Valhalla Legends Forums Archive | C/C++ Programming | DLL Injection

HdxBmx27
Does anyone have any suggestions on how I can make a 'persistent' dll?
What I mean is a situation like this:
I inject my dll into ProcessA
ProcessA creates ProcessB
My DLL Auto-Injects into ProcessB

Right now I'm simply using the CreateProcess(target, start_stopped)
CreateRemoteThread(my dll)
ResumeThread(target thread) Method.

On a slightly unrelated note, anyone happen to know how to get the size of a process in memory? [e.g. I want to search only X Process's memory space]
April 5, 2008, 5:12 AM
BreW
[quote author=Hdx link=topic=17426.msg177457#msg177457 date=1207372350]
Does anyone have any suggestions on how I can make a 'persistent' dll?
What I mean is a situation like this:
I inject my dll into ProcessA
ProcessA creates ProcessB
My DLL Auto-Injects into ProcessB

Right now I'm simply using the CreateProcess(target, start_stopped)
CreateRemoteThread(my dll)
ResumeThread(target thread) Method.
[/quote]
No, not really, I've never tried to make a trojan or anything of that sort, but I would say you're on the right track with the DLL injection. Why are you creating the process suspended, just wondering? And are you resuming your DLL's thread or your process's thread? I would assume the original process's thread. But then again, I have no clue how you're creating the remote thread (suspended or not). What is this process you're creating going to be anyway?

[quote]
On a slightly unrelated note, anyone happen to know how to get the size of a process in memory? [e.g. I want to search only X Process's memory space]
[/quote]
I would add up the sizes of all the images that CreateToolhelp32Snapshot/Module32First/Module32Next give me back... :)?
April 5, 2008, 1:20 PM
St0rm.iD
[quote author=Hdx link=topic=17426.msg177457#msg177457 date=1207372350]
Does anyone have any suggestions on how I can make a 'persistent' dll?
What I mean is a situation like this:
I inject my dll into ProcessA
ProcessA creates ProcessB
My DLL Auto-Injects into ProcessB

Right now I'm simply using the CreateProcess(target, start_stopped)
CreateRemoteThread(my dll)
ResumeThread(target thread) Method.

On a slightly unrelated note, anyone happen to know how to get the size of a process in memory? [e.g. I want to search only X Process's memory space]

[/quote]

You could try hooking into the process and trampoline CreateProcess() to do the CreateProcess() and then the injection on the new process.
April 5, 2008, 11:08 PM
HdxBmx27
That's what I'm trying to do right now.
[code]
    if(!memcmp((void*)(gwStart + x), CreateWSearch,  6))
      WriteMemory((void*)(gwStart+ x + 2), &CreateProcessWHook, 4);

void WriteMemory(void *Dest, void *Src, int size){
  DWORD oldProt;
  VirtualProtect(Dest, size, PAGE_READWRITE, &oldProt);
  memcpy(Dest, Src, size);
  VirtualProtect(Dest, size, oldProt, 0);
}
BOOL WINAPI CreateProcessWHook(LPCWSTR lpApplicationName, LPWSTR lpCommandLine, LPSECURITY_ATTRIBUTES lpProcessAttributes,
LPSECURITY_ATTRIBUTES lpThreadAttributes, BOOL bInheritHandles, DWORD dwCreationFlags, LPVOID lpEnvironment, LPCWSTR
lpCurrentDirectory, LPSTARTUPINFOW lpStartupInfo, LPPROCESS_INFORMATION lpProcessInformation){
  MessageBoxW(NULL, lpApplicationName, lpCommandLine, MB_OK | MB_ICONSTOP);
  return CreateProcessW(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes,
bInheritHandles, dwCreationFlags, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
}[/code]

I would prefer not to have to traverse the IAT and hook it there [yes, I already have the code written for another project, but it's ugly and I don't want to use it].
Plus this is easy to shove into my main search function.

I'm searching for "\xFF\x15\x64\x62\x89\x00", which is call ds:CreateProcessW
The code executes and writes the patch, but then the parent process errors with a cannot-read error [when it gets to calling the func].

Anyways, I got it to write everything correctly, but it isn't liking it...
I'm doing my testing using Guild Wars as it has a good error reporting system.
[code]*--> Crash <--*
Exception: c000001d
App: Gw.exe
ProgramId: 1
Build: 25526
When: 4/5/2008 20:17:19
Flags: 0

*--> System <--*
Name: GOLIATH
IpAddr: 192.168.0.4
Processors: 1 [GenuineIntel:15:3:3]
OSVersion: 5.1

*--> Thread 0xfffffffe <--*
eax=017af62f ebx=031b0020 ecx=017af11c edx=017af674 esi=017af8a0 edi=00000000
eip=005d65e8 esp=017aecd4 ebp=017af684
cs=10203 ss=001b ds=0023 es=0023 fs=0023 gs=003b efl=00000000


*--> Code <--*
005D65C8  038b0d38 6da200c1 e2058d44 02e08945 ...8m......D...E
005D65D8  fc890841 890d386d a2008bce c74004ff ...A..8m.....@..
005D65E8  ffffffe8 e045fbff 8b4dfc8b f883c10c .....E...M......
005D65F8  478b4104 3bf8760b 8d510c52 5057e885 G.A.;.v..Q.RPW..
005D6608  62fbff6a 00508b45 fc8d480c e8072de5 b..j.P.E..H...-.
005D6618  ff8b4dfc 8d410c8b 490c894d f48d1479 ..M..A..I..M...y

*--> Trace <--*
Pc:005d65e8 Fr:017af684 Rt:0059d74e Arg:029f004c 0018910c 00000003 00000003
Pc:0059d74e Fr:017afab4 Rt:007d705c Arg:017afacc 00000000 00000000 00000002
Pc:007d705c Fr:017afcf0 Rt:007d6e5b Arg:00000000 00000000 0018b4e8 00000000
Pc:007d6e5b Fr:017afd34 Rt:007d396b Arg:00000000 00000000 00000000 00000000
Pc:007d396b Fr:017afd4c Rt:00404066 Arg:00000000 00000000 017afda0 0018b4b4
Pc:00404066 Fr:017afd6c Rt:005ee174 Arg:00000004 00179850 0018b4e8 00000002
Pc:005ee174 Fr:017afdac Rt:005e8666 Arg:0017989c 0018b4a8 0000044c 0018b4e8
Pc:005e8666 Fr:017afde8 Rt:005e86ff Arg:0000044c 00000000 00000000 00000001
Pc:005e86ff Fr:017afe2c Rt:005e8385 Arg:00000001 00179850 8000005d 00000001
Pc:005e8385 Fr:017afe64 Rt:005e7e61 Arg:017aff20 017aff1c ffffffff 00000001
Pc:005e7e61 Fr:017aff14 Rt:005a3582 Arg:005e7ce0 00000001 00000001 ffffffff
Pc:005a3582 Fr:017aff34 Rt:005a71db Arg:7c913f50 0015ffc0 00177d38 00369e99
Pc:005a71db Fr:017aff68 Rt:005a1156 Arg:00000001 7c913f50 00177d38 00177d38
Pc:005a1156 Fr:017aff80 Rt:0080cf0e Arg:0015ffc0 7c913f50 ffffffff 00177d38
Pc:0080cf0e Fr:017affb4 Rt:7c80b713 Arg:00177d38 7c913f50 ffffffff 00177d38
Pc:7c80b713 Fr:017affec Rt:00000000 Arg:0080ceaf 00177d38 00000000 027af690


*--> LogQueue <--*[/code]
April 5, 2008, 11:22 PM
Kp
That call instruction in the error log looks broken.  I suggest you attach a debugger and disassemble the code you've patched in.

Your C patcher looks wrong too.  It looks like you have the wrong level of indirection.
April 6, 2008, 6:07 AM
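An added example, not code from this thread, that walks through Kp's point about the level of indirection in portable C. It constructs a fake 32-bit memory image (every address and the hook's prologue bytes are made up for illustration, and a little-endian host is assumed) holding the FF 15 disp32 encoding of call ds:CreateProcessW, then compares overwriting the disp32 operand, as the posted patcher does, with overwriting the IAT slot that operand points to.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "process" memory for illustration: an address maps to an
 * offset in `mem`; nothing here touches a real process. */
#define BASE        0x00400000u
#define CODE_ADDR   (BASE + 0x10)   /* where "call ds:[slot]" lives          */
#define SLOT_ADDR   (BASE + 0x80)   /* the IAT slot for CreateProcessW       */
#define REAL_ADDR   (BASE + 0x40)   /* stands in for kernel32!CreateProcessW */
#define HOOK_ADDR   (BASE + 0x60)   /* stands in for CreateProcessWHook      */

static uint8_t mem[0x100];

static uint32_t rd32(uint32_t addr) {
    uint32_t v;
    memcpy(&v, &mem[addr - BASE], 4);      /* little-endian host assumed */
    return v;
}
static void wr32(uint32_t addr, uint32_t v) { memcpy(&mem[addr - BASE], &v, 4); }

/* Lay out the scene: the original FF 15 call, a populated IAT slot, and a
 * typical "push ebp; mov ebp,esp; sub esp,..." prologue at the hook so we can
 * see what the CPU fetches if it treats the hook's code as a pointer. */
void setup(void) {
    static const uint8_t prologue[] = { 0x55, 0x8B, 0xEC, 0x83 };
    memset(mem, 0, sizeof mem);
    mem[CODE_ADDR - BASE]     = 0xFF;      /* call r/m32 ...            */
    mem[CODE_ADDR - BASE + 1] = 0x15;      /* ... through [disp32]      */
    wr32(CODE_ADDR + 2, SLOT_ADDR);        /* disp32 = address of slot  */
    wr32(SLOT_ADDR, REAL_ADDR);            /* slot holds the real target */
    memcpy(&mem[HOOK_ADDR - BASE], prologue, sizeof prologue);
}

/* Decode "FF 15 disp32" and return the address the CPU will actually call.
 * The CPU reads the 4 bytes *at* disp32, so disp32 is a pointer to the
 * target, not the target itself. Returns 0 if the bytes are not that form. */
uint32_t effective_target(uint32_t ins_addr) {
    const uint8_t *p = &mem[ins_addr - BASE];
    if (p[0] != 0xFF || p[1] != 0x15) return 0;
    return rd32(rd32(ins_addr + 2));
}

/* What the posted patcher does: overwrite disp32 with &hook. The "slot" is
 * now the hook's own code, so the call goes to its first 4 bytes as an
 * address: garbage, hence an access/illegal-instruction fault. */
void patch_operand(uint32_t ins_addr, uint32_t hook) { wr32(ins_addr + 2, hook); }

/* One level up: leave the instruction alone and rewrite the slot it points
 * to, which is what hooking the IAT entry means. */
void patch_slot(uint32_t ins_addr, uint32_t hook) { wr32(rd32(ins_addr + 2), hook); }
```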
l2k-Shadow
I'm just curious as to what you are trying to do with Guild Wars? If you can explain...
April 6, 2008, 6:44 AM
HdxBmx27
It's just a generic thing, just trying to figure out how to do it.
Main thing I'm trying to do is figure out how to have a 'persistent' DLL.
And I am epically failing at that.
Anyways, I cleaned up my class that muddles with the IAT, and it's working fine.
Now I just need to figure out why the heck my [read iago's] injection isn't working.
[code]  /* OrigFn is the unhooked CreateProcessW saved when the IAT entry was replaced */
  CreateProcessWType OldFn = (CreateProcessWType)KERHook.Functions[KER_CreateProcessW].OrigFn;
  /* Always start the child suspended so the DLL is in place before it runs */
  BOOL ret = OldFn(lpApplicationName, lpCommandLine, lpProcessAttributes, lpThreadAttributes, bInheritHandles,
    dwCreationFlags | CREATE_SUSPENDED, lpEnvironment, lpCurrentDirectory, lpStartupInfo, lpProcessInformation);
  if(ret){
    InjectLibrary(lpProcessInformation->hProcess, "Test.dll");
    /* Only resume if the caller did not ask for a suspended child itself */
    if(!(dwCreationFlags & CREATE_SUSPENDED))
      ResumeThread(lpProcessInformation->hThread);
  }
  return ret;[/code]

[code]#include <windows.h>
#include <string.h>

BOOL InjectLibrary(HANDLE hProcess, const char *fnDll){
  BOOL success = FALSE;
  HANDLE hThread = NULL;
  char *fnRemote = NULL;
  FARPROC procLoadLibraryA = NULL;

  size_t lenFilename = strlen(fnDll) + 1;

  /* Allocate space in the remote process */
  fnRemote = (char *) VirtualAllocEx(hProcess, NULL, lenFilename, MEM_COMMIT, PAGE_READWRITE);

  if(fnRemote){
    /* Write the filename to the remote process. */
    if(WriteProcessMemory(hProcess, fnRemote, fnDll, lenFilename, NULL)){
      /* Get the address of the LoadLibraryA function; kernel32 is mapped at the
         same base in every process, so the local address is valid remotely */
      procLoadLibraryA = GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA");
      if(procLoadLibraryA)
        hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE) procLoadLibraryA, fnRemote, 0, NULL);
      if(hThread){
        /* LoadLibraryA runs in the remote thread; wait for it to finish */
        WaitForSingleObject(hThread, INFINITE);
        CloseHandle(hThread);
        success = TRUE;
      }
    }
    /* The path buffer is no longer needed once LoadLibraryA has returned */
    VirtualFreeEx(hProcess, fnRemote, 0, MEM_RELEASE);
  }

  return success;
}[/code]
That's iago's code, by the way. It works perfectly for the initial load, but not if an instance of the DLL is already loaded.
*ponders how to attach an already loaded dll*...
April 6, 2008, 7:35 AM
iago
To be fair, it isn't my code either, it's a stripped down version of some code I lifted from a book by Jeffrey Richter.
April 6, 2008, 1:54 PM
HdxBmx27
*removes his foot from his mouth*
I am an idiot. All is good and well.
It successfully injects itself into any process its current process creates.
Now, to figure out why the hell it crashed my computer when I tried to terminate the last process....
April 6, 2008, 6:56 PM
UserLoser
[quote author=Hdx link=topic=17426.msg177471#msg177471 date=1207508190]
Now, to figure out why the hell it crashed my computer when I tried to terminate the last process....
[/quote]

That's always fun.
April 7, 2008, 4:21 AM
