Thread: Dll Injection Question

  1. #1
    Registered User
    Join Date
    Mar 2008
    Posts
    3

    Dll Injection Question

    Hey All,
    I'm writing some DLL injection code using Windows hooks. I understand the code pretty well; it's just more of the theory that I don't quite get. First I will post my code for the DLL injection:

    Code:
    BOOL InjectDll ( LPCWSTR dllName );
    
    int _tmain(int argc, _TCHAR* argv[])
    {
        // Inject our dll
        InjectDll ( L"C:\\Code\\APIHookingRevisited_src\\ThreadSpy.dll" );
    
        // A hook is removed when the thread that installed it exits, so keep this thread alive
        while ( true ) Sleep ( 1 );
        return 0;
    }
    
    BOOL InjectDll ( LPCWSTR dllName )
    {
        HMODULE hDll;
        FARPROC cbtProcAddr;
        HHOOK   hHook;
    
        // Load our library into this process
        hDll = LoadLibrary ( dllName );
        if ( hDll == NULL )
            return FALSE;
    
        // Get the address of the exported hook procedure
        cbtProcAddr = GetProcAddress ( hDll, "CBTProc" );
        if ( cbtProcAddr == NULL )
            return FALSE;  // CBTProc is not exported under that name
    
        HWND hWnd = FindWindow ( 0, L"Form1" );
    
        // Set our hook on the target
        hHook = SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, (DWORD) hWnd);
    
        return hHook != NULL;
    }
    Now this is what I understand should be happening with the DllMain:
    It should get called once from being loaded (via LoadLibrary), which happens.
    Because I'm setting a callback DLL, the process that I'm hooking should also have to load the DLL into its memory. This is not happening. So am I understanding wrong? Here is my DLL code:

    Code:
    __declspec( dllexport ) LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        // Pass every CBT notification on to the next hook in the chain
        return CallNextHookEx(0, nCode, wParam, lParam);
    }
    
    BOOL APIENTRY DllMain( HANDLE hModule,
                           DWORD  ul_reason_for_call,
                           LPVOID lpReserved
                         )
    {
        switch (ul_reason_for_call)
        {
            case DLL_PROCESS_ATTACH:
                // MessageBoxA so this builds with or without UNICODE defined
                MessageBoxA(NULL, "DLL attached", "None", 0);
                break;
            case DLL_PROCESS_DETACH:
                MessageBoxA(NULL, "DLL detached", "None", 0);
                break;
        }
        return TRUE;
    }
    So again... From my understanding, this should be working fine. I'm obviously misunderstanding something. Could someone point me in the right direction?

  2. #2
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    What's this for?

  3. #3
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by Bubba View Post
    What's this for?
    We're so paranoid around here... (but I feel your concern)

  4. #4
    Registered User
    Join Date
    Mar 2008
    Posts
    3
    Heh, it's actually for the exact opposite of what you think :P
    It's for anti-spyware. Trying to inject code so that I can scramble screenshots.

    I'm trying to invoke my code, which modifies the GetDesktopWindow call to return 0.

  5. #5
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Well, for starters, the following statement is incorrect

    Code:
     SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, (DWORD) hWnd);
    The fourth parm should be a thread id, not a handle to a window.

    It should look like this:
    Code:
    	SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, GetThreadIDFromWindow("Form1"));

    Code:
    // Return the id of the thread that created the window named pWindowName
    // (the value SetWindowsHookEx expects as its fourth parameter), or 0 if
    // no such window exists. GetWindowThreadProcessId returns the thread id
    // directly, so there is no need to read the TEB of the other process.
    // Callers must check for 0: passing 0 to SetWindowsHookEx hooks every thread.
    unsigned long GetThreadIDFromWindow(char *pWindowName)
    {
        HWND hWnd = FindWindowA(0, pWindowName);
        if (hWnd == NULL)
            return 0;
        return GetWindowThreadProcessId(hWnd, NULL);
    }

  6. #6
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    We're so paranoid around here... (but I feel your concern)
    I think it's because we were naive in the past.

  7. #7
    C++まいる!Cをこわせ!
    Join Date
    Oct 2007
    Location
    Inside my computer
    Posts
    24,654
    I do not recommend casting a function pointer. 99% of the time, it will be wrong. Pass a function of the type the called function expects and it will work without any casting.

  8. #8
    Registered User
    Join Date
    Mar 2008
    Posts
    3
    Hey All,
    Thanks for the help! I have gotten this working.

    The first issue I had was what BobS0327 had stated, where I was grabbing the handle to the window and not a thread inside of the window. The second issue was with my DLL. It seemed that my callback was not being exported properly. I ended up adding a .def file with my exporting information and everything worked from there. Now to build the ultimate spyware. Just joking. Seriously though, thanks for the help.

  9. #9
    Registered User
    Join Date
    Mar 2005
    Location
    Mountaintop, Pa
    Posts
    1,058
    Now to build the ultimate spyware. Just joking
    IMHO, SetWindowsHookEx is the most popular method for writing spyware such as keyloggers in userland (Ring 3). Thus, all the commercial AV software will generate an alert if you use this method for spyware.

    Bottom line, you have to be a lot more creative if you're going to write spyware. SetWindowsHookEx is just a quaint spyware method that is extremely detectable.

  10. #10
    Ex scientia vera
    Join Date
    Sep 2007
    Posts
    477
    Quote Originally Posted by zenox View Post
    Hey All,
    Thanks for the help! I have gotten this working.

    The first issue I had was what BobS0327 had stated, where I was grabbing the handle to the window and not a thread inside of the window. The second issue was with my DLL. It seemed that my callback was not being exported properly. I ended up adding a .def file with my exporting information and everything worked from there. Now to build the ultimate spyware. Just joking. Seriously though, thanks for the help.
    Just to point out: Using a thread ID of 0 will hook all threads/processes in your userspace.

    Also, regarding the attitude that people get when they post about stuff like this; I think it's ridiculous. I've read quite a few threads where the poster automatically gets stamped as some kind of a malicious cracker. Whether you like it or not, keyloggers are still software, and some people have even coded keyloggers and sold them to whoever wanted. They could, for example, be used by a boss that thinks his employees are doing x when they should be doing y on their computers. Whether or not that is ethical is irrelevant - the fact is that not all people have intentions to take over the globe.

    I've coded a keylogger myself. Using the exact same function, actually. Was it to spy on my girlfriend or get cc numbers? No, it was to understand how windows hooks work - sure, there are other types of hook than the keyboard hooks, but what if I find keyboard hooks interesting?

    Meh.

    [/end of 'justice for all' rant]

  11. #11
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    Also, regarding the attitude that people get when they post about stuff like this; I think it's ridiculous. I've read quite a few threads where the poster automatically gets stamped as some kind of a malicious cracker. Whether you like it or not, keyloggers are still software, and some people have even coded keyloggers and sold them to whoever wanted. They could, for example, be used by a boss that thinks his employees are doing x when they should be doing y on their computers. Whether or not that is ethical is irrelevant - the fact is that not all people have intentions to take over the globe.
    It is against forum rules regardless of the intent. That fact remains which is why many of these get closed.

  12. #12
    Ex scientia vera
    Join Date
    Sep 2007
    Posts
    477
    Quote Originally Posted by Bubba View Post
    It is against forum rules regardless of the intent. That fact remains which is why many of these get closed.
    Let's pretend that my rant was directed at the outdated rules, then.

    I wonder how software to counter rootkits, DLL injection and viruses could be developed without properly researching and trying out the techniques used by the malicious developers.

    Whether or not the rules state this or that is irrelevant - I will comply and abide by them, of course - but the fact remains that the rules are ridiculous, or at best not specific enough, as it clearly depends on the person and post in question whether or not the intent is malicious.

  13. #13
    Deathray Engineer MacGyver's Avatar
    Join Date
    Mar 2007
    Posts
    3,210
    Quote Originally Posted by zenox View Post
    Its for anti-spyware. Trying to inject code so that I can scramble screenshots.
    I can just picture this type of odd description being used on a cheat website for anti-PB SS tools.

  14. #14
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    Whether or not the rules state this or that is irrelevant - I will comply and abide by them, of course - but the fact remains that the rules are ridiculous, or at best not specific enough, as it clearly depends on the person and post in question whether or not the intent is malicious or not.
    All of this is your opinion and you are entitled to it. My duty as a mod is to enforce the rules we do have and keep the boards nice and tidy. All of the mods try very hard to be understanding and lenient, and I know none of us are pure hard-liners. However, we do have rules and we must enforce them, or the boards will deteriorate into a mess. In my opinion the success of this forum through the years has been due to the fact that these boards are heavily moderated and monitored. I've seen other boards come and go or get off on the wrong track, and yet this one remains.

    This is not the place for this type of discussion. Back to the topic.
