Posts Tagged ‘dll injection’

Dll injection in Windows Vista/2008 64bit can be made possible by using the same technique used in DLL Injection Windows Vista. The only difference is the target platform we compile our executable. In order to inject a library inside the address space of a 64bit process you need to compile a 64bit version of your library (DLL). The source code along with a pre-compiled executable and library are provided.

The Injector used in this article must be executed from a command line. It takes one (1) or two (2) arguments. The first argument is the path-name of your library, which must be quoted if it contains white spaces between it, and the other one is the Process ID (or PID) of the target program. If no PID is entered then the program injects the DLL inside it’s own Address Space. ASLR does not affect the usability of the program. For more information follow the link to the DLL Injection Windows Vista article above.

Below is an example of a DLL injected into a process:

Download Source code and executable

Advertisements

This article provides an insight on how to inject a dynamic library (DLL) into a 32 bit process in Windows Vista with the use of Remote Threads and taking into consideration the Address Space Layout Randomization (ASLR). The sample code used is written in assembly language (MASM32) using the WinAsm IDE. It should give you a better understanding on how dynamic libraries can be injected.

The concept of loading a library inside a process is simple. A programmer could dynamically load one by using the LoadLibrary function from Windows API for example:

#include
#include
#include

int main(int argc, char *argv[])
{
HANDLE hlib;
char *lib = "E:\\mylib.dll";
printf("Loading library: %s\n",lib);
hlib = LoadLibraryA(lib);
printf("Handle: %X\n",hlib);
system("PAUSE");
return 0;
}

Therefore we can use the CreateRemoteThread function to create a thread that executes the LoadLibraryA with the library’s path as an argument.

CreateRemoteThread

HANDLE WINAPI CreateRemoteThread(
__in HANDLE hProcess,
__in LPSECURITY_ATTRIBUTES lpThreadAttributes,
__in SIZE_T dwStackSize,
__in LPTHREAD_START_ROUTINE lpStartAddress,
__in LPVOID lpParameter,
__in DWORD dwCreationFlags,
__out LPDWORD lpThreadId
);

hProcess

Is the handle to the remote process we intend like to inject our library.

lpStartAddress

This is the address (or offset) of the function our thread will start executing. In our case this should be equal to the offset of LoadLibraryA in the remote process address space.

lpParameter

This is the address of the parameter (library pathname) we aim to set as an argument to the LoadLibraryA function. Note that this also has to be in the address space of our remote process.

The main issues we have to take into consideration are:

* The offset of LoadLibraryA is not constant (not after Microsoft implemented Address Space Layout Randomisation or ASLR)
* Our library’s pathname string does not exist in the remote thread’s address space

Offset of LoadLibraryA

LoadLibraryA resides within kernel32.dll which is an essential library for every process that runs in our operating system. After each restart there is a probability that the address of kernel32 library would change due to ASLR. Fortunately the address of LoadLibraryA in our process is the same with the one in the remote process. Therefore we will need to use the GetProcAddress in combination with GetModuleHandle. The example code below does this thing:

#include
#include
#include

int main(int argc, char *argv[])
{
HINSTANCE kernel32;
FARPROC proc;
char *procname = “LoadLibraryA”;
char *modulename = “Kernel32″;
kernel32 = GetModuleHandle(modulename);
printf(”hModule: %X\n”,kernel32);
proc = GetProcAddress(kernel32,procname);
printf(”hProc: %X\n”,proc);
system(”PAUSE”);
return 0;
}

Getting the pathname inside the remote process’s address space

To do such a thing we would need to allocate space in the remote thread’s address space using VirtualAllocEx function and then patch our pathname to it using WriteProcessMemory function. You can lookup this two functions on MSDN using the links below:

VirtualAllocEx
WriteProcessMemory

Another “hack” you are be able to use is that you could name you library after a string inside the executable file and then copy it inside the executables folder or any other folder defined by the PATH environment variable. For the example program’s hex dump below you could use ernel32.dll (at 00402229) or nel32.dll (at 0040222A) 32.dll (at 0040222D) or even NameA (at 00402243) as your library’s filename.

004020F0 ø .......Dialog

00402100 BoxParamA.´.EndD

00402110 ialog.ü.GetDlgIt

00402120 emTextA.±Messag

00402130 eBoxA.SetDlgIt

00402140 emTextA.user32.d

00402150 ll..R.CreateRemo

00402160 teThread..›.Exit

00402170 Process.Ì.Format

00402180 MessageA..GetC

00402190 urrentProcessId.

004021A0 (GetLastError..

004021B0 4GetModuleHandl

004021C0 eA..SGetProcAdd

004021D0 ress..OpenProc

004021E0 ess.\RtlZeroMem

004021F0 ory.ÞVirtualAll

00402200 ocEx..WritePro

00402210 cessMemory..ls

00402220 trlenA..kernel32

00402230 .dll....GetOpenF

00402240 ileNameA..comdlg

00402250 32.dll..........


Download Source code and executable