EDN Admin
Hi,

I'm injecting a dll into an external process using "CreateRemoteThread" (as described here: http://www.codeproject.com/KB/threads/winspy.aspx).
Meaning I'm using CreateRemoteThread and activating "LoadLibraryA". Then, in order to remove the dll, I'm using CreateRemoteThread with "FreeLibrary".

This works fine on Vista 32 bit.
It also works fine on Windows 7, 64 bit, when both my process and the remote process are 32 bit:

When the "CreateRemoteThread" with "FreeLibrary" is executed, I can see (using debug prints) that we enter the DllMain first with "DLL_THREAD_ATTACH" due to the new thread, then, since the dll is unloaded, we enter the DllMain again with "DLL_PROCESS_DETACH". In procexp I can see that the dll was indeed unloaded.

My problem is when doing the same on a 64 bit version of both my process and the remote process. The injection takes place, but not the ejection. When the "CreateRemoteThread" with "FreeLibrary" is executed, I can see that we enter the DllMain with "DLL_THREAD_ATTACH", but then, apparently, the unloading of the dll doesn't take place. The next thing I see is that we enter DllMain with DLL_THREAD_DETACH (because the remote thread has stopped executing). There is no DLL_PROCESS_DETACH event, and in procexp I can see that the dll is still loaded in the process.

An important piece of information: for the sake of the test, the dll does nothing other than being loaded and then unloaded. All I have is OutputDebugPrint calls in the DllMain...

I will appreciate any idea of what might be wrong...

TIA

Noa