A DLL INJECTION TUTORIAL [C]
Dll Injection is the process in which a dll is loaded into the memory space of a running process.
This injected dll then can either hook or run or change memory values.
It can do this because it is running in that processes memory space.
Now the first thing to do is find the processes.
Ok !! to find a certain process there a few ways but this is the easiest.
To do this we need the help of some windows functions.
HANDLE WINAPI CreateToolhelp32Snapshot(
__in DWORD dwFlags,
__in DWORD th32ProcessID
);
BOOL WINAPI Process32First(
__in HANDLE hSnapshot,
__inout LPPROCESSENTRY32 lppe
);
BOOL WINAPI Process32Next(
__in HANDLE hSnapshot,
__out LPPROCESSENTRY32 lppe
);
Ok all of these functions are found in
Tlhelp32.h
Ok now these functions take structures that will be used to walk through a snapshot or
list of the running processes on the computer at the time.
Ok to explain what you have to do to get these to work for u is this.
if you notice that CreateToolHelp32Snapshot returns a handle.
This handle points to the snapshot(list) of the processes.
The flags just needs to be set to
TH32CS_SNAPPROCESS
and the th32ProcessID to 0
example code:
HANDLE snapshot =CreateToolhelp32Snapshot( TH32_SNAPPROCESS,0);
Ok now to put this snapshot to use you need to use the Process32First and Process32Next functions.
Now these contain another structure.
PPROCESSENTRY32
This structure holds the process info most notably the exe that was used to create this process.
Theres other things this can beuse for but there not in this TUT.
Ok now to get the first process you call Process32First
PROCESSENTRY32 sentry;
Process32First( snapshot,&sentry );
Ok this could use some error checking but what ever.
Ok this will return the first process in the list.
Now to check if this is the exe you need to compare the exe name with the one you want to find.
strcmp( sentry.szExeFile, exe );
Now if this returns 0 then you found the process and you can get the processID like this.
sentry.th32ProcessID;
Ok if the first one is not the right one then you will have to loop through the list.
To do this you can use any kind of loop you want, but a while is the best.
Now to loop through the list you use Process32Next (it returns true or false)
while(Process32Next( snapshot,&sentry )
{
if( strcmp( sentry.szExeFile, exe )==0)
break;
}
Ok this puts the process ID in the sentry structure and you get it like before.
Ok thats all the info you need to be able to write a function to find a process based on a name.
Now for the actual injection method.
Ok the method that will be used is done with CreateRemoteThread
HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);
Ok this needs alittle explanation. To get this too work it helps to understand whats needed to
get this to get the process to load and run our dll.
hProcess is the process that the dll will be injected into.
lpThreadAttributes isnot need can be set to NULL
dwStackSize isnot needed also thisis0
lpStartAddress is the address of the function that this thread will call when its created
lpParameter is the paramete to be passed to the function on thread creation
dwCreationFlags isnot need as the thread should run as soon as its create so setthis to 0
lpThreadId thisisnot needed unless error checking is needed.
Ok theres really only 3 parametes in that function that are important.
They are
hProcess, lpStartAddress, lpParameter
Ok a few things needs to be said about this. This will allow us to create a thread ( after the process is opened )
and this thread will be use to load our dll. Now the only way a program can dynamically load a dll into itself is with the
HANDLE LoadLibraryA(constchar*lib )
Ok this is the ascii version of the function and it will be used.
Ok this function will load a dll into a process's memory space and run the DllMain in the dll.
Now to make this usefull we need to call it in the other process and not in ours.
To do this we need one other bit of information. Mainly the Address of this function.
This address is what will be passed to the CreateRemoteThread function.
Now you can probley guess what the lpParameter is gonna be. But before that lets figure out how to get the address of the function.
Ok this needs another windows function
FARPROC GetProcAdress( HMODULE mod,constchar*func )
Ok this is the function it need to take a HMODULE(HANDLE) to the module you want to find the address of the function.
The func is the name of the function (LoadLibraryA) and then you need to get the address.
Now the best way to store this address is in a LPVOID so this is whats gonna happen.
So to get the handle to the module that contains the function were looking for (LoadLibraryA) we need to get this.
Another name for module is a DLL so we can use the LoadLibrary function to get a HANDLE to the module (dll) like so:
HANDLE kernel =LoadLibrary("kernel32.dll");
Ok then you can use the GetProAddress and get the LoadLibraryA address.
LPVOID loadlib =(LPVOID)GetProcAddress( kernel,"LoadLibraryA");
Ok now that we have the address of the function we need to inject(load) our dll into another process.
Now One more thing is needed. Notice the parameter for LoadLibrary takes a string. This string needs to be passed to it or it won't work
To do this though we can't just have the string in our process and try passing it to the function as this will cause a error.
We need to get the string into the other process.
Now to do this we have to use some more windows functions.
HANDLE WINAPI OpenProcess(
__in DWORD dwDesiredAccess,
__in BOOL bInheritHandle,
__in DWORD dwProcessId
);
LPVOID WINAPI VirtualAllocEx(
__in HANDLE hProcess,
__in_opt LPVOID lpAddress,
__in SIZE_T dwSize,
__in DWORD flAllocationType,
__in DWORD flProtect
);
BOOL WINAPI WriteProcessMemory(
__in HANDLE hProcess,
__in LPVOID lpBaseAddress,
__in LPCVOID lpBuffer,
__in SIZE_T nSize,
__out SIZE_T* lpNumberOfBytesWritten
);
Ok the first gets a handle to the process with the passed ID, it also specifies what access you want.
The next one allocates memory in the opened process. The last writes to this allocated memory.
Ok this is kind of the point where all the tut starts to come together.
Ok first use the function to get a process ID from the exe name and pass it to openprocess like so.
HANDLE proc =OpenProcess((PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ),
FALSE,GetProcIDfromName(SomeEXE));
Ok now have a handle to this process you want to inject the dll into. Now you need to allocate space for the dll path (this needs to be the complete full path).
To do this call VirtualAllocEx and store the return value in a LPVOID.
LPVOID tempmem =VirtualAllocEx( proc, NULL, strlen( fulldllpath ), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
Ok now that memory has been allocated for the dll path we can write it to this memory.
This will be done with WriteProcessMemory we will pass the LPVOID that was return from VirtualAllocEx as the address of the memory block.
WriteProcessMemory( proc,(LPVOID)tempmem, fulldllpath, strlen( fulldllpath ), NULL );
ok that was easy. Finally the injection can happen. Now we go back to the CreateRemoteThread function and pass in all the info we just spent getting.
CreateRemoteThread( proc, NULL,0,(LPTHREAD_START_ROUTINE)loadlibaddr,(LPVOID)tempmem,0, NULL );
If everything went as planned the dll will be loaded into the remote process or inject. With this the dll can set hooks, edit memory, extend or mess with the process.
Ok with CreateRemoteThread we passed the process ID that was found with our helper function. The address of the LoadLibraryA function from the kernel32.dll.
And the address of the memory we wrote the path of the dll to be injected.
Well that's really it. :)