Injecting a DLL into a Windows Executable By Modifying PE Import Table

type

status

date

slug

summary

category

icon

password

When a Windows program starts, the PE loader looks at its import table. This table tells the loader what DLL files need to be loaded along with the program. Each item in the import table, or IMAGE_IMPORT_DESCRIPTOR, represents a DLL used by the program.

Now, if we want to add our own DLL into a Windows PE file so that it will be loaded at program startup together with all the other DLLs used by the executable, we can do this by adding a new entry in the import table. This new entry will point to our DLL.

The IMAGE_IMPORT_DESCRIPTOR has some important fields. One is ThunkData. This is the address that points to the IAT table of the DLL. We've discussed this table in a previous blog. Another is OriginalThunkData, which is just a copy of the IAT table before the program runs.

When we add a new entry in the import table, we also need to make some room for the IAT and INT table. The program doesn't use any functions in our DLL, so we can just fill the IAT and INT table with whatever values we want. But it's important that the new IAT and INT table has at least one entry. Otherwise, the PE loader will simply ignore it. Moreover, any function name or function ordinal number we put in the IAT and INT table has to match an entry in the DLL’s export table, so that the PE loader can replace the value in the IAT table with the actual function address during runtime.

This is probably the easiest way to inject a DLL into a program. However, it has some downsides: One is that it only works for new processes. It doesn't work for a process that's already running because the import descriptor list is only read when the process first starts.

For this guide, we used a DLL that has a DLLMain function. This function automatically runs a call to the Windows MessageBox API when the DLL is attached or detached from the process. This lets us show a message box when the DLL is loaded or unloaded. Finally, because we specified in the new IAT/INT table that we want to use the function exported by ordinal number 1, we must ensure at least one function is exported in our DLL. This is because the ordinal numbering of exported functions starts at 1 by default.