DLL Injection

This is a discussion on DLL Injection within the Windows Programming forums, part of the Platform Specific Boards category; i tried to inject a dll into another process,but CreateRemoteThread() fails Code: const char szDLL[] = "somedll.dll"; void RemoteLoadDll(HANDLE,const char ...

  1. #1
    Registered User
    Join Date
    Mar 2005
    Posts
    69

    DLL Injection

    i tried to inject a dll into another process,but CreateRemoteThread() fails


    Code:
    const char szDLL[] = "somedll.dll";
    
    void RemoteLoadDll(HANDLE,const char *);
    
    
    int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){
     RemoteLoadDll(GetCurrentProcess(),szDLL);  // i also tried with handles to different processes
     return 0;
    }
    
    
    void RemoteLoadDll(HANDLE hProcess,const char *szDll){
    
     char    szLibPath[_MAX_PATH]; 
                                   
     void*   pLibRemote;   // The address (in the remote process) where 
                          // szLibPath will be copied to;
     DWORD   hLibModule;   // Base address of loaded module (==HMODULE);
     HMODULE hKernel32 = ::GetModuleHandle("Kernel32");
    
    // initialize szLibPath
     strcpy(szLibPath,szDll);
    
    // 1. Allocate memory in the remote process for szLibPath
    // 2. Write szLibPath to the allocated memory
     pLibRemote = ::VirtualAllocEx( hProcess, NULL, sizeof(szLibPath),
                                   MEM_COMMIT, PAGE_READWRITE );
     ::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
                          sizeof(szLibPath), NULL );
    
     MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK);
    
    // Load DLL into the remote process
    // (via CreateRemoteThread & LoadLibrary)
    
    // THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY??
    
     hThread = ::CreateRemoteThread( hProcess, NULL, 0,
                 (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,
                                            "LoadLibraryA" ),
                  pLibRemote, 0, NULL ); 
    
     MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK);
    
     ::WaitForSingleObject( hThread, INFINITE );
    
    // Get handle of the loaded module
     ::GetExitCodeThread( hThread, &hLibModule );
    
    // Clean up
     ::CloseHandle( hThread );
     ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );
    
    }

    help

  2. #2
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    You need to check the return values of all those API functions you are calling.

  3. #3
    Registered User
    Join Date
    Mar 2005
    Posts
    69
    Quote Originally Posted by bithub
    You need to check the return values of all those API functions you are calling.

    ok,code is this now,i print a message if an error value has been returned from API calls prior to CreateRemoteThread(),and i replaced sizeof(szLibPath) with strlen(szLibPath) + 1

    but the problem persists,can you try it , please? perhaps it's a bug in kernel32.dll...i also had a buggy psapi.dll,it was the version included in WinXP installation,so kernel32 also could be buggy...

    i think that if this program works on someone else' machine,the problem could be a bug in kernel32,so please someone try it

    p.s. LoadLibrary is a valid pointer in the remote process,because kernel32.dll is loaded in all Win32 processes,on the same address,and so it is LoadLibraryA


    Code:
    
    const char szDLL[] = "somedll.dll";
    
    void RemoteLoadDll(HANDLE,const char *);
    
    
    int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){
     RemoteLoadDll(GetCurrentProcess(),szDLL);  // i also tried with handles to different processes
     return 0;
    }
    
    
    void RemoteLoadDll(HANDLE hProcess,const char *szDll){
    
     char    szLibPath[_MAX_PATH]; 
                                   
     void*   pLibRemote;   // The address (in the remote process) where 
                          // szLibPath will be copied to;
     DWORD   hLibModule;   // Base address of loaded module (==HMODULE);
     HMODULE hKernel32 = ::GetModuleHandle("Kernel32");
    
    // initialize szLibPath
     strcpy(szLibPath,szDll);
    
    // 1. Allocate memory in the remote process for szLibPath
    // 2. Write szLibPath to the allocated memory
     pLibRemote = ::VirtualAllocEx( hProcess, NULL, strlen(szLibPath) + 1,
                                   MEM_COMMIT, PAGE_READWRITE );
    
    if(!pLibRemote){
     MessageBox(NULL,"pLibRemote=NULL","",MB_OK);
     return ;
    }
    
    if(!::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
                          strlen(szLibPath) + 1, NULL )){
     MessageBox(NULL,"WriteProcessMemory failed","",MB_OK);
     return ;
    }
    
     MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK);
    
    // Load DLL into the remote process
    // (via CreateRemoteThread & LoadLibrary)
    
    // THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY??
    
     hThread = ::CreateRemoteThread( hProcess, NULL, 0,
                 (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,
                                            "LoadLibraryA" ),
                  pLibRemote, 0, NULL ); 
    
     MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK);
    
     ::WaitForSingleObject( hThread, INFINITE );
    
    // Get handle of the loaded module
     ::GetExitCodeThread( hThread, &hLibModule );
    
    // Clean up
     ::CloseHandle( hThread );
     ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );
    
    }

  4. #4
    Registered User
    Join Date
    Mar 2005
    Posts
    69
    Quote Originally Posted by pengch
    The MEMORY ACCESS EXCEPTION is raised in your application? or the remote process?
    in the local process,not the remote one

  5. #5
    Registered User
    Join Date
    Sep 2004
    Location
    California
    Posts
    3,246
    I can't stress enough how important it is to check return values of ALL API functions, even if you are sure they will never fail.
    Code:
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
                 (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,
                                            "LoadLibraryA" ),
                  pLibRemote, 0, NULL );
    change this code to:
    Code:
    FARPROC lpfn = ::GetProcAddress( hKernel32, "LoadLibraryA" );
    if(!lpfn) return;
    hThread = ::CreateRemoteThread( hProcess, NULL, 0,
                 (LPTHREAD_START_ROUTINE) lpfn,
                  pLibRemote, 0, NULL );
    Also, make sure you are passing a valid process handle to CreateRemoteThread.

  6. #6
    Yes, my avatar is stolen anonytmouse's Avatar
    Join Date
    Dec 2002
    Posts
    2,544
    It runs fine for me. There are a couple of possibilities:
    1. There is an error in your dll. Try a known good DLL such as "user32".
    2. There is an error in your actual code. You don't seem to have posted your exact code as hThread is not declared.

    A couple of observations, although not causing the exception:
    Code:
     ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );
    should be:
    Code:
     ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
    Also, you will probably have to use an absolute path to your dll.

  7. #7
    Registered User
    Join Date
    Mar 2005
    Posts
    69

    Thumbs up

    Quote Originally Posted by anonytmouse
    It runs fine for me. There are a couple of possibilities:
    1. There is an error in your dll. Try a known good DLL such as "user32".
    2. There is an error in your actual code. You don't seem to have posted your exact code as hThread is not declared.

    A couple of observations, although not causing the exception:
    Code:
     ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );
    should be:
    Code:
     ::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );
    Also, you will probably have to use an absolute path to your dll.
    i solved the problem,it's all ok

    thanks!

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. Dll Injection Question
    By zenox in forum C Programming
    Replies: 13
    Last Post: 03-15-2008, 11:54 AM
  2. problem- injection dll thru remotethread
    By Brij in forum Windows Programming
    Replies: 11
    Last Post: 10-30-2006, 01:45 AM
  3. dll communicating between each other
    By cloudy in forum C++ Programming
    Replies: 5
    Last Post: 06-17-2005, 03:20 AM
  4. DLL and std::string woes!
    By Magos in forum C++ Programming
    Replies: 7
    Last Post: 09-08-2004, 01:34 PM
  5. dll injection - 99% CPU Usage
    By Andrew_5342 in forum Windows Programming
    Replies: 2
    Last Post: 05-21-2003, 12:27 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21