Hello,
Full source present below.
I am Sri Krishna. I have already posted this tutorial long back in Hackforums. I thought it would be nice to share it here.
Here is a quick explanation of how DLL injection works. The concept is very simple. This encompasses a lot of very useful functions. Very good knowledge.
DLL injection is not really injecting the DLL but to load the DLL inside the targeted process. The function that is used to load a DLL is [a href="http://msdn.microsoft.com/en-us/library/ms684175(v=vs.85).aspx"]LoadLibrary[/a]. LoadLibrary takes one argument which is the path of the DLL. We pretty much know how to load a DLL. Now, we need to understand how to make the targeted process load our DLL.
Let's look at it in this perspective: If you want to load a DLL in general, you would call LoadLibrary(DLL_PATH);, however, if you want to LoadLibrary(DLL_NAME); inside a process, you would have to execute that function inside the targeted process, correct? Well, Windows has provided us with useful functions that can help us perform this task. The functions we will be using are
OpenProcess,
VirtualAllocEx,
WriteProcessMemory, and
CreateRemoteThread.
We'll be using OpenProcess to open the target process. The information required to open the process is the Process ID(or PID). I suggest you look at the MSDN documentation for more information.
Here is what OpenProcess is asking:
OpenProcess(HowToOpen, InheritEverything(BOOL), Process ID);
Here is the actual code:
int ProcessID;
std::cin >> ProcessID;
HANDLE hProcess; //This will contain the handle to the process.
hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, ProcessID);
Now, hProcess contains the handle to the process, if OpenProcess doesn't return NULL. If OpenProcess returned NULL, then it failed. You can use [url=http://msdn.microsoft.com/en-us/library/ms679360(v=VS.85).aspx]GetLastError()[/url] function to get details of the failure.
if(hProcess == NULL)
std::cout << "OpenProcess: " << GetLastError();
else
//continue
Now, we need to allocate some memory in the targeted process for DLL path so we can pass it to LoadLibrary. We can do this by using VirtualAllocEx.
VirtualAllocEx might sound complicated but the arguments it takes are easy to understand and is perfect for this task. It's similar to malloc or new in C and C++, respectively. malloc/new only works in the process you are working with but with VirtualAllocEx you can "malloc" inside a target process!
What VirtualAllocEx is asking for:
VirtualAllocEx(HandleToTheProcess, WhereDoYouWantToAllocate, HowMuchDoYouWantToAllocate, AllocationType, ProtectionType);
That's essentially what it is asking us for. Now, lets follow along and legitimately fill in the arguments. Please, look up the MSDN Documention for MEM_RESERVE, MEM_COMMIT and PAGE_READWRITE for more information.
LPVOID vAlloc; //Stores our base address where the allocation occured.
vAlloc = VirtualAllocEx(hProcess, NULL, strlen(DLL_PATH) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
/*NULL in the second parameter lets the function choose where to allocate memory. We want to allocate
the string length of DLL path, so we can write to it. It's strlen(DLL_PATH) +1 because of the null-terminator. Thanks to PoZHx for reminding me! :)*/
If the function suceeded, vAlloc will contain the base address where the allocation occured. If it failed, it will return NULL. Of course, you can use GetLastError to get more information about why the function failed.
Now, we will write the DLL path in the allocated memory. Now, where in memory region was the memory allocated? Well, vAlloc contains the base address of our memory, so we'll just use that to write our DLL path to. We can do this by using WriteProcessMemory.
This is what WriteProcessMemory is asking:
WriteProcessMemory(WhichProcess, WhereInMemory, WhatToWrite, HowLongIsTheData, HowMuchDidIWrite); //the last parameter is not really needed
Now, lets write the actual code for the task:
WriteProcessMemory(hProcess, vAlloc, DLL_PATH, strlen(DLL_PATH), NULL); //this will pretty much write the DLL path to the process.
If the function suceeded, it will return a non-zero integer. Of course, you can use GetLastError if it returned NULL.
Now, that we have everything up and ready for us to execute our LoadLibrary function inside the process, lets execute it!
We'll need CreateRemoteThread function to create a seperate thread for our LoadLibrary while not pausing the main process thread. CreateRemoteThread is similar to CreateThread except CreateRemoteThread takes one extra parameter which is the handle to the process(I'm sure you guessed it!). We'll pass in our hProcess for that parameter.
What CreateRemoteThread is asking:
CreateRemoteThread(HandleToProcess, ThreadAttributes, StackSize, FunctionToExecute, ParametersToFunction, Flags, ThreadID);
/*For this task, we'll only worry about HandleToProcess, FunctionToExecute, and ParametersToFunction because that's all we need
to execute our thread in the targeted process*/
Now, lets write the actual code for this task:
CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibraryA, vAlloc, NULL, NULL);
If the function failed, it will return NULL. Of course, you can check GetLastError() ;).
However, there are times, rarely, when this function will fail. It's probably because the kernel32.dll is not loaded in the process. This is a problem because kernel32.dll is DLL that provides us the function LoadLibrary. There is a way to fix this problem. You can use [url=http://msdn.microsoft.com/en-us/library/ms683212%28v=VS.85%29.aspx]GetProcAddress[/url] to get the address of LoadLibrary inside kernel32.dll and we can just call the address.
Here is what GetProcAddress is asking for:
GetProcAddress(HandleToTheModuleWhereTheFunctionIsLocated, FunctionName);
Now, lets write the actual code:
LPVOID pAddr; //This will contain the address of LoadLibrary, if suceeded.
pAddr = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
If suceeded, pAddr will contain the address to LoadLibraryA. If it didn't suceed, it will return NULL and we can use GetLastError ;) Now, lets use this address and pass it to CreateRemoteThread.
CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)pAddr, vAlloc, NULL, NULL);
After you finish creating the remote thread. Make sure to free the memory we have allocated using [url=http://msdn.microsoft.com/en-us/library/aa366894(v=vs.85).aspx]VirtualFreeEx[/url] and make sure to close the handle we have opened using OpenProcess using [url=http://msdn.microsoft.com/en-us/library/ms724211(v=VS.85).aspx]CloseHandle[/url].
Please check the MSDN documentation for more information. VirtualFreeEx is similar to free and delete in C and C++, respectively.
VirtualFreeEx(hProcess, vAlloc, NULL, MEM_RELEASE); //Must call this before closing handle.
CloseHandle(hProcess);
That's basically it! Now, you should, unless you don't speak English, understand how DLL injection works.
Here is the entire source of what we discussed; I added some error checking to help us out:
[url=http://pastebin.com/7AgCZAfx]DLL Injecton[/url]
Here is a source of a DLL to test if the Injector is working:
#include <windows.h>
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
{
if(dwReason == DLL_PROCESS_ATTACH)
MessageBox(NULL, "Injected to process!", "Injected!", MB_OK);
return true;
}
Here is an advanced version of DLL Injector. It opens up a file dialog box and it also lists the process with process IDs:
http://pastebin.com/pC8JDVvV
Hope you learned something... Sri Krishna. Please, give me some feedback.
![[Image: 4040867.bmp]](https://lh3.googleusercontent.com/blogger_img_proxy/AEn0k_u33o6NTQe3TexWBNvI33y2eF0-6J6IGiwhd4iPWQB5uSbjvR4O1phl4EuKCTqxmbrzN4Q-nJasVjTETyzE3Gq8dWF8v4MDtuVaGhY8tR94U4N9IirszF0aenBlIO8=s0-d)