DioProcess

Early Injection

Inject DLLs into processes before any user code executes — triggered by kernel callbacks at process creation time.

APC Method Only

Only the APC Callback method is supported. The Trampoline method was removed due to stability issues (PEB.Ldr not initialized at process creation time).

How It Works

  1. User arms injection with target process name (e.g., "notepad.exe") and DLL path
  2. Kernel's PsSetLoadImageNotifyRoutine callback monitors DLL loads
  3. When kernel32.dll loads in a matching target process:
    • Allocate memory, write DLL path
    • Resolve LoadLibraryW via PEB walking
    • Queue kernel APC targeting the main thread
  4. APC fires during process initialization, calling LoadLibraryW(dll_path)
  5. One-shot mode: auto-disarm after first successful injection

Why APC Method

The APC method triggers when kernel32.dll loads — at this point:

  • ✓ PEB.Ldr is fully initialized
  • ✓ LoadLibraryW is available and callable
  • ✓ Process initialization is far enough along for DLL loading
  • ✓ Still before any application code runs
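
A defender-side view of this timing, as an added example that is not part of DioProcess: a DLL loaded this way shows up in image-load telemetry after kernel32.dll and within moments of process creation. The sketch below flags such loads from outside trusted folders; event IDs 1 and 7 follow Sysmon's ProcessCreate and ImageLoad, while the tuple layout, trusted-folder list, 2-second window and sample records are assumptions constructed for illustration.

```python
import ntpath
from datetime import datetime, timedelta

# Assumed policy values, not taken from the page.
TRUSTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                 "c:\\windows\\winsxs\\")
STARTUP_WINDOW = timedelta(seconds=2)

# Constructed records: (Sysmon event ID, time, PID, image path).
SAMPLE = [
    (1, "10:00:00.000", 4100, r"C:\Windows\System32\notepad.exe"),
    (7, "10:00:00.004", 4100, r"C:\Windows\System32\ntdll.dll"),
    (7, "10:00:00.009", 4100, r"C:\Windows\System32\kernel32.dll"),
    (7, "10:00:00.015", 4100, r"C:\Users\lab\tools\monitor.dll"),
    (7, "10:00:00.030", 4100, r"C:\Windows\System32\user32.dll"),
    (1, "10:00:05.000", 5200, r"C:\Program Files\App\app.exe"),
    (7, "10:00:05.010", 5200, r"C:\Windows\System32\kernel32.dll"),
    (7, "10:00:05.020", 5200, r"C:\Program Files\App\helper.dll"),
    (7, "10:00:09.000", 5200, r"C:\Users\lab\plugins\late.dll"),
]


def early_foreign_loads(events, window=STARTUP_WINDOW):
    """Return (pid, path) for DLLs that load after kernel32.dll, inside the
    startup window, from outside trusted roots and the executable's folder."""
    started, k32_seen, hits = {}, set(), []
    for event_id, ts, pid, path in sorted(events, key=lambda e: e[1]):
        when = datetime.strptime(ts, "%H:%M:%S.%f")
        low = path.lower()
        if event_id == 1:  # process created: remember start time and folder
            started[pid] = (when, ntpath.dirname(low) + "\\")
        elif event_id == 7 and pid in started:
            start, exe_dir = started[pid]
            if ntpath.basename(low) == "kernel32.dll":
                k32_seen.add(pid)  # the trigger point the page describes
            elif (pid in k32_seen and when - start <= window
                  and not low.startswith(TRUSTED_ROOTS + (exe_dir,))):
                hits.append((pid, path))
    return hits


if __name__ == "__main__":
    for pid, path in early_foreign_loads(SAMPLE):
        print(f"PID {pid}: early load from untrusted path {path}")
```

A hit is a lead for triage rather than proof, since legitimate DLLs outside the executable's folder can also load during startup.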

Usage

  1. Ensure the kernel driver is loaded
  2. Click Early Injection button in Process tab toolbar
  3. In the modal:
    • Enter target process name (e.g., "notepad.exe")
    • Browse for DLL to inject
    • Toggle one-shot mode if desired
  4. Click Arm to enable injection
  5. Launch the target process — DLL will be injected automatically
  6. Click Disarm to disable injection

Status Information

The modal displays live status:

  • Armed State — Whether injection is active
  • Target Process — Name being monitored
  • DLL Path — Path to inject
  • Injection Count — Number of successful injections
  • Last Injected PID — Most recent target PID
  • Last Status — Success or error message

Use Cases

  • Inject monitoring DLLs — Before application code runs
  • Bypass DLL load order restrictions — Load before dependencies
  • Security research — Analyze early-stage process behavior
  • Anti-cheat research — Inject before protection initializes

Implementation

  Item              Location
  Rust bindings     crates/callback/src/early_injection.rs
  Kernel code       kernelmode/.../Injection/EarlyInjection.cpp
  UI component      early_injection_window.rs
  IOCTL (Arm)       0x140
  IOCTL (Disarm)    0x144
  IOCTL (Status)    0x148