iceberg
Posted August 4, 2021

Hi folks, I hope you're doing well.

I made a simple DLL injector in .NET which appears to work just fine. I tested it using MegaDumper: when I dump the process, I find the injected DLL in the folder called Dumps. This is the code that I used:

```vbnet
Public Function inject() As Integer
    Dim targetProcess As Process
    For Each pro As Process In Process.GetProcesses
        If pro.MainWindowTitle = "test" Then
            targetProcess = pro
            Exit For
        End If
    Next
    Dim procHandle As IntPtr = OpenProcess(PROCESS_CREATE_THREAD Or PROCESS_QUERY_INFORMATION Or PROCESS_VM_OPERATION Or PROCESS_VM_WRITE Or PROCESS_VM_READ, False, targetProcess.Id)
    Dim loadLibraryAddr As IntPtr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
    Dim dllName As String = "injectme.dll"
    Dim allocMemAddress As IntPtr = VirtualAllocEx(procHandle, IntPtr.Zero, CUInt(((dllName.Length + 1) * Marshal.SizeOf(GetType(Char)))), MEM_COMMIT Or MEM_RESERVE, PAGE_READWRITE)
    Dim bytesWritten As UIntPtr
    WriteProcessMemory(procHandle, allocMemAddress, Encoding.[Default].GetBytes(dllName), CUInt(((dllName.Length + 1) * Marshal.SizeOf(GetType(Char)))), bytesWritten)
    CreateRemoteThread(procHandle, IntPtr.Zero, 0, loadLibraryAddr, allocMemAddress, 0, IntPtr.Zero)
    Return 1
End Function
```

I also wrote a simple DLL which pops up a messagebox, with no exported functions. This is the code:

```vbnet
Public Const DLL_PROCESS_DETACH = 0
Public Const DLL_PROCESS_ATTACH = 1
Public Const DLL_THREAD_ATTACH = 2
Public Const DLL_THREAD_DETACH = 3

Public Function DllMain(ByVal hInst As Long, ByVal fdwReason As Long, ByVal lpvReserved As Long) As Boolean
    Select Case fdwReason
        Case DLL_PROCESS_DETACH
        Case DLL_PROCESS_ATTACH
            MsgBox("Injected !")
            DllMain = True
        Case DLL_THREAD_ATTACH
        Case DLL_THREAD_DETACH
    End Select
    Return True
End Function
```

But the problem is that when I inject this DLL, the messagebox doesn't appear.

After searching the forum for answers I found a great tutorial, and it was exactly what I was looking for: "Injecting a dll into a running process".

I tried to run Compiled Program.exe but I got an error. I checked the dependencies and found 2 DLLs missing, but when I installed Visual C++ 2008 the executable worked fine. It says "Injection Successful!", but when I hit the hotkey (F2) as mentioned in the tutorial I don't get any messagebox from Notepad. Maybe because I'm using Windows 10, 64 bit?

I checked Tutorial.dll and it didn't have any exported functions. I tried to compile the code by myself, but this time I get "Injection failed" each time I run the injector.

I spent the whole night trying to get this code to work... If someone could reproduce this code in C# or VB.NET, that would be great. I don't want to use hotkeys; I want to make an injector which injects a DLL directly to get executed in the external process memory.

There are a couple of things I couldn't understand:

How did MessageBox get executed without being defined in the exported functions (in the tutorial)?

Why didn't the executable work the first time, but when I installed Visual C++ 2008 it worked even though dependencies are still missing?

By the way, if anyone still has some tutorials from AstaCrackingTeam, please share them with me.

Thanks in advance.
IB. Greetz

Kurapica
Posted August 4, 2021

So many possibilities, but as a first step, open your target in a debugger, x64dbg for example, and check what the injection has changed.

Check the IAT for MessageBoxA and MessageBoxW before and after injection to see if it has even patched those addresses or not.

aIjundi
Posted August 4, 2021

I have not tried it, but the injector code seems fine. I think the issue is that you can't inject .NET DLLs the same way you inject native DLLs.

iceberg (Author)
Posted August 4, 2021

5 hours ago, Kurapica said:
> So many possibilities, but as a first step, open your target in a debugger, x64dbg for example, and check what the injection has changed. Check the IAT for MessageBoxA and MessageBoxW before and after injection to see if it has even patched those addresses or not.

Hi Kurapica,

I'm not sure what you mean. I'm not talking about memory patching, so I guess there is no need to check the IAT. Also, the injector (Compiled Program.exe) is a managed assembly which can't be loaded in x64dbg. If you're talking about the target (Notepad.exe), I guess there is no need to check the IAT because the injector doesn't patch the MessageBoxW function; instead it displays its own messagebox, which is located in the DLL itself (using the F2 hotkey to trigger it).

1 hour ago, aIjundi said:
> I have not tried it, but the injector code seems fine. I think the issue is that you can't inject .NET DLLs the same way you inject native DLLs.

Hello Aljundi,

For your information, Tutorial.dll is a native DLL.

Kurapica
Posted August 4, 2021

My bad, I didn't follow the tutorial you mentioned. I remember I tried doing that a long time ago; somehow CreateRemoteThread failed, and there was a long discussion about the fix on BlackStorm Forums, but unfortunately it's closed now.

Anyway, since you are injecting the DLL into Notepad, make sure to load Notepad.exe inside a debugger "BEFORE INJECTION" and set a BP on DllLoad or ThreadEntry in the debugger options. Once the DLL is loaded, the debugger should break somehow; that's where you should start tracing your bug.

atom0s
Posted August 5, 2021

Couple of things to keep in mind:

- You mentioned the target is 64bit; you need to make sure you are compiling your stuff for 64bit as well then. (Unless you understand how to inject in mixed modes properly and bypass any limitations attempted by the OS/system etc. But in this example you're just doing basic injection, so be sure it's compiled for 64bit.)
- Keep in mind, .NET string objects are not char arrays, and the 'Default' encoding type is not going to get you the kind of bytes you need for injection usually. Instead, specifically use the Encoding.UTF8 encoder and try again.
- The example DLL code you showed is VB.NET. VB.NET does not create native binaries. You cannot inject a .NET binary the same way as you are doing here; you need to do other steps to load the .NET framework and create an instance of your desired object and invoke that etc.

iceberg (Author)
Posted August 5, 2021

13 hours ago, atom0s said:
> Couple of things to keep in mind:
>
> - You mentioned the target is 64bit; you need to make sure you are compiling your stuff for 64bit as well then. (Unless you understand how to inject in mixed modes properly and bypass any limitations attempted by the OS/system etc. But in this example you're just doing basic injection, so be sure it's compiled for 64bit.)
> - Keep in mind, .NET string objects are not char arrays, and the 'Default' encoding type is not going to get you the kind of bytes you need for injection usually. Instead, specifically use the Encoding.UTF8 encoder and try again.
> - The example DLL code you showed is VB.NET. VB.NET does not create native binaries. You cannot inject a .NET binary the same way as you are doing here; you need to do other steps to load the .NET framework and create an instance of your desired object and invoke that etc.

Hi atom0s, thanks for your reply.

I used a DLL injector and the same DLL from the tutorial (Tutorial.dll), and I compiled a simple WinForms application (32bit), and it worked (when pressing F2).

But as I mentioned earlier, I don't want a native DLL, so I compiled my messagebox DLL (32bit) and tried to inject it, and it didn't work.

If you can help with a code snippet, that would be awesome.

Thanks in advance.

atom0s
Posted August 6, 2021

8 hours ago, iceberg said:
> But as I mentioned earlier, I don't want a native DLL

Then you need to read up on how to properly inject a non-native DLL. It is not the same as just loading it into the remote process via LoadLibraryA/W. It is then up to you to load the .NET framework (as needed by your unmanaged DLL if you are compiling it with VB.NET as you were in the first post) and specifically create an instance of the DLL's main class and invoke a method within it. VB.NET and C# modules do not have a normal DllMain that is invoked that is exposed to you to code yourself.

Inception
Posted August 7, 2021

On 8/5/2021 at 10:27 PM, iceberg said:
> Hi atom0s, thanks for your reply.
>
> I used a DLL injector and the same DLL from the tutorial (Tutorial.dll), and I compiled a simple WinForms application (32bit), and it worked (when pressing F2).
>
> But as I mentioned earlier, I don't want a native DLL, so I compiled my messagebox DLL (32bit) and tried to inject it, and it didn't work.
>
> If you can help with a code snippet, that would be awesome.
>
> Thanks in advance.

https://github.com/HoLLy-HaCKeR/ManagedInjector

Try this injector, it works flawlessly for me (note you will need to follow what the GitHub page says).
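
Seen from the monitoring side, the CreateRemoteThread call with LoadLibraryA as the start routine that the first post uses is what Sysmon records as Event ID 8 with a resolved StartFunction. The following is an added example, not code from any poster in this thread; it assumes Sysmon's rendered `Key: value` message text, and the sample events (paths and process names) are constructed.

```python
import ntpath

# Start routines that make the new thread load the DLL named by its argument.
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Constructed sample: three Sysmon Event ID 8 (CreateRemoteThread) messages,
# reduced to the fields used here and separated by blank lines.
SAMPLE_LOG = r"""
SourceImage: C:\Users\lab\Desktop\Injector.exe
TargetImage: C:\Windows\System32\notepad.exe
StartModule: C:\Windows\System32\KERNEL32.DLL
StartFunction: LoadLibraryA

SourceImage: C:\Windows\System32\csrss.exe
TargetImage: C:\Windows\System32\cmd.exe
StartModule: C:\Windows\System32\KERNELBASE.dll
StartFunction: CtrlRoutine

SourceImage: C:\Tools\helper.exe
TargetImage: C:\Program Files\App\app.exe
StartModule: C:\Windows\System32\kernel32.dll
StartFunction: LoadLibraryW
"""

def parse_events(text):
    """Split rendered messages on blank lines and parse 'Key: value' fields."""
    events = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only; paths keep theirs
            if sep:
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def loadlibrary_injections(events):
    """Return (source, target, function) for remote threads that start at LoadLibrary."""
    hits = []
    for ev in events:
        module = ntpath.basename(ev.get("StartModule", "")).lower()
        function = ev.get("StartFunction", "")
        if module in LOADER_MODULES and function.lower() in LOADER_EXPORTS:
            hits.append((ntpath.basename(ev.get("SourceImage", "")),
                         ntpath.basename(ev.get("TargetImage", "")), function))
    return hits

if __name__ == "__main__":
    for hit in loadlibrary_injections(parse_events(SAMPLE_LOG)):
        print("remote LoadLibrary thread: %s -> %s (%s)" % hit)
```

The comparison is case-insensitive because the module name appears in different casings across systems; the csrss.exe event, whose start routine is not a loader export, is left out of the result.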