
I have a malware sample that adds a DLL to the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs. There is malicious functionality in the DLL referenced by the registry key but this malware sample does not load or call the DLL, nor does it exhibit any other malicious behavior.

Why would malware add a DLL to this registry key?

2 Answers


Basically, all DLLs listed in that reg-key are loaded when any process is started. For more info see Working with the AppInit_DLLs registry value.

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

They are usually used by malicious code (though it doesn't have to be malicious) as a way of DLL injection, to hook functions for example. To be more precise, AppInit DLLs are actually loaded only by the processes that link user32.dll. As peter ferrie points out, AppInit DLLs are loaded by user32.dll after it has been loaded. The actual registry path differs between 64-bit and 32-bit versions of the OS.

So for 32-bit DLLs on 32-bit systems the path is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

For 64-bit DLLs on 64-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

For 32-bit DLLs on 64-bit systems:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs]

Multiple entries are split with space or comma, and the path to the DLL must not contain any spaces for obvious reasons. On Vista and later, the AppInit DLLs need to be signed, though the registry value RequireSignedAppInit_DLLs can be set to 0 which disables this requirement.

  • 1
    It's more correct to say that the AppInit_DLLs DLL is loaded by user32.dll when user32.dll itself is loaded, and that can happen dynamically (delay-load or manual load). There can be more than one registered DLL in there, too. Commented Mar 29, 2013 at 22:36
  • 1
    AFAIK RequireSignedAppInit_DLLs was added around Vista/Windows 7 but was still off by default, and only turned on by default with a Windows 10 update.
    – NirIzr
    Commented Sep 11, 2017 at 15:56
  • I don't think this works on Windows 10 anymore.
    – c00000fd
    Commented Jan 1, 2019 at 9:56

The implementation of AppInit DLLs in Windows 7 is as follows:

In user32.dll!ClientThreadSetup the LoadAppInitDlls export from kernel32.dll is called for any process except the LogonProcess.

kernel32.dll!LoadAppInitDlls checks the LoadAppInit_DLLs registry key and if set calls BasepLoadAppInitDlls (except when offset 3 of the PEB has value 2).

BasepLoadAppInitDlls calls LoadLibraryEx for each DLL set in the AppInit_DLLs registry key. If signing is required (when the RequireSignedAppInit_DLLs registry value is set) the LOAD_LIBRARY_REQUIRE_SIGNED_TARGET flag is passed to LoadLibraryEx.

So by setting this registry key, the malware DLL will be injected into every process started after setting this key. On previous OS versions AppInit DLLs were not called for non-GUI/console processes, but at least on Windows 7 it's also called for non-GUI processes.
