The Citrix Blog
Personal Blog
Joseph Nord
Jun 18, 2009
User32.dll is a magic item. As a programmer, if you want to take the machine over, then user32.dll is your best friend. User32 is a system DLL that gets loaded into all programs, system and user, that do anything with the GUI. User32 has a nice side benefit that it also loads other DLLs, by name. The list of DLLs to load is stored in the registry in a string item, AppInit_Dlls. Yes, this space is only writable by privileged processes, but if you can get yourself on the AppInit_Dlls list, you're golden! and you load into almost every process in the system. This is so handy that it is a common method that viruses use to attach themselves to all the processes on a system and ... is how application isolation systems like Citrix Application Streaming do their work.
  
 Notice above, I said ALMOST all processes link to user32.dll.
  
 There are many processes which do not load user32.dll and if they don't, then things that load as part of AppInit_Dlls will not get loaded.  If you're in the application isolation business, this is not good because it means that you can't isolate that application. 
  
 *A common question* - Does Citrix Application Streaming depend on the application loading user32.dll in order for the isolation system to hook the app's execution?
  
 Answer: No. 
  
 The more elaborate answer is that AIE on Presentation Server 4.0 did depend on the application loading of user32.dll, but Application Streaming does not have this limitation. 
  
 *Propeller talk on user32.dll.* 
  
 If you want to know more about hooking processes and user32.dll, here are some good and entertaining references. 
 * [User32.dll is really important|http://en.wikipedia.org/wiki/User32.dll]
 * [AVG Virus scanner incorrectly recommends erasing user32.dll (Awesome!)|http://securityandthe.net/2008/11/10/avg-virus-scanner-removes-critical-windows-file/]
 * [AppInit_DLLs should be renamed Deadlock_Or_Crash_Randomly_DLLs|http://blogs.msdn.com/oldnewthing/archive/2007/12/13/6648400.aspx]
 * [How virus loads|http://www.scribd.com/doc/4061199/How-Virus-Loads]
 * [Microsoft Malware Protection Center blog (good reading)|http://blogs.technet.com/mmpc/Default.aspx?p=2]
  
 Probably best for a separate post, but the second item here is really interesting. If you think you have a virus and do a Google search for "user32.dll virus" you'll get 574,000 hits! Sometimes, it seems like the "fix" for a virus is worse than the virus itself. If you delete user32.dll, you're up a creek with no paddle! You can hope that the Windows XP system file protection will put it back, but it's still a scary proposition.
  
 Consider that if you are evil, and you're inserted into system code, then the obvious next step is to hide from anti-virus.  This must be an [interesting battle|http://blogs.technet.com/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx]. 
  
 Enjoy,
  
 Joe Nord