Injecting a DLL in a Modern UI Metro Application

DLL injection is one of the oldest techniques used to run custom code inside a target application in Windows. It is usually used to intercept and modify normal application behavior or to add new functionality.

Injecting a DLL in a target process is a relatively easy task: you simply create a remote thread that calls LoadLibrary using CreateRemoteThread or NtCreateThreadEx. You will need some privileges to be able to access the injected process but that is beyond the scope of this article.

When you try to inject a library into a Windows 8 Modern UI Metro application you will find that although the injection code works as expected, your DLL will NOT load: LoadLibrary will return FALSE and GetLastError will return ERROR_ACCESS_DENIED.

Well, you think… Modern UI applications have very limited access to computer resources and run in a sandboxed environment, so problems are to be expected.

While doing some research on how to add new functionality to the Windows Mail application that comes with Windows 8 and how to hook Modern UI apps using Deviare, we needed to find out why LoadLibrary was failing.

Reverse engineering comes into play

We started to analyze what LoadLibrary does. It calls LoadLibraryEx with dwFlags=0 and LoadLibraryEx does some checks. First stop.

If you want to load a package you must use the LoadPackagedLibrary API. If you want to load a normal DLL, you have to use LoadLibrary[Ex]. The LoadPackagedLibrary documentation says that the path cannot be absolute or contain “..”, but these checks are mainly done in the LoadLibraryEx routine. The only difference between LoadLibrary and LoadPackagedLibrary is whether the dwFlags parameter is 4 or zero.

Among other things, LoadLibraryEx will build the search path to locate your DLL and then call the undocumented LdrLoadDll. Because we want to enforce using the path where our library is located, we changed our code to call LdrLoadDll directly.

Second Try:

Although LdrLoadDll correctly found our DLL, when we used SpyStudio to check for errors, we saw that a call to NtOpenFile failed, reporting STATUS_ACCESS_DENIED. We realized that there was a security-related issue.

Using the icacls.exe utility, we set the DLL file permissions to allow read and execute access to low integrity processes. We also added a special Windows 8 user named “ALL APPLICATION PACKAGES” to the list of users with permission to read and execute the DLL code.

Third Try:

NtOpenFile passed initial security checks, but our DLL was still not loading.

Continuing to research LdrLoadDll, we jumped into the kernel-mode side of the “NtCreateSection” API and found that the “CiValidateImageHeader” function of ci.dll was returning a STATUS_INVALID_IMAGE_HASH error, so we added a digital signature to the file. To prevent future problems, we used a real certificate instead of a self-signed one.

Now CiValidateImageHeader was ok, but a later call to “CiValidateImageData” returned the same error. We then added the “/ph” parameter to the SignTool.exe utility to include page hashes in the signing process.
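As an added example (not code from the original post), the ACL and page-hash signing steps above as a PowerShell script that applies them to your own DLL and then verifies both conditions; MyHook.dll, signing.pfx and the password are placeholders, and signtool.exe is assumed to be on PATH.

```powershell
# Added example: prepare and verify a DLL that an AppContainer (Modern UI) process
# is allowed to open and map. Assumptions: MyHook.dll is your own DLL, signing.pfx
# is a code-signing certificate you hold, signtool.exe is on PATH.
param(
    [string]$Dll = '.\MyHook.dll',              # placeholder path
    [string]$Pfx = '.\signing.pfx',             # placeholder path
    [string]$PfxPassword = '<pfx-password>'     # placeholder
)
$ErrorActionPreference = 'Stop'

# 1. Grant read+execute to "ALL APPLICATION PACKAGES". S-1-15-2-1 is the
#    well-known SID of that group, so this also works on non-English systems.
icacls $Dll /grant '*S-1-15-2-1:(RX)' | Out-Null

# 2. Sign with page hashes (/ph): CiValidateImageData checks per-page hashes when
#    the image is mapped, in addition to the file hash checked by CiValidateImageHeader.
signtool sign /fd SHA256 /ph /f $Pfx /p $PfxPassword $Dll | Out-Null

# 3. Verify both conditions before trying the load again.
function Test-AppContainerReadable([string]$Path) {
    $wanted = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable account, skip it
        if ($sid -eq 'S-1-15-2-1' -and
            $ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $wanted) -eq $wanted)) {
            return $true
        }
    }
    return $false
}

function Test-SignedWithPageHashes([string]$Path) {
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return $false }
    # signtool verify /ph prints and verifies the page hashes; a non-zero exit
    # code means the signature or the page hashes did not verify.
    signtool verify /pa /ph /q $Path | Out-Null
    return ($LASTEXITCODE -eq 0)
}

"ACL grants ALL APPLICATION PACKAGES read+execute: $(Test-AppContainerReadable $Dll)"
"Signature valid with page hashes               : $(Test-SignedWithPageHashes $Dll)"
```

Both checks passing only covers the NtOpenFile and CiValidateImage* stages; as the rest of the post explains, SeGetImageRequiredSigningLevel still enforces the certificate chain requirements.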

Fourth Try:

Well, we thought: we have a signed DLL, permissions are ok. Let’s try again.

FAIL.

This time, the culprit was a function named “SeGetImageRequiredSigningLevel” located in ntoskrnl.exe. SeGetImageRequiredSigningLevel checks the minimum certificate requirements to load a DLL inside a WinRT application.

We realized we needed to sign our DLL with a cross-certificate, like those used to sign kernel-mode drivers.

Conclusion:

We could not continue our tests because we do not have that kind of certificate right now, but we discovered that a kernel setting determines what kind of certificate is checked by SeGetImageRequiredSigningLevel.

This blog post explains how to manually bypass the security check and run untrusted applications on a Microsoft Surface device using WinDbg. We can follow a similar procedure to manually bypass the security check and correctly map and inject the DLL in the WinRT application on the desktop Windows operating system.

The exception:

Before starting our whole research, we already had a method for injecting a DLL in WinRT applications: copy the DLL file inside the System32 folder and voilà! Although you need administrative privileges to copy a file to the System32 folder, once there, you can load it using LoadLibrary without using a path, since this folder is one of the default locations the Windows operating system will search. In addition, because you are using a relative path, some security checks are skipped. Another plus is that you will never need to digitally sign the file!

But like many companies, we want to avoid copying DLL files into the ever-growing System32 folder and keep our files in the same location as our application. This is why we started our research.

  • Iker De Echaniz

    Hi, maybe you could try free certum dot eu certificates for open source projects

    • http://blog.databigbang.com Sebastian Wain

      Look at https://www.certum.eu/certum/cert,offer_cert_comparision_cs.xml the open source certificate does not support cross-certified certificate, so it will not work.

      • Trabelsi Marwen

Hi Sebastian, I can’t get the mail confirmation when I register into the Deviare forum. Please, I feel like something is wrong, please add me. PS: I’m sorry, I have no choice, even though I contacted Nektra via their website there was also no response.

        • http://blog.databigbang.com/ Sebastian Wain

Hi Trabelsi, when did you join our forum and under what username? Please also let me know when you contacted Nektra and through which form. Thanks.

          • Trabelsi Marwen

I joined the forum a few days ago under “smatytwiti” as username, but I can’t get the confirmation mail. “Under which form”: via the contact form http://www.nektra.com/contact/

          • http://blog.databigbang.com/ Sebastian Wain

            I can’t find your account. Please subscribe and post to http://forum.nektra.com also check that the automatic e-mail is outside the spam folder.

          • Trabelsi Marwen

Thx, the mail was already in the spam folder :), also it is “smaRtytwiti”, not “smatytwiti”. Thank you.

  • itsho

Can ‘mklink’ help fool LoadLibrary with the System32 folder? Just wondering…

    • Mauro Leggieri

No. By the time the DLL is being loaded and the security checks are done, symbolic links have already been resolved to the real location.
