
My Dll Injector Code Does Not Work-


Caliber


Posted (edited)

This is a console app. What it is supposed to do is list the info for notepad.exe and then inject the .dll into notepad.exe's address space.

it seems to list the program info correctly, but the injection does not work. (verified with ollydbg, the .dll isn't present)

anyone can help would be appreciated.

best,

Cal

here's the main code:


// List Processes and Modules.cpp : Defines the entry point for the console application.
//#include "stdafx.h"// test.cpp : Defines the entry point for the console application.
//#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>
#include <string>#define MAXWAIT 10000// Forward declarations:
// Forward declarations; the definitions follow in this file.
BOOL GetProcessList( );
BOOL ListProcessModules( DWORD dwPID );
BOOL ListProcessThreads( DWORD dwOwnerPID );
void printError( TCHAR* msg );
bool insertDll(DWORD procID, std::string dll);

// Program entry point: everything happens inside GetProcessList().
// NOTE(review): `void main()` is a Microsoft extension; standard C++ requires
// `int main()`. GetProcessList()'s BOOL result is dropped, so the process
// exit code never reflects a failure - only printError()'s output does.
void main( )
{
    GetProcessList( );
}

// Walks a Toolhelp32 snapshot of every process on the system. For each entry
// whose image name is exactly "notepad.exe" it prints the PID, thread count,
// parent PID and priority information, then lists the process's threads
// (and, in the source as posted, injects a DLL and lists modules - see the
// note on the garbled line below).
//
// Returns FALSE when the snapshot cannot be taken or Process32First fails
// (the Win32 error is printed by printError); otherwise TRUE, even if an
// individual matching process could not be opened.
BOOL GetProcessList( )
{
    HANDLE hProcessSnap;
    HANDLE hProcess;
    PROCESSENTRY32 pe32;
    DWORD dwPriorityClass;
    // The image name to look for. strcmp() below is a case-sensitive, exact
    // byte comparison, so e.g. "Notepad.exe" would not match.
    CHAR filename[260] = "notepad.exe";

    // Take a snapshot of all processes in the system.
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
        return( FALSE );
    }

    // Set the size of the structure before using it; Process32First rejects
    // the call otherwise.
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    // Retrieve information about the first process, and exit if unsuccessful.
    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        printError( TEXT("Process32First") ); // show cause of failure
        CloseHandle( hProcessSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the snapshot of processes, and display information about
    // each matching process in turn.
    do
    {
        if (!strcmp(pe32.szExeFile,filename))
        {
            printf( "\n\n=====================================================" );
            // Prints the constant search name rather than the entry's own
            // szExeFile (the author's alternative is left commented out).
            _tprintf( TEXT("\nPROCESS NAME: %s"), filename);//pe32.szExeFile );
            printf( "\n-----------------------------------------------------" );

            // Retrieve the priority class.
            dwPriorityClass = 0;
            // NOTE(review): the only thing done with this handle is
            // GetPriorityClass, which needs query-information rights;
            // PROCESS_ALL_ACCESS is far more than required and is exactly what
            // gets refused on processes the caller may not control (see the
            // replies later in the thread about requesting only the rights
            // needed).
            hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
            if( hProcess == NULL )
                printError( TEXT("OpenProcess") );
            else
            {
                dwPriorityClass = GetPriorityClass( hProcess );
                if( !dwPriorityClass )
                    printError( TEXT("GetPriorityClass") );
                CloseHandle( hProcess );
            }
            printf( "\n Process ID = 0x%08X", pe32.th32ProcessID );
            printf( "\n Thread count = %d", pe32.cntThreads );
            printf( "\n Parent process ID = 0x%08X", pe32.th32ParentProcessID );
            printf( "\n Priority base = %d", pe32.pcPriClassBase );
            if( dwPriorityClass )
                printf( "\n Priority class = %d", dwPriorityClass );
            // NOTE(review): the next line was garbled by the forum's loss of
            // line breaks. As posted, "// List the modules and threads..." was
            // a comment on its own line and insertDll(...) and
            // ListProcessModules(...) were separate statements; here they are
            // swallowed by the comment and never execute. Two things about the
            // intended insertDll call are worth noting:
            //  - it passes th32ParentProcessID (the parent's PID), not the
            //    notepad.exe PID in th32ProcessID - the author corrects this
            //    further down the thread;
            //  - "C:\Caliber.dll" contains the unrecognised escape `\C`, so
            //    the literal does not hold the backslash as written (a later
            //    reply suggests "C:\\Caliber.dll").
            // List the modules and threads associated with this process insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll"); // this is where we try to inject ListProcessModules( pe32.th32ProcessID );
            ListProcessThreads( pe32.th32ProcessID );
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );
    return( TRUE );
}
// Lists every module loaded in process `dwPID` (name, path, usage counts,
// base address and size) from a TH32CS_SNAPMODULE snapshot.
//
// Returns FALSE when the module snapshot cannot be taken or Module32First
// fails (cause printed by printError); TRUE after the full list is printed.
// NOTE(review): a module snapshot of another process presumably needs read
// access to that process - confirm this is the failure seen when listing a
// process that OpenProcess also refuses.
BOOL ListProcessModules( DWORD dwPID )
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;

    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
        return( FALSE );
    }

    // Set the size of the structure before using it.
    me32.dwSize = sizeof( MODULEENTRY32 );

    // Retrieve information about the first module, and exit if unsuccessful.
    if( !Module32First( hModuleSnap, &me32 ) )
    {
        printError( TEXT("Module32First") ); // show cause of failure
        CloseHandle( hModuleSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the module list of the process, and display information
    // about each module.
    do
    {
        _tprintf( TEXT("\n\n MODULE NAME: %s"), me32.szModule );
        _tprintf( TEXT("\n Executable = %s"), me32.szExePath );
        printf( "\n Process ID = 0x%08X", me32.th32ProcessID );
        printf( "\n Ref count (g) = 0x%04X", me32.GlblcntUsage );
        printf( "\n Ref count (p) = 0x%04X", me32.ProccntUsage );
        // The base pointer is truncated to a 32-bit DWORD for printing; this
        // only shows the full address in a 32-bit build (the thread mentions
        // a move to 64-bit, where the cast drops the high half).
        printf( "\n Base address = 0x%08X", (DWORD) me32.modBaseAddr );
        printf( "\n Base size = %d", me32.modBaseSize );
    } while( Module32Next( hModuleSnap, &me32 ) );

    CloseHandle( hModuleSnap );
    return( TRUE );
}

// Lists every thread on the system whose owner PID equals `dwOwnerPID`
// (thread ID, base and delta priority). The thread snapshot is system-wide -
// the second argument is ignored for TH32CS_SNAPTHREAD - hence the owner
// filter inside the loop.
//
// Returns FALSE if the snapshot cannot be taken (silently: unlike the other
// two list functions there is no printError call on that path) or
// Thread32First fails; TRUE otherwise.
BOOL ListProcessThreads( DWORD dwOwnerPID )
{
    HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
    THREADENTRY32 te32;

    // Take a snapshot of all running threads.
    hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    if( hThreadSnap == INVALID_HANDLE_VALUE )
        return( FALSE );

    // Fill in the size of the structure before using it.
    te32.dwSize = sizeof(THREADENTRY32 );

    // Retrieve information about the first thread, and exit if unsuccessful.
    if( !Thread32First( hThreadSnap, &te32 ) )
    {
        printError( TEXT("Thread32First") ); // show cause of failure
        CloseHandle( hThreadSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the thread list of the system, and display information
    // about each thread associated with the specified process.
    do
    {
        if( te32.th32OwnerProcessID == dwOwnerPID )
        {
            printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID );
            printf( "\n Base priority = %d", te32.tpBasePri );
            printf( "\n Delta priority = %d", te32.tpDeltaPri );
        }
    } while( Thread32Next(hThreadSnap, &te32 ) );

    CloseHandle( hThreadSnap );
    return( TRUE );
}

// Prints "WARNING: <msg> failed with error <n> (<system text>)" for the
// calling thread's last Win32 error.
//
// Must be called immediately after the failing API: GetLastError() is read on
// entry, and any intervening Win32 call could overwrite the value. `msg` is
// the name of the API that failed and is shown verbatim.
void printError( TCHAR* msg )
{
    DWORD eNum;
    TCHAR sysMsg[256];
    TCHAR* p;

    eNum = GetLastError( );
    FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, eNum,
                   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                   sysMsg, 256, NULL );

    // Trim the end of the line and terminate it with a null: advance over the
    // printable text (any character above 31, or a tab), then back up over
    // trailing control characters, blanks and the final '.', zeroing each.
    // NOTE(review): FormatMessage's return value is not checked and sysMsg is
    // never initialised, so if the lookup fails (returns 0) nothing
    // guarantees the buffer holds a terminated string and this scan can run
    // past it. Zeroing sysMsg first, or checking the return, closes that.
    p = sysMsg;
    while( ( *p > 31 ) || ( *p == 9 ) )
        ++p;
    do { *p-- = 0; } while( ( p >= sysMsg ) &&
                            ( ( *p == '.' ) || ( *p < 33 ) ) );

    // Display the message.
    _tprintf( TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
}
// Loads the DLL at path `dll` into process `procID` with the classic
// LoadLibraryA-via-CreateRemoteThread sequence: allocate a buffer in the
// target, write the path into it, and start a remote thread at LoadLibraryA
// with that buffer as its only argument.
//
// Defender's note: this exact API chain (OpenProcess with broad rights ->
// VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread) is the textbook
// remote-thread injection pattern that endpoint telemetry and EDR products
// alert on; its visible result is a new entry in the target's module list
// (which is what ListProcessModules above and the OllyDbg check rely on).
//
// Returns: intended to be true if a remote thread was created and did not
// time out within MAXWAIT ms, false otherwise - but see the note on `res`.
// No Win32 return value is checked along the way, so a NULL process handle
// or a failed allocation simply cascades into further silent failures.
bool insertDll(DWORD procID, std::string dll)
{
    // Find the address of LoadLibraryA in *this* process and assume it is
    // mapped at the same address in the target. NOTE(review): that is an
    // assumption about the target, not a guarantee for every process - see
    // the 32/64-bit discussion later in the thread.
    HMODULE hLocKernel32 = GetModuleHandle("Kernel32");
    FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");

    // Open the process with all access. NOTE(review): hProc is never checked
    // for NULL; the author reports exactly this failure (hProc == 0) further
    // down the thread. Every call below then fails as well, silently.
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

    // Allocate memory in the target to hold the path to the DLL file. The
    // explicit '\0' makes dll.size() cover the terminator LoadLibraryA needs.
    dll += '\0';
    LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);

    // Write the path into the location just created. numBytesWritten is
    // never compared against dll.size().
    DWORD numBytesWritten;
    WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);

    // Create a remote thread that begins at LoadLibraryA and is passed our
    // buffer pointer as its argument.
    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);
    // The thread was not created suspended, so this ResumeThread is a no-op
    // (and it is called even when hRemoteThread is NULL).
    ResumeThread(hRemoteThread);
    //cout << hRemoteThread << endl;

    // Wait for the thread to finish.
    bool res = false;
    if (hRemoteThread)
        // NOTE(review): the cast binds tighter than `!=`, so this reads as
        // `((bool)WaitForSingleObject(...)) != WAIT_TIMEOUT` - a 0/1 value
        // compared with 258, which is always true. `res` is therefore true
        // whenever a thread handle exists, whatever the wait returned. The
        // intended test is `WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT`.
        res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT;

    // Free the memory created in the other process. NOTE(review): with
    // MEM_RELEASE the size argument must be 0; passing dll.size() makes
    // VirtualFreeEx fail and leaves the buffer allocated in the target.
    VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);

    // Release the handle to the other process. hRemoteThread itself is never
    // closed (handle leak per call).
    CloseHandle(hProc);
    return res;
}

i included the project file for visual studio 2008 c++ in the attached .rar and also the Caliber.dll that gets injected.

thanks for any help!

best,

Caliber

Projects.rar

Edited by Caliber
Posted

Sorry, we can't help commercial projects.

Posted
Sorry, we can't help commercial projects.

?

Posted (edited)

Caliber where is the source for the dll? I'm willing to offer a suggestion but im not injecting your code into notepad. lol not unless I can see the source of the dll file.

;)

look at human's post count and time he joined here... I think what he means is include the source code for your library too! not just the "loader" ;)

this is a loader i use for injecting a library into hl2.exe

// loader.cpp
#include <windows.h>
#include <TLHELP32.H> // PROCESSENTRY32
#include <stdio.h> // sprintf#include "Loader.h"HWND hWnd;PROCESSENTRY32 PE32;char szTarget[] = "hl2.exe";
// Globals shared between WinMain and the injection thread.
//   szPath        - full path of this loader's own executable.
//   szDllToInject - szPath with its last three characters rewritten to "dll":
//                   the loader injects the DLL that sits next to it under the
//                   same base name.
// (szTarget, PE32 and hWnd are declared on the preceding #include line; the
//  forum's loss of line breaks fused them into that line's "// sprintf"
//  comment, so they are not visible as code here.)
char szPath[256], szDllToInject[256];

// Forward declarations of functions used in this program.
LRESULT CALLBACK MainDlgProc( HWND hDlg, UINT Msg, WPARAM wParam, LPARAM lParam );
DWORD WINAPI InjectionThread( LPVOID lpParam );

// GUI entry point. Shows an "Attention!" box, derives the DLL path from the
// loader's own path, verifies the file exists, then starts InjectionThread
// and blocks in the IDD_MAIN dialog until the user closes it.
// Returns FALSE when the DLL is missing and 0 after the dialog ends - the
// two exit paths are indistinguishable to the caller.
int WINAPI WinMain( HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd )
{
    char *intro = "Minimize Loader & Start Game";
    MessageBox( NULL, intro, "Attention!", MB_ICONWARNING | MB_OK );

    // Own module path, then overwrite the last three characters ("exe") with
    // "dll". NOTE(review): GetModuleFileName's return value is not checked;
    // a path longer than the 256-byte buffer is truncated, and a path shorter
    // than three characters would index before the buffer. Both are edge
    // cases, but nothing here guards against them.
    GetModuleFileName( 0, szPath, sizeof(szPath) );
    strcpy( szDllToInject, szPath );
    szDllToInject[ strlen(szPath) - 3] = 'd';
    szDllToInject[ strlen(szPath) - 2] = 'l';
    szDllToInject[ strlen(szPath) - 1] = 'l';

    // Existence check only; the find handle is never released (no FindClose).
    WIN32_FIND_DATA fnd;
    HANDLE DllHnd = FindFirstFile( szDllToInject, &fnd );
    if( DllHnd == INVALID_HANDLE_VALUE )
    {
        char szFailMsg[512] = { 0 };
        sprintf( szFailMsg, "The library to be injected could not be found:\n\n\"%s\"", szDllToInject );
        MessageBox( NULL, szFailMsg, "Error!", MB_ICONERROR | MB_OK );
        return FALSE;
    }

    // Start the polling thread. dwParam1 is passed but never read by
    // InjectionThread; dwParam2/dwThreadID2 are unused; the thread handle
    // returned by CreateThread is dropped.
    DWORD dwParam1, dwThreadID1, dwParam2, dwThreadID2;
    CreateThread( NULL, 0, InjectionThread, &dwParam1, 0, &dwThreadID1 );
    // Modal dialog; returns when MainDlgProc calls EndDialog.
    DialogBox( hInstance, MAKEINTRESOURCE(IDD_MAIN), hWnd, (DLGPROC)MainDlgProc );
    return 0;
}

// Dialog procedure for IDD_MAIN. Handles WM_INITDIALOG (accept) and
// WM_COMMAND with IDCANCEL (end the dialog, which returns WinMain from
// DialogBox); every other message returns FALSE for default handling.
LRESULT CALLBACK MainDlgProc( HWND hDlg, UINT Msg, WPARAM wParam, LPARAM lParam )
{
    switch( Msg )
    {
    case WM_INITDIALOG:
        return TRUE;
    case WM_COMMAND:
        if( LOWORD( wParam ) == IDCANCEL )
        {
            EndDialog( hDlg, LOWORD( wParam ) );
            return TRUE;
        }
        break;
    }
    return FALSE;
}

// Worker thread: polls the process list every 5 ms until an entry named
// szTarget appears, then injects szDllToInject into it via LoadLibraryA +
// CreateRemoteThread and terminates the whole loader with ExitProcess(0).
// lpParam is unused; the function never returns normally.
//
// Defender's note: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) is the canonical
// remote-thread injection chain and is what endpoint telemetry keys on.
//
// NOTE(review): none of the Win32 calls is checked, so a refused OpenProcess
// (see the later reply about requesting only the rights needed and adjusting
// token privileges) just produces failed calls on a NULL handle before the
// loader exits. Also, the entry filled by Process32First is never compared -
// only the Process32Next loop is; presumably harmless because the first
// snapshot entry is the idle pseudo-process, but that is a property of the
// snapshot, not of this code.
DWORD WINAPI InjectionThread( LPVOID lpParam )
{
    while( 1 )
    {
        HANDLE hSnapshot, hModule, hProcess;
        hSnapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
        PE32.dwSize = sizeof(PROCESSENTRY32);
        Process32First( hSnapshot, &PE32 );
        while( Process32Next( hSnapshot, &PE32 ) )
        {
            if( strcmp( PE32.szExeFile, szTarget ) == 0 )
            {
                Sleep( 3 );
                hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, PE32.th32ProcessID );
                // The whole 256-byte buffer is copied, NUL and whatever follows
                // it included. PAGE_EXECUTE_READWRITE grants execute on a buffer
                // that only ever holds a path string - more than it needs.
                hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE );
                WriteProcessMemory( hProcess, hModule, (LPVOID)szDllToInject, sizeof(szDllToInject), NULL );
                // Thread handle is discarded and never waited on or closed.
                CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL );
                CloseHandle( hProcess );
                // Ends the loader (dialog included) at once; the remote buffer
                // is left allocated in the target.
                ExitProcess( 0 );
                break; // unreachable after ExitProcess
            }
        }
        CloseHandle(hSnapshot);
        Sleep( 5 );
    }
    return 0;
}
Edited by D1N
Posted

Maybe a dumb remark but isn't it:

insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll");
insertDll(pe32.th32ParentProcessID, "C:\\Caliber.dll");
Posted

No, I didn't mean that. I mean he sells his trainers and asks for our help, more and more; that's pathetic.

so earns money on warez and our knowledge

Posted

Teddy asks money too to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/

Posted (edited)

maybe he asks, due all do that, but this is free will. not everybody pay. and doesnt ask new members to pay again.

like cheathappens. where calibre is. so its 180 degree different. if you wanna help its your choice i just express my opinion about it.

what you do its up to you.

Edited by human
Teddy Rogers
Posted
Teddy asks money too to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/

But you don't get charged for being here. It is a donation not a fee, if you choose to donate. I'll argue against your point there :)

Anyway, I certainly don't make any money from running this site, I only ask for donations to cover a certain amount of the running costs - if you like and enjoy the site. Nothing more and nothing less. There are no guarantees or a request by me that an amount has to be reached every year for the site to remain online. Donations or not it'll still be here...

Ted.

Posted
Teddy asks money too to run the site. Besides, the amount of money in question is so little that it's hardly worth mentioning =/

But you don't get charged for being here. It is a donation not a fee, if you choose to donate. I'll argue against your point there :)

Anyway, I certainly don't make any money from running this site, I only ask for donations to cover a certain amount of the running costs - if you like and enjoy the site. Nothing more and nothing less. There are no guarantees or a request by me that an amount has to be reached every year for the site to remain online. Donations or not it'll still be here...

Ted.

i sure don't want to cause any problems here. i apologize for the disruptions.

a couple things-

1) regarding the website i work with: everyone of our trainers is put out for free within a month of their release date. nobody has to buy anything. i've done hundreds of trainers for games at this point (including the patches). i don't want to debate the right or wrong of it here. i apologize if people are upset with what we do, but nobody has to buy anything. we post our full version trainers on gamecopyworld, filefront, etc. for free several weeks after we release them to our members. i spend ungodly amounts of time doing this an helping members with troubleshooting, etc. unfortunately we aren't making the millions people think we are. i just enjoy doing this and the funds we get help to keep the site going and to pay for our time and server, etc. i don't understand the hate. i myself have put out tutorials and helped the so called 'newbs' get a handle on some of these gamehacking topics/concepts.

now i have made the move from another language to c++ mainly to try to get around the 32/64 bit hurdle. my previous language/programming suite only creates 32 bit files so in essence i am starting over, trying to learn the api calls from vis c++. i have had quite a run in the 32 bit world and now i am trying to move to 64 bit. learning to do these things in 32 bit vis c++ is the first step.

regarding the code above-

1) you can inject any .dll you desire. i just included the .dll to complete the code. inject any windows .dll or one of your own. i just want the code to work, that's all.

2) i note with the visual studio IDE that the line:

HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

after this line is executed, hProc still is 0x00000000

So for some reason the handle is not being given by the OpenProcess() API call. Any idea why? This might be why it is not injected, or certainly a big part of it.

thanks again for all the responses above!

Mike

Posted (edited)

well sheep was earlier in flt and other groups doing trainers. now also sells them. its not scene like way.

if i do something i do it for fun, learning not money. for money i got a job. like most crackers,dox people do.

i stoped doing trainers when gry-online.pl started to sell my free trainers(also pay year fee or send sms for 1 trainer). and they response for my req to remove stolen stuff was "it free on web so we dont steal"

i wonder why then fbi,mpaa and riaa chase so many if its also free on web. nobody paid for mp3,movie,game.

D1N, you can't OpenProcess some executables with PROCESS_ALL_ACCESS; better to request only the rights you actually need, and also adjust the process token privileges.

Edited by human
Posted
Maybe a dumb remark but isn't it:
insertDll(pe32.th32ParentProcessID, "C:\Caliber.dll");
insertDll(pe32.th32ParentProcessID, "C:\\Caliber.dll");

i tried this to be thorough but it doesn't work.

i am sure that it needs to be pe32.th32ProcessID-

thanks for the posting- i gave it try-

best.

Mike

Posted (edited)
D1N, you can't OpenProcess some executables with PROCESS_ALL_ACCESS; better to request only the rights you actually need, and also adjust the process token privileges.

Yeah your right :)

I was just thinking about that earlier when I was looking at the source. it works great right now but the objective is like you said openproc with all_access and yes I do need to adjust the Process Token Privileges. Thanks dude! :worthy:

Edited by D1N
Posted

D1N regarding your code you posted,

i used:

	// Fragment of the poster's adaptation of D1N's loader; no enclosing
	// function is shown (pe32 is the PROCESSENTRY32 from GetProcessList).
	// NOTE(review): `sizeof(szDllToInject)` is now the size of the
	// std::string *object*, not the length of the path - in the original
	// loader szDllToInject was a char[256], where sizeof is the buffer size.
	// The write therefore copies sizeof(std::string) bytes from c_str(),
	// which is both the wrong length and possibly past the string's storage.
	// "c:\Caliber.dll" also still carries the `\C` escape issue raised above.
	std::string szDllToInject = "c:\Caliber.dll";
	// Reported below to come back NULL; nothing checks for that, so the
	// following calls all operate on an invalid handle.
	HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );
	LPVOID hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	WriteProcessMemory( hProcess, hModule, szDllToInject.c_str(), sizeof(szDllToInject), NULL );
	CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL );
	CloseHandle( hProcess );

however at:

HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );

once again after this instruction is executed, you would expect hProcess to have a number but it is 0x00000000, which is why the injection isn't taking place.

pe32.th32ProcessID has a value, so i don't understand why then OpenProcess() isn't working and filling hProcess with a value-

any help would be appreciated-

best,

Mike

Posted
D1N regarding your code you posted,

i used:

	// (Quoted from the previous post.) Fragment of the poster's adaptation of
	// D1N's loader; no enclosing function is shown.
	// NOTE(review): `sizeof(szDllToInject)` is the size of the std::string
	// object, not the length of the path - the original loader used a
	// char[256], where sizeof is the buffer size. The write copies
	// sizeof(std::string) bytes from c_str(): wrong length, and possibly past
	// the string's storage. "c:\Caliber.dll" still has the `\C` escape issue.
	std::string szDllToInject = "c:\Caliber.dll";
	// Reported below to come back NULL; nothing checks for that.
	HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );
	LPVOID hModule = VirtualAllocEx( hProcess, 0, sizeof(szDllToInject), MEM_COMMIT, PAGE_EXECUTE_READWRITE );
	WriteProcessMemory( hProcess, hModule, szDllToInject.c_str(), sizeof(szDllToInject), NULL );
	CreateRemoteThread( hProcess, NULL, 0, (unsigned long(__stdcall *)(void *))GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"), hModule, 0, NULL );
	CloseHandle( hProcess );

however at:

HANDLE hProcess = OpenProcess( PROCESS_ALL_ACCESS, false, pe32.th32ProcessID );

once again after this instruction is executed, you would expect hProcess to have a number but it is 0x00000000, which is why the injection isn't taking place.

pe32.th32ProcessID has a value, so i don't understand why then OpenProcess() isn't working and filling hProcess with a value-

any help would be appreciated-

best,

Mike

If I change PROCESS_ALL_ACCESS to PROCESS_VM_READ it gets past the OpenProcess(), but then fails at VirtualAllocEx, as hModule then gets set to 0x00000000. It's like something is blocking it. The injection from my other programs works fine; however, from the Visual C++ IDE with this code, no joy.

any help appreciated.

best,

Mike

Posted

OK i got it to finally work.

here's the updated code:

// List Processes and Modules.cpp : Defines the entry point for the console application.
//#include "stdafx.h"// test.cpp : Defines the entry point for the console application.
//#include <windows.h>
#include <tlhelp32.h>
#include <tchar.h>
#include <stdio.h>
#include <string>#define MAXWAIT 10000// Forward declarations:
// Forward declarations; the definitions follow in this file.
BOOL GetProcessList( );
BOOL ListProcessModules( DWORD dwPID );
BOOL ListProcessThreads( DWORD dwOwnerPID );
void printError( TCHAR* msg );
bool insertDll(DWORD procID, std::string dll);

// Program entry point: everything happens inside GetProcessList().
// NOTE(review): `void main()` is a Microsoft extension; standard C++ requires
// `int main()`. GetProcessList()'s BOOL result is dropped, so the process
// exit code never reflects a failure - only printError()'s output does.
void main( )
{
    GetProcessList( );
}

// Updated version of the first post's GetProcessList. Walks a Toolhelp32
// snapshot of every process; for each entry whose image name is exactly
// "notepad.exe" it prints PID, thread count, parent PID and priority
// information, then lists the process's threads (and, in the source as
// posted, injects a DLL and lists modules - see the note on the garbled
// line below).
//
// Returns FALSE when the snapshot cannot be taken or Process32First fails
// (the Win32 error is printed by printError); otherwise TRUE, even if an
// individual matching process could not be opened.
BOOL GetProcessList( )
{
    HANDLE hProcessSnap;
    HANDLE hProcess;
    PROCESSENTRY32 pe32;
    DWORD dwPriorityClass;
    // Image name to look for; strcmp() below is a case-sensitive exact match.
    CHAR filename[260] = "notepad.exe";

    // Take a snapshot of all processes in the system.
    hProcessSnap = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( hProcessSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
        return( FALSE );
    }

    // Set the size of the structure before using it.
    pe32.dwSize = sizeof( PROCESSENTRY32 );

    // Retrieve information about the first process, and exit if unsuccessful.
    if( !Process32First( hProcessSnap, &pe32 ) )
    {
        printError( TEXT("Process32First") ); // show cause of failure
        CloseHandle( hProcessSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the snapshot of processes, and display information about
    // each matching process in turn.
    do
    {
        if (!strcmp(pe32.szExeFile,filename))
        {
            printf( "\n\n=====================================================" );
            // Prints the constant search name rather than the entry's own
            // szExeFile (the author's alternative is left commented out).
            _tprintf( TEXT("\nPROCESS NAME: %s"), filename);//pe32.szExeFile );
            printf( "\n-----------------------------------------------------" );

            // Retrieve the priority class.
            dwPriorityClass = 0;
            // NOTE(review): this handle is only used for GetPriorityClass,
            // which needs query-information rights; PROCESS_ALL_ACCESS is far
            // more than required here. (The injection itself opens its own
            // handle inside insertDll.)
            hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, pe32.th32ProcessID );
            if( hProcess == NULL )
                printError( TEXT("OpenProcess") );
            else
            {
                dwPriorityClass = GetPriorityClass( hProcess );
                if( !dwPriorityClass )
                    printError( TEXT("GetPriorityClass") );
                CloseHandle( hProcess );
            }
            printf( "\n Process ID = 0x%08X", pe32.th32ProcessID );
            printf( "\n Thread count = %d", pe32.cntThreads );
            printf( "\n Parent process ID = 0x%08X", pe32.th32ParentProcessID );
            printf( "\n Priority base = %d", pe32.pcPriClassBase );
            if( dwPriorityClass )
                printf( "\n Priority class = %d", dwPriorityClass );
            // NOTE(review): the next line was garbled by the forum's loss of
            // line breaks: as posted, insertDll(...) and ListProcessModules(...)
            // were separate statements after the comment; here they sit
            // inside the comment and never execute. The call now correctly
            // passes th32ProcessID (the first post used the parent's PID),
            // but "c:\CH.dll" still contains the unrecognised escape `\C`, so
            // the literal does not hold the backslash as written.
            // List the modules and threads associated with this process insertDll(pe32.th32ProcessID, "c:\CH.dll"); // this is where we try to inject ListProcessModules( pe32.th32ProcessID );
            ListProcessThreads( pe32.th32ProcessID );
        }
    } while( Process32Next( hProcessSnap, &pe32 ) );

    CloseHandle( hProcessSnap );
    return( TRUE );
}
// Lists every module loaded in process `dwPID` (name, path, usage counts,
// base address and size) from a TH32CS_SNAPMODULE snapshot. Unchanged from
// the first post.
//
// Returns FALSE when the module snapshot cannot be taken or Module32First
// fails (cause printed by printError); TRUE after the full list is printed.
BOOL ListProcessModules( DWORD dwPID )
{
    HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
    MODULEENTRY32 me32;

    // Take a snapshot of all modules in the specified process.
    hModuleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
    if( hModuleSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
        return( FALSE );
    }

    // Set the size of the structure before using it.
    me32.dwSize = sizeof( MODULEENTRY32 );

    // Retrieve information about the first module, and exit if unsuccessful.
    if( !Module32First( hModuleSnap, &me32 ) )
    {
        printError( TEXT("Module32First") ); // show cause of failure
        CloseHandle( hModuleSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the module list of the process, and display information
    // about each module.
    do
    {
        _tprintf( TEXT("\n\n MODULE NAME: %s"), me32.szModule );
        _tprintf( TEXT("\n Executable = %s"), me32.szExePath );
        printf( "\n Process ID = 0x%08X", me32.th32ProcessID );
        printf( "\n Ref count (g) = 0x%04X", me32.GlblcntUsage );
        printf( "\n Ref count (p) = 0x%04X", me32.ProccntUsage );
        // Base pointer truncated to a 32-bit DWORD for printing; correct only
        // for a 32-bit build.
        printf( "\n Base address = 0x%08X", (DWORD) me32.modBaseAddr );
        printf( "\n Base size = %d", me32.modBaseSize );
    } while( Module32Next( hModuleSnap, &me32 ) );

    CloseHandle( hModuleSnap );
    return( TRUE );
}

// Lists every thread on the system whose owner PID equals `dwOwnerPID`
// (thread ID, base and delta priority). The thread snapshot is system-wide -
// the second argument is ignored for TH32CS_SNAPTHREAD - hence the owner
// filter inside the loop.
//
// Returns FALSE if the snapshot cannot be taken (silently; no printError on
// that path) or Thread32First fails; TRUE otherwise.
BOOL ListProcessThreads( DWORD dwOwnerPID )
{
    HANDLE hThreadSnap = INVALID_HANDLE_VALUE;
    THREADENTRY32 te32;

    // Take a snapshot of all running threads.
    hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    if( hThreadSnap == INVALID_HANDLE_VALUE )
        return( FALSE );

    // Fill in the size of the structure before using it.
    te32.dwSize = sizeof(THREADENTRY32 );

    // Retrieve information about the first thread, and exit if unsuccessful.
    if( !Thread32First( hThreadSnap, &te32 ) )
    {
        printError( TEXT("Thread32First") ); // show cause of failure
        CloseHandle( hThreadSnap );          // clean the snapshot object
        return( FALSE );
    }

    // Now walk the thread list of the system, and display information
    // about each thread associated with the specified process.
    do
    {
        if( te32.th32OwnerProcessID == dwOwnerPID )
        {
            printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID );
            printf( "\n Base priority = %d", te32.tpBasePri );
            printf( "\n Delta priority = %d", te32.tpDeltaPri );
        }
    } while( Thread32Next(hThreadSnap, &te32 ) );

    CloseHandle( hThreadSnap );
    return( TRUE );
}

// Prints "WARNING: <msg> failed with error <n> (<system text>)" for the
// calling thread's last Win32 error.
//
// Must be called immediately after the failing API: GetLastError() is read on
// entry, and any intervening Win32 call could overwrite the value. `msg` is
// the name of the API that failed and is shown verbatim.
void printError( TCHAR* msg )
{
    DWORD eNum;
    TCHAR sysMsg[256];
    TCHAR* p;

    eNum = GetLastError( );
    FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, eNum,
                   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                   sysMsg, 256, NULL );

    // Trim the end of the line and terminate it with a null: advance over the
    // printable text (any character above 31, or a tab), then back up over
    // trailing control characters, blanks and the final '.', zeroing each.
    // NOTE(review): FormatMessage's return is unchecked and sysMsg is never
    // initialised; if the lookup fails nothing guarantees a terminated string
    // here, and the scan can run past the buffer.
    p = sysMsg;
    while( ( *p > 31 ) || ( *p == 9 ) )
        ++p;
    do { *p-- = 0; } while( ( p >= sysMsg ) &&
                            ( ( *p == '.' ) || ( *p < 33 ) ) );

    // Display the message.
    _tprintf( TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
}
// Updated insertDll: loads the DLL at path `dll` into process `procID` by
// allocating a buffer in the target, writing the path into it, and starting
// a remote thread at LoadLibraryA with that buffer as its argument.
//
// Differences from the first post's version: a hand-written access mask and
// bInheritHandle = TRUE in OpenProcess, MEM_RESERVE added to the allocation,
// and an unbounded wait on the remote thread.
//
// Defender's note: the API chain here (OpenProcess -> VirtualAllocEx ->
// WriteProcessMemory -> CreateRemoteThread(LoadLibraryA)) is the textbook
// remote-thread injection pattern that endpoint telemetry and EDR products
// alert on; the visible result is a new entry in the target's module list.
//
// Returns: always false - `res` is initialised to false and never assigned
// (see below). The caller in GetProcessList ignores the result anyway. No
// Win32 return value is checked along the way.
bool insertDll(DWORD procID, std::string dll)
{
    // Find the address of LoadLibraryA in *this* process and assume it is
    // mapped at the same address in the target. NOTE(review): an assumption
    // about the target, not a guarantee for every process.
    HMODULE hLocKernel32 = GetModuleHandle("Kernel32");
    FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");

    // Open the process. NOTE(review): the mask is a magic number - the
    // named PROCESS_* constants for the rights the calls below actually use
    // would say what is needed and nothing more (cf. the thread's advice to
    // request only the required rights). bInheritHandle is TRUE, which
    // makes the handle inheritable by any child process this program starts
    // for no reason here; FALSE, as in the first version, is the safe default.
    // hProc is still never checked for NULL.
    HANDLE hProc = OpenProcess(STANDARD_RIGHTS_REQUIRED | SYNCHRONIZE | 4095, TRUE, procID);

    // Allocate memory in the target to hold the path to the DLL file. The
    // explicit '\0' makes dll.size() cover the terminator LoadLibraryA needs.
    dll += '\0';
    LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    // Write the path into the location just created. numBytesWritten is
    // never compared against dll.size().
    DWORD numBytesWritten;
    WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);

    // Create a remote thread that begins at LoadLibraryA and is passed our
    // buffer pointer as its argument. NOTE(review): NULL is passed for the
    // SIZE_T stack size and DWORD creation flags; it works out to 0 but a
    // plain 0 (as in the first version) is the right type.
    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, NULL, NULL);
    // Not created suspended, so ResumeThread is a no-op (and is called even
    // when hRemoteThread is NULL).
    ResumeThread(hRemoteThread);
    //cout << hRemoteThread << endl;

    // Wait for the thread to finish. NOTE(review): INFINITE means a remote
    // thread that never returns hangs this program for good; the first
    // version bounded this with MAXWAIT. The wait's result is discarded and
    // `res` is never set, so the function cannot report success.
    bool res = false;
    if (hRemoteThread)
    {
        WaitForSingleObject(hRemoteThread, INFINITE);
    }

    // Free the memory created in the other process. NOTE(review): with
    // MEM_RELEASE the size argument must be 0; passing dll.size() makes
    // VirtualFreeEx fail and leaves the buffer allocated in the target.
    VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);

    // Release the handle to the other process. hRemoteThread itself is never
    // closed (handle leak per call).
    CloseHandle(hProc);
    return res;
}

Note that if you run notepad.exe from Start > Programs, it runs the notepad.exe in the system32 directory, and the above code will not inject into a program run from the system32 directory.

if you copy notepad.exe to c: drive and then run it from there it injects fine.

thanks for all the help and input. moving on to the next part-

best,

Cal
