Injecting C++ DLL

余生分开走 2020-12-23 10:36

I know there are various questions and books on this but I can't seem to get my C++ DLL injected into any processes.

The code to inject the DLL:

#in         

5 answers
  • 2020-12-23 10:55

    The problem you're likely running into is that the address of LoadLibraryA() in your application might not be the same in the target process, due to ASLR - a technology designed specifically to thwart the activity you're attempting. Modern versions of Windows (Vista+) have this enabled by default for system DLLs.

    In order to do what you want, you'll need to implement a proper ThreadProc in your application that loads your DLL, allocate some executable (PAGE_EXECUTE) memory in your target process, copy it there, and use this address as your thread start point.

  • 2020-12-23 10:57

    Don't do MessageBox from DllMain. Why? See:

    • DLL_PROCESS_ATTACH failing to execute on Windows 7 C++
    • Some reasons not to do anything scary in your DllMain
    • Don’t use standard library/CRT functions in static initializers/DllMain!

    Your message box might just deadlock before showing up there. To ensure you reach the code line of interest, use OutputDebugString instead. As you indicated you are familiar with Process Explorer, you might notice the created thread there (you can obtain its identifier in your launcher by providing the last argument to CreateRemoteThread) and its locked state with execution inside kernel libraries.

    This is where you need to put OutputDebugString:

    #include <windows.h>
    #include <tchar.h>
    #include <stdio.h>

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, VOID* pvReserved)
    {
        pvReserved; // referenced only to silence the unused-parameter warning
        TCHAR pszMessage[1024] = { 0 };
        // Format the trace into a stack buffer; DWORD is unsigned long, hence %lu.
        _stprintf_s(pszMessage, _T("GetCurrentProcessId() %lu, hModule 0x%p, nReason %lu\r\n"), GetCurrentProcessId(), hModule, nReason);
        // OutputDebugString does not pump messages or wait on other threads, so it is safe under the loader lock, unlike MessageBox.
        OutputDebugString(pszMessage);
        /*switch(nReason)
        {
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }*/
        return TRUE;
    }
    

    Another thing to make sure of is that you are loading a DLL of the correct bitness: a Win32 DLL into a Win32 process, or an x64 DLL into an x64 process.

    UPDATE. I am putting this up from a comment: here is the source code for the Visual Studio 2010 project that does the thing: SVN or Trac.

    • You put the process identifier into the source code
    • The executable creates a remote thread and loads the library
    • The library starts from DllMain and generates debug output
    • DebugView shows you the output
    • Process Explorer shows you the thread created, and you also have its identifier printed
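The bitness check above is easy to automate: a DLL records its target architecture in two places in its PE header, the COFF Machine field and the optional-header Magic, and comparing them against the loading process catches a 32/64-bit mismatch before anything is mapped. The reader below is an added example written for this page, not code from the thread or from the linked project; it parses only those two fields in portable C with no Windows headers, and the `build_min_pe` header it checks is a constructed test fixture, not a loadable image. The same check is equally useful on the defensive side when triaging an unknown module, since a Machine/Magic disagreement is itself a sign of a corrupt or tampered file.

```c
/* Added example (not code from the thread): read just enough of a PE header to
 * tell whether a DLL is 32-bit or 64-bit, so a loader, or an analyst triaging an
 * unknown module, can reject an architecture mismatch before anything is mapped.
 * Portable C; no Windows headers. Constant values match winnt.h. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_FILE_MACHINE_I386  0x014c
#define IMAGE_FILE_MACHINE_AMD64 0x8664
#define IMAGE_FILE_MACHINE_ARM64 0xaa64
#define IMAGE_NT_OPTIONAL_HDR32_MAGIC 0x10b
#define IMAGE_NT_OPTIONAL_HDR64_MAGIC 0x20b

/* PE fields are little-endian regardless of host byte order. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 32 or 64 for a consistent PE header, 0 when the buffer is not a PE
 * image or the COFF Machine field and the optional-header Magic disagree. */
int pe_bitness(const uint8_t *img, size_t len)
{
    if (img == NULL || len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return 0;
    uint32_t e_lfanew = rd32(img + 0x3c);
    /* Need room for "PE\0\0" (4) + COFF header (20) + optional-header Magic (2). */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 2)
        return 0;
    const uint8_t *pe = img + e_lfanew;
    if (memcmp(pe, "PE\0\0", 4) != 0)
        return 0;

    uint16_t machine = rd16(pe + 4);   /* IMAGE_FILE_HEADER.Machine   */
    uint16_t magic   = rd16(pe + 24);  /* IMAGE_OPTIONAL_HEADER.Magic */

    int from_machine;
    switch (machine) {
    case IMAGE_FILE_MACHINE_I386:  from_machine = 32; break;
    case IMAGE_FILE_MACHINE_AMD64:
    case IMAGE_FILE_MACHINE_ARM64: from_machine = 64; break;
    default:                       return 0;
    }
    int from_magic = (magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) ? 32
                   : (magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) ? 64 : 0;
    return (from_magic == from_machine) ? from_machine : 0;
}

/* Bitness of the process this code is compiled into. */
int host_bitness(void) { return (int)(sizeof(void *) * 8); }

/* Constructed test header: only the fields pe_bitness reads are filled in.
 * This is not a loadable image. Returns bytes written, 0 if cap is too small. */
size_t build_min_pe(uint8_t *buf, size_t cap, uint16_t machine, uint16_t magic)
{
    const uint32_t e_lfanew = 0x80;
    const size_t need = e_lfanew + 4 + 20 + 2;
    if (cap < need) return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3c] = (uint8_t)e_lfanew;          /* e_lfanew < 256, upper bytes stay 0 */
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    buf[e_lfanew + 4]  = (uint8_t)(machine & 0xff);
    buf[e_lfanew + 5]  = (uint8_t)(machine >> 8);
    buf[e_lfanew + 24] = (uint8_t)(magic & 0xff);
    buf[e_lfanew + 25] = (uint8_t)(magic >> 8);
    return need;
}

/* Convenience wrapper: bitness reported for a constructed header. */
int check_constructed(uint16_t machine, uint16_t magic)
{
    uint8_t buf[256];
    size_t n = build_min_pe(buf, sizeof buf, machine, magic);
    return n ? pe_bitness(buf, n) : 0;
}

int main(void)
{
    int host = host_bitness();
    int dll  = check_constructed(IMAGE_FILE_MACHINE_I386, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    printf("host is %d-bit, sample DLL is %d-bit: %s\n", host, dll,
           dll == host ? "compatible" : "mismatch, do not load");
    return 0;
}
```

On a real file you would read the first few hundred bytes from disk into the buffer and call `pe_bitness` on that; a result that differs from `host_bitness()` (or a 0, meaning the header is inconsistent) is the point to stop rather than let LoadLibrary fail with a vague error later.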
  • 2020-12-23 10:58

    I would start with someone else's working example and go from there. The example projects, tutorials, and explanations on CodeProject are really solid.

    Here is one on Hooking and DLLs.

    And another. And a Google search for you.

    For certain kinds of hooks, there are permission limitations that you have to overcome, or you have to accept the fact that you can't hook every process.

    Setting UI-Access to true, having your executable in C:/Program Files/, and having your DLL digitally signed helps to access some of the secure windows in Windows. Here is an article that discusses some of these things.

    Hope that helps.

  • 2020-12-23 11:04

    SetWindowsHookEx can also inject your DLL into another process.

  • 2020-12-23 11:07

    An admin account does not necessarily hold the SE_DEBUG privilege implicitly. If you run under Vista/Win7, make sure that UAC is disabled. Use this code to enable it before you try to open process memory:

    #include <windows.h>

    // Enables SE_DEBUG_NAME on the calling process token. The privilege must
    // already be present (disabled) in the token: AdjustTokenPrivileges cannot
    // add a privilege the token does not hold, which is why a non-elevated
    // account still fails here.
    BOOL EnableDebugPrivilege()
    {
        HANDLE hToken = NULL;
        LUID luid;
        TOKEN_PRIVILEGES tkp;
        BOOL ok = FALSE;

        if(!OpenProcessToken( GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken ))
        {
            return FALSE;
        }

        if(LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &luid ))
        {
            tkp.PrivilegeCount = 1;
            tkp.Privileges[0].Luid = luid;
            tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

            // AdjustTokenPrivileges returns TRUE even when it could not enable the
            // privilege; ERROR_NOT_ALL_ASSIGNED from GetLastError is the real failure.
            if(AdjustTokenPrivileges( hToken, FALSE, &tkp, 0, NULL, NULL )
               && GetLastError() != ERROR_NOT_ALL_ASSIGNED)
            {
                ok = TRUE;
            }
        }

        // Close the token on every path so a LookupPrivilegeValue failure does not leak it.
        if(!CloseHandle( hToken ))
        {
            ok = FALSE;
        }

        return ok;
    }
    