DaniWeb Forum Index > Software Development > C++

C++ RSS

DLL Injection - Coding the DLL C++

•

Join Date: Feb 2009

Posts: 7

Reputation: PoZHx is an unknown quantity at this point

Solved Threads: 0

PoZHx

Offline

Newbie Poster

DLL Injection - Coding the DLL C++

Mar 16th, 2009

Ok i've created basic DLL and DLL Injector/Loader which the DLL calls on a function called CreateRemoteThread inside the target process i was wondering how
to code DLL to read/write to memory

so e.g. lets say my target process is:

 Help with Code Tags 
 C++ Syntax (Toggle Plain Text) 
int main() 
{ 
    int mytest = 2; 
 
    system("PAUSE"); 
    return EXIT_SUCCESS; 
}
int main() 
{ 
    int mytest = 2; 
    
    system("PAUSE"); 
    return EXIT_SUCCESS; 
}

How would i code a DLL to read ''mytest'' variable and display it and also write to it e.g. changing it to lets say 10

Thanks for taking your time reading
Any tips/help would be much appreciated

/PoZ

•

Join Date: Aug 2005

Posts: 15,151

Reputation: Ancient Dragon has a reputation beyond repute

Solved Threads: 1435

Ancient Dragon Ancient Dragon is offline

Offline

Most Valuable Poster

Re: DLL Injection - Coding the DLL C++

Mar 17th, 2009

Read this article

Last edited by Ancient Dragon; Mar 17th, 2009 at 1:33 am.

Don't PM me with questions -- you might get a nasty PM in response. If you have a question then post it in one of the forums.

•

Join Date: Feb 2009

Posts: 7

Reputation: PoZHx is an unknown quantity at this point

Solved Threads: 0

PoZHx

Offline

Newbie Poster

Re: DLL Injection - Coding the DLL C++

Mar 17th, 2009

•

Originally Posted by Ancient Dragon

Read this article

Thanks for reply but didnt quite understand 1/2 of it >.<

I've injected the process with the DLL which works fine...
I would like to read/write variables in the injected process (so il be needing to code the DLL to read/write) any chance you could show me abit of code on how it would be done?

Thanks,
PoZ

•

Join Date: Aug 2005

Posts: 15,151

Reputation: Ancient Dragon has a reputation beyond repute

Solved Threads: 1435

Ancient Dragon Ancient Dragon is offline

Offline

Most Valuable Poster

Re: DLL Injection - Coding the DLL C++

Mar 17th, 2009

>>any chance you could show me abit of code on how it would be done?

Nope --but possibly the windows debug api might be useful

Last edited by Ancient Dragon; Mar 17th, 2009 at 11:17 am.

Don't PM me with questions -- you might get a nasty PM in response. If you have a question then post it in one of the forums.

•

Join Date: Feb 2009

Posts: 7

Reputation: PoZHx is an unknown quantity at this point

Solved Threads: 0

PoZHx

Offline

Newbie Poster

Re: DLL Injection - Coding the DLL C++

Mar 17th, 2009

•

Originally Posted by Ancient Dragon

>>any chance you could show me abit of code on how it would be done?

Nope --but possibly the windows debug api might be useful

DLL Injector/Loader Code (Coded in C):

 Help with Code Tags 
 C++ Syntax (Toggle Plain Text) 
#include <windows.h> 
#include <tlhelp32.h> 
#include <shlwapi.h> 
#include <conio.h> 
#include <stdio.h> 
 
#define WIN32_LEAN_AND_MEAN 
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) 
 
BOOL Inject(DWORD pID, const char * DLL_NAME); 
DWORD GetTargetThreadIDFromProcName(const char * ProcName); 
 
int main(int argc, char * argv[]) 
{ 
   // Retrieve process ID 
   DWORD pID = GetTargetThreadIDFromProcName("notepad.exe"); 
 
   // Get the dll's full path name 
   char buf[MAX_PATH] = {0}; 
   GetFullPathName("Project1.dll", MAX_PATH, buf, NULL); 
   printf(buf); 
   printf("\n"); 
 
   // Inject our main dll 
   if(!Inject(pID, buf)) 
   { 
        printf("DLL Not Loaded!"); 
    }else{ 
        printf("DLL Loaded!"); 
    } 
 
    _getch(); 
   return 0; 
} 
 
BOOL Inject(DWORD pID, const char * DLL_NAME) 
{ 
   HANDLE Proc; 
   HMODULE hLib; 
   char buf[50] = {0}; 
   LPVOID RemoteString, LoadLibAddy; 
 
   if(!pID) 
      return false; 
 
   Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID); 
   if(!Proc) 
   { 
      sprintf(buf, "OpenProcess() failed: %d", GetLastError()); 
      //MessageBox(NULL, buf, "Loader", MB_OK); 
      printf(buf); 
      return false; 
   } 
 
   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 
 
   // Allocate space in the process for our DLL 
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 
 
   // Write the string name of our DLL in the memory allocated 
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL); 
 
   // Load our DLL 
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); 
 
   CloseHandle(Proc); 
   return true; 
} 
 
DWORD GetTargetThreadIDFromProcName(const char * ProcName) 
{ 
   PROCESSENTRY32 pe; 
   HANDLE thSnapShot; 
   BOOL retval, ProcFound = false; 
 
   thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
   if(thSnapShot == INVALID_HANDLE_VALUE) 
   { 
      //MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK); 
      printf("Error: Unable to create toolhelp snapshot!"); 
      return false; 
   } 
 
   pe.dwSize = sizeof(PROCESSENTRY32); 
 
   retval = Process32First(thSnapShot, &pe); 
   while(retval) 
   { 
      if(StrStrI(pe.szExeFile, ProcName)) 
      { 
         return pe.th32ProcessID; 
      } 
      retval = Process32Next(thSnapShot, &pe); 
   } 
   return 0; 
}
#include <windows.h> 
#include <tlhelp32.h> 
#include <shlwapi.h> 
#include <conio.h> 
#include <stdio.h> 

#define WIN32_LEAN_AND_MEAN 
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ) 

BOOL Inject(DWORD pID, const char * DLL_NAME); 
DWORD GetTargetThreadIDFromProcName(const char * ProcName); 

int main(int argc, char * argv[]) 
{ 
   // Retrieve process ID 
   DWORD pID = GetTargetThreadIDFromProcName("notepad.exe"); 
    
   // Get the dll's full path name 
   char buf[MAX_PATH] = {0}; 
   GetFullPathName("Project1.dll", MAX_PATH, buf, NULL); 
   printf(buf); 
   printf("\n"); 
    
   // Inject our main dll 
   if(!Inject(pID, buf)) 
   { 
        printf("DLL Not Loaded!"); 
    }else{ 
        printf("DLL Loaded!"); 
    } 

    _getch(); 
   return 0; 
} 

BOOL Inject(DWORD pID, const char * DLL_NAME) 
{ 
   HANDLE Proc; 
   HMODULE hLib; 
   char buf[50] = {0}; 
   LPVOID RemoteString, LoadLibAddy; 

   if(!pID) 
      return false; 

   Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID); 
   if(!Proc) 
   { 
      sprintf(buf, "OpenProcess() failed: %d", GetLastError()); 
      //MessageBox(NULL, buf, "Loader", MB_OK); 
      printf(buf); 
      return false; 
   } 
    
   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); 

   // Allocate space in the process for our DLL 
   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE); 

   // Write the string name of our DLL in the memory allocated 
   WriteProcessMemory(Proc, (LPVOID)RemoteString, DLL_NAME, strlen(DLL_NAME), NULL); 

   // Load our DLL 
   CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL); 

   CloseHandle(Proc); 
   return true; 
} 

DWORD GetTargetThreadIDFromProcName(const char * ProcName) 
{ 
   PROCESSENTRY32 pe; 
   HANDLE thSnapShot; 
   BOOL retval, ProcFound = false; 

   thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); 
   if(thSnapShot == INVALID_HANDLE_VALUE) 
   { 
      //MessageBox(NULL, "Error: Unable to create toolhelp snapshot!", "2MLoader", MB_OK); 
      printf("Error: Unable to create toolhelp snapshot!"); 
      return false; 
   } 

   pe.dwSize = sizeof(PROCESSENTRY32); 
    
   retval = Process32First(thSnapShot, &pe); 
   while(retval) 
   { 
      if(StrStrI(pe.szExeFile, ProcName)) 
      { 
         return pe.th32ProcessID; 
      } 
      retval = Process32Next(thSnapShot, &pe); 
   } 
   return 0; 
}

DLL code (Coded in C++): its at home im currently at college >.< il post that later basically what it does it CreateRemoteThread in the process and produces a messagebox saying that remotethread is sucessfull

Going to read that link you send me ^.^ thank you for your help again

/PoZ

Last edited by PoZHx; Mar 17th, 2009 at 11:27 am.

•

Join Date: Feb 2009

Posts: 7

Reputation: PoZHx is an unknown quantity at this point

Solved Threads: 0

PoZHx

Offline

Newbie Poster

Re: DLL Injection - Coding the DLL C++

Mar 17th, 2009

Also read that link you send me Ancient Dragon ... it didn't cover what i was needing (well i don't think) >.< but thanks alot for trying mate

DLL Code:

Dllmain.cpp:

 Help with Code Tags 
 C++ Syntax (Toggle Plain Text) 
/* Replace "dll.h" with the name of your header */
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
 
DWORD WINAPI MyFunction1(LPVOID pData) 
{ 
 
int temp = 10, *test;
 
 
	MessageBox(NULL,"Remote Thread was created!", "Successful Injection" ,NULL);
 
 
  return 1; 
} 
 
 
BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
switch (reason)
    {
      case DLL_PROCESS_ATTACH:
 
      HANDLE hThread;         // Thread handle 
	  DWORD nThread;        // Thread ID 
 
 
      //Try to create a new thread (which will run my function()) 
      if((hThread = CreateThread(NULL, 0, MyFunction1, NULL, 0, &nThread)) != NULL) 
      { 
 
         // Close handle 
         CloseHandle(hThread); 
      } 
 
	 break;
 
 
 
      case DLL_PROCESS_DETACH:
  MessageBox(NULL,"Project1.dll detached to Process!", "Successful Injection" ,NULL);
        break;
 
      case DLL_THREAD_ATTACH:
        break;
 
      case DLL_THREAD_DETACH:
        break;
    }  
 
    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}
/* Replace "dll.h" with the name of your header */
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI MyFunction1(LPVOID pData) 
{ 

int temp = 10, *test;

	
	MessageBox(NULL,"Remote Thread was created!", "Successful Injection" ,NULL);


  return 1; 
} 


BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                       DWORD reason        /* Reason this function is being called. */ ,
                       LPVOID reserved     /* Not used. */ )
{
switch (reason)
    {
      case DLL_PROCESS_ATTACH:
    
      HANDLE hThread;         // Thread handle 
	  DWORD nThread;        // Thread ID 


      //Try to create a new thread (which will run my function()) 
      if((hThread = CreateThread(NULL, 0, MyFunction1, NULL, 0, &nThread)) != NULL) 
      { 

         // Close handle 
         CloseHandle(hThread); 
      } 
        
	 break;



      case DLL_PROCESS_DETACH:
  MessageBox(NULL,"Project1.dll detached to Process!", "Successful Injection" ,NULL);
        break;

      case DLL_THREAD_ATTACH:
        break;

      case DLL_THREAD_DETACH:
        break;
    }  

    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}

All these code work fine... just wanting to read/write process memory from injected process so e.g.

DLL Loader: Injector.exe
DLL: Project1.dll
Target: Test.exe

i want the Project1.dll to able to read variables from Test.exe so lets say Test.exe has variable such as int tcode = 10;

i want the DLL to be able to read/write to the variable "tcode".

Quick Reply to Thread

Show Printable Version

Other Threads in the C++ Forum

Previous Thread: Help auto adjust command
Next Thread: Resizing created screen shot

Thread Tools	Search this Thread
Show Printable Version Email this Page

DaniWeb Message

Cancel Changes