Killboy Posted May 1, 2009

Hi, I'm using this code to inject a dll into a process:

    #include <windows.h>

    bool InjectDll(HANDLE hProcess, char * Dll)
    {
        size_t AllocSize;
        void * Alloc;
        HANDLE hThread;
        DWORD dwExitCode = 0;

        // Room in the target for the DLL path, including the terminating NUL.
        AllocSize = strlen(Dll) + 1;
        Alloc = VirtualAllocEx(hProcess, 0, AllocSize, MEM_COMMIT, PAGE_READWRITE);
        if(Alloc)
        {
            WriteProcessMemory(hProcess, Alloc, Dll, AllocSize, 0);
            // The thread entry point is LoadLibraryA itself and the path buffer is its
            // single argument. kernel32 is normally mapped at the same base in every
            // process of the same bitness, so the injector's address is valid in the target.
            hThread = CreateRemoteThread(hProcess, 0, 0,
                (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"),
                Alloc, 0, 0);
            if(hThread)
            {
                // The thread exit code is LoadLibraryA's return value: the HMODULE, or 0 on
                // failure. A timed-out wait also leaves dwExitCode at 0, so the caller cannot
                // tell a slow load from a failed one.
                if(WAIT_OBJECT_0 == WaitForSingleObject(hThread, 5000))
                {
                    GetExitCodeThread(hThread, &dwExitCode);
                }
                CloseHandle(hThread);
            }
            VirtualFreeEx(hProcess, Alloc, 0, MEM_RELEASE);
        }
        return (dwExitCode != 0);
    }

This is basically taken from the source atomos posted at RES some time ago. The code works fine for most apps, but for one it just fails. All APIs succeed, only the thread exit code is 0, i.e. LoadLibrary was unable to load the dll. However, if I load the app into Olly and use Ollyadvanced to inject the dll, it works just fine. I looked at what it does internally and it seems to write a piece of code that calls LoadLibraryA and sets EIP to that memory. Could this fail because of missing privileges? Any help much appreciated.
ghandi Posted May 1, 2009

Looking at this code, it creates a remote thread at LoadLibraryA itself, with the parameter for the thread being the address of the dll string (which was written in after some memory is allocated for this). There is no ExitThread because the RET 4 from LoadLibraryA will be returning directly to the kernel code where the thread proc was called from, and ExitThread can be found there... This looks very neat, as there is no extra code written; it's making use of the kernel code already there. Clever.

HR, Ghandi
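The pattern ghandi describes (a remote thread whose start address is the LoadLibraryA export in kernel32) is exactly what Sysmon's Event ID 8 (CreateRemoteThread) records in its StartModule/StartFunction fields. As an added example, not code from the thread, here is a small detector that walks exported Sysmon XML and flags remote threads that start at any LoadLibrary export; the event records, paths and PIDs are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Exports that the CreateRemoteThread -> LoadLibrary pattern uses as the
# remote thread's start routine (the injector above passes LoadLibraryA).
LOADER_ENTRY_POINTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records in exported-XML
# shape; the paths, PIDs and names are sample values, not real telemetry.
SAMPLE_EVENTS = """<Events>
<Event><System><EventID>8</EventID></System><EventData>
<Data Name="SourceImage">C:\\tools\\injector.exe</Data>
<Data Name="TargetImage">C:\\Games\\target.exe</Data>
<Data Name="TargetProcessId">5208</Data>
<Data Name="StartModule">C:\\Windows\\System32\\KERNEL32.DLL</Data>
<Data Name="StartFunction">LoadLibraryA</Data>
</EventData></Event>
<Event><System><EventID>8</EventID></System><EventData>
<Data Name="SourceImage">C:\\Program Files\\Vendor\\agent.exe</Data>
<Data Name="TargetImage">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetProcessId">3344</Data>
<Data Name="StartModule">C:\\Program Files\\Vendor\\hook.dll</Data>
<Data Name="StartFunction">HookThreadMain</Data>
</EventData></Event>
<Event><System><EventID>8</EventID></System><EventData>
<Data Name="SourceImage">C:\\tools\\dbg.exe</Data>
<Data Name="TargetImage">C:\\apps\\victim.exe</Data>
<Data Name="TargetProcessId">7100</Data>
<Data Name="StartModule">C:\\Windows\\System32\\KERNEL32.DLL</Data>
<Data Name="StartFunction">LoadLibraryW</Data>
</EventData></Event>
</Events>"""


def find_loader_injections(xml_text):
    """Return one finding per Event ID 8 whose new thread starts at a LoadLibrary export."""
    findings = []
    for event in ET.fromstring(xml_text).iter("Event"):
        if event.findtext("System/EventID") != "8":
            continue
        # Map each <Data Name=...> child to its text so fields can be looked up by name.
        f = {d.get("Name"): (d.text or "") for d in event.iter("Data")}
        if f.get("StartFunction") not in LOADER_ENTRY_POINTS:
            continue  # other remote threads need more context to judge
        findings.append({
            "source": f.get("SourceImage", ""),
            "target": f.get("TargetImage", ""),
            "target_pid": int(f.get("TargetProcessId", "0")),
            "entry": f"{f.get('StartModule', '')}!{f['StartFunction']}",
        })
    return findings
```

Sysmon only fills StartFunction when the start address resolves to an export, so this catches the classic LoadLibrary variant; the Ollyadvanced approach Killboy mentions (a written-out stub calling LoadLibraryA) would show an unresolved start address instead.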
Loveless Posted May 1, 2009 (edited)

Yeah, it's standard code in some game hacks I analyze from time to time. I think the problem may be in the entry of your DLL. I remember a lot of the DLLs I analyzed called DisableThreadLibraryCalls or some API with a similar name like that. You might want to look into that.

Edited May 1, 2009 by Loveless
GamingMasteR Posted May 1, 2009 (edited)

Hi Killboy, is it possible to upload that exe?

Edited May 1, 2009 by GamingMasteR
Killboy (Author) Posted May 1, 2009

Hm, it's 60MB so uploading is not really an option :/ I sort of fixed it. I forgot to remove a breakpoint on an API that seems to have been called from within LoadLibraryA. Kinda weird, as the debug thread should have taken care of it. Thanks for your help.