[WinAPI] Injecting a DLL into a process

Source-code only - please, don't post questions here.
Cherry
Posts: 337
Joined: Oct 23, 2007 12:06
Location: Austria

Postby Cherry » Apr 13, 2009 9:44

This code injects a dll into a process. The dll is then running in the victim's address space and is able to directly access the victim's memory, subclass its windows, and so on.

This method doesn't work with Win95/98/ME.

some_dll.bas (compile to dll)

#Include "windows.bi"

' Module-level code of a FreeBASIC DLL runs when the library is attached to a process,
' so this message box is shown from inside whatever process loads the DLL.
MessageBox(NULL, "I am injected!!! I am now running in the victim's address space.", "some_dll", MB_OK)

Sub _foo_() Export: End Sub ' compiling a dll without an exported function fails

inject.bas (compile to exe)

#Include "windows.bi"

Function InjectDLL(hProcess As HANDLE, dllpath As String) As HMODULE
   ' get module handle of kernel32.dll (mapped at the same base address in every process,
   ' so the LoadLibraryA address found here is valid in the victim too)
   Var kernel32 = GetModuleHandle("Kernel32")
   Var pLoadLibrary = GetProcAddress(kernel32, "LoadLibraryA")
   If pLoadLibrary = NULL Then Return NULL

   ' allocate space for dll name (including the terminating NUL) in victim's address space
   Var size = Len(dllpath) + 1
   Var addr = VirtualAllocEx(hProcess, NULL, size, MEM_COMMIT, PAGE_READWRITE)
   If addr = NULL Then Return NULL

   ' write dll name into newly allocated memory
   If WriteProcessMemory(hProcess, addr, StrPtr(dllpath), size, NULL) = FALSE Then
      VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE)
      Return NULL
   EndIf

   ' call LoadLibrary in victim's address space in order to load our dll
   Var hThread = CreateRemoteThread(hProcess, NULL, 0, Cast(LPTHREAD_START_ROUTINE, pLoadLibrary), addr, 0, NULL)

   ' the remote thread reads the dll name from addr, so wait for it before freeing the buffer
   Dim hDllModule As HMODULE = NULL
   If hThread <> NULL Then
      WaitForSingleObject(hThread, INFINITE)

      ' LoadLibrary's return value is the thread's exit code (a 32-bit DWORD, so it is
      ' truncated on 64-bit Windows; the NULL check still works)
      Dim exitCode As DWORD
      If GetExitCodeThread(hThread, @exitCode) Then hDllModule = Cast(HMODULE, exitCode)
      CloseHandle(hThread)
   EndIf

   ' free memory used for dll name (MEM_RELEASE requires a size of 0)
   VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE)

   Return hDllModule
End Function

' *** TEST: Inject some dll into calc ***

' check if WinNT/2000/XP/Vista is used (IsOS is exported from shlwapi by ordinal 437 only)
Var shlwapi = LoadLibrary("shlwapi")
Dim IsOS As Function(As DWORD) As BOOL = Cast(Any Ptr, GetProcAddress(shlwapi, Cast(LPCSTR, 437)))
#Define OS_NT 1
If IsOS = NULL OrElse IsOS(OS_NT) = FALSE Then
   Print "operating system not supported"
   Sleep
   FreeLibrary(shlwapi)
   End
EndIf
FreeLibrary(shlwapi)

' start calc (the STARTUPINFO size field must be filled in before CreateProcess)
Dim pi As PROCESS_INFORMATION
Dim si As STARTUPINFO
si.cb = SizeOf(si)
Var AppName = Environ("windir") & "\system32\calc.exe"
If CreateProcess(StrPtr(AppName), StrPtr(AppName), NULL, NULL, FALSE, 0, NULL, NULL, @si, @pi) = FALSE Then
   Print "starting calculator failed"
   Sleep
   End
EndIf

' wait for app to be ready
WaitForInputIdle(pi.hProcess, INFINITE)

' inject the dll
Var hDllModule = InjectDLL(pi.hProcess, "some_dll.dll")
If hDllModule = NULL Then
   Print "injecting dll failed"
   Sleep
   End
EndIf
Print "successful! hModule of dll: 0x" & Hex(Cast(UInteger, hDllModule))
Sleep

' close handles
CloseHandle(pi.hProcess)
CloseHandle(pi.hThread)


greetings, Cherry
Last edited by Cherry on Sep 09, 2010 19:48, edited 1 time in total.
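A defender-side check for the pattern this post demonstrates, added here as an example and not code from the thread: it scans constructed CreateRemoteThread and image-load records (field names mirror Sysmon Event ID 8 and Event ID 7; the "key=value|key=value" line layout and every sample path are assumptions made for this example) and reports cross-process threads whose entry point is a LoadLibrary* export of kernel32, correlated with any DLL the target then loaded from outside the Windows directory.

```python
"""Detection sketch: remote threads whose entry point is a LoadLibrary export.

Added example, not code from the forum post. It assumes a "key=value|key=value"
record format (constructed for this example) whose field names mirror Sysmon
Event ID 8 (CreateRemoteThread) and Event ID 7 (Image loaded); the sample
records are constructed, not real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Exported loader routines a remote thread can be pointed at to pull a DLL
# into the target process; LoadLibraryA is the one the forum code uses.
LOADER_FUNCTIONS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
SYSTEM_DIR_PREFIX = "c:\\windows\\"   # modules under here are treated as expected

# Constructed sample records (not real logs). Lines 1 and 3 are remote threads
# started at LoadLibrary*, line 2 is an ordinary thread start, lines 4 and 5
# are modules the first target loaded afterwards.
SAMPLE_LOG = r"""
EventID=8|SourceImage=C:\Tools\inject.exe|TargetImage=C:\Windows\System32\calc.exe|StartModule=C:\Windows\System32\KERNEL32.DLL|StartFunction=LoadLibraryA
EventID=8|SourceImage=C:\Windows\System32\csrss.exe|TargetImage=C:\Windows\explorer.exe|StartModule=C:\Windows\System32\ntdll.dll|StartFunction=RtlUserThreadStart
EventID=8|SourceImage=C:\Program Files\Agent\agent.exe|TargetImage=C:\Windows\System32\svchost.exe|StartModule=C:\Windows\System32\KERNEL32.DLL|StartFunction=LoadLibraryW
EventID=7|Image=C:\Windows\System32\calc.exe|ImageLoaded=C:\Tools\some_dll.dll|Signed=false
EventID=7|Image=C:\Windows\System32\calc.exe|ImageLoaded=C:\Windows\System32\KERNEL32.DLL|Signed=true
"""


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str
    target_image: str
    start_module: str
    start_function: str


def parse_fields(line: str) -> Dict[str, str]:
    """Split one record into a field dictionary; malformed parts are skipped."""
    fields: Dict[str, str] = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key] = value
    return fields


def parse_remote_thread(line: str) -> Optional[RemoteThreadEvent]:
    """Return the CreateRemoteThread event on this line, or None for other records."""
    f = parse_fields(line)
    if f.get("EventID") != "8":
        return None
    try:
        return RemoteThreadEvent(f["SourceImage"], f["TargetImage"],
                                 f["StartModule"], f["StartFunction"])
    except KeyError:  # record is missing a field the rule needs
        return None


def is_loader_thread(ev: RemoteThreadEvent) -> bool:
    """True when the thread starts at a LoadLibrary* export inside kernel32."""
    return (ev.start_function in LOADER_FUNCTIONS
            and ev.start_module.lower().endswith("kernel32.dll"))


def modules_loaded_by(log_text: str) -> Dict[str, List[str]]:
    """Map each process image (lower-cased) to the modules it loaded (Event ID 7)."""
    loads: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("EventID") == "7" and "Image" in f and "ImageLoaded" in f:
            loads.setdefault(f["Image"].lower(), []).append(f["ImageLoaded"])
    return loads


def find_injections(log_text: str) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (source, target, start_function, suspicious_module) for each
    cross-process thread that starts at LoadLibrary*; suspicious_module is the
    first DLL the target loaded from outside the Windows directory, or None."""
    loads = modules_loaded_by(log_text)
    hits: List[Tuple[str, str, str, Optional[str]]] = []
    for line in log_text.splitlines():
        ev = parse_remote_thread(line)
        if ev is None or not is_loader_thread(ev):
            continue
        if ev.source_image.lower() == ev.target_image.lower():
            continue  # a process loading into itself is not remote injection
        foreign = [m for m in loads.get(ev.target_image.lower(), [])
                   if not m.lower().startswith(SYSTEM_DIR_PREFIX)]
        hits.append((ev.source_image, ev.target_image, ev.start_function,
                     foreign[0] if foreign else None))
    return hits


if __name__ == "__main__":
    for src, dst, fn, mod in find_injections(SAMPLE_LOG):
        print(f"{src} -> {dst} via {fn}; loaded: {mod or 'no non-system module seen'}")
```

Run against the sample it reports two hits: inject.exe into calc.exe (with some_dll.dll as the module that followed) and agent.exe into svchost.exe (no non-system load seen). The second shows why the rule needs an allow-list keyed on the source image, since endpoint agents and accessibility tools use the same API path legitimately; the rule also depends on the StartFunction field having been resolved, so a thread started at an unresolved address in kernel32 should be reviewed separately rather than silently dropped.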
JaDogg
Posts: 344
Joined: Apr 13, 2008 12:11
Location: Sri Lanka - Negombo

Postby JaDogg » Feb 14, 2010 3:39

cool
agamemnus
Posts: 1842
Joined: Jun 02, 2005 4:48

Postby agamemnus » Feb 14, 2010 5:24

vic-tim?...
Pritchard
Posts: 5418
Joined: Sep 12, 2005 20:06
Location: Ohio, USA

Postby Pritchard » Feb 18, 2010 14:03

As if necro-ing isn't bad enough. A malicious post, though?
creek23
Posts: 260
Joined: Sep 09, 2007 1:57
Location: Philippines

Postby creek23 » Feb 18, 2010 14:46

old post but good one.

malicious? that's debatable.

cheers!
Cherry
Posts: 337
Joined: Oct 23, 2007 12:06
Location: Austria

Postby Cherry » Mar 15, 2010 13:27

Of course this can be used for something malicious too.

But this is not the only use ;)

I am using it here, because uncommon clipboard content (like the formats used by RPG Maker 2000/2003) aren't shared between different processes in Wine, so the only way to make my tool (which is operating with RPG Maker's clipboard data) work with Wine was to inject it into RPG Maker.

Thanks for pushing then.
JaDogg
Posts: 344
Joined: Apr 13, 2008 12:11
Location: Sri Lanka - Negombo

Postby JaDogg » Mar 22, 2010 5:11

also there are more uses, for example creating an app which shows behind ********* like passwords

and also to add functions to already compiled apps without reversing them
Pritchard
Posts: 5418
Joined: Sep 12, 2005 20:06
Location: Ohio, USA

Postby Pritchard » Mar 22, 2010 22:29

Cheers. I saw "victim" and reacted.

Occasionally someone thinks programming is "w4y h4xx0r k0o1" and decides to post "awsum h4x code!!!"
Cherry
Posts: 337
Joined: Oct 23, 2007 12:06
Location: Austria

Postby Cherry » Mar 23, 2010 9:43

7415 (0|)3 VV45|\|7 |V|34|\|7 70 |33 |_|53|) |=02 |-|4XX1|\|6 |°|_|2|°0535!

I didn't realize that the usage of "victim" has this effect^^
Pritchard
Posts: 5418
Joined: Sep 12, 2005 20:06
Location: Ohio, USA

Postby Pritchard » Mar 23, 2010 13:55

Oh my God. I can read that.
