Tuts 4 You

dll injection


deepzero


Hey,

I am trying to inject a dll into another running process.

This is my code:

HANDLE Proc;
char buf[111]={0};
LPVOID Remotestr, LoadLib;
DWORD ProcessID = 2768; //process ID of explorer.exe
char DLL_NAME[222] = "C:\\t.dll"; //here's my dll!
Proc = OpenProcess(PROCESS_CREATE_THREAD, FALSE, ProcessID);
LoadLib = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
Remotestr = (LPVOID)VirtualAllocEx(Proc, NULL, 1000, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
cout << GetLastError(); //debugging
...

I would now continue with WriteProcessMemory & CreateRemoteThread, but VirtualAllocEx fails! :kick:

The error code is "5".

any ideas? :turned:


Hi

Here is a good paper on DLL injection:
http://docs.google.com/viewer?a=v&q=cache:hfB2N80bqOEJ:www.milw0rm.com/papers/275+masm32+CreateRemoteThread&hl=de&gl=de&pid=bl&srcid=ADGEESjHoeDbUMG8pnPbuNozhza6tMZut1W0rE1y2lewaDr0HFoPPJkR1HTgE_ccpgEbN3Vnzhh75FHRe0xlYySlhUIwBz2rGhpwjF4HvoYejFRnWec3tu0uvziJj5QvsXVgLhGXndHK&sig=AHIEtbRmWY-On36lSw5i4QhMDDjCSdvXWw

Sorry, it is only in masm32.


.. are you sure you can combine MEM_RESERVE|MEM_COMMIT? (for me MEM_COMMIT is just enough), and PROCESS_CREATE_THREAD must be with PROCESS_VM_OPERATION in order to allow such allocations.

Edited by Deathway

I have found a good C/C++ tutorial on my drive:

Introduction

In this tutorial I'll try to cover all of the known methods (or at least, those that I know =p) of injecting DLLs into a process.

DLL injection is incredibly useful for TONS of stuff (game hacking, function hooking, code patching, keygenning, unpacking, etc.).

Though there are scattered tutorials on these techniques available throughout the web, I have yet to see any complete tutorials detailing all of them (there may even be more out there than I have here, of course), and comparing their respective strengths and weaknesses.

This is precisely what I'll attempt to do for you in this paper. You are free to reproduce or copy this paper, so long as proper credit is given and you don't modify it without speaking to me first.

The CreateRemoteThread method

I've used this in tons of stuff, and I only recently realized that a lot of people have never seen it, or know how to do it.

I can't take credit for thinking it up... I got it from an article on codeproject, but it's a neat trick that I think more people should know how to use.

The trick is simple, and elegant. The Windows API provides us with a function called CreateRemoteThread(). This allows you to start a thread in another process. For our purposes, I'll assume you know how threading works, and how to use functions like CreateThread (if not, you can go here). The main disadvantage of this method is that it will work only on Windows NT and above.

To prevent it from crashing, you should use this function to check to make sure you're on an NT-based system (thanks to CatID for pointing this out):

Code:

bool IsWindowsNT()
{
    // check current version of Windows
    DWORD version = GetVersion();
    // parse return (major/minor are not used by the check below; the high bit of
    // GetVersion() is set on Windows 9x/Me and clear on NT-based systems)
    DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));
    DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));
    return (version < 0x80000000);
}

The MSDN definition for CreateRemoteThread is as follows:

Code:

HANDLE CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize,
                          LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags,
                          LPDWORD lpThreadId);

So, it's essentially CreateThread, with an hProcess argument, so that we can tell it in which process to create the new thread.

Now, normally we would want to start the thread executing on some internal function of the process that we are interacting with.

However, to inject a dll, we have to do something a little bit different.

Code:

// CREATE_THREAD_ACCESS and DLL_NAME are the #defines from the complete source further down
BOOL InjectDLL(DWORD ProcessID)
{
    HANDLE Proc;
    char buf[50] = {0};
    LPVOID RemoteString, LoadLibAddy;
    SIZE_T len = strlen(DLL_NAME) + 1;   // copy the terminating NUL as well

    if(!ProcessID)
        return false;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if(!Proc)
    {
        sprintf(buf, "OpenProcess() failed: %lu", GetLastError());
        MessageBoxA(NULL, buf, "Loader", NULL);
        return false;
    }

    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(Proc, RemoteString, DLL_NAME, len, NULL);
    CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    CloseHandle(Proc);
    return true;
}

This code calls CreateRemoteThread() with an lpStartAddress of LoadLibrary(). So, it starts a new thread in the remote process and executes the LoadLibrary() function. Luckily for us, this function takes only one argument, the name of the dll to load. We can pass this in the arg field of CreateRemoteThread(). However, there is a minor dilemma. Since this thread will not be executing in our address space, it won't be able to refer to strings (such as the name of the dll) that are in our address space. So, before calling CreateRemoteThread(), we have to allocate space in the other process, using VirtualAllocEx(), and write our string there. Finally, we pass the pointer to the string inside the remote process in the single arg field of CreateRemoteThread(), and voila... Our dll is now loaded and running smoothly within the remote process. This is the generic loader program I use whenever I need to load a dll.

Complete source

CreateRemoteThread complete example source code

Code:

// Built as an ANSI (non-UNICODE) C++ file; StrStrIA needs shlwapi.lib.
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#define PROCESS_NAME "target.exe"
#define DLL_NAME "injected.dll"

//I could just use PROCESS_ALL_ACCESS but it's always best to use the absolute bare minimum of privileges, so that your code works in as
//many circumstances as possible.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL LoadDll(const char *procName, const char *dllName);
BOOL InjectDLL(DWORD ProcessID, const char *dllName);
unsigned long GetTargetProcessIdFromProcname(const char *procName);

bool IsWindowsNT()
{
    // check current version of Windows: the high bit of GetVersion() is set on
    // Windows 9x/Me and clear on NT-based systems
    DWORD version = GetVersion();
    return (version < 0x80000000);
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    if(IsWindowsNT())
        LoadDll(PROCESS_NAME, DLL_NAME);
    else
        MessageBoxA(0, "Your system does not support this method", "Error!", 0);
    return 0;
}

BOOL LoadDll(const char *procName, const char *dllName)
{
    // the process lookup is GetTargetProcessIdFromProcname (declared above); it returns 0 when nothing matched
    DWORD ProcID = GetTargetProcessIdFromProcname(procName);
    if(!ProcID)
    {
        MessageBoxA(NULL, "Process not found", "Loader", NULL);
        return false;
    }
    if(!InjectDLL(ProcID, dllName))
    {
        MessageBoxA(NULL, "Process located, but injection failed", "Loader", NULL);
        return false;
    }
    return true;
}

BOOL InjectDLL(DWORD ProcessID, const char *dllName)
{
    HANDLE Proc, hThread;
    char buf[50] = {0};
    LPVOID RemoteString, LoadLibAddy;
    SIZE_T len = strlen(dllName) + 1;   // copy the terminating NUL so LoadLibraryA sees a complete string

    if(!ProcessID)
        return false;

    Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);
    if(!Proc)
    {
        sprintf(buf, "OpenProcess() failed: %lu", GetLastError());
        MessageBoxA(NULL, buf, "Loader", NULL);
        return false;
    }

    // kernel32.dll is loaded at the same address in every process of the same bitness on a given boot,
    // so the local address of LoadLibraryA is valid inside the target as well
    LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

    // VirtualAllocEx needs PROCESS_VM_OPERATION; WriteProcessMemory additionally needs PROCESS_VM_WRITE
    RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
    if(!RemoteString || !WriteProcessMemory(Proc, RemoteString, dllName, len, NULL))
    {
        CloseHandle(Proc);
        return false;
    }

    hThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
    if(hThread)
        CloseHandle(hThread);
    CloseHandle(Proc);
    return hThread != NULL;
}

unsigned long GetTargetProcessIdFromProcname(const char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot;
    BOOL retval, ProcFound = false;

    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(thSnapshot == INVALID_HANDLE_VALUE)
    {
        MessageBoxA(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return 0;
    }

    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while(retval)
    {
        if(StrStrIA(pe.szExeFile, procName))
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot, &pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);

    // only report a PID when the name actually matched; otherwise the last enumerated entry would be returned
    return ProcFound ? pe.th32ProcessID : 0;
}

Edited by ragdog
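The loader above leaves a very recognisable trace: a thread created in another process whose start address is kernel32!LoadLibraryA. Sysmon records exactly that as Event ID 8 ("CreateRemoteThread detected"), with SourceImage, TargetImage, StartModule and StartFunction fields. The following is an added example, not code from this thread or from ragdog's tutorial: a small Python checker that scores such events. The three sample events are constructed, the flattened "key=value" line layout is an assumed export format, and the function names (parse_event, assess, analyze) are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample telemetry (not real logs): Sysmon Event ID 8 flattened to one
# "key=value ..." line per event. Field names follow Sysmon; the layout is assumed.
SAMPLE_EVENTS = [
    # The case from this thread: a loader starts a thread in explorer.exe at kernel32!LoadLibraryA.
    r"EventID=8 UtcTime=2024-01-01 10:00:00.000 SourceProcessId=4120 SourceImage=C:\Users\dev\loader.exe "
    r"TargetProcessId=2768 TargetImage=C:\Windows\explorer.exe NewThreadId=5012 "
    r"StartAddress=0x00007FFB7A5D2140 StartModule=C:\Windows\System32\KERNEL32.DLL StartFunction=LoadLibraryA",
    # A debugger attaching: module-backed start in ntdll, ordinary target process.
    r"EventID=8 UtcTime=2024-01-01 10:01:00.000 SourceProcessId=3300 SourceImage=C:\Tools\debugger.exe "
    r"TargetProcessId=6100 TargetImage=C:\Users\dev\app.exe NewThreadId=6140 "
    r"StartAddress=0x00007FFB7C1E0A00 StartModule=C:\Windows\System32\ntdll.dll StartFunction=DbgUiRemoteBreakin",
    # Start address not backed by any module (empty StartModule), into a system process.
    r"EventID=8 UtcTime=2024-01-01 10:02:00.000 SourceProcessId=7788 SourceImage=C:\Users\dev\AppData\Local\Temp\x.exe "
    r"TargetProcessId=900 TargetImage=C:\Windows\System32\svchost.exe NewThreadId=912 "
    r"StartAddress=0x000001C2A4B70000 StartModule= StartFunction=",
]

# A value runs until the next " key=" token, so paths containing spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADLIBRARY_MODULES = {"kernel32.dll", "kernelbase.dll"}
# explorer.exe is the target used in this thread; the others are common hosts for injected code.
SENSITIVE_TARGETS = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "csrss.exe"}


def parse_event(line: str) -> dict:
    """Turn one flattened key=value line into a dict of field -> value."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Last path component, lower-cased, for case-insensitive image comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    source: str
    target: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        return "high" if len(self.reasons) >= 2 else "medium"


def assess(event: dict):
    """Return a Finding for a suspicious Event ID 8, or None for anything else."""
    if event.get("EventID") != "8":
        return None
    reasons = []
    # Tolerate a "module!function" spelling of StartFunction by keeping only the function name.
    start_func = event.get("StartFunction", "").split("!")[-1]
    start_module = basename(event.get("StartModule", ""))
    target = basename(event.get("TargetImage", ""))

    if start_func in LOADLIBRARY_EXPORTS and start_module in LOADLIBRARY_MODULES:
        reasons.append(f"remote thread entry is {start_module}!{start_func}: "
                       "classic DLL injection (ATT&CK T1055.001)")
    if not start_module:
        reasons.append("thread start address is not backed by any loaded module")
    if target in SENSITIVE_TARGETS:
        reasons.append(f"target {target} is a commonly abused host process")
    if not reasons:
        return None
    return Finding(event.get("SourceImage", "?"), event.get("TargetImage", "?"), reasons)


def analyze(lines):
    """Run assess() over every line and collect the findings in input order."""
    findings = []
    for line in lines:
        finding = assess(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source} -> {f.target}")
        for reason in f.reasons:
            print("   -", reason)
```

Run as a script it flags the first and third sample events and stays quiet on the debugger attach. In a real deployment the LoadLibrary rule is the one with the best signal: legitimate cross-process threads rarely start at a LoadLibrary export, whereas the technique in this thread always does, so an allowlist of known tooling (source and target image pairs) is usually all that is needed on top of it.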

cheers @Deathway!

Indeed, I needed more rights when opening the process:

Proc = OpenProcess(PROCESS_VM_WRITE|PROCESS_CREATE_THREAD|PROCESS_VM_OPERATION, FALSE, ProcessID);

Thanks anyways for the tut, ragdog! :)

It's working now, dll successfully injected into explorer.exe!! :rule1::rolleyes:

