AppInit Injection

The AppInit_DLLs value is found in the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

AppInit injection is a technique Microsoft used to follow (it is still present in Windows 8/8.1) so that various applications can be launched when any other exe is run on the system. An example to understand its behavior: suppose an antivirus has its DLL listed in the AppInit registry value; whenever any application is launched, that antivirus will run and scan the application (of course, antivirus products use a different method). There is tons of malware on the Internet that uses this injection to load an application when any process is run on the system. AppInit DLLs are loaded by user32.dll after it has been loaded. In fact, that is how I learned about this injection.

I somehow got a malware (which SEP, Norton and McAfee, the market leaders, failed to detect and remove from my system; thank you, Microsoft, for giving me Microsoft Security Essentials, which instantly removed it). This malware ran on my machine, stopped me from doing anything, and ran a script to shut down my system in 30 seconds. Moreover, it spawned a new session every few seconds and every time I tried to close the application. I was able to remove it but, impressed with the sheer brilliance and simplicity of this malware, decided to reverse engineer it. There was malicious functionality in the DLL referenced by the registry key, and all DLLs listed in that reg-key were loaded when any process started.

Anyway, now coming back to the topic…

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session.

The AppInit DLLs are loaded by using the LoadLibrary() function during the DLL_PROCESS_ATTACH process of User32.dll. Therefore, executables that do not link with User32.dll do not load the AppInit DLLs. There are very few executables that do not link with User32.dll.

Because of their early loading, only API functions that are exported from Kernel32.dll are safe to use in the initialization of the AppInit DLLs.

We do not recommend that applications use this feature or rely on this feature. There are other techniques that can be used to achieve similar results. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

134655 AppInit_DLLs registry value and Windows 95

The AppInit_DLLs value has type “REG_SZ.” This value has to specify a NULL-terminated string of DLLs that is delimited by spaces or by commas. Because spaces are used as delimiters, do not use long file names. The system does not recognize semicolons as delimiters for these DLLs.

Typically, only the Administrators group and the LocalSystem account have write access to the key that contains the AppInit_DLLs value.
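
An added example (not from the original post or the Microsoft KB article): a small Python audit that splits an AppInit_DLLs string on the delimiters described above (spaces and commas, not semicolons) and reports every entry that is not on an allowlist. The function names, the allowlist and the sample paths are assumptions constructed for illustration.

```python
import re
import sys

KEY_PATH = r"Software\Microsoft\Windows NT\CurrentVersion\Windows"
VALUE_NAME = "AppInit_DLLs"

def parse_appinit(raw):
    """Split a raw AppInit_DLLs string on spaces and commas.
    Semicolons are not delimiters, so they stay inside the entry."""
    return [e for e in re.split(r"[ ,]+", raw.strip("\x00 ")) if e]

def audit(raw, allowlist=()):
    """Return (entry, reason) for every entry that is not allowlisted."""
    allowed = {a.lower() for a in allowlist}
    findings = []
    for entry in parse_appinit(raw):
        if entry.lower() in allowed:
            continue
        reason = "unexpected DLL loaded by every process that links User32.dll"
        if ";" in entry:
            reason = "semicolon is not a delimiter; treated as a single name"
        findings.append((entry, reason))
    return findings

def read_live_value():
    """Read the value from HKLM on Windows; None elsewhere or if absent."""
    if sys.platform != "win32":
        return None
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, _type = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None

if __name__ == "__main__":
    raw = read_live_value()
    if raw is None:
        # Constructed sample value, used when no live registry is available.
        raw = r"C:\PROGRA~1\Vendor\hook.dll,C:\Users\Public\x.dll"
    # Hypothetical allowlist: the one DLL this machine is expected to load.
    for entry, reason in audit(raw, allowlist=[r"C:\PROGRA~1\Vendor\hook.dll"]):
        print(f"{entry}: {reason}")
```

A path containing a space, such as `C:\Program Files\x.dll`, comes back as two fragments, which is why the KB text says not to use long file names in this value.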

Reference and rip off from: http://support.microsoft.com/kb/197571
