Hey guys im just wondering if any guys have any clue on building a DLL Injector/Loader
As in, in a folder you have Blah.exe and Blah.dll when Blah.exe is run it injects the dll into a specified process (via blah.ini)

Now i know i need to use LoadLibrary or CreateRemote Thread but i dont know where to start.
Just wondering if you guys could get me started or point me in the direction of some examples.
I've been searching on google for a while now and havnt come up with anything that is remotely helpful.

Kind Regards
FTProtocol

You mean you want to write a program that injects a DLL into another already running program? As far as I know that can't be done because when the operating system loads a dll it adds the code in the dll to the address space of the program that uses it. Unless you write your own operating system that behavior won't be (easily) possible for you to duplicate.

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#define PROCESS_NAME "target.exe"
#define DLL_NAME "injected.dll"


//I could just use PROCESS_ALL_ACCESS but it's always best to use the absolute bare minimum of priveleges, so that your code works in as
//many circumstances as possible.
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
 
BOOL WriteProcessBYTES(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize);

BOOL LoadDll(char *procName, char *dllName);
BOOL InjectDLL(DWORD ProcessID, char *dllName);
unsigned long GetTargetProcessIdFromProcname(char *procName);

bool IsWindowsNT()
{
   // check current version of Windows
   DWORD version = GetVersion();
   // parse return
   DWORD majorVersion = (DWORD)(LOBYTE(LOWORD(version)));
   DWORD minorVersion = (DWORD)(HIBYTE(LOWORD(version)));
   return (version < 0x80000000);
}

int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    if(IsWindowsNT())
       LoadDll(PROCESS_NAME, DLL_NAME);
    else
   MessageBox(0, "Your system does not support this method", "Error!", 0);

    return 0;
}


BOOL LoadDll(char *procName, char *dllName)
{
   DWORD ProcID = 0;

   ProcID = GetTargetProcessIdFromProcname(procName);

   if(!(InjectDLL(ProcID, dllName)))
      MessageBox(NULL, "Process located, but injection failed", "Loader", NULL);
   
   return true;
}

BOOL InjectDLL(DWORD ProcessID, char *dllName)
{
   HANDLE Proc;
   char buf[50]={0};
   LPVOID RemoteString, LoadLibAddy;

   if(!ProcessID)
      return false;

   Proc = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ProcessID);

   if(!Proc)
   {
      sprintf(buf, "OpenProcess() failed: %d", GetLastError());
      MessageBox(NULL, buf, "Loader", NULL);
      return false;
   }

   LoadLibAddy = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

   RemoteString = (LPVOID)VirtualAllocEx(Proc, NULL, strlen(DLL_NAME), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
   WriteProcessMemory(Proc, (LPVOID)RemoteString, dllName, strlen(dllName), NULL);
        CreateRemoteThread(Proc, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibAddy, (LPVOID)RemoteString, NULL, NULL);   
   
   CloseHandle(Proc);

   return true;
}

unsigned long GetTargetProcessIdFromProcname(char *procName)
{
   PROCESSENTRY32 pe;
   HANDLE thSnapshot;
   BOOL retval, ProcFound = false;

   thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

   if(thSnapshot == INVALID_HANDLE_VALUE)
   {
      MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
      return false;
   }

   pe.dwSize = sizeof(PROCESSENTRY32);

   retval = Process32First(thSnapshot, &pe);

   while(retval)
   {
      if(StrStrI(pe.szExeFile, procName) )
      {
         ProcFound = true;
         break;
      }

      retval    = Process32Next(thSnapshot,&pe);
      pe.dwSize = sizeof(PROCESSENTRY32);
   }

   return pe.th32ProcessID;
}

Someone gave me this yesterday but it doesnt seem to work? i changed the dll name and process name but it doesnt inject.

I dont really want to try and pull apart an example that doesnt work as well it may be all wrong and theres no point in learning something that is wrong.

Someone gave me this yesterday but it doesnt seem to work?
I dont really want to try and pull apart an example that doesnt work as well it may be all wrong and theres no point in learning something that is wrong.

What does it fail to do? What code do you have in the .DLL?

I gave the code you've tried a test ride and it worked. The code for the .DLL that I injected is below ...

BOOL APIENTRY DllMain( HANDLE hModule, 
                       DWORD  ul_reason_for_call, 
                       LPVOID lpReserved)
{
    if(ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        MessageBox(NULL,
                "inject.cpp -> DLL_PROCESS_ATTACH", 
                "Injected",
                MB_ICONINFORMATION);
    }

    return TRUE;
}

Please note that the topic is non-trivial, so everything might not work out of the box.

my DLL is working and i know that for sure because when i use an already posted and compiled dll injector it works. but heres the code so i definately its not injection the dll correctly or something like this.

my DLL is working and i know that for sure because when i use an already posted and compiled dll injector it works.

Umm .. out of that I sort of figured that you already have a working injection (?).

If not, then again, the example code you've posted, seems to be capable of doing the injection. So, I take that your DLL along with that example code, is doing something that breaks the injection or maybe you are erroneously expecting something to happen in your DLL. Really difficult to say anything more, not knowing a bit of your DLL's code.

This article has been dead for over six months. Start a new discussion instead.