DLL Injection

Download source and binary: mediafire

DLL injection is the process of making another program execute code at runtime by loading a DLL into it. When the DLL is loaded, its DllMain entry point runs inside the target process. This CLI tool opens the target with OpenProcess, allocates memory in it and writes the DLL path there with VirtualAllocEx and WriteProcessMemory, then loads the DLL with CreateRemoteThread, using LoadLibraryA as the thread start routine and the allocated path string as its argument. Two practical caveats: the injector and the target must have the same bitness (the LoadLibraryA address handed to the remote thread is the injector's own, and it only matches the target if both map the same kernel32.dll), and opening a process owned by another user or a protected process requires SeDebugPrivilege, which this tool does not enable.

Source:

#include <windows.h>
#include <tlhelp32.h>
#include <cctype>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <stdexcept>
using namespace std;

/* 
* DLL Injection function - by Jakash3
* Thanks to Sri Krishna for his injection
* tutorial.
*
* program can be a pid in string form or
* an image name (in which case the first
* process found with the matching image
* name will be selected).
* 
* Returns handle to remote executing thread
*/
HANDLE dllinject(const char* program, const char* dll) {
	int i;
	DWORD pid;
	HANDLE h, t;
	LPVOID mem;
	PROCESSENTRY32 p;
	p.dwSize = sizeof(PROCESSENTRY32);
	
	//If all characters are numeric, program is a pid
	for (i = 0; program[i]; i++)
		if (!isdigit(program[i])) break;
	//If it's an imagename, find the first matching process
	if (i < strlen(program)) {
		if ((h = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
			throw runtime_error("Failed to query processes");
		for (
		Process32First(h, &p);
		GetLastError() != ERROR_NO_MORE_FILES;
		Process32Next(h, &p))
			if (!strcmp(p.szExeFile, program)) {
				pid = p.th32ProcessID;
				break;
			}
		CloseHandle(h);
	} else pid = atoi(program);
	
	//Open process by pid
	if ((h = OpenProcess(
	PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION |
	PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION,
	false, pid)) == NULL)
		throw runtime_error("Failed to open process");
	
	//Allocate and write dll string in it
	mem = VirtualAllocEx(h, 0, strlen(dll) + 1, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
	if (mem == NULL) { CloseHandle(h); throw runtime_error("Failed to allocate dll string"); }
	WriteProcessMemory(h, mem, dll, strlen(dll) + 1, NULL);
	
	//Load dll into process
	if ((
	t = CreateRemoteThread(h, NULL, NULL,
	(LPTHREAD_START_ROUTINE)LoadLibraryA,
	mem, NULL, NULL)) == NULL) { 
		CloseHandle(h);
		throw runtime_error("Failed to execute remote thread");
	}
	
	//Free string and close
	Sleep(100);
	VirtualFreeEx(h, mem, NULL, MEM_RELEASE);
	CloseHandle(h);
	return t;
}

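// Entry point: `PROGRAM` is an image name or pid, `DLL` the library to
// inject. Exit status is 0 on success, 1 on usage error or injection failure.
int main(int argc, char ** argv) {
	if (argc != 3) {
		printf(
			"DLL Injector by Jakash3\n"
			"Usage: %s PROGRAM DLL\n"
			"   PROGRAM - Image name or PID\n"
			"   DLL - DLL to load and execute entry point code\n",
			argv[0]
		);
		return 1;
	}

	HANDLE thread = NULL;
	try {
		thread = dllinject(argv[1], argv[2]);
	} catch (const exception& ex) {
		// GetLastError() may already be stale by the time the exception
		// reaches us (cleanup calls run during unwinding), so treat the
		// code in ex.what(), when present, as the authoritative one.
		printf("Error: %s\nError code: %lu\n", ex.what(), (unsigned long)GetLastError());
		return 1;
	}

	// dllinject hands us ownership of the remote thread handle; the
	// original leaked it.
	if (thread != NULL)
		CloseHandle(thread);
	puts("Success");
	return 0;
}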
