I was looking at how to inject a DLL into a program (exe, or dll, etc). I have been googling DLL injecting but I have not found anything that is very helpful :(. I have not worked with DLLs very much so I'm not sure what to do, I really could use some help on this.

Uhh, the only thing I have really found is SetWindowsHookEx but I can't find any examples for it and I don't know how to use it. Any questions just ask and I'll try to help.

EDIT: hey I was googling and this looks like something about DLL injecting that is worth looking at but I can't get the code to run :\ (http://stackoverflow.com/questions/820804/how-to-hook-external-process-with-setwindowshookex-and-wh-keyboard)

A: 

The method I'm most familiar with is the one described by Jeffrey Richter in Programming Applications for Microsoft Windows. I mention this because even if you don't get your hands on the book itself there is probably sample code floating around. I think he may have also written some journal articles. He also mentions a couple of alternative approaches, of which I will describe only one, from memory. He also may have written some MSJ / MSDN articles that are relevant.

Anyway, the basic idea is to cause the process that you want to load your DLL to issue a call to LoadLibrary. This is done using CreateRemoteThread with the address of LoadLibrary for lpStartAddress and the address of a string naming your DLL for lpParameter. Arranging for and locating the string is done using VirtualAllocEx to allocate some memory in the remote process, and WriteProcessMemory to fill it with the string.

PSEUDO CODE:

#include <windows.h>
#include <tchar.h>
#include <string.h>

void InjectDllIntoProcess(DWORD processId, char *dllName)
{
  HANDLE hRemoteProcess = OpenProcess(

  // Assumes that dll and function addresses are the same in different processes
  // on the same system. I think that this is true even with ASLR, only issue I
  // can think of is to make sure that the source and target process are both 32
  // or both 64 bit, not a mixture.
  // Note that it is asking for the ASCII version (LoadLibraryA) because the DLL
  // name written into the remote process is a narrow char string.
  // GetProcAddress takes a narrow (LPCSTR) name even in a UNICODE build, so the
  // export name must not be wrapped in _T().
  HMODULE hDll = LoadLibrary(_T("Kernel32.dll"));
  LPTHREAD_START_ROUTINE loadLibAddr =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hDll, "LoadLibraryA");

  // Inject the DLL name: allocate a buffer in the remote process and copy the
  // NUL-terminated name into it.
  char *remoteAddr =
        (char *)VirtualAllocEx(hRemoteProcess, NULL, strlen(dllName) + 1, ...
  WriteProcessMemory(hRemoteProcess, remoteAddr, dllName, strlen(dllName) + 1, ...

  // Start a thread in the remote process whose entry point is LoadLibraryA and
  // whose single argument is the remote copy of the DLL name.
  CreateRemoteThread(hRemoteProcess, ??, 0, loadLibAddr, remoteAddr, ...
}
torak
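As an added example that is not part of the original thread: the CreateRemoteThread-at-LoadLibrary pattern described in the answer is exactly what Sysmon Event ID 8 (CreateRemoteThread) records, so a defender can alert on it by checking the StartFunction field. The records, the record format and the allowlisted scanner path below are constructed for this example.

```python
"""Flag CreateRemoteThread + LoadLibrary DLL injection in Sysmon Event ID 8 records.

Sysmon Event ID 8 (CreateRemoteThread) logs SourceImage, TargetImage and, when the
thread's start address resolves to an export, StartModule/StartFunction. The answer's
technique starts the remote thread at LoadLibraryA, so that is the field to watch.
Records below are constructed for this example ('key=value' fields, '|'-separated).
"""
import re

SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Tools\\injector.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe"
    "|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=8|SourceImage=C:\\Program Files\\AV\\scanner.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryW",
    "EventID=1|Image=C:\\Windows\\notepad.exe",
]

# Site-specific allowlist of tools expected to load DLLs into other processes
# (assumption: the AV scanner path is such a tool in this example environment).
ALLOWED_SOURCES = {"c:\\program files\\av\\scanner.exe"}

# LoadLibraryA/W and LoadLibraryExA/W are the kernel32 exports the technique uses.
LOADLIB = re.compile(r"^LoadLibrary(Ex)?[AW]$", re.IGNORECASE)

def parse_event(line):
    """Turn one 'key=value|key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))

def is_loadlibrary_injection(event):
    """True for an Event ID 8 whose remote thread starts at a LoadLibrary export."""
    if event.get("EventID") != "8":
        return False
    if not LOADLIB.match(event.get("StartFunction", "")):
        return False
    return event.get("SourceImage", "").lower() not in ALLOWED_SOURCES

def find_injections(lines):
    """Return (source, target, start function) for every suspicious record."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_loadlibrary_injection(event):
            hits.append((event["SourceImage"], event["TargetImage"], event["StartFunction"]))
    return hits

if __name__ == "__main__":
    for src, dst, fn in find_injections(SAMPLE_EVENTS):
        print(f"ALERT: {src} created a thread in {dst} starting at {fn}")
```

StartFunction is only filled in when Sysmon can resolve the start address to an export, so Event ID 8 records with an empty StartFunction still deserve review rather than being dropped by this filter.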
OK, so if it loads my DLL it will run my code as if it was its own?
blood
All it will do is load the library. That does mean that it will call the DLL's DllMain for initialisation though. From there you can make whatever other arrangements you need. The thread that you create to call LoadLibrary will die once the call to LoadLibrary returns.
torak
Hmm nice xD also this is all in that book right? http://www.amazon.com/Programming-Applications-Microsoft-Windows-General/dp/1572319968 I might buy it if it has all of this, what else does it have?
blood
@blood - Sorry about the delay, but yes that's the book. You'll see that one of the later chapters is dedicated to the topic. The book is quite old though and the author has more recent books, might be worth looking to see if they have the same or updated content.
torak