deepzero Posted July 3, 2010

Hey, I am trying to inject a dll into another running process. This is my code:

```cpp
HANDLE Proc;
char buf[111] = {0};
LPVOID Remotestr, LoadLib;
DWORD ProcessID = 2768;            // process ID of explorer.exe
char DLL_NAME[222] = "C:\\t.dll";  // here's my dll!

Proc = OpenProcess(PROCESS_CREATE_THREAD, FALSE, ProcessID);
LoadLib = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
Remotestr = (LPVOID)VirtualAllocEx(Proc, NULL, 1000, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
cout << GetLastError(); // debugging...
```

I would now continue with WriteProcessMemory & CreateRemoteThread, but VirtualAllocEx fails! The error code is "5". Any ideas?
ragdog Posted July 3, 2010

Hi

Here is a good paper on DLL injection:
http://docs.google.com/viewer?a=v&q=cache:hfB2N80bqOEJ:www.milw0rm.com/papers/275+masm32+CreateRemoteThread&hl=de&gl=de&pid=bl&srcid=ADGEESjHoeDbUMG8pnPbuNozhza6tMZut1W0rE1y2lewaDr0HFoPPJkR1HTgE_ccpgEbN3Vnzhh75FHRe0xlYySlhUIwBz2rGhpwjF4HvoYejFRnWec3tu0uvziJj5QvsXVgLhGXndHK&sig=AHIEtbRmWY-On36lSw5i4QhMDDjCSdvXWw

Sorry, it's only in masm32.
deepzero (Author) Posted July 3, 2010

Thank you! But I understood how it works; now it's "only" the coding, which gives me a headache...
Deathway Posted July 3, 2010 (edited)

.. are you sure you can combine MEM_RESERVE|MEM_COMMIT? (for me MEM_COMMIT is just enough), and PROCESS_CREATE_THREAD must be combined with PROCESS_VM_OPERATION in order to allow such allocations.

Edited July 3, 2010 by Deathway
ragdog Posted July 3, 2010 (edited)

I have found a good C/C++ tutorial on my drive:

Introduction

In this tutorial I'll try to cover all of the known methods (or at least, those that I know =p) of injecting dll's into a process. Dll injection is incredibly useful for TONS of stuff (game hacking, function hooking, code patching, keygenning, unpacking, etc..). Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them (there may even be more out there than I have here, of course), and comparing their respective strengths and weaknesses. This is precisely what I'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first.

The CreateRemoteThread method

I've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or know how to do it. I can't take credit for thinking it up... I got it from an article on codeproject, but it's a neat trick that I think more people should know how to use.

The trick is simple, and elegant. The Windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, I'll assume you know how threading works, and how to use functions like CreateThread (if not, you can go here). The main disadvantage of this method is that it will work only on Windows NT and above.

To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system (thanks to CatID for pointing this out):

Code:
```cpp
bool IsWindowsNT()
{
    // GetVersion() sets the high bit on Windows 95/98/Me; NT-based systems leave it clear
    DWORD version = GetVersion();
    return (version < 0x80000000);
}
```

The MSDN definition for CreateRemoteThread is as follows:

Code:
```cpp
HANDLE CreateRemoteThread(
    HANDLE hProcess,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    SIZE_T dwStackSize,
    LPTHREAD_START_ROUTINE lpStartAddress,
    LPVOID lpParameter,
    DWORD dwCreationFlags,
    LPDWORD lpThreadId
);
```

So, it's essentially CreateThread, with an hProcess argument, so that we can tell it in which process to create the new thread. Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with. However, to inject a dll, we have to do something a little bit different.

Code:
```cpp
BOOL InjectDLL(DWORD ProcessID)
{
    HANDLE Proc, Thread;
    char buf[50] = {0};
    LPVOID RemoteString, LoadLibAddy;
    SIZE_T len = strlen(DLL_NAME) + 1;   // include the terminating NUL; LoadLibraryA needs it

    if(!ProcessID)
        return false;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if(!Proc)
    {
        sprintf(buf, "OpenProcess() failed: %lu", GetLastError());
        MessageBox(NULL, buf, "Loader", NULL);
        return false;
    }

    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(Proc, RemoteString, DLL_NAME, len, NULL);
    Thread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if(Thread)
        CloseHandle(Thread);   // the thread handle was leaked in the original listing
    CloseHandle(Proc);
    return Thread != NULL;
}
```

This code calls CreateRemoteThread() with an lpStartAddress of LoadLibrary(). So, it starts a new thread in the remote process and executes the LoadLibrary() function. Luckily for us, this function takes only one argument, the name of the dll to load.

We can pass this in the arg field of CreateRemoteThread(). However, there is a minor dilemma. Since this thread will not be executing in our address space, it won't be able to refer to strings (such as the name of the dll) that are in our address space. So, before calling CreateRemoteThread(), we have to allocate space in the other process, using VirtualAllocEx(), and write our string there. Finally, we pass the pointer to the string inside the remote process in the single arg field of CreateRemoteThread(), and voila... Our dll is now loaded and running smoothly within the remote process.

This is the generic loader program I use whenever I need to load a dll.

Complete source (CreateRemoteThread complete example source code):

Code:
```cpp
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <shlwapi.h>              // StrStrI
#pragma comment(lib, "shlwapi.lib")

#define PROCESS_NAME "target.exe"
#define DLL_NAME "injected.dll"

// I could just use PROCESS_ALL_ACCESS but it's always best to use the absolute bare minimum of
// privileges, so that your code works in as many circumstances as possible.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL LoadDll(char *procName, char *dllName);
BOOL InjectDLL(DWORD ProcessID, char *dllName);
unsigned long GetTargetProcessIdFromProcname(char *procName);

bool IsWindowsNT()
{
    // GetVersion() sets the high bit on Windows 95/98/Me; NT-based systems leave it clear
    DWORD version = GetVersion();
    return (version < 0x80000000);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    if(IsWindowsNT())
        LoadDll(PROCESS_NAME, DLL_NAME);
    else
        MessageBox(0, "Your system does not support this method", "Error!", 0);
    return 0;
}

BOOL LoadDll(char *procName, char *dllName)
{
    DWORD ProcID = 0;
    ProcID = GetTargetProcessIdFromProcname(procName);   // the original called an undefined GetProcID()
    if(!ProcID)
    {
        MessageBox(NULL, "Process not found", "Loader", NULL);
        return false;
    }
    if(!(InjectDLL(ProcID, dllName)))
    {
        MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
        return false;
    }
    return true;
}

BOOL InjectDLL(DWORD ProcessID, char *dllName)
{
    HANDLE Proc, Thread;
    char buf[50] = {0};
    LPVOID RemoteString, LoadLibAddy;
    SIZE_T len = strlen(dllName) + 1;   // include the terminating NUL; LoadLibraryA needs it

    if(!ProcessID)
        return false;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if(!Proc)
    {
        sprintf(buf, "OpenProcess() failed: %lu", GetLastError());
        MessageBox(NULL, buf, "Loader", NULL);
        return false;
    }

    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if(!RemoteString || !WriteProcessMemory(Proc, RemoteString, dllName, len, NULL))
    {
        CloseHandle(Proc);
        return false;
    }

    Thread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if(Thread)
        CloseHandle(Thread);   // the thread handle was leaked in the original listing
    CloseHandle(Proc);
    return Thread != NULL;
}

unsigned long GetTargetProcessIdFromProcname(char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;

    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(thSnapshot == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while(retval)
    {
        if(StrStrI(pe.szExeFile, procName))
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);
    // the original returned whatever PID was left in pe even when nothing matched
    return ProcFound ? pe.th32ProcessID : 0;
}
```

Edited July 3, 2010 by ragdog
deepzero (Author) Posted July 3, 2010

cheers @Deathway! Indeed, I needed more rights when opening the process:

```cpp
Proc = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, ProcessID);
```

Thanks anyway for the tut, ragdog! It's working now, dll successfully injected into explorer.exe!!