PDA

Click to See Complete Forum and Search --> : DLL Injection

GordonFreeman
September 24th, 2005, 03:05 PM
i tried to inject a dll into another process,but CreateRemoteThread() fails :(




const char szDLL[] = "somedll.dll";

void RemoteLoadDll(HANDLE,const char *);


int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){
RemoteLoadDll(GetCurrentProcess(),szDLL); // i also tried with handles to different processes
return 0;
}


void RemoteLoadDll(HANDLE hProcess,const char *szDll){

char szLibPath[_MAX_PATH];

void* pLibRemote; // The address (in the remote process) where
// szLibPath will be copied to;
DWORD hLibModule; // Base address of loaded module (==HMODULE);
HMODULE hKernel32 = ::GetModuleHandle("Kernel32");

// initialize szLibPath
strcpy(szLibPath,szDll);

// 1. Allocate memory in the remote process for szLibPath
// 2. Write szLibPath to the allocated memory
pLibRemote = ::VirtualAllocEx( hProcess, NULL, sizeof(szLibPath),
MEM_COMMIT, PAGE_READWRITE );
::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
sizeof(szLibPath), NULL );

MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK);

// Load DLL into the remote process
// (via CreateRemoteThread & LoadLibrary)

// THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY??

hThread = ::CreateRemoteThread( hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,
"LoadLibraryA" ),
pLibRemote, 0, NULL );

MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK);

::WaitForSingleObject( hThread, INFINITE );

// Get handle of the loaded module
::GetExitCodeThread( hThread, &hLibModule );

// Clean up
::CloseHandle( hThread );
::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );

}




help
Calculator
September 24th, 2005, 03:54 PM
You're a bit trigger-happy to cross-post multiple forums:

>> You need to check the return values of all those API functions you are calling.

He's right you know. What you are trying to do is simply awkward in of itself too. You're passing LoadLibrary as you're threaded function, with memory allocated with VirtualAllocEx as a parameter. In you're WriteProcessMemory, sizeof(szLibPath) will be the sizeof a pointer, which is probably not the intent.
GordonFreeman
September 24th, 2005, 06:02 PM
You're a bit trigger-happy to cross-post multiple forums:

>> You need to check the return values of all those API functions you are calling.

He's right you know. What you are trying to do is simply awkward in of itself too. You're passing LoadLibrary as you're threaded function, with memory allocated with VirtualAllocEx as a parameter. In you're WriteProcessMemory, sizeof(szLibPath) will be the sizeof a pointer, which is probably not the intent.


ok,code is this now,i print a message if an error value has been returned from API calls prior to CreateRemoteThread(),and i replaced sizeof(szLibPath) with strlen(szLibPath) + 1

but the problem persists,can you try it , please? perhaps it's a bug in kernel32.dll...i also had a buggy psapi.dll,it was the version included in WinXP installation,so kernel32 also could be buggy...

i think that if this program works on someone else' machine,the problem could be a bug in kernel32,so please someone try it

p.s. LoadLibrary is a valid pointer in the remote process,because kernel32.dll is loaded in all Win32 processes,on the same address,and so it is LoadLibraryA





const char szDLL[] = "somedll.dll";

void RemoteLoadDll(HANDLE,const char *);


int WINAPI WinMain(HINSTANCE,HINSTANCE,LPSTR,INT){
RemoteLoadDll(GetCurrentProcess(),szDLL); // i also tried with handles to different processes
return 0;
}


void RemoteLoadDll(HANDLE hProcess,const char *szDll){

char szLibPath[_MAX_PATH];

void* pLibRemote; // The address (in the remote process) where
// szLibPath will be copied to;
DWORD hLibModule; // Base address of loaded module (==HMODULE);
HMODULE hKernel32 = ::GetModuleHandle("Kernel32");

// initialize szLibPath
strcpy(szLibPath,szDll);

// 1. Allocate memory in the remote process for szLibPath
// 2. Write szLibPath to the allocated memory
pLibRemote = ::VirtualAllocEx( hProcess, NULL, strlen(szLibPath) + 1,
MEM_COMMIT, PAGE_READWRITE );

if(!pLibRemote){
MessageBox(NULL,"pLibRemote=NULL","",MB_OK);
return ;
}

if(!::WriteProcessMemory( hProcess, pLibRemote, (void*)szLibPath,
strlen(szLibPath) + 1, NULL )){
MessageBox(NULL,"WriteProcessMemory failed","",MB_OK);
return ;
}

MessageBox(NULL,"before createremotethread()","remoteloaddll()",MB_OK);

// Load DLL into the remote process
// (via CreateRemoteThread & LoadLibrary)

// THIS WILL RAISE A MEMORY ACCESS EXCEPTION...WHY??

hThread = ::CreateRemoteThread( hProcess, NULL, 0,
(LPTHREAD_START_ROUTINE) ::GetProcAddress( hKernel32,
"LoadLibraryA" ),
pLibRemote, 0, NULL );

MessageBox(NULL,"after createremotethread()","remoteloaddll()",MB_OK);

::WaitForSingleObject( hThread, INFINITE );

// Get handle of the loaded module
::GetExitCodeThread( hThread, &hLibModule );

// Clean up
::CloseHandle( hThread );
::VirtualFreeEx( hProcess, pLibRemote, sizeof(szLibPath), MEM_RELEASE );

}
pengch
September 24th, 2005, 06:13 PM
The MEMORY ACCESS EXCEPTION is raised in your application? or the remote process?
GordonFreeman
September 24th, 2005, 06:17 PM
The MEMORY ACCESS EXCEPTION is raised in your application? or the remote process?

in the local process,not the remote one
packetvb
September 25th, 2005, 12:20 AM
GordonFreeman,

I believe you are doing it wrong.
The handle you are getting from GetCurrentProcess is not the "real" handle. Look at the api on microsoft.
You should be using DuplicateHandle on the pseudo handle or use OpenProcess, to get the "real" Handle.

A bit of source:

//Translated From Basic to C++
Boolean ProcStartClass::InjectDllIntoProcess (DWORD processId){

DWORD hLibModule;
HANDLE hThread;
HANDLE hTProcess;
DWORD bytesret33;
String dllName;
String dllfullpath;
String tempsss;
HMODULE hKernel32= GetModuleHandle ( "Kernel32" );
void *pLibRemote;
dllName="NAEGuard.dll";
dllName.resize ( 256 );
dllfullpath.resize ( 256 );
GetFullPathName ( "NAEGuard.dll",Len ( dllfullpath ) ,CStr ( dllfullpath ) , ( char** ) CStr ( dllName ) );
dllName=CStr ( dllfullpath );
hTProcess=OpenProcess ( PROCESS_ALL_ACCESS,FALSE, ( unsigned Long ) processId );
if (hTProcess == NULL ){

MsgBox ( "Failed to open the process for reading." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

pLibRemote=VirtualAllocEx ( hTProcess,NULL,Len ( dllName ) +1,MEM_TOP_DOWN | MEM_COMMIT,PAGE_EXECUTE_READWRITE );
if (pLibRemote == NULL ){

MsgBox ( "Failed to allocate needed memory for monitoring application." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

Boolean eResult;
eResult = WriteProcessMemory ( hTProcess,pLibRemote, ( void* ) CStr ( dllName ) ,Len ( dllName ) +1,&bytesret33 );
if (eResult == False ){

MsgBox ( "Failed to modify applications memory." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

DWORD procadde= 0;
procadde= ( DWORD ) GetProcAddress ( hKernel32,"LoadLibraryA" );
hThread=CreateRemoteThread ( hTProcess,NULL,0, ( LPTHREAD_START_ROUTINE ) procadde,pLibRemote,0,NULL );
if (hThread == NULL ){

MsgBox ( "Failed to change IAT in target process." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

DWORD waitres;
waitres=WaitForSingleObject ( hThread,INFINITE );
GetExitCodeThread ( hThread,&hLibModule );
CloseHandle ( hThread );
VirtualFreeEx ( hTProcess,pLibRemote,0,MEM_RELEASE );
CloseHandle ( hTProcess );
if (hLibModule>0 ){

return True;
}

return False;
}


packetvb
GordonFreeman
September 25th, 2005, 02:46 PM
GordonFreeman,

I believe you are doing it wrong.
The handle you are getting from GetCurrentProcess is not the "real" handle. Look at the api on microsoft.
You should be using DuplicateHandle on the pseudo handle or use OpenProcess, to get the "real" Handle.

A bit of source:

//Translated From Basic to C++
Boolean ProcStartClass::InjectDllIntoProcess (DWORD processId){

DWORD hLibModule;
HANDLE hThread;
HANDLE hTProcess;
DWORD bytesret33;
String dllName;
String dllfullpath;
String tempsss;
HMODULE hKernel32= GetModuleHandle ( "Kernel32" );
void *pLibRemote;
dllName="NAEGuard.dll";
dllName.resize ( 256 );
dllfullpath.resize ( 256 );
GetFullPathName ( "NAEGuard.dll",Len ( dllfullpath ) ,CStr ( dllfullpath ) , ( char** ) CStr ( dllName ) );
dllName=CStr ( dllfullpath );
hTProcess=OpenProcess ( PROCESS_ALL_ACCESS,FALSE, ( unsigned Long ) processId );
if (hTProcess == NULL ){

MsgBox ( "Failed to open the process for reading." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

pLibRemote=VirtualAllocEx ( hTProcess,NULL,Len ( dllName ) +1,MEM_TOP_DOWN | MEM_COMMIT,PAGE_EXECUTE_READWRITE );
if (pLibRemote == NULL ){

MsgBox ( "Failed to allocate needed memory for monitoring application." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

Boolean eResult;
eResult = WriteProcessMemory ( hTProcess,pLibRemote, ( void* ) CStr ( dllName ) ,Len ( dllName ) +1,&bytesret33 );
if (eResult == False ){

MsgBox ( "Failed to modify applications memory." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

DWORD procadde= 0;
procadde= ( DWORD ) GetProcAddress ( hKernel32,"LoadLibraryA" );
hThread=CreateRemoteThread ( hTProcess,NULL,0, ( LPTHREAD_START_ROUTINE ) procadde,pLibRemote,0,NULL );
if (hThread == NULL ){

MsgBox ( "Failed to change IAT in target process." + String("\r\n") + "Unable to monitor the starting application.",sbCritical,"Execution Guard Error" );
return False;
}

DWORD waitres;
waitres=WaitForSingleObject ( hThread,INFINITE );
GetExitCodeThread ( hThread,&hLibModule );
CloseHandle ( hThread );
VirtualFreeEx ( hTProcess,pLibRemote,0,MEM_RELEASE );
CloseHandle ( hTProcess );
if (hLibModule>0 ){

return True;
}

return False;
}


packetvb


i solved the problem,it's all ok

thanks! :D