Thread: DLL Injection

Hi people!

First of all, I'd like to say thank you for a wonderful site and forum! It has helped me a lot in my progress in C. Big kudos to you all!

Now on to my question, I'm currently writing an application that injects a DLL in a process of choice, but having some minor problems...

All my code builds fine, and runs, AND it injects the DLL. But as soon as either the DLL has finnished executing or the application (Don't know which) the process I injected into chrashes... And I can't seem to figure out why.

Anyways, here's my code:

run.c

Code:

#include <windows.h>
#include <stdio.h>
#include <psapi.h>
#include <tchar.h>

#define WIN32_LEAN_MEAN

int Inject(DWORD, LPCSTR);

DWORD GetProcessByFileName(char* name)
{
    DWORD process_id_array[1024];
    DWORD bytes_returned;
    DWORD num_processes;
    HANDLE hProcess;
    char image_name[256];
    char buffer[256];
	int i;
    DWORD exitcode;
    EnumProcesses(process_id_array, 256*sizeof(DWORD), &bytes_returned);
    num_processes = (bytes_returned/sizeof(DWORD));
    for (i = 0; i < num_processes; i++) {
        hProcess=OpenProcess(PROCESS_ALL_ACCESS,TRUE,process_id_array[i]);
        if(GetModuleBaseName(hProcess,0,image_name,256)){
            if(!stricmp(image_name,name))
            {
                CloseHandle(hProcess);
                return process_id_array[i];
            }
        }
        CloseHandle(hProcess);
    }
    return 0;
}

int main()
{
	DWORD dwPID;
		dwPID = GetProcessByFileName("explorer.exe");
	if(dwPID == 0)
	{
		STARTUPINFO si = {sizeof(STARTUPINFO)};
		PROCESS_INFORMATION pi;
		CreateProcess(NULL, "C:\\WINDOWS\\explorer.exe", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
		Sleep(1500);
		dwPID = GetProcessByFileName("explorer.exe");
	}

	if(dwPID != 0)
		Inject(dwPID, "C:\\testdll.dll");
	return;
}

int Inject(DWORD ProcID, LPCSTR szDllPath)
{
	LPVOID	lpRemoteMemory;
	HANDLE	hRemoteThread;
	HWND	hOpenProcess;
	SIZE_T	nSize = strlen(szDllPath);
	unsigned long IDProcess = ProcID;
	HMODULE hKernel;

// OpenProcess() - retrieve a HANDLE to the remote process

	hOpenProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, IDProcess);
	if(hOpenProcess == NULL)
	{
		printf("OpenProcess is NULL");
		printf("Error: &#37;d\n", GetLastError());
	}
	printf("OpenProcess: %d\n", hOpenProcess);

// VirtualAllocEx() - Allocate memory in remote process addres-space

	lpRemoteMemory = VirtualAllocEx(hOpenProcess, 0, strlen(szDllPath), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if(!lpRemoteMemory)
	{
		printf("VirtualAlloc() Error: %d\n", GetLastError());
		return -1;
	}
	printf("VirtualAlloc(): 0x%x\n", lpRemoteMemory);

// WriteProcessMemory() - Copy initialised injection data strucuture to allocated memory

	if(!WriteProcessMemory(hOpenProcess, lpRemoteMemory, (LPVOID)szDllPath, strlen(szDllPath), NULL))
	{
		printf("WriteProcessMemory() error: %d\n", GetLastError());
	}
	printf("WriteProcessMemory()  Succeeded :)\n\n");
	printf("Size of DLL: %d\n", nSize);

// GetModuleHandle() - kernel32.dll API CALL

	hKernel = GetModuleHandle("KERNEL32.DLL");
	if(!hKernel)
	{
		printf("KernelModule Error: %d\n", GetLastError());
	}
	printf("KernelModule loaded KERNEL32.DLL!\n");

// CreateRemoteThread() - Start the remote copy

	hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary(szDllPath), lpRemoteMemory, 0, &IDProcess);
	hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "LoadLibraryA"), lpRemoteMemory, 0, NULL);
	if(!hRemoteThread)
	{
		printf("CreateRemoteThread Error: %d\n", GetLastError());
		return -1;
	}
	printf("CreateRemoteThread(): %d\n", hRemoteThread);

// No luxury poop, have to clean up
// 1. Close Handle
	if(!CloseHandle(hRemoteThread) && !CloseHandle(hOpenProcess))
	{
		printf("Handle NOT closed!\n");
		printf("Error Closeing: %d\n", GetLastError());
	}
	printf("CloseHandle() finished\n");

// 2. Wait for the thread to complete
	if(!WaitForSingleObject(hRemoteThread, INFINITE))
	{
		printf("WaitThreadObject Failed!\n");
		printf("Error Code: %d\n", GetLastError());
	}
	printf("WaitThreadObject Complete!\n");

// 3. Free memory in remote process
	if(!VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE))
	{
		printf("VirtualFreeMemory Failed!");
		printf("Error Code: %d\n", GetLastError());
	}
	printf("VirtualFreeMemory Complete!\n");

	return 0;
}

And here's my DLL:

Code:

#include <windows.h>
#include <winsock2.h>
#include <stdio.h>

BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
printf("Lol\n");
}

run.c is compiled like this: i586-mingw32msvc-gcc run.c -o run.exe -lpsapi -s
under linux, since I'm crosscompiling and used to the linux system...

I compile my DLL with Dev-C++ under windows

Do you guys see any error in my code? Have I forgotten something? Also, please come with constructive critics - as this is my first "major" piece of code...

Free hugs to those who answers!
n1mda

EDIT: This is the ouput when I run "run.exe"

Code:

L:\home\n1mda\programming\testdll>run.exe
OpenProcess: 2036
VirtualAlloc(): 0x16f0000
WriteProcessMemory()  Succeeded :)

Size of DLL: 14
KernelModule loaded KERNEL32.DLL!
Lol
CreateRemoteThread(): 2012
CloseHandle() finished
WaitThreadObject Complete!
VirtualFreeMemory Complete!
Lol