DLL Injection

Sorry for another thread so soon but I've started a project that I have questions about. In attempting to create a simple DLL injection setup I've created these three sources and run into a few problems listed below.

inject_me.cpp
This file compiles to it's .EXE fine obviously, judging by the source and is the target process to be injected. It displays one message that indicates that it will alert the user if it is injected, and then loops infinitely.
[spoiler]

Code: Select all: //inject_me.exe #include <iostream> using namespace std; int main() { cout << "If I Greet You, I've Been Successfully Injected!" << endl; for(;;) { } return 0; }

[/spoiler]

hello.dll
This is a problem as I don't know how to create DLL files. I don't even know if I have the right tools to do it. Anyways, here's the source of it as is, made to compile to an executable, which is the reason a main() function had to be included; otherwise the compiler complained.
[spoiler]

Code: Select all: //hello.dll #include <iostream> using namespace std; void say_hello() { cout << "HELLO!" << endl; } //I don't think DLLs should have mains, but it wouldn't compile to exe without this line... int main () {}

[/spoiler]

dll_inj.cpp
This file compiles fine with my MingW and Dev-C++, but I don't know about MS VC++ because I've only just Dl'ed it and don't know how to compile/use it at all yet, but I figure it's not a big issue at the moment. Anyways, this file compiled to it's .EXE should inject "inject_me.exe" with a new thread created from the function "say_hello()" in hello.dll
[spoiler]

Code: Select all: //dll_inj.exe //Must include windows.h for win32 API #include <windows.h> //Will include iostream for status/debugging purposes #include <iostream> using namespace std; //Entering Ccde execution... int main() { /* Goal of this section is to create a new custom thread using code from our DLL file in a target process */ //First step is to get the proccess ID... DWORD dwProcessId;// = 0x0; //Error checking if(!dwProcessId) { cout << "ERROR - No Process To Inject DLL Into Was Specified" << endl; return 1; } //Next we must gain a HANDLE to the target process using win32's OpenProcess //MSDN explains this function and it's parameters here: http://msdn.microsoft.com/en-us/library/ms684320(VS.85).aspx HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId); //Error checking if(!hProcess) { cout << "ERROR - Could Not Retrieve Handle For Process: " << dwProcessId << endl; return 1; } //Second it's time to get the address of the function from the DLL file we wish to inject using win32's GetProcAddress //MSDN explains this function and it's parameters here: http://msdn.microsoft.com/en-us/library/ms683212(VS.85).aspx //MSDN explains the GetModuleHandle function and it's parameter here: http://msdn.microsoft.com/en-us/library/ms683199(VS.85).aspx FARPROC fpInjectFunction = GetProcAddress(GetModuleHandle("hello.dll"), "say_hello"); //Error checking if(!fpInjectFunction) { cout << "ERROR - Unable To Retrieve Address Of Function To Be Injected" << endl; return 1; } //Now reserve writable virtual memory in target process for the injecting function using win32'a VirtualAllocEx //MSDN explains this function and it's parameters here: http://msdn.microsoft.com/en-us/library/aa366890(VS.85).aspx LPVOID lpReservedVirtualMemory = VirtualAllocEx(hProcess, NULL, sizeof(fpInjectFunction), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); //Error checking if(!lpReservedVirtualMemory) { cout << "ERROR - Unable To Reserve Virtual Memory In Target Process For Injecting Function" << endl; return 1; } //At this point we must write the function from the DLL to the reserved virtual memory of the target process using win32's WriteProcessMemory //MSDN explains this function and it's parameters here: http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx SIZE_T *bytesWritten = new SIZE_T; WriteProcessMemory(hProcess, lpReservedVirtualMemory, (LPCVOID)fpInjectFunction, sizeof(fpInjectFunction), bytesWritten); //Error checking if(*bytesWritten < sizeof(fpInjectFunction)) { cout << "ERROR - Unable To Write Injecting Function To Reserved Target Process Virtual Memory" << endl; return 1; } //Finally create the thread that will run in the virtual address space using win32's CreateRemoteThread //MSDN explains this function and it's parameters here: http://msdn.microsoft.com/en-us/library/ms682437(VS.85).aspx DWORD *lpThreadIdentifier = new DWORD; HANDLE hRemoteProcessThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)fpInjectFunction, NULL, 0, lpThreadIdentifier); //Error checking if(!*lpThreadIdentifier) { cout << "ERROR - No Thread Identifier Was Returned" << endl; return 1; } //Exiting code execution... return 0; }

[/spoiler]

Problems:
1.) I don't know how to create a DLL file.
2.) I don't know how to retrieve a target process' ID (inject_me.exe in this case) - I'm okay with making the target process ID static for now.
3.) I have no clue how many bugs are already in my dll_inj.cpp file. Please point them out freely.

Brodeur235

What about, Google =)

The first Record will explain it..

I'm assuming your using Microsoft Visual C++ Express Edition. Go to File -> New Project -> Win32 Console App -> (hit next on form) -> Application Type: DLL -> Finish.

Well Instead of Pointing you to another place I can help ya out

For one, I gotta make a disclaimer ive never injected to a console before but im sure they are no different when handling DLL's

there are several Methods to DLL injection first lets start off with how to make a DLL, When you select your Application type instead of W32 Console or Application their should be a Dynamic Link Library or DLL option as well, as for .Net i net I believe you need Pro or greater im not aware of express making DLL's but I could be wrong..

Next DLL's have a DLLMain not a Main, Just like Win32 Applications uses WinMain

Now to craft a Simple DLL use this

Code: Select all: BOOL APIENTRY DllMain (HINSTANCE hInst /* Library instance handle. */ , DWORD reason /* Reason this function is being called. */ , LPVOID reserved /* Not used. */ ) { if (reason==DLL_PROCESS_ATTACH) Parse(GetModuleHandle(0),"User32.dll","MessageBoxA",(DWORD)FakeBox); return TRUE; }

Now considering you are injecting code you don't have Variable Addresses to the Applications Internal code so you gotta call method for Windows API to get information from the executable such as GetModuleHandle() http://msdn.microsoft.com/en-us/library/ms683199(VS.85).aspx which gets the handle to the current process when you pass Zero or NULL to it, from there you can definetly convert that handle to a PID and so ON!

Now when it comes to DLL injection like I said there are several ways and the easiest to start off is the Appinit Registry method, look up the key and put in your DLL path there.. that will make every single EXE load your DLL into its memory space. BEWARE that if you dont make the DLL check for a Condition it will make MessageBoxes go off like Fireworks

, Get the filename or something of the current running process check if its notepad then execute if not return just to test this messagebox.

Another way is CreateRemoteThread which is my Favoraite Im going to write a Paper on this methed and make it as clear as possible with pictures and such but I havent just yet! I hope this helps, if you have any questions feel free to ask here or Contact me!

you could modify an executeable with assembly to load your DLL and call a procedure from it. i did that with notepad, and it spawned a reverse shell..

DLL Injection

DLL Injection

Re: DLL Injection

Re: DLL Injection

Re: DLL Injection

Re: DLL Injection

Who is online