Help with DLL Injection

  • Question

  • Hi everyone!

    I can inject a DLL into a process! But I would like to know if someone can give me an example of how I can CreateRemoteThread more than one time. That is, I want to inject and "uninject" the DLL, or just call the DLL's main thread ("DLL_PROCESS_ATTACH").

    I wrote the injector in VB.NET and the DLL in C++, but I can't call the DLL more than once. I need to call the DLL remotely (CreateRemoteThread, or something like that) when I click a button in my injector app.

    Some examples? ideas?

    Thanks and Best regards,


    Yordy Corrales


    Monday, March 11, 2019 3:06 AM

All replies

  • Hi,

    I made a demo; I hope it can help you.

    Imports System.Runtime.InteropServices
    Public Class Form1
        ' Handles and addresses are declared as IntPtr so the signatures are also correct
        ' on x64 (an Integer truncates 64-bit pointers). Sizes are UIntPtr (SIZE_T).
        <DllImport("kernel32.dll", SetLastError:=True)>
        Public Shared Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UIntPtr, ByVal flAllocationType As UInteger, ByVal flProtect As UInteger) As IntPtr
        End Function
        <DllImport("kernel32.dll", SetLastError:=True)>
        Public Shared Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, ByVal lpBuffer As String, ByVal nSize As UIntPtr, ByVal lpNumberOfBytesWritten As IntPtr) As Boolean
        End Function
        <DllImport("kernel32.dll", CharSet:=CharSet.Ansi, ExactSpelling:=True, SetLastError:=True)>
        Public Shared Function GetProcAddress(ByVal hModule As IntPtr, ByVal lpProcName As String) As IntPtr
        End Function
        <DllImport("kernel32.dll", CharSet:=CharSet.Ansi, SetLastError:=True)>
        Public Shared Function GetModuleHandleA(ByVal lpModuleName As String) As IntPtr
        End Function
        <DllImport("kernel32.dll", SetLastError:=True)>
        Public Shared Function CreateRemoteThread(ByVal hProcess As IntPtr, ByVal lpThreadAttributes As IntPtr, ByVal dwStackSize As UInteger, ByVal lpStartAddress As IntPtr, ByVal lpParameter As IntPtr, ByVal dwCreationFlags As UInteger, ByVal lpThreadId As IntPtr) As IntPtr
        End Function

        Private Const MEM_COMMIT As UInteger = &H1000UI
        Private Const PAGE_READWRITE As UInteger = &H4UI

        Private Sub Button1_Click(sender As Object, e As EventArgs) Handles Button1.Click
            Dim dllname As String = "D:\tset.dll"
            ' The String is marshalled as ANSI for LoadLibraryA; +1 copies the terminating NUL too.
            Dim dlllength As UIntPtr = New UIntPtr(CUInt(dllname.Length + 1))

            For Each name As Process In Process.GetProcesses()

                If name.ProcessName.ToLower().IndexOf("notepad") <> -1 Then
                    ' 1. Allocate a buffer in the target process for the DLL path.
                    Dim baseaddress As IntPtr = VirtualAllocEx(name.Handle, IntPtr.Zero, dlllength, MEM_COMMIT, PAGE_READWRITE)

                    If baseaddress = IntPtr.Zero Then
                        MessageBox.Show("Failed to apply for memory space!")
                        Application.Exit() : Return
                    End If

                    ' 2. Copy the path (including its NUL) into that buffer.
                    If Not WriteProcessMemory(name.Handle, baseaddress, dllname, dlllength, IntPtr.Zero) Then
                        MessageBox.Show("Writing memory failed!")
                        Application.Exit() : Return
                    End If

                    ' 3. kernel32 is mapped at the same base in every process of the same bitness,
                    '    so the local address of LoadLibraryA is also valid inside the target.
                    Dim hack As IntPtr = GetProcAddress(GetModuleHandleA("Kernel32"), "LoadLibraryA")

                    If hack = IntPtr.Zero Then
                        MessageBox.Show("Unable to get the entry point of the function!")
                        Application.Exit() : Return
                    End If

                    ' 4. Run LoadLibraryA(baseaddress) on a new thread inside the target.
                    Dim yan As IntPtr = CreateRemoteThread(name.Handle, IntPtr.Zero, 0, hack, baseaddress, 0, IntPtr.Zero)

                    If yan = IntPtr.Zero Then
                        MessageBox.Show("Failed to create remote thread!")
                        Application.Exit() : Return
                    Else
                        MessageBox.Show("Successfully injected dll!!")
                    End If
                End If
            Next
        End Sub
    End Class

    Best Regards,

    Alex


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    Monday, March 11, 2019 6:14 AM
  • Hi Alex,

    Thanks for the example. Actually, my code does what you explain in your code; now the question is, how can I execute this multiple times without closing (in the example) Notepad? It works the first time (the DLL just shows a message box), but when I click the second time it doesn't work. I think that's because the DLL has been loaded, so how can I call it again?


    Yordy Corrales

    Monday, March 11, 2019 11:40 AM
  • You must use FreeLibrary with CreateRemoteThread to unload the DLL
    Monday, March 11, 2019 12:33 PM
  • "You must use FreeLibrary with CreateRemoteThread to unload the DLL"

    It doesn't work; this is my code:

        Dim TargetProcess As Process() = Process.GetProcessesByName(TextBox1.Text)
        TargetProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, False, TargetProcess(0).Id)
        pszLibFileRemote = OpenFileDialog1.FileName
        ' Local addresses of the two kernel32 exports; they are valid in the target
        ' because kernel32 is mapped at the same base in every process of one bitness.
        pfnStartAddr = GetProcAddress(GetModuleHandle("kernel32"), "LoadLibraryA")
        pfnRelAddr = GetProcAddress(GetModuleHandle("kernel32"), "FreeLibrary")
        TargetBufferSize = Len(pszLibFileRemote)
        Dim Rtn As Integer

        ' Copy the DLL path into the target process.
        LoadLibParamAdr = VirtualAllocEx(TargetProcessHandle, 0, TargetBufferSize, MEM_COMMIT, PAGE_READWRITE)
        Rtn = WriteProcessMemory(TargetProcessHandle, LoadLibParamAdr, pszLibFileRemote, TargetBufferSize, 0)

        ' First remote thread: LoadLibraryA(path buffer).
        Dim htr = CreateRemoteThread(TargetProcessHandle, 0, 0, pfnStartAddr, LoadLibParamAdr, 0, 0)
        ' Second remote thread, started without waiting for the first: FreeLibrary receives
        ' the address of the path buffer as its argument, not the loaded module's HMODULE.
        Dim htr2 = CreateRemoteThread(TargetProcessHandle, 0, 0, pfnRelAddr, LoadLibParamAdr, 0, 0)

    What do I need to do to call the DLL more than once? This code works, but just once... I need to execute it more than once.



    Yordy Corrales


    Tuesday, March 12, 2019 4:04 AM
  • I tested on Windows 10 and it works.

    You must use ProcessModule.BaseAddress of the DLL as parameter for FreeLibrary


    Tuesday, March 12, 2019 9:11 PM