[WinAPI] Injecting a DLL into a process

Cherry
Posts: 358
Joined: Oct 23, 2007 12:06
Location: Austria

Post by Cherry »

This code injects a dll into a process. The dll is then running in the victim's address space and is able to directly access the victim's memory, subclass its windows, and so on.

This method doesn't work with Win95/98/ME.

some_dll.bas (compile to dll)

Code:

#Include "windows.bi"

' module-level code of a dll runs while the dll is being attached (i.e. from DllMain, under the
' loader lock), so keep it short
MessageBox(NULL, "I am injected!!! I am now running in the victim's address space.", "some_dll", MB_OK)

Sub _foo_() Export: End Sub ' compiling a dll without an exported function fails

inject.bas (compile to exe)

Code:

#Include "windows.bi"

Function InjectDLL(hProcess As HANDLE, dllpath As String) As HMODULE
	' get module handle of kernel32.dll; it is mapped at the same address in every process,
	' so the address of LoadLibraryA found here is also valid inside the victim
	Var kernel32 = GetModuleHandle("Kernel32")
	Var pLoadLibrary = Cast(LPTHREAD_START_ROUTINE, GetProcAddress(kernel32, "LoadLibraryA"))
	If pLoadLibrary = NULL Then Return NULL

	' allocate space for dll name in victim's address space
	Var addr = VirtualAllocEx(hProcess, NULL, Len(dllpath) + 1, MEM_COMMIT, PAGE_READWRITE)
	If addr = NULL Then Return NULL

	' write dll name (including the terminating NUL) into newly allocated memory
	If WriteProcessMemory(hProcess, addr, StrPtr(dllpath), Len(dllpath) + 1, NULL) = FALSE Then
		VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE)
		Return NULL
	End If

	' call LoadLibrary in victim's address space in order to load our dll
	Var hThread = CreateRemoteThread(hProcess, NULL, 0, pLoadLibrary, addr, 0, NULL)

	Dim hDllModule As HMODULE = NULL
	If hThread <> NULL Then
		' wait until LoadLibrary has returned
		WaitForSingleObject(hThread, INFINITE)

		' the thread's exit code is LoadLibraryA's return value, i.e. the hModule of our dll
		' (an exit code is 32 bits, which is enough for 32-bit processes)
		Dim exitCode As DWORD
		If GetExitCodeThread(hThread, @exitCode) Then hDllModule = Cast(HMODULE, exitCode)
		CloseHandle(hThread)
	End If

	' free memory used for dll name - only now, after the remote thread has finished reading it
	' (MEM_RELEASE requires a size of 0)
	VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE)

	Return hDllModule
End Function

' *** TEST: Inject some dll into calc ***

' check if WinNT/2000/XP/Vista is used (IsOS is exported by shlwapi under ordinal 437)
Type IsOSProc As Function StdCall(ByVal As DWORD) As BOOL
Var shlwapi = LoadLibrary("shlwapi")
Dim IsOS As IsOSProc = Cast(IsOSProc, GetProcAddress(shlwapi, Cast(LPCSTR, 437)))
#Define OS_NT 1
If IsOS = NULL OrElse IsOS(OS_NT) = FALSE Then
	Print "operating system not supported"
	Sleep
	FreeLibrary(shlwapi)
	End
EndIf
FreeLibrary(shlwapi)

' start calculator
Dim pi As PROCESS_INFORMATION
Dim si As STARTUPINFO
si.cb = SizeOf(STARTUPINFO)
Var AppName = Environ("windir") & "\system32\calc.exe"
If CreateProcess(StrPtr(AppName), StrPtr(AppName), NULL, NULL, FALSE, 0, NULL, NULL, @si, @pi) = FALSE Then
	Print "starting calculator failed"
	Sleep
	End
EndIf

' wait for app to be ready
WaitForInputIdle(pi.hProcess, INFINITE)

' inject the dll; a full path is passed so that LoadLibrary inside the victim does not
' depend on the victim's search path (the dll is expected next to inject.exe)
Var hDllModule = InjectDLL(pi.hProcess, ExePath() & "\some_dll.dll")
If hDllModule = NULL Then
	Print "injecting dll failed"
	Sleep
	End
EndIf
Print "successful! hModule of dll: 0x" & Hex(Cast(UInteger, hDllModule))
Sleep

' close handles
CloseHandle(pi.hProcess)
CloseHandle(pi.hThread)

greetings, Cherry
Last edited by Cherry on Sep 09, 2010 19:48, edited 1 time in total.
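The flip side of the code above is checking a running process for a dll that was loaded this way. The following FreeBASIC program is an added example and is not part of Cherry's post or of the original thread: it takes a process id on the command line (the name moduleaudit and that usage are assumptions), walks the module list of that process with the Toolhelp32 snapshot API, and flags every module whose file lives outside the Windows directory and outside the directory of the process's own executable. After inject.exe above has run, the module list of calc.exe shows some_dll.dll loaded from the injector's directory, which is exactly what this check marks.

```freebasic
' Added example (not from the original post): list the modules loaded in a process and
' flag those living outside the Windows directory and the process's own directory.
' Usage (assumed): moduleaudit <pid>
#Include "windows.bi"
#Include "win/tlhelp32.bi"

' case-insensitive "path begins with prefix", good enough for Windows paths
Function StartsWith(path As String, prefix As String) As Boolean
	If Len(prefix) = 0 Then Return FALSE
	Return LCase(Left(path, Len(prefix))) = LCase(prefix)
End Function

' directory part of a full path, including the trailing backslash
Function DirOf(path As String) As String
	Dim i As Integer = InStrRev(path, "\")
	If i = 0 Then Return ""
	Return Left(path, i)
End Function

' prints every module of the process and returns how many were flagged (-1 on error)
Function AuditModules(pid As DWORD) As Integer
	' TH32CS_SNAPMODULE32 additionally lists the 32-bit modules of a WOW64 process
	Var hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32, pid)
	If hSnap = INVALID_HANDLE_VALUE Then
		Print "CreateToolhelp32Snapshot failed, error " & GetLastError()
		Return -1
	End If

	Dim entry As MODULEENTRY32
	entry.dwSize = SizeOf(MODULEENTRY32)
	If Module32First(hSnap, @entry) = FALSE Then
		Print "Module32First failed, error " & GetLastError()
		CloseHandle(hSnap)
		Return -1
	End If

	' the first entry is the main executable; its directory is treated as trusted
	Dim exeDir As String = DirOf(entry.szExePath)
	Dim winDir As String = Environ("windir") & "\"
	Dim flagged As Integer = 0

	Do
		Dim path As String = entry.szExePath
		Dim suspicious As Boolean = Not (StartsWith(path, winDir) OrElse StartsWith(path, exeDir))
		If suspicious Then flagged += 1
		Print IIf(suspicious, "[CHECK] ", "        ") & "0x" & Hex(Cast(UInteger, entry.modBaseAddr)) & "  " & path
	Loop While Module32Next(hSnap, @entry)

	CloseHandle(hSnap)
	Print flagged & " module(s) loaded from outside the Windows and program directories"
	Return flagged
End Function

Dim pidArg As String = Command(1)
If Len(pidArg) = 0 Then
	Print "usage: moduleaudit <pid>"
	End 1
End If
AuditModules(Val(pidArg))
```

Two things to keep in mind when using it: the auditor has to match the bitness of the process it inspects (a 32-bit build cannot snapshot a 64-bit process and the snapshot call fails), and a flagged entry is a reason to look closer, not proof of injection. Programs legitimately load dlls from Program Files or user directories, and a dll copied into the Windows directory before being injected would pass this check, so the location test is a triage step that belongs next to a look at who started the process and which other processes held a handle to it.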
JaDogg
Posts: 345
Joined: Apr 13, 2008 12:11
Location: Sri Lanka - Negombo

Post by JaDogg »

cool
agamemnus
Posts: 1842
Joined: Jun 02, 2005 4:48

Post by agamemnus »

vic-tim?...
anonymous1337
Posts: 5494
Joined: Sep 12, 2005 20:06
Location: California

Post by anonymous1337 »

As if necro-ing isn't bad enough. A malicious post, though?
creek23
Posts: 261
Joined: Sep 09, 2007 1:57
Location: Philippines

Post by creek23 »

old post but good one.

malicious? that's debatable.

cheers!
Cherry
Posts: 358
Joined: Oct 23, 2007 12:06
Location: Austria

Post by Cherry »

Of course this can be used for something malicious too.

But this is not the only use ;)

I am using it here, because uncommon clipboard content (like the formats used by RPG Maker 2000/2003) aren't shared between different processes in Wine, so the only way to make my tool (which is operating with RPG Maker's clipboard data) work with Wine was to inject it into RPG Maker.

Thanks for pushing then.
JaDogg
Posts: 345
Joined: Apr 13, 2008 12:11
Location: Sri Lanka - Negombo

Post by JaDogg »

also there are more uses, for example creating an app which shows what is behind ********* like passwords

and also to add functions to already compiled apps without reversing them
anonymous1337
Posts: 5494
Joined: Sep 12, 2005 20:06
Location: California

Post by anonymous1337 »

Cheers. I saw "victim" and reacted.

Occasionally someone thinks programming is "w4y h4xx0r k0o1" and decides to post "awsum h4x code!!!"
Cherry
Posts: 358
Joined: Oct 23, 2007 12:06
Location: Austria

Post by Cherry »

7415 (0|)3 VV45|\|7 |V|34|\|7 70 |33 |_|53|) |=02 |-|4XX1|\|6 |°|_|2|°0535!

I didn't realize that the usage of "victim" has this effect^^
anonymous1337
Posts: 5494
Joined: Sep 12, 2005 20:06
Location: California

Post by anonymous1337 »

Oh my God. I can read that.