Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Dll injection failing ... sometimes ...


Hi,

I'm using this code to inject a dll into a process:

#include <windows.h>
#include <stdbool.h>
#include <string.h>

// Allocate a buffer in the target, write the DLL path into it, then start a
// remote thread directly at kernel32!LoadLibraryA with the buffer as the thread
// parameter. LoadLibraryA's return value (the HMODULE) becomes the thread exit
// code, so an exit code of 0 means the load failed.
bool InjectDll(HANDLE hProcess, char * Dll)
{
    size_t AllocSize;
    void * Alloc;
    HANDLE hThread;
    DWORD dwExitCode = 0;

    AllocSize = strlen(Dll) + 1;
    Alloc = VirtualAllocEx(hProcess, 0, AllocSize, MEM_COMMIT, PAGE_READWRITE);
    if(Alloc)
    {
        // Only start the thread if the path actually reached the target
        if(WriteProcessMemory(hProcess, Alloc, Dll, AllocSize, 0))
        {
            hThread = CreateRemoteThread(hProcess, 0, 0,
                (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA"),
                Alloc, 0, 0);
            if(hThread)
            {
                // 5 second timeout; on timeout dwExitCode stays 0 and the
                // buffer below is freed while the thread may still be running
                if(WAIT_OBJECT_0 == WaitForSingleObject(hThread, 5000))
                {
                    GetExitCodeThread(hThread, &dwExitCode);
                }
                CloseHandle(hThread);
            }
        }
        VirtualFreeEx(hProcess, Alloc, 0, MEM_RELEASE);
    }
    return (dwExitCode != 0);
}

This is basically taken from the source atomos posted at RES some time ago.

The code works fine for most apps but for one it just fails. All APIs succeed, only the thread exit code is 0.

i.e. LoadLibrary was unable to load the DLL.

However, if I load the app into Olly and use OllyAdvanced to inject the DLL, it works just fine.

I looked at what it does internally and it seems to write a piece of code that calls LoadLibraryA and sets EIP to that memory.

Could this fail because of missing privileges?

Any help much appreciated :)

Looking at this code, it creates a remote thread at LoadLibraryA itself, with the parameter for the thread being the address of the dll string (which was written in after some memory is allocated for this). There is no ExitThread because the RET 4 from LoadLibraryA will be returning directly to the kernel code where the thread proc was called from and ExitThread can be found there...

This looks very neat, as there is no extra code written, it's making use of the kernel code already there. Clever.

HR,

Ghandi

Yeah it's standard code in some game hacks I analyze from time to time. I think the problem may be in the entry of your DLL. I remember a lot of the DLLs I analyzed called DisableThreadLibraryCalls or some API with a similar name like that. You might want to look into that.

Edited by Loveless

Hi Killboy,

Is it possible to upload that exe?

Edited by GamingMasteR


Hm it's 60MB so uploading is not really an option :/

I sort of fixed it. I forgot to remove a breakpoint on an API that seems to have been called from within LoadLibraryA.

Kinda weird as the debug thread should have taken care of it.

Thanks for your help :)
