
DLL Injection?


dnsi

Outshynd's updated UDF:

#include-once

; _InjectDll: load $dllpath into another process by making that process call
; LoadLibraryA from a remote thread.
;   $a            - window handle (default) or, when $hWnd_or_pid is non-zero, a process ID
;   $dllpath      - full path to the .dll; the target process resolves it, so the path
;                   must be valid from that process's point of view
;   $hWnd_or_pid  - 0: $a is a window handle; anything else: $a is a PID
; Returns True on success, otherwise False with @error set to a negative step code.
; Note: the DllCall type "int_ptr" means "pointer to int" in the AutoIt release this
; was written for; later releases changed "int_ptr" to the INT_PTR integer type and
; need "int*" in its place (see the replies further down in this thread).
Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)
    ;make sure the user passed valid parameters
    If $a <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf
    
    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
    
    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")
    
    If $hWnd_or_pid = 0 Then
        ;get the pid from the window provided; the PID comes back in the out-parameter, element 2
        $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $a, "int_ptr", 0)
        If IsArray($pid) Then
            $pid = $pid[2]
        Else
            SetError(-3)
            Return False
        EndIf
    Else
        $pid = $a
    EndIf
    
    ;open the process for writing (0x1F0FFF = PROCESS_ALL_ACCESS)
    $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
    If IsArray($pHandle) And $pHandle[0] > 0 Then
        $pHandle = $pHandle[0]
    Else
        SetError(-4)
        Return False
    EndIf
    
    ;commit one page in the target (MEM_COMMIT = 0x1000, PAGE_READWRITE = 4) to hold the path string
    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ;debug
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf
    
    ;copy the path one byte at a time; the last iteration writes the terminating NUL, since Asc("") is 0
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next
    
    ;kernel32.dll is mapped at the same base address in every process, so the address of
    ;LoadLibraryA looked up here is also valid inside the target
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
            ConsoleWrite($modHandle & @CRLF)
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf
    
    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
            ConsoleWrite($LoadLibraryA & @CRLF)
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError(-12)
        Return False
    EndIf
    
    ;start a thread in the target whose entry point is LoadLibraryA and whose argument is the path buffer
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR)
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf
    
    ;wait for the remote thread to finish (-1 = INFINITE) so the path buffer is not
    ;released while LoadLibraryA is still reading it
    DllCall($kernel32, "int", "WaitForSingleObject", "int", $hThread, "int", -1)
    
    ;release the buffer (MEM_RELEASE = 0x8000) and close the handles
    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
    
    DllClose($kernel32)
    
    Return True
EndFunc

Valik: Get it straight - I'm not here to say please, I'm here to help - if my help's not appreciated then lotsa luck, gentlemen.


  • 7 months later...

DE-INJECTION?

I messed around adding new features to Explorer.exe and other apps.

BUT, sometimes when I make a mistake I have to restart the app to make it good again.

I wonder how I can de-inject the DLL properly (remove any trace of the DLL).

Would this be enough?

(I mean adding it into the code above?)

For $i = 0 To StringLen($dllpath)
    $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", 0x00, "int", 1, "int", 0)
    If IsArray($ret) Then
        If $ret[0] = 0 Then
            SetError(-7)
            Return False
        EndIf
    Else
        SetError(-8)
        Return False
    EndIf
Next

I mean just by overwriting the DLL with 0x00's?

Edited by Caption

I noticed that they are not 0x00 but 0x??

But how do I write that? I mean turn it to "nodata"?

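The de-injection question above is where a practitioner wants a way to see what is actually loaded rather than guess. The buffer the UDF writes into the target holds only the path string handed to LoadLibraryA; once LoadLibraryA has returned, the DLL stays mapped in the process no matter what is written over that buffer (zeros or anything else), until the process itself calls FreeLibrary on it or exits. The PowerShell script below is an added example, not code from this thread or from Outshynd's UDF. It lists the modules loaded in a named process (explorer.exe by default, the target mentioned in this thread) and reports those whose file lies outside the Windows and Program Files trees, together with the Authenticode status of each such file, so a DLL loaded from a path like C:\Test.dll shows up immediately. The process name parameter and the set of trusted roots are assumptions made for the example.

```powershell
# Added example (not code from the thread or from Outshynd's UDF): list the DLLs
# loaded into a process and report any whose file lies outside the Windows and
# Program Files trees, with the Authenticode status of each reported file.
# Assumptions: the process name to inspect and the set of trusted roots.
# Run elevated, from a PowerShell whose bitness matches the target process,
# since module enumeration fails across the 32/64-bit boundary.
param(
    [string]$ProcessName = 'explorer'   # hypothetical default; the process named in this thread
)

# Directories whose DLLs are treated as expected; anything loaded from elsewhere is reported.
$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:SystemRoot\WinSxS",
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }   # drop ProgramFiles(x86) on hosts where it is not defined

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    try {
        # Both properties throw (access denied, bitness mismatch) instead of returning empty.
        $mainPath = $proc.MainModule.FileName
        $modules  = @($proc.Modules)
    } catch {
        Write-Warning "PID $($proc.Id): cannot enumerate modules ($($_.Exception.Message))"
        continue
    }

    foreach ($m in $modules) {
        $path = $m.FileName
        if ($path -eq $mainPath) { continue }   # the process's own .exe is not a loaded DLL

        $isTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                $isTrusted = $true
                break
            }
        }
        if ($isTrusted) { continue }

        # Report the module together with its signature state (Valid, NotSigned, HashMismatch, ...).
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            PID       = $proc.Id
            Module    = $m.ModuleName
            Path      = $path
            Signature = $sig.Status
        }
    }
}
```

The path heuristic is only a first pass: a DLL can just as well be dropped under a trusted root, so the signature column and a comparison of the full module list against a known-good host are what settle the question. Running the script before and after the zero-overwrite loop posted above shows the same module still present, which is the practical answer to whether that loop removes any trace of the DLL.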

@Sardith

Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)

What's the $a variable's value here? I didn't get that. Is that the PID or what?

CyRius Developments: CO Proxy, CO Assembly tool, CO PacketSniffer, Larkinor proxy, BoIM Messenger, Encrypt/Decrypt, Hashtables, Slowest, but greatest skins ever xD


  • 1 month later...

$hWnd_or_pid should be the PID in my opinion. I thought $a is the name of the DLL that I want to inject, but it gives me error -1, so my theory is not going to work out.

Please help!

Valik, The Legendary programmer! Will be using that signature for 2 months due to my loss on a bet ):


Func _InjectDllByPid($pid, $dllpath)
    ;make sure the user passed valid parameters
    If $pid = 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf
   
    Local $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread
   
    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")
   
    ;open the process for writing
    $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
    If IsArray($pHandle) And $pHandle[0] > 0 Then
        $pHandle = $pHandle[0]
    Else
        SetError(-4)
        Return False
    EndIf
   
    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ;debug
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf
   
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next
   
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf
   
    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError (-12)
        Return False
    EndIf
   
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR)
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf
   
    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
   
    DllClose($kernel32)
   
    Return True
EndFunc

I used to inject it by PID, but it gives me the -7 error no matter what process/DLL I use to inject :)

Edited by H5O20H



  • Moderators

bump :)

bump again within the next 24 hours and you'll lose posting privileges for that 24 hours. Let's show a little respect to your fellow forum members that are also trying to receive support. Every time you post, you knock their support question down from its rightful position.

Your question cannot be answered (well, not without taking a hell of a lot of guesses). You have your error code; spend some time on MSDN and see what that specific function that is giving it to you would be causing it the way you are trying to use it.

http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx

That is what is throwing your error, time to do some homework.

Edit:

Also, look at the SciTE console, it might tell you that "int_ptr" could be throwing the exception. Try just using "ptr" there.

Edited by SmOke_N

Common sense plays a role in the basics of understanding AutoIt... If you're lacking in that, do us all a favor, and step away from the computer.


Smoke is right. You have to update the UDF a bit with the 'recent' changes to AutoIt.

Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)

$A = Process ID variable name or Window Handle name.

$dllpath = Path to your .dll (IE. "C:\Test.dll")

$hWnd_or_pid = Inject DLL by default expects a window handle. In the UDF, later you'll see

$pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $a, "int_ptr", 0)

It calls user32 to retrieve a PID for the handle you passed to the function. In the end it will end up as a PID.

You can set $hWnd_or_pid = 1, then pass a PID. Otherwise you need to pass a window handle to the function, which will later end up as a PID.

For some programs you may also need to set debug privileges.

Edited by Sardith



I've got that working, problem is the -7 error :)

That code needs to be updated, why don't you update your post muttley

For $i = 0 To StringLen($dllpath)
    $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
    If IsArray($ret) Then
        If $ret[0] = 0 Then
            SetError(-7)
            Return False
        EndIf
    Else
        SetError(-8)
        Return False
    EndIf
Next

I tried everything I could do :(



In this string

$ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
change the int_ptr to int*

Edited by rasim
