// DLL Loader

#include <windows.h>
#include <tlhelp32.h> 
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>

#define WIN32_LEAN_AND_MEAN
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL Inject(DWORD pID, const char * DLL_NAME);
DWORD GetTargetThreadIDFromProcName(const char * ProcName);

int main(int argc, char * argv[])
{
	// Retrieve process ID
	DWORD pID = GetTargetThreadIDFromProcName("notepad.exe");
	
	// Get the dll's full path name 
	char buf[MAX_PATH] = {0};
	GetFullPathName("TestDll.dll", MAX_PATH, buf, NULL);
	printf(buf); 
	printf("\n"); 
	
	// Inject our main dll
	if(!Inject(pID, buf))
	{
        printf("DLL Not Loaded!");
    }else{ 
        printf("DLL Loaded!"); 
    }

    _getch();
	return 0;
}

BOOL Inject(DWORD pID, const char * DLL_NAME) 
{
	HANDLE Proc;
	HMODULE hLib;
	char buf[50] = {0};
	LPVOID RemoteString, LoadLibAddy;

	if(!pID) 
		return false;

	Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
	if(!Proc) 
	{
		sprintf(buf, "OpenProcess() failed: %d", GetLastError());
		//MessageBox(NULL, buf, "Loader", MB_OK);
		printf(buf);
		return false;
	}
    
	LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

	// Allocate space in the process for our DLL
	RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

	// Write the string name of our DLL in the memory allocated
	WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL);

	// Load our DLL
	CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);

	CloseHandle(Proc);
	return true;
}

DWORD GetTargetThreadIDFromProcName(const char * ProcName)
{
	PROCESSENTRY32 pe;
	HANDLE thSnapShot; 
	BOOL retval, ProcFound = false;

	thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if(thSnapShot == INVALID_HANDLE_VALUE) 
	{
		//MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK);
		printf("Error: Unable to create toolhelp snapshot!");
		return false;
	}

	pe.dwSize = sizeof(PROCESSENTRY32);
	
	retval = Process32First(thSnapShot, &pe);
	while(retval) 
	{
		if(StrStrI(pe.szExeFile, ProcName)) 
		{
			return pe.th32ProcessID;
		}
		retval = Process32Next(thSnapShot, &pe); 
	}
	return 0;
}

// DLL 

#include <windows.h> 
#include <stdio.h> 

DWORD WINAPI Func1(LPVOID pData) 
{ 
   MessageBox(NULL, "Valuable code would execute here!", "Success", MB_OK | MB_ICONASTERISK); 
   return 1; 
} 


BOOL APIENTRY DllMain(HANDLE hModule, DWORD lpReason, LPVOID lpReserved) 
{ 
   HANDLE hThread;         // Thread handle 
   DWORD nThread;        // Thread ID 

   if(lpReason == DLL_PROCESS_ATTACH) 
   { 
      //Try to create a new thread (which will run Func1()) 
      if((hThread = CreateThread(NULL, 0, Func1, NULL, 0, &nThread)) != NULL) 
      { 
         // Close handle 
         CloseHandle(hThread); 
      } 
       

   } 
    return TRUE; 
} 

Quote:Original post by elFarto
I came across this problem a little while ago. You need to pass in the absolute path to the DLL, not just TestDll.dll as notepad.exe doesn't know where to find TestDll.dll.

Regards
elFarto

Quote:Original post by the_edd

Quote:Original post by Salvinger
Since you say it injects fine, then it should be calling dllmain. Since the messagebox is not being displayed I would assume it is a problem with CreateThread. This is just a shot in the wild but try not closing the handle to the thread right after you create it.

In fact, why is another thread created in DllMain, anyway? Just show the MessageBox in DllMain's primary thread if you want a quick check to see if the injection has succeeded.