DLL Injection

i tried to inject a dll into another process,but CreateRemoteThread() fails :(

Code:

const char szDLL[] = "somedll.dll"; void RemoteLoadDll(HANDLE,const char *); int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){ RemoteLoadDll(GetCurrentProcess(),szDLL); // i also tried with handles to different processes return 0; } void RemoteLoadDll(HANDLE hProcess,const char *szDll){ char szLibPath[_MAX_PATH]; void* pLibRemote; // The address (in the remote process) where // szLibPath will be copied to; DWORD hLibModule; // Base address of loaded module (==HMODULE); HMODULE hKernel32 = ::GetModuleHandle("Kernel32"); // initialize szLibPath strcpy(szLibPath,szDll); // 1. Allocate memory in the remote process for szLibPath // 2. Write szLibPath to the allocated memory pLibRemote = ::VirtualAllocEx( hProcess, NULL, sizeof(szLibPath), MEM_COMMIT, PAGE_READWRITE ); ::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath, sizeof(szLibPath), NULL ); MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK); // Load DLL into the remote process // (via CreateRemoteThread & LoadLibrary) // THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY?? hThread = ::CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32, "LoadLibraryA" ), pLibRemote, 0, NULL ); MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK); ::WaitForSingleObject( hThread, INFINITE ); // Get handle of the loaded module ::GetExitCodeThread( hThread, &hLibModule ); // Clean up ::CloseHandle( hThread ); ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE ); }

help

You need to check the return values of all those API functions you are calling.

Quote:

Originally Posted by bithub

You need to check the return values of all those API functions you are calling.

ok,code is this now,i print a message if an error value has been returned from API calls prior to CreateRemoteThread(),and i replaced sizeof(szLibPath) with strlen(szLibPath) + 1

but the problem persists,can you try it , please? perhaps it's a bug in kernel32.dll...i also had a buggy psapi.dll,it was the version included in WinXP installation,so kernel32 also could be buggy...

i think that if this program works on someone else' machine,the problem could be a bug in kernel32,so please someone try it

p.s. LoadLibrary is a valid pointer in the remote process,because kernel32.dll is loaded in all Win32 processes,on the same address,and so it is LoadLibraryA

Code:

const char szDLL[] = "somedll.dll"; void RemoteLoadDll(HANDLE,const char *); int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){ RemoteLoadDll(GetCurrentProcess(),szDLL); // i also tried with handles to different processes return 0; } void RemoteLoadDll(HANDLE hProcess,const char *szDll){ char szLibPath[_MAX_PATH]; void* pLibRemote; // The address (in the remote process) where // szLibPath will be copied to; DWORD hLibModule; // Base address of loaded module (==HMODULE); HMODULE hKernel32 = ::GetModuleHandle("Kernel32"); // initialize szLibPath strcpy(szLibPath,szDll); // 1. Allocate memory in the remote process for szLibPath // 2. Write szLibPath to the allocated memory pLibRemote = ::VirtualAllocEx( hProcess, NULL, strlen(szLibPath) + 1, MEM_COMMIT, PAGE_READWRITE ); if(!pLibRemote){ MessageBox(NULL,"pLibRemote=NULL","",MB_OK); return ; } if(!::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath, strlen(szLibPath) + 1, NULL )){ MessageBox(NULL,"WriteProcessMemory failed","",MB_OK); return ; } MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK); // Load DLL into the remote process // (via CreateRemoteThread & LoadLibrary) // THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY?? hThread = ::CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32, "LoadLibraryA" ), pLibRemote, 0, NULL ); MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK); ::WaitForSingleObject( hThread, INFINITE ); // Get handle of the loaded module ::GetExitCodeThread( hThread, &hLibModule ); // Clean up ::CloseHandle( hThread ); ::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE ); }

Quote:

Originally Posted by pengch

The MEMORY ACCESS EXCEPTION is raised in your application? or the remote process?

in the local process,not the remote one

I can't stress enough how important it is to check return values of ALL API functions, even if you are sure they will never fail.

Code:

hThread = ::CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32, "LoadLibraryA" ), pLibRemote, 0, NULL );

change this code to:

Code:

FARPROC lpfn = ::GetProcAddress( hKernel32, "LoadLibraryA" ); if(!lpfn) return; hThread = ::CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) lpfn, pLibRemote, 0, NULL );

Also, make sure you are passing a valid process handle to CreateRemoteThread.

It runs fine for me. There are a couple of possibilities:
1. There is an error in your dll. Try a known good DLL such as "user32".
2. There is an error in your actual code. You don't seem to have posted your exact code as hThread is not declared.

A couple of observations, although not causing the exception:

Code:

::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );

should be:

Code:

::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );

Also, you will probably have to use an absolute path to your dll.

Quote:

Originally Posted by anonytmouse

It runs fine for me. There are a couple of possibilities:
1. There is an error in your dll. Try a known good DLL such as "user32".
2. There is an error in your actual code. You don't seem to have posted your exact code as hThread is not declared.

A couple of observations, although not causing the exception:

Code:

::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );

should be:

Code:

::VirtualFreeEx( hProcess, pLibRemote, 0, MEM_RELEASE );

Also, you will probably have to use an absolute path to your dll.

i solved the problem,it's all ok

thanks! :D