Posted February 8, 2009
Sorry, I don't know the technical term. How do you register a DLL to be loaded into every process? (Also, how do you get the list of all the DLLs loaded into every process?) On a side note, is this documentation on writing a driver still good (it is 4-5 years old)? Is there something I should know/worry about when making a driver?
February 10, 2009
Developing a device driver isn't a children's playground; the most important thing I know about it is to ALWAYS use try/except to avoid BSODs. Example (kernel-mode SEH, as the Windows driver compiler spells it):

    __try {
        // Code that fails here
    } __except (EXCEPTION_EXECUTE_HANDLER) {
        DbgPrint("exception caught: 0x%x\n", GetExceptionCode());
    }

Edited February 10, 2009 by Rot1
February 10, 2009
You can do it via the registry if you want to, but the process must already, at minimum, import user32.dll. DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process, so add yours there. Will probably need a restart to get it going.....
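An added example, not from the thread, that shows both halves of the original question from an elevated PowerShell prompt: it reads the AppInit_DLLs value from the native key and from the Wow6432Node key (which holds the list used by 32-bit processes on 64-bit Windows), prints the LoadAppInit_DLLs gate that Vista introduced and the RequireSignedAppInit_DLLs gate that Windows 8 introduced, and then enumerates the modules loaded in every process and ranks the DLLs by how many processes carry them. The registration lines are left commented out, and C:\Tools\mydll.dll is a placeholder path, not a real file.

```powershell
# Added example (not part of the original thread).
# Assumes: Windows, PowerShell 5+, run as Administrator so that most
# processes' module lists are readable. $dllPath is a placeholder.

$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'   # 32-bit list on x64
)
$dllPath = 'C:\Tools\mydll.dll'   # placeholder for the DLL you want loaded everywhere

function Get-AppInitDlls {
    # Returns one record per key: the DLL list plus the gate values that later
    # Windows versions added (absent/$null on XP).
    foreach ($key in $appInitKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = $props.AppInit_DLLs               # space/comma separated paths
            LoadAppInit_DLLs          = $props.LoadAppInit_DLLs           # Vista+: 1 = loading enabled
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs  # Win8+: 1 = signed only
        }
    }
}

function Get-LoadedModules {
    # One record per (process, module). user32.dll-hosted AppInit DLLs show up here,
    # so do DLLs injected by any other mechanism, which is what the thread asks about.
    foreach ($proc in Get-Process) {
        try {
            foreach ($m in $proc.Modules) {
                [pscustomobject]@{
                    Pid     = $proc.Id
                    Process = $proc.ProcessName
                    Module  = $m.FileName
                }
            }
        } catch {
            # Protected processes, and 32/64-bit mismatches, refuse module enumeration; skip them.
            Write-Verbose ("Cannot read modules of {0} ({1}): {2}" -f $proc.ProcessName, $proc.Id, $_.Exception.Message)
        }
    }
}

function Register-AppInitDll {
    param([Parameter(Mandatory)][string]$Path)
    # Appends a DLL to the native key's list and turns the Vista+ gate on.
    # Only processes started afterwards that load user32.dll pick it up.
    $key = $appInitKeys[0]
    $current = (Get-ItemProperty -Path $key).AppInit_DLLs
    $newList = if ([string]::IsNullOrWhiteSpace($current)) { $Path } else { "$current $Path" }
    Set-ItemProperty -Path $key -Name AppInit_DLLs     -Value $newList
    Set-ItemProperty -Path $key -Name LoadAppInit_DLLs -Value 1 -Type DWord
}

# Inspection: what is registered, and what is actually loaded where.
Get-AppInitDlls | Format-List

Get-LoadedModules |
    Where-Object { $_.Module -like '*.dll' } |
    Group-Object -Property Module |
    Sort-Object -Property Count -Descending |
    Select-Object -First 30 -Property Count, Name

# Registration (commented out; uncomment to actually add the placeholder DLL):
# Register-AppInitDll -Path $dllPath
```

Two practical notes on this: AppInit DLLs are loaded from user32.dll's initialisation, so a process that never maps user32.dll never loads them, and a DLL that is missing from the list but present in every process was injected some other way (a driver, a global hook, or a per-application loader), which is exactly the situation the Kernel Detective question later in the thread describes.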
February 10, 2009 (Author)
Quote: You can do it via the registry if you want to, but the process must already, at minimum, import user32.dll. DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process, so add yours there. Will probably need a restart to get it going.....
Thanks.
February 10, 2009 (Author)
Quote: You can do it via the registry if you want to, but the process must already, at minimum, import user32.dll. DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process, so add yours there. Will probably need a restart to get it going.....
How do the other programs do it, though? Because Kernel Detective picks up lots of registered DLLs, yet none are in there.
February 10, 2009
Quote: Kernel Detective picks up lots of registered DLLs, yet none are in there.
Did not understand you clearly!!
February 10, 2009
Quote: Kernel Detective picks up lots of registered DLLs, yet none are in there.
Quote: Did not understand you clearly!!
He is asking how it is possible that there are other registered DLLs running (which he picked up with Kernel Detective) that are not registered in that specified registry entry.
February 10, 2009
I once had a funny app that loaded a driver which hid all the entries of its DLL in all sorts of places, and even hid all its files and folders so Explorer couldn't see it. Kernel Detective came to the rescue, killed the task and removed all the entries and files. Working fine ever since. Thanks to GamingMaster and his wonderful tool <3 hehe
February 10, 2009
Thanks Killboy. It must hide its components by kernel-level hooks; Kernel Detective can bypass kernel-level hooks generically. But if a DLL unlinks itself from the process PEB, then Kernel Detective can't see it, because I don't rely on "MZ" signature scanning or any other method for DLL detection; actually DLLs are the most neglected part of Kernel Detective.
February 10, 2009 (Author)
But, for example, where is the AVG DLL registered? I have a ton of DLLs that are loaded before Olly even hooks the process; where are those registered?
February 11, 2009
A good reference is to open the Autoruns tool and look for these DLLs' locations in the registry.
Edited February 11, 2009 by GamingMasteR
February 11, 2009 (Author)
Quote: A good reference is to open the Autoruns tool and look for these DLLs' locations in the registry.
Cool tool, thanks.