Sign in to follow this  
lilj2005

Need Help With Dll Injection

Recommended Posts

So i read this tutorial, http://www.edgeofnowhere.cc/viewtopic.php?t=308049&postdays=0&postorder=asc&start=0], and decided to go with the CreateRemoteThread method. My loader seems to load the dll just fine but when my dll loads the MessageBox() doesnt come up. It also doesnt create a txt file when i want it to. Been working to fix this problem for a hour now but cant seem to figure out whats wrong. Can some one help me fix this problem.
// DLL Loader

#include <windows.h>
#include <tlhelp32.h> 
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>

#define WIN32_LEAN_AND_MEAN
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL Inject(DWORD pID, const char * DLL_NAME);
DWORD GetTargetThreadIDFromProcName(const char * ProcName);

int main(int argc, char * argv[])
{
	// Retrieve process ID
	DWORD pID = GetTargetThreadIDFromProcName("notepad.exe");
	
	// Get the dll's full path name 
	char buf[MAX_PATH] = {0};
	GetFullPathName("TestDll.dll", MAX_PATH, buf, NULL);
	printf(buf); 
	printf("\n"); 
	
	// Inject our main dll
	if(!Inject(pID, buf))
	{
        printf("DLL Not Loaded!");
    }else{ 
        printf("DLL Loaded!"); 
    }

    _getch();
	return 0;
}

BOOL Inject(DWORD pID, const char * DLL_NAME) 
{
	HANDLE Proc;
	HMODULE hLib;
	char buf[50] = {0};
	LPVOID RemoteString, LoadLibAddy;

	if(!pID) 
		return false;

	Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
	if(!Proc) 
	{
		sprintf(buf, "OpenProcess() failed: %d", GetLastError());
		//MessageBox(NULL, buf, "Loader", MB_OK);
		printf(buf);
		return false;
	}
    
	LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

	// Allocate space in the process for our DLL
	RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

	// Write the string name of our DLL in the memory allocated
	WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);

	// Load our DLL
	CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);

	CloseHandle(Proc);
	return true;
}

DWORD GetTargetThreadIDFromProcName(const char * ProcName)
{
	PROCESSENTRY32 pe;
	HANDLE thSnapShot; 
	BOOL retval, ProcFound = false;

	thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if(thSnapShot == INVALID_HANDLE_VALUE) 
	{
		//MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK);
		printf("Error: Unable to create toolhelp snapshot!");
		return false;
	}

	pe.dwSize = sizeof(PROCESSENTRY32);
	
	retval = Process32First(thSnapShot, &pe);
	while(retval) 
	{
		if(StrStrI(pe.szExeFile, ProcName)) 
		{
			return pe.th32ProcessID;
		}
		retval = Process32Next(thSnapShot, &pe); 
	}
	return 0;
}

// DLL 

#include <windows.h> 
#include <stdio.h> 

DWORD WINAPI Func1(LPVOID pData) 
{ 
   MessageBox(NULL, "Valuable code would execute here!", "Success", MB_OK | MB_ICONASTERISK); 
   return 1; 
} 


BOOL APIENTRY DllMain(HANDLE hModule, DWORD lpReason, LPVOID lpReserved) 
{ 
   HANDLE hThread;         // Thread handle 
   DWORD nThread;        // Thread ID 

   if(lpReason == DLL_PROCESS_ATTACH) 
   { 
      //Try to create a new thread (which will run Func1()) 
      if((hThread = CreateThread(NULL, 0, Func1, NULL, 0, &nThread)) != NULL) 
      { 
         // Close handle 
         CloseHandle(hThread); 
      } 
       

   } 
    return TRUE; 
} 

Share this post


Link to post
Share on other sites
C-strings are 0-terminated. You need to allocate/write strlen(DLL_NAME)+1 bytes in the external process.

There many be other problems, but that one will certainly cause you grief as LoadLibrary will attempt to load a library whose name has garbage at the end.

Share this post


Link to post
Share on other sites
Yep I suspect the_edd is right. It might also be worthwhile to add error checking at every step along the way to see if say WriteProcessMemory doesn't have persmissions.

If you feel like trying a more robust version of the CreateRemoteThread method, check out A More Complete DLL Injection Solution Using CreateRemoteThread. The difference is if LoadLibrary fails in the target process, a message box will pop up. You can also run exported functions in the injected DLL if that's important.

Share this post


Link to post
Share on other sites
I came across this problem a little while ago. You need to pass in the absolute path to the DLL, not just TestDll.dll as notepad.exe doesn't know where to find TestDll.dll.

Regards
elFarto

Share this post


Link to post
Share on other sites
Quote:
Original post by elFarto
I came across this problem a little while ago. You need to pass in the absolute path to the DLL, not just TestDll.dll as notepad.exe doesn't know where to find TestDll.dll.

Regards
elFarto


Thats what the function GetFullPathName() is for...Tried you guys idea's but still no luck...

Share this post


Link to post
Share on other sites
Since you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.

Share this post


Link to post
Share on other sites
Quote:
Original post by Salvinger
Since you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.


In fact, why is another thread created in DllMain, anyway? Just show the MessageBox in DllMain's primary thread if you want a quick check to see if the injection has succeeded.

Share this post


Link to post
Share on other sites
Quote:
Original post by the_edd
Quote:
Original post by Salvinger
Since you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.


In fact, why is another thread created in DllMain, anyway? Just show the MessageBox in DllMain's primary thread if you want a quick check to see if the injection has succeeded.



Yea i did that i jus wanted to see if it would create the thread but seems like it doesnt...

Share this post


Link to post
Share on other sites
Try changing "kernel32.dll" to "kernel32". My code which uses this method uses "kernel" (and was confirmed to work).

It could be possible that both are acceptable, but this is just something else to try.

Also, if you're on a 64-bit version of windows, such as Vista64 or Seven64, notepad.exe is a 64-bit process and you will not be able to inject a (presumably) 32-bit DLL into its process space.

Make sure you check for errors on all of the other Win32 calls in your injection function.

Share this post


Link to post
Share on other sites
Quote:
Original post by Nypyren
Try changing "kernel32.dll" to "kernel32". My code which uses this method uses "kernel" (and was confirmed to work).

It could be possible that both are acceptable, but this is just something else to try.

Also, if you're on a 64-bit version of windows, such as Vista64 or Seven64, notepad.exe is a 64-bit process and you will not be able to inject a (presumably) 32-bit DLL into its process space.

Make sure you check for errors on all of the other Win32 calls in your injection function.


Tried changing those around beforehand and still no luck and im running windows xp. Is there something special i need to load in the DLL for the MessageBox to work or it should run normally?

Share this post


Link to post
Share on other sites
Wow lol...So i was doing some reading on the problem, turns out its not the code its the compiler. Dev-cpp doesnt like compiling dlls, it returns before it actually hits any code. Thnx for all the help :)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this