Thread: DLL Injection

  1. #16 Registered User (Join Date: Feb 2008, Posts: 25)
    Alright, sorry for the inconvenience...

    So here's exactly what my code does:

    OpenProcess(PROCESS_ALL_ACCESS, FALSE, IDProcess);
    where IDProcess is my own variable. It has the return value of "hOpenProcess"

    VirtualAllocEx(hOpenProcess, 0, strlen(szDllPath), MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    hOpenProcess is the opened process, szDllPath is my absolute path to DLL. MEM_RESERVE|MEM_COMMIT is to reserve a range of the virtual address space and to allocate physical storage in memory. PAGE_EXECUTE_READWRITE - enables these permissions for the region of pages...
    Return value is "lpRemoteMemory"

    GetModuleHandle("KERNEL32.DLL");
    Retrieve a module handle... Kernel32 obviously which handles memory management, IO and interrupts...

    WriteProcessMemory(hOpenProcess, lpRemoteMemory, (LPVOID)szDllPath, strlen(szDllPath), NULL);
    Writes data to the area in memory. Data in this case is (LPVOID)szDllPath - my DLL.

    hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibrary(szDllPath), lpRemoteMemory, 0, &IDProcess);
    hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "LoadLibraryA"), lpRemoteMemory, 0, NULL);

    Creates the thread that runs in the virtual address space.
    LPTHREAD_START_ROUTINE - Represents the starting address of the thread in the process.
    LoadLibraryA - Uncertain about this, is it right?

    WaitForSingleObject(hRemoteThread, INFINITE);
    Waits until hRemoteThread is finished... Does that mean only the init of my DLL? Because I want my DLL to run all the time without having my injection process running.

    GetExitCodeThread(hRemoteThread, &hLibModule);
    Gets termination status of hRemoteThread

    CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "FreeLibraryA"), lpRemoteMemory, 0, NULL);
    FreeLibrary....

    VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE);
    releases the region of memory lpRemoteMemory in hOpenProcess

    CloseHandle(hRemoteThread) && !CloseHandle(hOpenProcess);
    Closes the object handle hRemoteThread and hOpenProcess

    Now as I see it, I'm not using the thread after I've closed it, or freed the memory. Is GetExitCodeThread wrong?

    I'm glad for your answers, and that you don't spoil anything, make me work... Keep it coming, that's how I learn!

  2. #17 C++まいる!Cをこわせ! (Join Date: Oct 2007, Location: Inside my computer, Posts: 24,654)
    Take a better look at your code. In order, I see:

    WaitForSingleObject
    GetExitCodeThread(hRemoteThread, &hLibModule)
    CreateRemoteThread(..., (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "FreeLibraryA"), lpRemoteMemory, 0, NULL);
    CloseHandle(hRemoteThread) && CloseHandle(hOpenProcess)
    VirtualFreeEx(hOpenProcess, ...)

    This is not the order you described.
    Unless you updated your code?
    Quote Originally Posted by Adak View Post
    io.h certainly IS included in some modern compilers. It is no longer part of the standard for C, but it is nevertheless, included in the very latest Pelles C versions.
    Quote Originally Posted by Salem View Post
    You mean it's included as a crutch to help ancient programmers limp along without them having to relearn too much.

    Outside of your DOS world, your header file is meaningless.

  3. #18 Registered User (Join Date: Feb 2008, Posts: 25)
    I changed my code yes, and it is in that order I wrote...

  4. #19 C++まいる!Cをこわせ! (Join Date: Oct 2007, Location: Inside my computer, Posts: 24,654)
    And it still isn't working? If so, why not post the newest code?

  5. #20 Registered User (Join Date: Feb 2008, Posts: 25)
    This thread is getting way out of hand with long code snippets...

    So here is a pastebin:
    http://pastebin.ca/902337

    I've been messing around a bit with using GetExitCodeThread() and the second WaitForSingleObject() and without them and vice versa.

  6. #21 C++まいる!Cをこわせ! (Join Date: Oct 2007, Location: Inside my computer, Posts: 24,654)
    Btw, it's also a good idea to wait for the FreeLibrary remote thread.

  7. #22 Registered User (Join Date: Feb 2008, Posts: 25)
    So after FreeLibrary I added a second WaitForSingleObject() - it returns WAIT_OBJECT_0

    but next comes VirtualFreeEx() which fails:
    Code:
    	if(!VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE))
    	{
    		printf("[-] VirtualFreeEx() Failed: %d\n", GetLastError());
    		return -1;
    	}

  8. #23 VirtualAce, Registered User (Join Date: Aug 2001, Posts: 9,607)
    I'd say this project is a bit much for your current skill set. Why do you need DLL injection anyways?

  9. #24 Registered User (Join Date: Jan 2008, Posts: 290)
    Code:
    #include <windows.h>
    #include <stdio.h>
    #include <psapi.h>
    #include <tchar.h>
     
    #define WIN32_LEAN_MEAN  <------- ???
    This drives me CRAZY! Why do people do this? First off, it's WIN32_LEAN_AND_MEAN, and second, it isn't going to do anything for you if you define it AFTER you've already included windows.h.....

  10. #25 Registered User (Join Date: Mar 2005, Location: Mountaintop, Pa, Posts: 1,058)
    Quote Originally Posted by n1mda View Post
    So after FreeLibrary I added a second WaitForSingleObject() - it returns WAIT_OBJECT_0

    but next comes VirtualFreeEx() which fails:
    Code:
    	if(!VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE))
    	{
    		printf("[-] VirtualFreeEx() Failed: %d\n", GetLastError());
    		return -1;
    	}
    Had to "touch up" your code a little bit to fix the above error....

    Code:
    #include <windows.h>
    #include <stdio.h>
    #include <string.h>
    
    int Inject(DWORD ProcID, LPCSTR szDllPath)
    {
        LPVOID  lpRemoteMemory;
        HANDLE  hRemoteThread;
        HANDLE  hOpenProcess;
        SIZE_T  nSize = strlen(szDllPath) + 1;   // +1: the terminating NUL must be copied too, or LoadLibraryA reads past the path
        unsigned long IDProcess = ProcID;
        HMODULE hKernel;
        DWORD hLibModule;
        DWORD ret;
        FARPROC hLocLoadLibrary;
        BOOL bThreadClosed, bProcessClosed;
    
        //1. OpenProcess() - retrieve a HANDLE to the remote process
    
        hOpenProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, IDProcess);
        if(hOpenProcess == NULL)
        {
            printf("OpenProcess is NULL: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] OpenProcess: %p\n\n", (void*)hOpenProcess);
    
        //2. VirtualAllocEx() - allocate memory in the remote process address space (read/write is enough for a string)
    
        lpRemoteMemory = VirtualAllocEx(hOpenProcess, NULL, nSize, MEM_COMMIT, PAGE_READWRITE);
        if(!lpRemoteMemory)
        {
            printf("[-] VirtualAllocEx() Error: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] VirtualAllocEx(): %p\n\n", lpRemoteMemory);
    
        // GetModuleHandleA() - get kernel32.dll so the address of LoadLibraryA can be looked up
    
        hKernel = GetModuleHandleA("KERNEL32.DLL");
        if(!hKernel)
        {
            printf("[-] KernelModule Error: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] KernelModule loaded KERNEL32.DLL!\n\n");
    
    
        //3. WriteProcessMemory() - copy the NUL-terminated DLL path into the allocated memory
    
        if(!WriteProcessMemory(hOpenProcess, lpRemoteMemory, (LPVOID)szDllPath, nSize, NULL))
        {
            printf("[-] WriteProcessMemory() error: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] WriteProcessMemory()  Succeeded :)\n");
        printf("[*] Length of DLL path (with NUL): %lu\n\n", (unsigned long)nSize);
    
        hLocLoadLibrary = GetProcAddress(hKernel, "LoadLibraryA");
        if(!hLocLoadLibrary)
        {
            printf("[-] GetProcAddress(LoadLibraryA) Error: %lu\n", GetLastError());
            return -1;
        }
        // CreateRemoteThread() - run LoadLibraryA(lpRemoteMemory) inside the target
        hRemoteThread = CreateRemoteThread(hOpenProcess, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, lpRemoteMemory, 0, NULL);
        if(!hRemoteThread)
        {
            printf("[-] CreateRemoteThread Error: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] CreateRemoteThread(): %p\n\n", (void*)hRemoteThread);
    
        // No luxury poop, have to clean up
        // 1. Wait for the thread to complete
    
        if(hRemoteThread)
            ret = WaitForSingleObject(hRemoteThread, INFINITE);
        switch(ret)
        {
            case WAIT_ABANDONED: /* should not occur with a thread handle */
                break;
            case WAIT_OBJECT_0:
                /* wait successful */
                printf("[+] WaitThreadObject Complete: 0x%lx\n\n", ret);
                break;
            case WAIT_TIMEOUT:
                /* should not occur when waiting INFINITE */
                break;
            case WAIT_FAILED:
                /* wait failed */
                ret = GetLastError();
                printf("[-] WaitForSingleObject failed with error 0x%lx\n", ret);
                return -1;
                break;
        }
    
        // The thread's exit code is the HMODULE LoadLibraryA returned (0 if the load failed)
        if(!GetExitCodeThread(hRemoteThread, &hLibModule))
        {
            printf("[-] GetExitCodeThread() Error: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] GetExitCodeThread() Complete, remote HMODULE: 0x%lx\n\n", hLibModule);
    
        // The path string is no longer needed once LoadLibraryA has returned
        if(!VirtualFreeEx(hOpenProcess, lpRemoteMemory, 0, MEM_RELEASE))
        {
            printf("[-] VirtualFreeEx() Failed: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] VirtualFreeEx() Complete!\n");
    
        // Close both handles unconditionally, then report; "!CloseHandle(a) && !CloseHandle(b)"
        // would skip the second close whenever the first one succeeds
        bThreadClosed  = CloseHandle(hRemoteThread);
        bProcessClosed = CloseHandle(hOpenProcess);
        if(!bThreadClosed || !bProcessClosed)
        {
            printf("[-] Handle NOT closed: %lu\n", GetLastError());
            return -1;
        }
        printf("[+] CloseHandle() finished\n");
    
        return 0;
    }

  11. #26 vart, Hurry Slowly (Join Date: Oct 2006, Location: Rishon LeZion, Israel, Posts: 6,788)
    if(hRemoteThread) should be removed - you have return -1 above it in case of NULL handle

    You should call GetExitCodeThread only in the case of successful wait
    All problems in computer science can be solved by another level of indirection,
    except for the problem of too many layers of indirection.
    – David J. Wheeler
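A small added illustration (not code from this thread or from any of its posters) of a second cleanup pitfall in the handle-closing step that has come up in this thread: when two handles are closed inside one `if(!CloseHandle(a) && !CloseHandle(b))` condition, the `&&` short-circuits, so the second handle is only closed when the first close fails, and a failed first close is silently masked whenever the second succeeds. The handle table, `fake_close()` and the counters below are constructed stand-ins so the program runs without Windows; only the contract of CloseHandle (nonzero on success, zero on failure) is modelled.

```c
#include <stdio.h>

/* Constructed stand-in for a handle table (not the Win32 API): a slot is
 * "open" while its entry is nonzero. Only here so the example runs anywhere. */
#define MAX_HANDLES 4
static int g_open[MAX_HANDLES];

/* Mark every fake handle as open again. */
void reset_handles(void)
{
    int i;
    for (i = 0; i < MAX_HANDLES; i++)
        g_open[i] = 1;
}

/* Mimics CloseHandle's contract: nonzero on success, zero for an invalid
 * or already-closed handle. */
int fake_close(int h)
{
    if (h < 0 || h >= MAX_HANDLES || !g_open[h])
        return 0;
    g_open[h] = 0;
    return 1;
}

/* How many fake handles are still open (a leak detector for the demo). */
int open_count(void)
{
    int i, n = 0;
    for (i = 0; i < MAX_HANDLES; i++)
        n += g_open[i];
    return n;
}

/* The pattern from the thread. Because && short-circuits, fake_close(b)
 * only runs when fake_close(a) FAILS: on the normal path b leaks, and when
 * a fails but b succeeds the failure is reported as success. */
int cleanup_shortcircuit(int a, int b)
{
    if (!fake_close(a) && !fake_close(b))
        return -1;
    return 0;
}

/* Corrected form: close every handle unconditionally, then report whether
 * any close failed. */
int cleanup_each(int a, int b)
{
    int ok = 1;
    if (!fake_close(a))
        ok = 0;
    if (!fake_close(b))
        ok = 0;
    return ok ? 0 : -1;
}

int main(void)
{
    reset_handles();
    printf("short-circuit: rc=%d, still open=%d (expect one leaked)\n",
           cleanup_shortcircuit(0, 1), open_count());

    reset_handles();
    printf("close each:    rc=%d, still open=%d\n",
           cleanup_each(0, 1), open_count());

    reset_handles();
    fake_close(0); /* make the first close fail */
    printf("short-circuit with bad first handle: rc=%d (failure masked)\n",
           cleanup_shortcircuit(0, 1));
    return 0;
}
```

The same reasoning applies to any cleanup written as one combined condition: evaluate each release call on its own, record the failures, and report afterwards.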

