Chapter 22 -- DLL Injection and API Hooking


In Microsoft Windows, each process gets its own private address space. When you use pointers to reference memory, the value of the pointer refers to a memory address in your own process's address space. Your process cannot create a pointer that references memory belonging to another process. So if your process has a bug that overwrites memory at a random address, the bug can't affect the memory used by another process.

Windows 98
Processes running under Windows 98 share the 2-GB address space from 0x80000000 through 0xFFFFFFFF. Only memory-mapped files and system components are mapped into this region. For more information, see Chapters 13, 14, and 17.

Separate address spaces are a great advantage for both developers and users. For developers, the system is more likely to catch wild memory reads and writes. For users, the operating system is more robust because one application cannot bring down another process or the operating system. Of course, this robustness comes at a price: it is much harder to write applications that can communicate with or manipulate other processes.

Situations that require breaking through process boundary walls to access another process's address space include the following:

  • When you want to subclass a window created by another process
  • When you need debugging aids (for example, when you need to determine which DLLs another process is using)
  • When you want to hook other processes

In this chapter, I'll show you several mechanisms you can use to inject a DLL into another process's address space. Once your DLL code is in another address space, you can wreak unlimited havoc on the other process. This should scare you—always think twice about whether this is something you really need to do.



Programming Applications for Microsoft Windows (Microsoft Programming Series)
ISBN: 1572319968
EAN: 2147483647
Year: 1999
Pages: 193
