[HELP] - DLL Injection
[HELP] - DLL Injection
Hello people. I'm traying to code a dll inyector for a game. With the inyector, don't got problems. It load correctly... but the dll that I compile didn't work. Maybe you could helpme with it.
Inyector (tested and working), now only got functionally
[PHP]
//Need Psapi library linked! (-lpsapi)
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Psapi.h>
#include <tchar.h>
#include <tlhelp32.h>
#define DLLNAME "HookDll.dll"
void ExitFunc(int param)
{
if(!param) system("pause");
exit(0);
}
//argc is 1 if there are no arguments because argv[0] contains the PE-name with the full path.
int main(int argc, char *argv[])
{
Start:
//Needed at the beginning of a Label :P
if(1);
//Check if OS is Windows NT or higher
DWORD version = GetVersion();
DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));
DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));
if(version > 0x80000000)
{
MessageBox(0, "You need to use Windows NT or higher to use this.", "Error", 0);
return 0;
}
//Get Path of the DLL to inject
char DLLName[MAX_PATH+100];
LPTSTR szLastSlash;
if(!GetModuleFileName(NULL, DLLName, MAX_PATH))
{
printf("Unable to get DLL path. Error: %d\n", GetLastError());
ExitFunc(0);
}
szLastSlash = _***rchr(DLLName, TEXT('\\'));
if(szLastSlash == NULL)
{
printf("Unable to append \"\\\\\" string to the DLL path string. Now thats some unexpected error!\n");
ExitFunc(0);
}
*(szLastSlash + 1) = TEXT('\0');
_***cat(DLLName, DLLNAME);
printf("DLLName: %s!\n", DLLName);
//Create a process list to choose a process
DWORD pids[1024];
int i = 0;
PROCESSENTRY32 pe32;
HANDLE hProcessSnap;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("Can't create a process snapshot. Error: %d\n", GetLastError());
ExitFunc(0);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if(!Process32First(hProcessSnap, &pe32))
{
printf("Can't receive information about the first process. Error: %d\n", GetLastError());
CloseHandle(hProcessSnap);
ExitFunc(0);
}
printf("\n-----===== List of all Processes =====-----\n\n");
do
{
if(i > 1023)
{
printf("Too many processes to list more! Stopping reading processes!\n");
break;
}
pids[i] = pe32.th32ProcessID;
printf("Nr: %d\tPID: %d \t0x%x \t%s\n", i, pe32.th32ProcessID, pe32.th32ProcessID, pe32.szExeFile);
i++;
} while(Process32Next(hProcessSnap, &pe32));
printf("\nChoose a process to inject: ");
char buf[1024];
HANDLE hVictim;
DWORD pidVictim;
scanf("%d", &pidVictim);
pidVictim = pids[pidVictim];
//Find default Window
// HWND hVic;
// hVic = FindWindow(FINDWINDOWCLASS,FINDWINDOWNAME);
// GetWindowThreadProcessId(hVic, (DWORD*) &pidVictim);
hVictim = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pidVictim);
if(hVictim == 0)
{
printf("Couldn't find Window.\n");
ExitFunc(0);
}
else printf("Found PID:\t\t\t\t%d\nFound Window Handle:\t\t\t%d\n", pidVictim, hVictim);
//Load LoadLibrary function to let the victim load our dll
HMODULE hKernel = GetModuleHandle("kernel32.dll");
if(hKernel == 0)
{
printf("Unable to get Kernel32 handle. Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Found Kernel32 handle:\t\t\t%d\n", hKernel);
LPTHREAD_START_ROUTINE lpfLoadLibraryA = (LPTHREAD_START_ROUTINE) GetProcAddress(hKernel,"LoadLibraryA");
if(lpfLoadLibraryA == 0)
{
printf("Unable to get LoadLibrary function. Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Found LoadLibrary Function:\t\t%d\n", lpfLoadLibraryA);
//Allocate Space for the dll name
LPVOID pCodeAddress = (LPVOID) VirtualAllocEx(hVictim, NULL, strlen(DLLName), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if(pCodeAddress == NULL)
{
printf("VirtualAllocEx() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Allocated space for DLL at address:\t%d 0x%x\n", pCodeAddress, pCodeAddress);
//Inject dll name into victim
if(!WriteProcessMemory(hVictim, (LPVOID)pCodeAddress, DLLName, strlen(DLLName), NULL))
{
printf("WriteProcessMemory() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Injected code into victim.\n");
//Create thread in victim with our dll code
HANDLE hInject;
hInject = CreateRemoteThread(hVictim, NULL, 0, (LPTHREAD_START_ROUTINE) lpfLoadLibraryA, (LPVOID) pCodeAddress, 0, NULL);
if(hInject == NULL)
{
printf("CreateRemoteThread() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Created thread in victim process.\nHandle of new thread:\t\t\t%d\n", hInject);
//Wait for the thread to complete, then free allocated space and shut down the thread we created
WaitForSingleObject(hInject, INFINITE);
VirtualFreeEx(hVictim, pCodeAddress, 0, MEM_RELEASE);
CloseHandle(hInject);
printf("Code has been run.\n\nPress \'r\' to restart, anything else to quit.\n");
scanf("%1s", &buf);
if(buf[0] == 'r') goto Start;
return 0;
}
[/PHP]
HookDll.dll
[PHP]
#include "main.h"
#define LogFile "c:\\LOG.txt"
HANDLE OpenLog(char *Filename);
bool IsLogging = false;
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
OpenLog(LogFile);
// attach to process
// return FALSE to fail DLL load
break;
case DLL_PROCESS_DETACH:
// detach from process
break;
case DLL_THREAD_ATTACH:
// attach to thread
break;
case DLL_THREAD_DETACH:
// detach from thread
break;
}
return TRUE; // succesful
}
HANDLE OpenLog(char *Filename)
{
HANDLE hLogFile;
hLogFile = CreateFile( Filename, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,0,0);
if(hLogFile!=INVALID_HANDLE_VALUE)
IsLogging = true;//SetFilePointer(hLogFile, 0,0, FILE_END);//*/
return hLogFile;
}
[/PHP]
It is supossed to create a "log" file (C:\\Log.txt). I tested the loader with other dll and works fine. And used PE and the dll got inyected... So i don't know what could be the problem...
I'm testing with CodeBlocks and Dev-C++, both with MinGW compiler, and didn't get any solution.
Here the compiler line. Could be a problem with the compiling options?
Thanks in advance.
Inyector (tested and working), now only got functionally
[PHP]
//Need Psapi library linked! (-lpsapi)
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <Psapi.h>
#include <tchar.h>
#include <tlhelp32.h>
#define DLLNAME "HookDll.dll"
void ExitFunc(int param)
{
if(!param) system("pause");
exit(0);
}
//argc is 1 if there are no arguments because argv[0] contains the PE-name with the full path.
int main(int argc, char *argv[])
{
Start:
//Needed at the beginning of a Label :P
if(1);
//Check if OS is Windows NT or higher
DWORD version = GetVersion();
DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));
DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));
if(version > 0x80000000)
{
MessageBox(0, "You need to use Windows NT or higher to use this.", "Error", 0);
return 0;
}
//Get Path of the DLL to inject
char DLLName[MAX_PATH+100];
LPTSTR szLastSlash;
if(!GetModuleFileName(NULL, DLLName, MAX_PATH))
{
printf("Unable to get DLL path. Error: %d\n", GetLastError());
ExitFunc(0);
}
szLastSlash = _***rchr(DLLName, TEXT('\\'));
if(szLastSlash == NULL)
{
printf("Unable to append \"\\\\\" string to the DLL path string. Now thats some unexpected error!\n");
ExitFunc(0);
}
*(szLastSlash + 1) = TEXT('\0');
_***cat(DLLName, DLLNAME);
printf("DLLName: %s!\n", DLLName);
//Create a process list to choose a process
DWORD pids[1024];
int i = 0;
PROCESSENTRY32 pe32;
HANDLE hProcessSnap;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE)
{
printf("Can't create a process snapshot. Error: %d\n", GetLastError());
ExitFunc(0);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if(!Process32First(hProcessSnap, &pe32))
{
printf("Can't receive information about the first process. Error: %d\n", GetLastError());
CloseHandle(hProcessSnap);
ExitFunc(0);
}
printf("\n-----===== List of all Processes =====-----\n\n");
do
{
if(i > 1023)
{
printf("Too many processes to list more! Stopping reading processes!\n");
break;
}
pids[i] = pe32.th32ProcessID;
printf("Nr: %d\tPID: %d \t0x%x \t%s\n", i, pe32.th32ProcessID, pe32.th32ProcessID, pe32.szExeFile);
i++;
} while(Process32Next(hProcessSnap, &pe32));
printf("\nChoose a process to inject: ");
char buf[1024];
HANDLE hVictim;
DWORD pidVictim;
scanf("%d", &pidVictim);
pidVictim = pids[pidVictim];
//Find default Window
// HWND hVic;
// hVic = FindWindow(FINDWINDOWCLASS,FINDWINDOWNAME);
// GetWindowThreadProcessId(hVic, (DWORD*) &pidVictim);
hVictim = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pidVictim);
if(hVictim == 0)
{
printf("Couldn't find Window.\n");
ExitFunc(0);
}
else printf("Found PID:\t\t\t\t%d\nFound Window Handle:\t\t\t%d\n", pidVictim, hVictim);
//Load LoadLibrary function to let the victim load our dll
HMODULE hKernel = GetModuleHandle("kernel32.dll");
if(hKernel == 0)
{
printf("Unable to get Kernel32 handle. Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Found Kernel32 handle:\t\t\t%d\n", hKernel);
LPTHREAD_START_ROUTINE lpfLoadLibraryA = (LPTHREAD_START_ROUTINE) GetProcAddress(hKernel,"LoadLibraryA");
if(lpfLoadLibraryA == 0)
{
printf("Unable to get LoadLibrary function. Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Found LoadLibrary Function:\t\t%d\n", lpfLoadLibraryA);
//Allocate Space for the dll name
LPVOID pCodeAddress = (LPVOID) VirtualAllocEx(hVictim, NULL, strlen(DLLName), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
if(pCodeAddress == NULL)
{
printf("VirtualAllocEx() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Allocated space for DLL at address:\t%d 0x%x\n", pCodeAddress, pCodeAddress);
//Inject dll name into victim
if(!WriteProcessMemory(hVictim, (LPVOID)pCodeAddress, DLLName, strlen(DLLName), NULL))
{
printf("WriteProcessMemory() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Injected code into victim.\n");
//Create thread in victim with our dll code
HANDLE hInject;
hInject = CreateRemoteThread(hVictim, NULL, 0, (LPTHREAD_START_ROUTINE) lpfLoadLibraryA, (LPVOID) pCodeAddress, 0, NULL);
if(hInject == NULL)
{
printf("CreateRemoteThread() failed, Error: %d\n", GetLastError());
ExitFunc(0);
}
else printf("Created thread in victim process.\nHandle of new thread:\t\t\t%d\n", hInject);
//Wait for the thread to complete, then free allocated space and shut down the thread we created
WaitForSingleObject(hInject, INFINITE);
VirtualFreeEx(hVictim, pCodeAddress, 0, MEM_RELEASE);
CloseHandle(hInject);
printf("Code has been run.\n\nPress \'r\' to restart, anything else to quit.\n");
scanf("%1s", &buf);
if(buf[0] == 'r') goto Start;
return 0;
}
[/PHP]
HookDll.dll
[PHP]
#include "main.h"
#define LogFile "c:\\LOG.txt"
HANDLE OpenLog(char *Filename);
bool IsLogging = false;
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
OpenLog(LogFile);
// attach to process
// return FALSE to fail DLL load
break;
case DLL_PROCESS_DETACH:
// detach from process
break;
case DLL_THREAD_ATTACH:
// attach to thread
break;
case DLL_THREAD_DETACH:
// detach from thread
break;
}
return TRUE; // succesful
}
HANDLE OpenLog(char *Filename)
{
HANDLE hLogFile;
hLogFile = CreateFile( Filename, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,0,0);
if(hLogFile!=INVALID_HANDLE_VALUE)
IsLogging = true;//SetFilePointer(hLogFile, 0,0, FILE_END);//*/
return hLogFile;
}
[/PHP]
It is supossed to create a "log" file (C:\\Log.txt). I tested the loader with other dll and works fine. And used PE and the dll got inyected... So i don't know what could be the problem...
I'm testing with CodeBlocks and Dev-C++, both with MinGW compiler, and didn't get any solution.
Here the compiler line. Could be a problem with the compiling options?
Code:
mingw32-g++.exe -Wall -DBUILD_DLL -g -c [MYPATH]\main.cpp -o obj\Debug\main.o mingw32-g++.exe -shared -Wl,--output-def=bin\Debug\libHookDll.def -Wl,--out-implib=bin\Debug\libHookDll.a -Wl,--dll obj\Debug\main.o -o bin\Debug\HookDll.dll -luser32
Solved. Need an extern "C" before the DllMain Entry. Now looks like:
[php]
#ifdef BUILD_DLL
// the dll exports
#define EXPORT __declspec(dllexport)
#else
// the exe imports
#define EXPORT __declspec(dllimport)
#endif
#include <windows.h>
#include <stdio.h>
#define LogFile "c:LOG.txt"
HANDLE OpenLog(char *Filename);
bool IsLogging = false;
extern "C"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
OpenLog(LogFile);
// attach to process
// return FALSE to fail DLL load
break;
case DLL_PROCESS_DETACH:
// detach from process
break;
case DLL_THREAD_ATTACH:
// attach to thread
break;
case DLL_THREAD_DETACH:
// detach from thread
break;
}
return TRUE; // succesful
}
HANDLE OpenLog(char *Filename)
{
HANDLE hLogFile;
hLogFile = CreateFile( Filename, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,0,0);
if(hLogFile!=INVALID_HANDLE_VALUE)
IsLogging = true;//SetFilePointer(hLogFile, 0,0, FILE_END);//*/
return hLogFile;
}
[/php]
[php]
#ifdef BUILD_DLL
// the dll exports
#define EXPORT __declspec(dllexport)
#else
// the exe imports
#define EXPORT __declspec(dllimport)
#endif
#include <windows.h>
#include <stdio.h>
#define LogFile "c:LOG.txt"
HANDLE OpenLog(char *Filename);
bool IsLogging = false;
extern "C"
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
OpenLog(LogFile);
// attach to process
// return FALSE to fail DLL load
break;
case DLL_PROCESS_DETACH:
// detach from process
break;
case DLL_THREAD_ATTACH:
// attach to thread
break;
case DLL_THREAD_DETACH:
// detach from thread
break;
}
return TRUE; // succesful
}
HANDLE OpenLog(char *Filename)
{
HANDLE hLogFile;
hLogFile = CreateFile( Filename, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS,0,0);
if(hLogFile!=INVALID_HANDLE_VALUE)
IsLogging = true;//SetFilePointer(hLogFile, 0,0, FILE_END);//*/
return hLogFile;
}
[/php]
Similar Threads
- 1Last post
- 9Last post
- 5Last post
- 1Last post
- 1Last post