targeted application image with a stub that launches the original image under controlled parameters.

There are other ways, like GFlags, but they're intended for debugging, not for normal operations.

Remus Rusanu
Thanks, I had forgotten about the Image File Execution Options. Replacing the application isn't really an option, as it is a popular third-party program which is prone to be reinstalled semi-frequently (blowing away my modified copy). After further testing, I just decided to go with periodic polling of the process list. It is ugly, but it works. I also found that I need to do a WaitForInputIdle before injection anyway, or else I try to initialize the .NET framework concurrently in multiple threads, which causes unusual crashes.
Dark Falcon
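The GFlags route Remus mentions works through the Image File Execution Options registry key, where a `Debugger` value makes Windows start the named "debugger" instead of the original image whenever that image is launched. Because the same key is a well-known persistence and hijacking location, an administrator auditing a machine for this kind of redirection wants a quick way to list every image that has one configured. The following script is an added example written for this answer, not code from the thread or from any project it mentions; it enumerates both the native and the WOW6432Node IFEO keys and reports every entry carrying a `Debugger` value. The only assumption is that the script runs with read access to HKLM, which any interactive user normally has.

```powershell
# Added example (not from the original thread): audit Image File Execution Options
# for per-image "Debugger" redirections. Read-only; needs no elevation to read HKLM.

# Native key plus the WOW6432Node key present on 64-bit systems (guarded by Test-Path).
$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebuggerEntries {
    foreach ($base in $ifeoPaths) {
        if (-not (Test-Path -Path $base)) { continue }

        # Each subkey is named after an image (e.g. "sethc.exe"); only the ones with a
        # Debugger value actually redirect process creation.
        Get-ChildItem -Path $base | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -Name 'Debugger' -ErrorAction SilentlyContinue
            if ($props -and $props.Debugger) {
                [pscustomobject]@{
                    Image    = $_.PSChildName
                    Debugger = $props.Debugger
                    KeyPath  = $_.Name
                }
            }
        }
    }
}

# Print the findings; an empty table means no image on this host is being redirected.
Get-IfeoDebuggerEntries | Format-Table -AutoSize
```

A legitimate entry points at a real debugger (for example a `windbg.exe` path set up by GFlags on a developer workstation); anything else, and in particular any entry that survives a reinstall of the application, deserves a closer look, since the redirected program will be blamed for whatever the substituted binary does.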
+2  A: 

If you can't replace the original application as Remus suggested, you might want to look into using a system-level hook to intercept the CreateProcess() API family functions and monitor all their invocations.

See: API hooking revealed

It's a bit complicated and you might run into all sorts of problems, such as problems on Vista and with other hooking libraries: http://forum.madshi.net/viewtopic.php?p=15833

dtroy
Thanks for the recommendations. I'd prefer to use a kernel-mode hook if I chose to go that route. I've messed with API hooking before and the results were just too unreliable--too many assumptions about how things work caused some programs to crash.
Dark Falcon
A: 

Bad idea.

You might think I'm being harsh, but I've seen my process crash because some joker thought it was a bright idea to inject some random DLL into it for "enhanced functionality". You are potentially destabilizing everybody else's address spaces. Stop it. What's more, they will get blamed when your bad code screws them over.

The APIs which allow you to inject code into another process are really meant for writing a debugger. If you're not writing a debugger, please do not use them in production code. You are playing with fire.

asveikau
Thanks for the unhelpful response. I am fully aware of the risks and my customer is willing to take them for the functionality I'm adding.
Dark Falcon