Need Help With Dll Injection

This topic is 3385 days old which is more than the 365 day threshold we allow for new replies. Please post a new topic.

Recommended Posts

So i read this tutorial, http://www.edgeofnowhere.cc/viewtopic.php?t=308049&postdays=0&postorder=asc&start=0], and decided to go with the CreateRemoteThread method. My loader seems to load the dll just fine but when my dll loads the MessageBox() doesnt come up. It also doesnt create a txt file when i want it to. Been working to fix this problem for a hour now but cant seem to figure out whats wrong. Can some one help me fix this problem.
// DLL Loader

#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>

#define WIN32_LEAN_AND_MEAN
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL Inject(DWORD pID, const char * DLL_NAME);
DWORD GetTargetThreadIDFromProcName(const char * ProcName);

int main(int argc, char * argv[])
{
// Retrieve process ID

// Get the dll's full path name
char buf[MAX_PATH] = {0};
GetFullPathName("TestDll.dll", MAX_PATH, buf, NULL);
printf(buf);
printf("\n");

// Inject our main dll
if(!Inject(pID, buf))
{
}else{
}

_getch();
return 0;
}

BOOL Inject(DWORD pID, const char * DLL_NAME)
{
HANDLE Proc;
HMODULE hLib;
char buf[50] = {0};

if(!pID)
return false;

Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
if(!Proc)
{
sprintf(buf, "OpenProcess() failed: %d", GetLastError());
//MessageBox(NULL, buf, "Loader", MB_OK);
printf(buf);
return false;
}

// Allocate space in the process for our DLL
RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

// Write the string name of our DLL in the memory allocated
WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);

// Load our DLL

CloseHandle(Proc);
return true;
}

DWORD GetTargetThreadIDFromProcName(const char * ProcName)
{
PROCESSENTRY32 pe;
HANDLE thSnapShot;
BOOL retval, ProcFound = false;

thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(thSnapShot == INVALID_HANDLE_VALUE)
{
//MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK);
printf("Error: Unable to create toolhelp snapshot!");
return false;
}

pe.dwSize = sizeof(PROCESSENTRY32);

retval = Process32First(thSnapShot, &pe);
while(retval)
{
if(StrStrI(pe.szExeFile, ProcName))
{
return pe.th32ProcessID;
}
retval = Process32Next(thSnapShot, &pe);
}
return 0;
}


// DLL

#include <windows.h>
#include <stdio.h>

DWORD WINAPI Func1(LPVOID pData)
{
MessageBox(NULL, "Valuable code would execute here!", "Success", MB_OK | MB_ICONASTERISK);
return 1;
}

BOOL APIENTRY DllMain(HANDLE hModule, DWORD lpReason, LPVOID lpReserved)
{

if(lpReason == DLL_PROCESS_ATTACH)
{
//Try to create a new thread (which will run Func1())
if((hThread = CreateThread(NULL, 0, Func1, NULL, 0, &nThread)) != NULL)
{
// Close handle
}

}
return TRUE;
}


Share on other sites
C-strings are 0-terminated. You need to allocate/write strlen(DLL_NAME)+1 bytes in the external process.

There many be other problems, but that one will certainly cause you grief as LoadLibrary will attempt to load a library whose name has garbage at the end.

Share on other sites
Yep I suspect the_edd is right. It might also be worthwhile to add error checking at every step along the way to see if say WriteProcessMemory doesn't have persmissions.

If you feel like trying a more robust version of the CreateRemoteThread method, check out A More Complete DLL Injection Solution Using CreateRemoteThread. The difference is if LoadLibrary fails in the target process, a message box will pop up. You can also run exported functions in the injected DLL if that's important.

Share on other sites
Ok thnx for the help

Share on other sites
I came across this problem a little while ago. You need to pass in the absolute path to the DLL, not just TestDll.dll as notepad.exe doesn't know where to find TestDll.dll.

Regards
elFarto

Share on other sites
Quote:
 Original post by elFartoI came across this problem a little while ago. You need to pass in the absolute path to the DLL, not just TestDll.dll as notepad.exe doesn't know where to find TestDll.dll.RegardselFarto

Thats what the function GetFullPathName() is for...Tried you guys idea's but still no luck...

Share on other sites
Since you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.

Share on other sites
Quote:
 Original post by SalvingerSince you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.

In fact, why is another thread created in DllMain, anyway? Just show the MessageBox in DllMain's primary thread if you want a quick check to see if the injection has succeeded.

Share on other sites
Quote:
Original post by the_edd
Quote:
 Original post by SalvingerSince you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.

In fact, why is another thread created in DllMain, anyway? Just show the MessageBox in DllMain's primary thread if you want a quick check to see if the injection has succeeded.

Yea i did that i jus wanted to see if it would create the thread but seems like it doesnt...

Share on other sites
Try changing "kernel32.dll" to "kernel32". My code which uses this method uses "kernel" (and was confirmed to work).

It could be possible that both are acceptable, but this is just something else to try.

Also, if you're on a 64-bit version of windows, such as Vista64 or Seven64, notepad.exe is a 64-bit process and you will not be able to inject a (presumably) 32-bit DLL into its process space.

Make sure you check for errors on all of the other Win32 calls in your injection function.

• 17
• 11
• 15
• 9
• 49
• Forum Statistics

• Total Topics
631393
• Total Posts
2999764
×