After more research, I found that the reason certain DLLs such as kernel32.dll or user32.dll cannot be overridden normally is because they are Known DLLs - Windows has a list of commonly used DLLs like these which automatically default to the System32 versions, rather than the default behaviour of checking the folder of the application first.
If you want to work around this, for example to make a proxy DLL, you need to include two files in the application directory: applicationName.exe.local and applicationName.exe.manifest where applicationName is the name of your EXE file.
These need to be the contents of the manifest file:
<?xml version="1.0" encoding="UTF-8" standalone="yes" ?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<assemblyIdentity version="1.0.0.0" name="redirector" type="win32" />
<file name="kernel32.dll" />
</assembly>
The assemblyIdentity tag is intended to give information about your application's version number and name, but we can basically just ignore it. The important part is the file tag which specifies a file to load locally. Replace kernel32.dll
with DLL you'd like to load locally.
Also, Windows only refreshes the contents of .manifest files either upon restart, or when the EXE file is modified, so you could just open the EXE file in some hex editor, erase the first character and add it back and save... etc. to refresh the manifest file. Do this if you manifest file seems to be ignored.
- On Windows 2000 and below, adding a .local file will be enough to
convince it to load the local version of kernel32.dll .
- On Windows XP and above, you need to use the .manifest file.
- It's possible for an application to have a .manifest file embedded within
it. In this case, you can delete the resource with a tool like Stud_PE.
known dll
support in windows. – josh poley