DLL Injection

DLL Injection

Post by brodeur235 on Thu Aug 14, 2008 11:37 pm

Sorry for another thread so soon but I've started a project that I have questions about. In attempting to create a simple DLL injection setup I've created these three sources and run into a few problems listed below.

inject_me.cpp
This file compiles to its .EXE fine, obviously, judging by the source, and is the target process to be injected. It displays one message indicating that it will alert the user if it is injected, and then loops infinitely.
[spoiler]
Code:
//inject_me.exe

#include <iostream>
using namespace std;

int main()
{
   cout << "If I Greet You, I've Been Successfully Injected!" << endl;
   for(;;) { }
   return 0;
}

[/spoiler]

hello.dll
This is a problem as I don't know how to create DLL files. I don't even know if I have the right tools to do it. Anyways, here's the source of it as is, made to compile to an executable, which is the reason a main() function had to be included; otherwise the compiler complained.
[spoiler]
Code:
//hello.dll
//Built as a DLL rather than an executable, e.g. with MinGW:
//   g++ -shared -o hello.dll hello.cpp
//A DLL has no main(); it may have a DllMain entry point instead.

#include <windows.h>
#include <iostream>
using namespace std;

//__declspec(dllexport) puts say_hello in the DLL's export table so that
//GetProcAddress(..., "say_hello") can find it; extern "C" keeps the name unmangled.
extern "C" __declspec(dllexport) void say_hello()
{
   cout << "HELLO!" << endl;
}

//Optional entry point, called when the DLL is loaded into or unloaded from a process.
BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved)
{
   return TRUE;
}

[/spoiler]

dll_inj.cpp
This file compiles fine with my MinGW and Dev-C++, but I don't know about MS VC++ because I've only just downloaded it and don't know how to compile/use it at all yet, but I figure it's not a big issue at the moment. Anyways, this file compiled to its .EXE should inject "inject_me.exe" with a new thread created from the function "say_hello()" in hello.dll.
[spoiler]
Code:
//dll_inj.exe

//Must include windows.h for the Win32 API
#include <windows.h>
//iostream is included for status/debugging output
#include <iostream>
#include <cstdlib>
using namespace std;

//Entering code execution...
int main(int argc, char *argv[])
{
   /*
   Goal of this section is to create a new thread in a target process that runs code from our DLL file
   */
   
   //First step is to get the process ID. It was previously left uninitialized, so the check
   //below tested garbage; take it from the command line instead (dll_inj.exe <pid>).
   DWORD dwProcessId = (argc > 1) ? (DWORD)strtoul(argv[1], NULL, 10) : 0;
   //Error checking
   if(!dwProcessId)
   {
      cout << "ERROR - No Process To Inject DLL Into Was Specified" << endl;
      return 1;
   }
   
   //Next we must gain a HANDLE to the target process using Win32's OpenProcess
   //MSDN explains this function and its parameters here: http://msdn.microsoft.com/en-us/library/ms684320(VS.85).aspx
   HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
   //Error checking
   if(!hProcess)
   {
      cout << "ERROR - Could Not Retrieve Handle For Process: " << dwProcessId << " (GetLastError " << GetLastError() << ")" << endl;
      return 1;
   }
   
   //Second, get the address of the function from the DLL file we wish to inject using Win32's GetProcAddress
   //MSDN explains this function and its parameters here: http://msdn.microsoft.com/en-us/library/ms683212(VS.85).aspx
   //MSDN explains the GetModuleHandle function and its parameter here: http://msdn.microsoft.com/en-us/library/ms683199(VS.85).aspx
   //BUG: GetModuleHandle only finds modules already loaded into *this* process, and hello.dll is not,
   //so it returns NULL and GetProcAddress fails. Even if the DLL were loaded here, the address it yields
   //is only meaningful in this process's address space, not in the target's.
   FARPROC fpInjectFunction = GetProcAddress(GetModuleHandle("hello.dll"), "say_hello");
   //Error checking
   if(!fpInjectFunction)
   {
      cout << "ERROR - Unable To Retrieve Address Of Function To Be Injected" << endl;
      CloseHandle(hProcess);
      return 1;
   }
   
   //Now reserve writable virtual memory in the target process for the injected function using Win32's VirtualAllocEx
   //MSDN explains this function and its parameters here: http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx
   //BUG: sizeof(fpInjectFunction) is the size of a pointer (4 or 8 bytes), not the size of the function's
   //machine code, and PAGE_READWRITE memory is not executable.
   LPVOID lpReservedVirtualMemory = VirtualAllocEx(hProcess, NULL, sizeof(fpInjectFunction), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
   //Error checking
   if(!lpReservedVirtualMemory)
   {
      cout << "ERROR - Unable To Reserve Virtual Memory In Target Process For Injecting Function" << endl;
      CloseHandle(hProcess);
      return 1;
   }
   
   //At this point we must write the function from the DLL to the reserved virtual memory of the target process using Win32's WriteProcessMemory
   //MSDN explains this function and its parameters here: http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx
   //BUG: this copies only the first sizeof(pointer) bytes of say_hello's code, and that code refers to
   //addresses (cout, endl, the C++ runtime) that exist only in this process.
   SIZE_T bytesWritten = 0;   //was a leaked 'new SIZE_T'
   BOOL bWritten = WriteProcessMemory(hProcess, lpReservedVirtualMemory, (LPCVOID)fpInjectFunction, sizeof(fpInjectFunction), &bytesWritten);
   //Error checking: test the return value as well as the byte count
   if(!bWritten || bytesWritten < sizeof(fpInjectFunction))
   {
      cout << "ERROR - Unable To Write Injecting Function To Reserved Target Process Virtual Memory" << endl;
      CloseHandle(hProcess);
      return 1;
   }
   
   //Finally create the thread that will run in the target's virtual address space using Win32's CreateRemoteThread
   //MSDN explains this function and its parameters here: http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx
   //BUG: the start address passed is fpInjectFunction, an address in *this* process, rather than the
   //memory just allocated in the target; the new thread starts at whatever is mapped there in the target.
   DWORD dwThreadIdentifier = 0;   //was a leaked 'new DWORD'
   HANDLE hRemoteProcessThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fpInjectFunction, NULL, 0, &dwThreadIdentifier);
   //Error checking: CreateRemoteThread returns NULL on failure; the thread id alone is not a reliable check
   if(!hRemoteProcessThread)
   {
      cout << "ERROR - CreateRemoteThread Failed (GetLastError " << GetLastError() << ")" << endl;
      CloseHandle(hProcess);
      return 1;
   }
   
   //Wait for the remote thread to finish, then release both handles
   WaitForSingleObject(hRemoteProcessThread, INFINITE);
   CloseHandle(hRemoteProcessThread);
   CloseHandle(hProcess);
   
   //Exiting code execution...
   return 0;
}

[/spoiler]

Problems:
1.) I don't know how to create a DLL file.
2.) I don't know how to retrieve a target process' ID (inject_me.exe in this case) - I'm okay with making the target process ID static for now.
3.) I have no clue how many bugs are already in my dll_inj.cpp file. Please point them out freely.

Brodeur235
brodeur235
New User
Posts: 11
Joined: Fri May 23, 2008 2:54 pm
Location: United States, TX


Re: DLL Injection

Post by __ASMx86 on Sun Sep 21, 2008 3:18 pm

What about Google? =)

The first Record will explain it..
__ASMx86
New User
Posts: 38
Joined: Sun Sep 14, 2008 3:15 pm
Location: The Netherlands


Re: DLL Injection

Post by bird7727 on Sun Feb 01, 2009 2:44 am

I'm assuming you're using Microsoft Visual C++ Express Edition. Go to File -> New Project -> Win32 Console App -> (hit Next on the form) -> Application Type: DLL -> Finish.
bird7727
New User
Posts: 48
Joined: Sun Feb 01, 2009 12:43 am


Re: DLL Injection

Post by AgentSmithers on Thu Feb 12, 2009 12:41 pm

Well, instead of pointing you to another place, I can help ya out.

For one, I gotta make a disclaimer: I've never injected into a console before, but I'm sure they are no different when handling DLLs.

There are several methods of DLL injection. First let's start off with how to make a DLL. When you select your application type, instead of Win32 Console or Application there should be a Dynamic Link Library or DLL option as well. As for .NET, I believe you need Pro or greater; I'm not aware of Express making DLLs, but I could be wrong..

Next, DLLs have a DllMain, not a main, just like Win32 applications use WinMain.

Now, to craft a simple DLL, use this:

Code:
#include <windows.h>

BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
    /* Parse() and FakeBox are the poster's own helpers and are not shown in this post. */
    if (reason==DLL_PROCESS_ATTACH)
        Parse(GetModuleHandle(0),"User32.dll","MessageBoxA",(DWORD)FakeBox);

    return TRUE;
}


Now, considering you are injecting code, you don't have variable addresses to the application's internal code, so you gotta call methods from the Windows API to get information from the executable, such as GetModuleHandle() http://msdn.microsoft.com/en-us/library/ms683199(VS.85).aspx which gets the handle to the current process when you pass zero or NULL to it. From there you can definitely convert that handle to a PID and so on!

Now when it comes to DLL injection, like I said there are several ways, and the easiest to start off with is the AppInit registry method: look up the key and put your DLL path in there.. That will make every single EXE load your DLL into its memory space. BEWARE that if you don't make the DLL check for a condition it will make MessageBoxes go off like fireworks :). Get the filename or something of the current running process, check if it's notepad, then execute; if not, return. Just to test this messagebox.

Another way is CreateRemoteThread, which is my favorite. I'm going to write a paper on this method and make it as clear as possible, with pictures and such, but I haven't just yet! I hope this helps; if you have any questions feel free to ask here or contact me!
Http://ControllingTheInter.Net
My General Computer Forum, From Security To Programming And Back To Troubleshooting.
AgentSmithers
New User
Posts: 23
Joined: Thu Feb 12, 2009 12:27 pm
Location: Palm Springs
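The two loading paths discussed in this thread, the AppInit_DLLs registry value and a DLL arriving in a process via a remote thread, both leave something an administrator can inspect. The following PowerShell script is an added example, not code from any poster in this thread: it reads the AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs values from both the native and the WOW6432Node registry views, and lists the modules of a named process that were loaded from outside the Windows and Program Files directories. The process name "inject_me" and the choice of trusted directories are assumptions made for the example; adjust them to the machine being checked.

```powershell
# Added example (not from the thread): audit the two DLL-loading surfaces this
# thread talks about, from the defender's side.
#   1. AppInit_DLLs: DLLs listed here are loaded into every process that loads
#      user32.dll, so an unexpected entry is worth a close look.
#   2. The module list of a running process: a DLL loaded from a user-writable
#      directory is the visible footprint of a CreateRemoteThread-style injection.
# "inject_me" and the trusted-directory list are assumptions for this example.

function Get-AppInitDlls {
    # Native and 32-bit (WOW6432Node) views of the same key.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
    )
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        [pscustomobject]@{
            Key                       = $key
            AppInit_DLLs              = $props.AppInit_DLLs
            LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
            RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
        }
    }
}

function Get-UnexpectedModules {
    param([Parameter(Mandatory)][string]$ProcessName)

    # Directories from which a DLL load is treated as expected (assumption for the example).
    $trusted = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } |
        ForEach-Object { $_.TrimEnd('\') + '\' }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        # Reading Modules can throw for protected or higher-integrity processes.
        $modules = try { $proc.Modules } catch { @() }
        foreach ($m in $modules) {
            # The main executable itself lives wherever the user put it; skip it.
            if ($m.FileName -eq $proc.Path) { continue }

            $fromTrusted = $false
            foreach ($dir in $trusted) {
                if ($m.FileName.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $fromTrusted = $true
                    break
                }
            }
            if (-not $fromTrusted) {
                [pscustomobject]@{
                    ProcessId = $proc.Id
                    Process   = $proc.ProcessName
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                }
            }
        }
    }
}

# Usage: show the AppInit values, then any DLLs in inject_me.exe loaded from outside the trusted directories.
Get-AppInitDlls | Format-List
Get-UnexpectedModules -ProcessName 'inject_me' | Format-Table -AutoSize
```

Run this from an elevated session so that the module list of processes owned by other users can be read. An empty AppInit_DLLs value with LoadAppInit_DLLs set to 0 is the normal state; a populated value is exactly the "every single EXE loads your DLL" condition the post above describes, and RequireSignedAppInit_DLLs set to 1 limits it to signed DLLs. A hello.dll sitting in a user's directory would show up in the second listing while inject_me.exe is running.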


Re: DLL Injection

Post by mischief on Sun Feb 22, 2009 4:32 am

You could modify an executable with assembly to load your DLL and call a procedure from it. I did that with notepad, and it spawned a reverse shell.. :)
The whole secret of existence is to have no fear. Never fear what will become of you, depend on no one. Only the moment you reject all help are you freed.
--Buddha
mischief
Poster
Posts: 355
Joined: Wed Jan 07, 2009 4:16 pm
