A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #17244  by hanan
 Mon Dec 17, 2012 9:04 pm
Hi,


I have a very basic DLL injection code (using CreateRemoteThread), but I am unable to get it to work under Windows 7 64-bit.
I have done some research and I understand that in order to inject into a 64-bit process my code should be 64-bit too, but I prefer not to do that just yet until I get my basic code to run,
so after I inject a 32-bit process (like pythonw.exe) I don't see that it's working (I should get a MessageBox from the injected DLL).

I have tried to run it as Administrator and as a non-admin account, but it still doesn't work.
I have tried to inject a user session process (something like Python IDLE (pythonw.exe)), but to no avail.

Is there any way to make it work?
 #17260  by hanan
 Tue Dec 18, 2012 9:37 am
Code:
#include <windows.h>

int main(void)
{
	LPTSTR InjectWhat = TEXT("test.dll");
	TCHAR Inject[MAX_PATH]; // TODO: create custom memory length for longer paths
	GetFullPathName(InjectWhat, MAX_PATH, Inject, NULL);

	STARTUPINFO si = {sizeof(si)};
	PROCESS_INFORMATION pi;

	// lpApplicationName, lpCommandLine, process/thread attributes, bInheritHandles, dwCreationFlags, ...
	CreateProcess("C:\\Program Files (x86)\\PuTTY\\putty.exe", NULL, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);

	DWORD iPID = pi.dwProcessId;

	HANDLE hTargetProc;
	hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, iPID);

	HMODULE hKernl32;
	hKernl32 = GetModuleHandle("Kernel32.dll");

	LPVOID hLoadLibrary;
	hLoadLibrary = (LPVOID) GetProcAddress(hKernl32, "LoadLibraryW");

	VOID *iBaseAddress;
	iBaseAddress = VirtualAllocEx(hTargetProc, NULL, 256,
		MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	BOOL bMemWrite;
	bMemWrite = WriteProcessMemory(hTargetProc, iBaseAddress, (VOID *) Inject, sizeof(Inject), NULL);

	HANDLE hRemoteThread;
	hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, (LPTHREAD_START_ROUTINE) hLoadLibrary, iBaseAddress, 0, NULL);

	return 0;
}
The test.dll file is simply supposed to show a MessageBox:
Code:
#include <Windows.h>

#define EXPORT __declspec(dllexport)

BOOL WINAPI DllMain(HINSTANCE hInst, DWORD fdwReason, PVOID pvReserved)
{
	if (fdwReason == DLL_PROCESS_ATTACH)
		MessageBox(NULL, TEXT("DLL_PROCESS_ATTACH"), TEXT("Test Run"), MB_OK);
	else if (fdwReason == DLL_THREAD_ATTACH)
		MessageBox(NULL, TEXT("DLL_THREAD_ATTACH"), TEXT("Test Run"), MB_OK);
	else if (fdwReason == DLL_PROCESS_DETACH)
		MessageBox(NULL, TEXT("DLL_PROCESS_DETACH"), TEXT("Test Run"), MB_OK);
	else if (fdwReason == DLL_THREAD_DETACH)
		MessageBox(NULL, TEXT("DLL_THREAD_DETACH"), TEXT("Test Run"), MB_OK);
	return TRUE;
}

EXPORT BOOL CALLBACK MessageTest(void)
{
	MessageBox(NULL, TEXT("Run in the MessageTest()"), TEXT("Test Run Function"), MB_OK);
	return TRUE;
}
I am using CreateProcess just to demonstrate that I am trying to inject a process that was started by a program in the same session and that the program is a 32-bit process.

GetLastError returns 0 after each function in the injection code, so there aren't any errors with it, but I can't get a MessageBox from the injected DLL, nor can I see test.dll in the module list (using procexp) of the injected process (putty.exe).
 #17261  by hanan
 Tue Dec 18, 2012 10:12 am
OK, it works now.
I just had to change "LoadLibraryW" to "LoadLibraryA", although I am unable to understand why it doesn't work if I use the Unicode version of LoadLibrary, since I am writing to the process a Unicode string with the sizeof of the Unicode string.

I am able to run it on a process that i start outside of the code with regular privileges.

THX.
 #17264  by EP_X0FF
 Tue Dec 18, 2012 4:11 pm
hanan wrote:
Code:
	TCHAR Inject[MAX_PATH]; // TODO: create custom memory length for longer paths
	
	VOID *iBaseAddress;
	iBaseAddress = VirtualAllocEx(hTargetProc, NULL, 256, 
		MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

	BOOL bMemWrite;
	bMemWrite = WriteProcessMemory(hTargetProc, iBaseAddress, (VOID *) Inject, sizeof(Inject), NULL); 
Don't you see anything strange? :)