DaniWeb IT Discussion Community


PoZHx Mar 16th, 2009 7:45 pm
DLL Injection - Coding the DLL C++
 
OK, I've created a basic DLL and a DLL Injector/Loader; the DLL calls a function called CreateRemoteThread inside the target process. I was wondering how
to code the DLL to read/write to memory.

So, e.g., let's say my target process is:
#include <cstdlib>   // system(), EXIT_SUCCESS

int main()
{
    int mytest = 2;

    system("PAUSE");
    return EXIT_SUCCESS;
}
How would I code a DLL to read the ''mytest'' variable and display it, and also write to it, e.g. changing it to, let's say, 10?


Thanks for taking your time to read this.
Any tips/help would be much appreciated.

/PoZ

Ancient Dragon Mar 17th, 2009 1:28 am
Re: DLL Injection - Coding the DLL C++
 
Read this article

PoZHx Mar 17th, 2009 10:25 am
Re: DLL Injection - Coding the DLL C++
 
Quote:

Originally Posted by Ancient Dragon (Post 826593)

Thanks for the reply, but I didn't quite understand half of it >.<

I've injected the process with the DLL, which works fine...
I would like to read/write variables in the injected process (so I'll be needing to code the DLL to read/write). Any chance you could show me a bit of code on how it would be done?

Thanks,
PoZ

Ancient Dragon Mar 17th, 2009 11:15 am
Re: DLL Injection - Coding the DLL C++
 
>>any chance you could show me abit of code on how it would be done?

Nope -- but possibly the Windows debug API might be useful

PoZHx Mar 17th, 2009 11:25 am
Re: DLL Injection - Coding the DLL C++
 
Quote:

Originally Posted by Ancient Dragon (Post 826899)
>>any chance you could show me abit of code on how it would be done?

Nope -- but possibly the Windows debug API might be useful

DLL Injector/Loader Code (Coded in C):
// Build as an ANSI (non-UNICODE) project; link with shlwapi.lib for StrStrI.
#define WIN32_LEAN_AND_MEAN        // must come before windows.h to have any effect
#include <windows.h> 
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>
#include <string.h>

// Only the rights the loader actually needs, instead of PROCESS_ALL_ACCESS
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)

BOOL Inject(DWORD pID, const char * DLL_NAME);
DWORD GetTargetThreadIDFromProcName(const char * ProcName);

int main(int argc, char * argv[])
{
  // Retrieve process ID
  DWORD pID = GetTargetThreadIDFromProcName("notepad.exe");
  if(!pID)
  {
      printf("Target process not found!\n");
      _getch();
      return 1;
  }
   
  // Get the dll's full path name
  char buf[MAX_PATH] = {0};
  if(!GetFullPathName("Project1.dll", MAX_PATH, buf, NULL))
  {
      printf("GetFullPathName() failed: %lu\n", GetLastError());
      _getch();
      return 1;
  }
  printf("%s\n", buf);   // never pass a buffer as the format string itself
   
  // Inject our main dll
  if(!Inject(pID, buf))
  {
        printf("DLL Not Loaded!");
    }else{
        printf("DLL Loaded!");
    }

    _getch();
  return 0;
}

BOOL Inject(DWORD pID, const char * DLL_NAME)
{
  HANDLE Proc, hThread;
  LPVOID RemoteString, LoadLibAddy;
  SIZE_T len = strlen(DLL_NAME) + 1;   // +1: the remote copy needs its NUL terminator too
  BOOL ok = FALSE;

  if(!pID)
      return FALSE;

  Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, pID);
  if(!Proc)
  {
      printf("OpenProcess() failed: %lu\n", GetLastError());
      return FALSE;
  }
   
  // kernel32.dll is mapped at the same base in every process of the same
  // bitness, so the local address of LoadLibraryA is valid in the target too
  LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
  if(!LoadLibAddy)
  {
      CloseHandle(Proc);
      return FALSE;
  }

  // Allocate space in the process for our DLL path
  RemoteString = VirtualAllocEx(Proc, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
  if(!RemoteString)
  {
      printf("VirtualAllocEx() failed: %lu\n", GetLastError());
      CloseHandle(Proc);
      return FALSE;
  }

  // Write the string name of our DLL in the memory allocated
  if(!WriteProcessMemory(Proc, RemoteString, DLL_NAME, len, NULL))
  {
      printf("WriteProcessMemory() failed: %lu\n", GetLastError());
      VirtualFreeEx(Proc, RemoteString, 0, MEM_RELEASE);
      CloseHandle(Proc);
      return FALSE;
  }

  // Load our DLL
  hThread = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
  if(hThread)
  {
      // Wait for LoadLibraryA to finish before releasing the path buffer it reads
      WaitForSingleObject(hThread, INFINITE);
      CloseHandle(hThread);
      ok = TRUE;
  }
  else
  {
      printf("CreateRemoteThread() failed: %lu\n", GetLastError());
  }

  VirtualFreeEx(Proc, RemoteString, 0, MEM_RELEASE);
  CloseHandle(Proc);
  return ok;
}

DWORD GetTargetThreadIDFromProcName(const char * ProcName)
{
  PROCESSENTRY32 pe;
  HANDLE thSnapShot;
  BOOL retval;
  DWORD pid = 0;

  thSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if(thSnapShot == INVALID_HANDLE_VALUE)
  {
      printf("Error: Unable to create toolhelp snapshot!\n");
      return 0;
  }

  pe.dwSize = sizeof(PROCESSENTRY32);
   
  retval = Process32First(thSnapShot, &pe);
  while(retval)
  {
      if(StrStrI(pe.szExeFile, ProcName))
      {
        pid = pe.th32ProcessID;
        break;
      }
      retval = Process32Next(thSnapShot, &pe);
  }
  CloseHandle(thSnapShot);   // the snapshot handle must be released as well
  return pid;
}

DLL code (Coded in C++): it's at home, I'm currently at college >.< I'll post that later. Basically what it does is CreateRemoteThread in the process and produce a message box saying that the remote thread is successful.

Going to read that link you sent me ^.^ Thank you for your help again

/PoZ
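Seen from the defensive side, the loader above leaves a visible trace: a DLL that lives in the injector's own directory is now mapped into notepad.exe. As an added example, not code from the thread or from PoZHx, the PowerShell script below lists the modules loaded into a named process and reports those that sit outside the Windows and Program Files directories or that carry no valid Authenticode signature. The process name (notepad, the target used by the injector) and the choice of trusted directories are assumptions.

```powershell
# Added example (not from the thread): report modules loaded into a process
# from outside the usual system directories or without a valid signature.
# Usage:  .\Find-OddModules.ps1 -ProcessName notepad
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName
)

# Directories assumed to hold legitimate modules; adjust for your environment
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedPath {
    param([string]$Path)
    foreach ($root in $trustedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try {
        # Throws for protected processes or a 32-/64-bit mismatch with this shell
        $modules = $proc.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $($_.Exception.Message)"
        continue
    }

    foreach ($m in $modules) {
        $path    = $m.FileName
        $reasons = @()

        if (-not (Test-TrustedPath $path)) {
            $reasons += 'outside trusted directories'
        }

        # Catalog-signed Windows binaries also report Valid here
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $reasons += "signature $($sig.Status)"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                PID    = $proc.Id
                Module = $m.ModuleName
                Path   = $path
                Reason = ($reasons -join '; ')
            }
        }
    }
}
```

Run it from a shell of the same bitness as the target, since Process.Modules cannot enumerate a 64-bit process from a 32-bit PowerShell. A hit is a lead to look at, not a verdict: unsigned third-party software shows up here as well, so the useful signal is a module path you cannot account for.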

PoZHx Mar 17th, 2009 3:08 pm
Re: DLL Injection - Coding the DLL C++
 
Also read that link you sent me, Ancient Dragon... it didn't cover what I was needing (well, I don't think) >.< but thanks a lot for trying, mate

DLL Code:

Dllmain.cpp:
/* Build as an ANSI (non-UNICODE) project, like the injector. The Dev-C++
   "dll.h" template header is not needed here: nothing from it is used. */
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

DWORD WINAPI MyFunction1(LPVOID pData)
{
    (void)pData;   // unused

    // Runs on its own thread, after DllMain has returned and the loader lock
    // is released, so showing a message box here is safe
    MessageBox(NULL, "Remote Thread was created!", "Successful Injection", MB_OK);

    return 1;
}


BOOL APIENTRY DllMain (HINSTANCE hInst    /* Library instance handle. */ ,
                      DWORD reason        /* Reason this function is being called. */ ,
                      LPVOID reserved    /* Not used. */ )
{
    switch (reason)
    {
      case DLL_PROCESS_ATTACH:
      {
        HANDLE hThread;       // Thread handle
        DWORD nThread;        // Thread ID

        // Try to create a new thread (which will run MyFunction1()).
        // CreateThread is one of the few calls that is safe inside DllMain;
        // the new thread does not start running until DllMain has returned.
        if((hThread = CreateThread(NULL, 0, MyFunction1, NULL, 0, &nThread)) != NULL)
        {
          // Close handle: the thread keeps running without it
          CloseHandle(hThread);
        }
        break;
      }

      case DLL_PROCESS_DETACH:
        // Caution: this runs while the loader lock is held, so calling into
        // user32 (MessageBox) here can deadlock; kept because that is what
        // the DLL is meant to show
        MessageBox(NULL, "Project1.dll detached from Process!", "Successful Injection", MB_OK);
        break;

      case DLL_THREAD_ATTACH:
        break;

      case DLL_THREAD_DETACH:
        break;
    } 

    /* Returns TRUE on success, FALSE on failure */
    return TRUE;
}

All this code works fine... just wanting to read/write process memory from the injected process, so e.g.

DLL Loader: Injector.exe
DLL: Project1.dll
Target: Test.exe

I want Project1.dll to be able to read variables from Test.exe, so let's say Test.exe has a variable such as int tcode = 10;

I want the DLL to be able to read/write to the variable "tcode".


©2003 - 2009 DaniWeb® LLC