dll-injection

EnumProcessModulesEx and CreateToolhelp32Snapshot fail, whether 32-bit or 64-bit

淺唱寂寞╮ submitted on 2019-12-02 21:42:37
Question: Edit: The answer to this question is here: https://stackoverflow.com/a/27317947/996540 When you create a project in MSVC, the option /DYNAMICBASE is now enabled by default. Because of ASLR (Address Space Layout Randomization, since Windows Vista), every time you run an exe its load address is random. I have been working on DLL injection recently, so I did some research into it on Google and have read some projects. Getting the load address (base address) of an exe is important. It seems there're two

How to find the entry point (or base address) of a process - take care of ASLR

痴心易碎 submitted on 2019-12-02 19:11:38
Question: Because of ASLR (Address Space Layout Randomization, since Windows Vista), the base address of an exe is random, so it can't be found in the PE file anymore. In Visual C++ the /DYNAMICBASE option is now enabled by default, so the base address of an exe is random; it happens every time the loader loads it. After doing some research on Google, I am trying to use this pattern, but it doesn't work. Please have a look at this simple code sample: #include <iostream> #include <vector> #include <stdio.h>

How to get a list of used DLLs?

我的梦境 submitted on 2019-12-01 23:44:43
Question: I would like to get a list of used DLLs from the application itself. My goal is to compare the list with a hardcoded one to see if any DLL is injected. I cannot find any examples on Google. Answer 1: You can use PSAPI for this. The function you need is EnumProcessModules. There's some sample code on MSDN. The main alternative is the Tool Help library. It goes like this: Call CreateToolhelp32Snapshot. Start enumeration with Module32First. Repeatedly call Module32Next. When you are done call
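
The allowlist check the question describes, built on the PSAPI route the answer names first. This is an added example, not code from the question or the answer. The allowlist, the module paths in the self-check and the name "example.exe" are constructed for the example; the Windows part needs `<psapi.h>` and only compiles on Windows, while the comparison core is plain C.

```c
/* Added example, not code from the question or its answer: list this
 * process's modules with PSAPI's EnumProcessModules and report any whose
 * base name is not on a hard-coded allowlist.  The allowlist is constructed
 * for the example; a real one must come from the program's own build and
 * the system DLLs of the Windows version it runs on. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <psapi.h>               /* link with psapi.lib / -lpsapi on older SDKs */
#endif

#define MAX_MODULES 512

/* Windows file names are case-insensitive, so compare ASCII case-blind. */
static int name_eq(const char *a, const char *b)
{
    for (;; a++, b++) {
        unsigned char ca = (unsigned char)*a, cb = (unsigned char)*b;
        if (ca >= 'A' && ca <= 'Z') ca += 'a' - 'A';
        if (cb >= 'A' && cb <= 'Z') cb += 'a' - 'A';
        if (ca != cb) return 0;
        if (ca == '\0') return 1;
    }
}

/* Last path component: "C:\Windows\System32\ntdll.dll" -> "ntdll.dll". */
static const char *base_name(const char *path)
{
    const char *last = path;
    for (const char *p = path; *p; p++)
        if (*p == '\\' || *p == '/') last = p + 1;
    return last;
}

/* Portable core: compare the module paths found in the process against the
 * allowlist of base names.  Stores up to max_out offending base names in
 * out[] and returns the total number of unexpected modules. */
size_t unexpected_modules(const char *const *found, size_t n_found,
                          const char *const *allowed, size_t n_allowed,
                          const char **out, size_t max_out)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_found; i++) {
        const char *name = base_name(found[i]);
        int ok = 0;
        for (size_t j = 0; j < n_allowed && !ok; j++)
            ok = name_eq(name, allowed[j]);
        if (!ok) {
            if (n_out < max_out) out[n_out] = name;
            n_out++;
        }
    }
    return n_out;
}

/* Constructed self-check: three expected modules plus one stray hook DLL. */
size_t example_check(void)
{
    static const char *const found[] = {
        "C:\\app\\example.exe", "C:\\Windows\\System32\\NTDLL.DLL",
        "C:\\Windows\\System32\\kernel32.dll", "C:\\Users\\x\\hook.dll" };
    static const char *const allowed[] = { "example.exe", "ntdll.dll", "kernel32.dll" };
    const char *bad[4];
    return unexpected_modules(found, 4, allowed, 3, bad, 4);   /* 1: hook.dll */
}

#ifdef _WIN32
int main(void)
{
    /* Constructed allowlist for a small MSVC console program; mods[0] is the
     * executable itself and is skipped instead of being listed by name. */
    static const char *const allowed[] = { "ntdll.dll", "kernel32.dll",
        "kernelbase.dll", "ucrtbase.dll", "vcruntime140.dll" };
    static char paths[MAX_MODULES][MAX_PATH];
    const char *found[MAX_MODULES], *bad[MAX_MODULES];
    HMODULE mods[MAX_MODULES];
    DWORD needed = 0;

    if (!EnumProcessModules(GetCurrentProcess(), mods, sizeof mods, &needed)) {
        fprintf(stderr, "EnumProcessModules failed: %lu\n", GetLastError());
        return 2;
    }
    size_t n = needed / sizeof(HMODULE), n_found = 0;
    if (n > MAX_MODULES) n = MAX_MODULES;
    for (size_t i = 1; i < n; i++)
        if (GetModuleFileNameA(mods[i], paths[i], MAX_PATH))
            found[n_found++] = paths[i];
    size_t n_bad = unexpected_modules(found, n_found, allowed,
                                      sizeof allowed / sizeof *allowed, bad, MAX_MODULES);
    for (size_t i = 0; i < n_bad; i++)
        printf("unexpected module: %s\n", bad[i]);
    return n_bad ? 1 : 0;
}
#endif
```

Treat this as a tripwire, not a defense: it only sees modules the loader knows about, so a manually mapped payload or raw shellcode never appears, and a DLL that is already inside the process can hook EnumProcessModules or GetModuleFileNameA and hide itself from the check. The allowlist also has to carry the system DLLs that vary by Windows version and by linked CRT, or the check will fire on clean machines.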

CreateRemoteThread on LoadLibrary and get the HMODULE back

萝らか妹 submitted on 2019-12-01 08:51:42
I have been working on DLL injection recently, so I have done some research into it on Google. Now I know that using CreateRemoteThread is a good way. ASLR (Address Space Layout Randomization, since Windows Vista) makes the address of kernel32.dll random, but this does not affect the whole picture, because within a session the base address of kernel32.dll is the same in all processes, until the operating system is rebooted. So this code may normally be safe: void launchAndInject(const char* app, const char* dll) { STARTUPINFOA si = {0}; si.cb = sizeof(si); PROCESS_INFORMATION pi = {0}; if (CreateProcessA(app,

Unloading an Injected DLL

a 夏天 submitted on 2019-12-01 08:18:48
I have a DLL I inject into other processes using SetWindowsHookEx. Inside the DLL I increment the module's reference counter by calling GetModuleHandleEx so I can control when the module is unloaded. At this point the module reference count "should be" 2 from both of those API calls. When the calling process shuts down, it calls UnhookWindowsHookEx, decrementing the reference count to 1. The DLL has a thread that waits on a few things, one of them being the handle of the process that called SetWindowsHookEx. When the process goes away the DLL does some cleanup, terminates all threads,

CreateRemoteThread on LoadLibrary and get the HMODULE back

白昼怎懂夜的黑 submitted on 2019-12-01 06:53:43
Question: I have been working on DLL injection recently, so I have done some research into it on Google. Now I know that using CreateRemoteThread is a good way. ASLR (Address Space Layout Randomization, since Windows Vista) makes the address of kernel32.dll random, but this does not affect the whole picture, because within a session the base address of kernel32.dll is the same in all processes, until the operating system is rebooted. So this code may normally be safe: void launchAndInject(const char* app, const char*

How to Modify Import Address Table for Run time Loaded DLL

陌路散爱 submitted on 2019-11-30 05:11:21
Question: I want to hook functions that are called from a DLL loaded at run time. I used the class CAPIHook from the book "Windows via C/C++" (the DLL injection is done by installing a system-wide hook and the hooking by modifying the IAT), but this code works only if the DLL name/symbols exist in the IAT of the executable file (i.e. for implicit DLL linking). This is the DLL code: CAPIHook::CAPIHook(PSTR pszCalleeModName, PSTR pszFuncName, PROC pfnHook) { // Note: the function can be hooked only if the exporting module //

Ejecting after injecting DLL from running process

牧云@^-^@ submitted on 2019-11-29 03:10:34
Question: I wrote this function to inject a DLL into a running process: DLL_Results CDLL_Loader::InjectDll() { DWORD ThreadTeminationStatus; LPVOID VirtualMem; HANDLE hProcess, hRemoteThread; HMODULE hModule; if (!isInit()) return NOT_INIT; if (isInjected()) return DLL_ALREADY_HOOKED; hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID); if (hProcess == NULL) return PROCESS_ERROR_OPEN; VirtualMem = VirtualAllocEx (hProcess, NULL, strlen(DllFilePath), MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); if

Function ReadProcessMemory keeps returning ERROR_PARTIAL_COPY

筅森魡賤 submitted on 2019-11-28 02:26:58
I know that there are other people who have asked this question, but it seems as though none of them reached a satisfying or understandable conclusion. I can't use what isn't answered. I am not quite sure what the problem is, and I have tried various different solutions with no success, so here is my code: #include <windows.h> #include <iostream> using namespace std; int main() { HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_QUERY_INFORMATION, FALSE, (DWORD)7312); if(hProc == NULL) { cout << "Error: " << GetLastError() << endl; } HANDLE token; OpenProcessToken(hProc, TOKEN_ALL_ACCESS,
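
ERROR_PARTIAL_COPY is what ReadProcessMemory reports when some page in the requested range cannot be read (reserved or free address space, PAGE_NOACCESS, or a PAGE_GUARD page), and also when a 32-bit reader asks for a 64-bit address it cannot even represent. The reader below is an added example, not the questioner's code: it walks the target's regions with VirtualQueryEx first and reads only the readable part, so it returns how much it actually got instead of failing outright. The `struct region` table and the sample values in the test are constructed for the example; the Win32 part compiles only on Windows.

```c
/* Added example, not code from the question: a ReadProcessMemory wrapper
 * that queries each region first and stops at the first page that cannot
 * be read, returning the byte count it did copy.  The region table type is
 * constructed here so the clamping logic can run without Windows. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

struct region {
    uintptr_t base;     /* start address of the region */
    size_t size;        /* bytes in the region */
    int readable;       /* MEM_COMMIT and neither PAGE_NOACCESS nor PAGE_GUARD */
};

/* Portable core: how many bytes starting at addr (up to len) are readable
 * according to the region table.  Stops at the first unreadable page or at
 * the first address no region covers. */
size_t readable_span(const struct region *regs, size_t n, uintptr_t addr, size_t len)
{
    size_t got = 0;
    while (got < len) {
        uintptr_t cur = addr + got;
        const struct region *r = NULL;
        for (size_t i = 0; i < n; i++)
            if (cur >= regs[i].base && cur < regs[i].base + regs[i].size) { r = &regs[i]; break; }
        if (!r || !r->readable) break;
        size_t left = (size_t)(r->base + r->size - cur);
        got += left < len - got ? left : len - got;
    }
    return got;
}

#ifdef _WIN32
/* Read up to len bytes at addr from proc, stopping at the first page the
 * target cannot hand out.  Returns bytes copied; *err holds the Win32 error
 * that ended the loop (0 when the whole range was read). */
size_t read_committed(HANDLE proc, uintptr_t addr, void *buf, size_t len, DWORD *err)
{
    size_t got = 0;
    *err = 0;
    while (got < len) {
        MEMORY_BASIC_INFORMATION mbi;
        uintptr_t cur = addr + got;
        if (VirtualQueryEx(proc, (LPCVOID)cur, &mbi, sizeof mbi) != sizeof mbi) {
            *err = GetLastError();             /* address outside the target's space */
            break;
        }
        if (mbi.State != MEM_COMMIT || (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            *err = ERROR_PARTIAL_COPY;         /* what ReadProcessMemory would report */
            break;
        }
        size_t left = (size_t)((uintptr_t)mbi.BaseAddress + mbi.RegionSize - cur);
        size_t want = left < len - got ? left : len - got;
        SIZE_T n = 0;
        if (!ReadProcessMemory(proc, (LPCVOID)cur, (char *)buf + got, want, &n)) {
            *err = GetLastError();             /* keep whatever the call did copy */
            got += n;
            break;
        }
        got += n;
    }
    return got;
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s <pid> <hex address>\n", argv[0]); return 2; }
    DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
    uintptr_t addr = (uintptr_t)strtoull(argv[2], NULL, 16);
    HANDLE proc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (!proc) { fprintf(stderr, "OpenProcess: %lu\n", GetLastError()); return 1; }
    unsigned char buf[4096];
    DWORD err;
    size_t got = read_committed(proc, addr, buf, sizeof buf, &err);
    printf("read %zu of %zu bytes, last error %lu\n", got, sizeof buf, (unsigned long)err);
    CloseHandle(proc);
    return got ? 0 : 1;
}
#endif
```

Before reaching for this, check the cheaper causes: PROCESS_VM_READ is the only right the read itself needs (PROCESS_ALL_ACCESS is more than required and is refused more often), and a 32-bit program reading a 64-bit target sees only the low 4 GiB of its address space, so anything above that returns ERROR_PARTIAL_COPY no matter how the read is split.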

How to hide a C# application from the Task Manager process tab? [duplicate]

谁说我不能喝 submitted on 2019-11-28 00:36:39
This question already has an answer here: How do I hide a process in Task Manager in C#? (16 answers) I need to hide my C# application from the process tab of Task Manager. Using this.ShowInTaskbar = false; I have hidden it from the application tab. Now I need to hide it from the process tab. Is this possible? Jeremy Thompson: You could inject a DLL into the svchost process, which would camouflage it from Task Manager but not from Process Explorer. Here's how: How To Inject a Managed .NET Assembly (DLL) Into Another Process Here's some more background info on this technique: Three Ways to Inject Your Code into