PE-inject 1.0


PE-inject - How does it work?

If you are interested in the background of the PE-inject concept, you are in the right place. I am sure that you have many questions about this revolutionary concept, so I will try to answer them all.

InjectFile(), what's behind?
The InjectFile function is used when you want to inject your DLL file into a host PE file. First of all, InjectFile loads both the DLL and the host file. Because we don't want to place the DLL file on the hard disk when the injected file is started, we need to convert the DLL file to a format that allows us to load the library from a specific memory location. The format that was specially invented for this purpose is called MSL (migeel's SmartLink). Besides the size decrease, this format gives us the benefit of using functions from a DLL without placing the DLL on the hard drive.
After we have converted the injected DLL to an MSL file, we call the InjectMappedFile function, which is the heart of PE-inject. InjectMappedFile starts by checking the injection flags. If INJECT_FLAG_STRIPRELOCS is set, the relocations are stripped from the host executable, thus reducing the resulting file size. INJECT_FLAG_COMPRESSDLL tells PE-inject to compress the injected DLL file. This flag is recommended, because it lowers the injection overhead. Then it prepares all the data that will be included in the host file (the PE-inject stub, configuration data, MSL data and extra user data, if any). After this, the PE-inject stub is configured: InjectMappedFile tells it what we want it to do. Most users will surely want to process the relocations and imports. This is normally done by the Windows PE loader, but because we are managing the startup of the host application, we have to handle it ourselves. In the last phase, all the data is placed into a new section in the host executable, the PE header is updated and the file is saved to disk.


Figure 1: Structure of embedded data


Behind the scene: starting injected application
When a PE-inject modified file is started, the first thing it needs to do is to unpack (if compressed) the linked MSL file. After the MSL is decompressed in memory, it can be mapped at its image base. The process is the same as what Windows does when loading a DLL file. After it is mapped, the stub tries to find a function called BeforeHandlers there. If BeforeHandlers exists, it is called. After BeforeHandlers returns, the import and relocation sections are handled (but only if INJECT_FLAG_DOIMPORTS and INJECT_FLAG_HANDLERELOC were specified). The handlers are followed by a call to AfterHandlers. This function can be used to perform additional tasks (like replacing some addresses in the import table with our own). The next step applies only to DLL hosts: the stub tries to find a function called DllMain and, if successful, calls it with the same parameters the host DLL received. If everything worked well, the PE-inject stub cleans up and gives control to the host application.
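The two sections above describe what the injection leaves behind in the host file: a new section appended to the executable, the PE header updated so that the stub in that section runs before the original code, and optionally the relocation data stripped. The following script is an added example (not PE-inject's own code, and not the format of its MSL data) showing how a defender would inspect a PE file for exactly those artefacts. It parses the DOS, COFF, optional and section headers with nothing but `struct`, then reports whether the entry point lies in the last section, whether that section is both writable and executable, and whether the relocations-stripped flag is set. The sample image it analyses is constructed in memory by `build_sample_pe`; the section name `.inject`, the RVAs and the writable stub section are my assumptions for the demonstration, since the page does not name the section it creates or state its flags. The checks are generic packer/injector indicators, so treat them as triage signals rather than a signature: stripped relocations in particular are normal for many older executables.

```python
import struct

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
                               # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
                               # NumberOfLinenumbers, Characteristics


def build_sample_pe(injected):
    """Constructed, headers-only 32-bit PE image used as sample input (assumption, not a real file).
    With injected=True an extra '.inject' section is appended, the entry point is moved into it
    and IMAGE_FILE_RELOCS_STRIPPED is set, mirroring the steps the page describes."""
    sections = [
        (b".text", 0x1000, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    entry = 0x1000
    characteristics = 0x0102  # IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_32BIT_MACHINE
    if injected:
        sections.append((b".inject", 0x3000, 0x400,
                         IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE))
        entry = 0x3000
        characteristics |= IMAGE_FILE_RELOCS_STRIPPED
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)      # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)       # FileAlignment
    headers = b""
    raw_ptr = 0x400
    for name, va, size, chars in sections:
        headers += struct.pack(SECTION_FMT, name.ljust(8, b"\0"), size, va, size, raw_ptr, 0, 0, 0, 0, chars)
        raw_ptr += size
    return dos + b"PE\0\0" + coff + bytes(opt) + headers


def parse_pe(data):
    """Walk the headers and return the fields the checks need."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff_off = e_lfanew + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    opt_off = coff_off + 20
    entry = struct.unpack_from("<I", data, opt_off + 16)[0]
    sec_off = opt_off + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, schars = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_size": rawsize, "raw_ptr": rawptr, "characteristics": schars})
    return {"file_characteristics": chars, "entry": entry, "sections": sections}


def assess(data):
    """Return a list of human-readable triage findings for one PE image."""
    pe = parse_pe(data)
    secs = pe["sections"]
    if not secs:
        return ["no sections"]
    last = secs[-1]
    findings = []

    def contains(sec, rva):
        # VirtualSize may be zero in hand-built files; fall back to the raw size.
        return sec["va"] <= rva < sec["va"] + max(sec["vsize"], sec["raw_size"])

    entry_sec = next((s for s in secs if contains(s, pe["entry"])), None)
    if entry_sec is None:
        findings.append("entry point outside every section")
    elif entry_sec is last and len(secs) > 1:
        findings.append("entry point in last section %r" % last["name"])
    if last["characteristics"] & IMAGE_SCN_MEM_WRITE and last["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append("last section %r is writable and executable" % last["name"])
    if pe["file_characteristics"] & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("relocations stripped")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_pe(False)), ("injected", build_sample_pe(True))):
        print(label, assess(sample) or ["no findings"])
```

To run it against real files, replace the constructed sample with `open(path, "rb").read()`; the parser only needs the headers, so it is safe to run on untrusted input as long as the file is not executed. A 64-bit (PE32+) image has a 240-byte optional header, which `parse_pe` already handles because it reads `SizeOfOptionalHeader` from the COFF header rather than assuming a size.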