Dll Injection Question

Hey All,
I'm writing some dll injection code using windows hooks. I'm understanding the code pretty well, Its just more of the theory that I don't quite get. First I will post my code for the dll injecting:

Code:

BOOL InjectDll ( LPCWSTR dllName ); int _tmain(int argc, _TCHAR* argv[]) { // Inject our dll InjectDll ( L"C:\\Code\\APIHookingRevisited_src\\ThreadSpy.dll" ); while ( true ) Sleep ( 1 ); return 0; } BOOL InjectDll ( LPCWSTR dllName ) { HMODULE hDll; FARPROC cbtProcAddr; // Load our library hDll = LoadLibrary ( dllName ); // Get our process cbtProcAddr = GetProcAddress ( hDll, "CBTProc" ); HWND hWnd = FindWindow ( 0, L"Form1" ); // Set our hooks SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, (DWORD) hWnd); return TRUE; }

Now this is what I understand should be happening with the DllMain:
It should get called once from being loaded (vis LoadLibrary), which happens.
Because I'm setting a callback dll, the process that im hooking should also have to load the dll into it's memory. This is not happening. So am I understanding wrong? Here is my dll code:

Code:

__declspec( dllexport ) LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam) { return CallNextHookEx(0, nCode, wParam, lParam); }; BOOL APIENTRY DllMain( HANDLE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: MessageBox(NULL, "DLL attached", "None", 0); break; case DLL_PROCESS_DETACH: MessageBox(NULL, "DLL detached", "None", 0); break; } return TRUE; }

So again... From my understanding, this should be working fine. I'm obviously misunderstanding something. Could someone point me in the right direction?

Whats this for?

Quote:

Originally Posted by Bubba

Whats this for?

We're so paranoid around here... (but I feel your concern)

Heh, its actually for the exact opposite of what you think :P
Its for anti-spyware. Trying to inject code so that I can scramble screenshots.

Im trying to invoke my code, which modify's the GetDesktopWindow call to return 0.

Well, for starters, the following statement is incorrect

Code:

SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, (DWORD) hWnd);

The fourth parm should be a thread id not a handle to a window.

It should look like this:

Code:

SetWindowsHookEx(WH_CBT, (HOOKPROC)cbtProcAddr, hDll, GetThreadIDFromWindow("Form1"));

Code:

// FS:[0x18] points to a thread’s Thread Environment Block (or TEB). //Offset 36 points to the thread id unsigned long GetThreadIDFromWindow(char *pWindowName) { HWND hWnd; HANDLE hProcess; unsigned long ulProcess, ulTid, ulThreadID; hWnd = FindWindow(0, pWindowName); GetWindowThreadProcessId(hWnd, &ulProcess); _asm { mov eax, fs:[0x18] add eax, 36 mov [ulTid], eax } hProcess = OpenProcess(PROCESS_VM_READ, false, ulProcess); ReadProcessMemory(hProcess, (const void *)ulTid, &ulThreadID, 4, NULL); CloseHandle(hProcess); return ulThreadID; }

Quote:

We're so paranoid around here... (but I feel your concern)

I think it's because we were naive in the past.

I do not recommend casting a function pointer. 99% of the times, it will be wrong. Pass a correct function address to a function that is expected by the function and it will pass without any casting.

Hey All,
Thanks for the help! I have gotten this working.

The first issue I had was what BobS0327 had stated where I was grabbing the handle to the window and not a thread inside of the window. The second issue was with my dll. It seemed that my callback was not being exported properly. I ended up adding a .dec file with my exporting information and everything worked from their. Now to build the ultimate spyware. Just joking :) Seriously though, thanks for the help.

Quote:

Now to build the ultimate spyware. Just joking

IMHO, SetWindowsHookEx is the most popular method for writing spyware such as keyloggers in userland (Ring 3). Thus, all the commercial AV software will generate an alert if you use this method for spyware.

Bottom-line, you have to be a lot more creative if you're going to write spyware. SetWindowsHookex is just a quaint spyware method that is extremely detectable.

Quote:

Originally Posted by zenox

Hey All,
Thanks for the help! I have gotten this working.

The first issue I had was what BobS0327 had stated where I was grabbing the handle to the window and not a thread inside of the window. The second issue was with my dll. It seemed that my callback was not being exported properly. I ended up adding a .dec file with my exporting information and everything worked from their. Now to build the ultimate spyware. Just joking :) Seriously though, thanks for the help.

Just to point out: Using a thread ID of 0 will hook all threads/processes in your userspace.

Also, regarding the attitude that people get when they post about stuff like this; I think it's ridiculous. I've read quite a few threads where the poster automatically gets stamped as some kind of a malicious cracker. Whether you like it or not, keyloggers are still software, and some people have even coded keyloggers and sold them to whoever wanted. They could, for example, be used by a boss that thinks his employees are doing x when they should be doing y in their computers. Whether or not that is ethical is a irrelevant - the fact is that not all people have intentions to take over the globe.

I've coded a keylogger myself. Using the exact same function, actually. Was it to spy on my girlfriend or get cc numbers? No, it was to understand how windows hooks work - sure, there are other types of hook than the keyboard hooks, but what if I find keyboard hooks interesting?

Meh.

[/end of 'justice for all' rant]

Quote:

Also, regarding the attitude that people get when they post about stuff like this; I think it's ridiculous. I've read quite a few threads where the poster automatically gets stamped as some kind of a malicious cracker. Whether you like it or not, keyloggers are still software, and some people have even coded keyloggers and sold them to whoever wanted. They could, for example, be used by a boss that thinks his employees are doing x when they should be doing y in their computers. Whether or not that is ethical is a irrelevant - the fact is that not all people have intentions to take over the globe.

It is against forum rules regardless of the intent. That fact remains which is why many of these get closed.

Quote:

Originally Posted by Bubba

It is against forum rules regardless of the intent. That fact remains which is why many of these get closed.

Let's pretend that my rant was directed at the outdated rules, then.

I wonder how software to counter rootkits, dll injections and viruses were to be developed without properly researching and trying out the techniques used by the malicious developers.

Whether or not the rules state this or that is irrelevant - I will comply and abide by them, of course - but the fact remains that the rules are ridiculous, or at best not specific enough, as it clearly depends on the person and post in question whether or not the intent is malicious or not.

Quote:

Originally Posted by zenox

Its for anti-spyware. Trying to inject code so that I can scramble screenshots.

I can just picture this type of odd description being used on a cheat website for anti-PB SS tools.

Quote:

Whether or not the rules state this or that is irrelevant - I will comply and abide by them, of course - but the fact remains that the rules are ridiculous, or at best not specific enough, as it clearly depends on the person and post in question whether or not the intent is malicious or not.

All of this is your opinion and you are entitled to it. My duty as a mod is to enforce the rules we do have and keep the boards nice and tidy. All of the mods try very hard to be understanding and lenient and I know none of us that are pure hard liners. However we do have rules and we must or the boards will deteriorate into a mess. In my opinion the success of this forum through the years has been due to the fact that these boards are heavily moderated and monitored. I've seen other boards come and go or get off on the wrong track and yet this one remains.

This is not the place for this type of discussion. Back to the topic.