SecurityAndStuff

Dll injection (CreateRemoteThread technique)

 1111  6 mins

What is DLL injection

DLL injection is a way of inserting a dynamic link library into some software whose source code you have no access to, so you can run custom code.

Writing an injector

Let’s begin with with importing some necessary libraries:

1
2
3
4

#include <cstdio>
#include <Windows.h>
#include <tchar.h>
#include <psapi.h>

I will be introducing a few Windows API functions, along with an explanation and the MSDN documentation.

Obtaining the PID of the process

We first need to find what the PID of the process we want is, we can do that by enumerating through every process.

Microsoft provides an helpful example

We can modify it slightly to find the process we want:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

int FindTargetProcessPID(TCHAR* processName) {
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");
    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;

    if (!EnumProcesses(aProcesses, sizeof(aProcesses), &cbNeeded))
    {
        return -1;
    }

    cProcesses = cbNeeded / sizeof(DWORD);

    for (i = 0; i < cProcesses; i++)
    {
        if (aProcesses[i] != 0)
        {
            HANDLE hProcess = OpenProcess(PROCESS_QUERY_INFORMATION |
                PROCESS_VM_READ,
                FALSE, aProcesses[i]);
            if (NULL != hProcess)
            {
                HMODULE hMod;
                DWORD cbNeeded;

                if (EnumProcessModules(hProcess, &hMod, sizeof(hMod),
                    &cbNeeded))
                {
                    GetModuleBaseName(hProcess, hMod, szProcessName,
                        sizeof(szProcessName) / sizeof(TCHAR));
                }
                if (_tcscmp(szProcessName, processName) == 0)
                {
                    CloseHandle(hProcess);
                    return aProcesses[i];
                }
            }
            CloseHandle(hProcess);
        }
    }
    return -1;
}

int main(int argc, int** argv)
{
    const TCHAR* process = L"notepad.exe";
    int PID = FindTargetProcessPID((TCHAR*)process);
    if (PID != -1) {
        printf("%d", PID);
    }
}

We begin by enumerating each process, we obtain an handle to each one, and check if the base module’s name matches what we want.

An handle is an unique reference to a resource, in this case a process.

After we have the PID, we want to request an handle to the process with enough permissions to read and write its memory and create a thread in it.

Requesting an handle to the process

The signature of the function we need:

HANDLE OpenProcess(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId);

Its documentation is available here

The documentation for the available flags for dwDesiredAccess is available here

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

HANDLE processHandle = OpenProcess(PROCESS_CREATE_THREAD |
    PROCESS_QUERY_INFORMATION |
    PROCESS_VM_OPERATION |
    PROCESS_VM_WRITE |
    PROCESS_VM_READ,
    FALSE,
    PID);

if (processHandle == NULL)
{
    printf("%s\n", "Couldn't obtain an handle to the process.");
    exit(1);
}

Creating a DLL

For the next step we will need an actual DLL we can inject. You can create a Dynamic Link Library project with Visual Studio. Make sure its built for the same architecture as the target process and the DLL Injector. Replace the generated code with this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        MessageBox(NULL, L"Hello, World", L"Hello, World", MB_OK);
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

When the DLL is injected, it will display a message box. After you build the DLL, place it anywhere you’d like.

Allocating memory on the process

The next function we will use is VirtualAllocEx.

This function lets you allocate memory in another process, and will return the address where it was allocated. We need this because later on we will create a thread in the target process, and we will need a place to store the argument to the function we will start the thread with.

The function we will be starting in the target process is LoadLibrary. This function loads a DLL into the current process and since we will be starting it from a thread we create on the target process, it really means it will load a DLL into the target process. Its signature is as follows:

HMODULE LoadLibraryW(LPCWSTR lpLibFileName);

This means we will need to allocate enough space on the target process for a string with the path of the DLL we want to inject, and then copy the path string to that memory. I placed my DLL in “C:/Dll.dll”, you will want to adjust the path to where you put yours.

1
2
3
4
5
6
7
8
9

const char* path = "C:\\Dll.dll";
LPVOID allocatedMemoryLocation = VirtualAllocEx(processHandle, 0, strlen(path) + 1,
    MEM_RESERVE | MEM_COMMIT,
    PAGE_READWRITE);

if (allocatedMemoryLocation == NULL) {
    printf("%s", "Couldn't allocate memory on the process.\n");
    exit(1);
}

The documentation for flProtect argument is available here

Writing into the process

Now, we need to write the path string into the memory we just allocated, we can use WriteProcessMemory for that.

1
2
3
4

if (!WriteProcessMemory(processHandle, allocatedMemoryLocation, path, strlen(path) + 1, NULL)) {
    printf("%s", "Couldn't write into the process.\n");
    exit(1);
}

Running the DLL

We are almost at the end.

The only thing left to do is create a thread on the target process, with the LoadLibrary function, and with the DLL path as an argument.

First we need the address of the LoadLibrary function. Even though Windows has ASLR, this doesn’t appear to affect where addresses of functions in the kernel32.dll library are located, so we can obtain the function’s address from our own process.

We will use GetProcAddress to obtain the function’s address. The function signature is as follows:

FARPROC GetProcAddress(HMODULE hModule,LPCSTR lpProcName);

To obtain the value for the first argument, we will need an handle to the kernel32.dll module.

We can use GetModuleHandle for that, its signature:

HMODULE GetModuleHandleW(LPCSTR lpModuleName);

We will also need to start a thread on the remote process, we can use CreateRemoteThread for that. Its signature:

HANDLE CreateRemoteThread( HANDLE hProcess, LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId );

There’s a lot of arguments, but we can safely ignore most of them by using 0 or NULL and the default values for thread creation will be used. The most important one is dwCreationFlags, which we want to set to 0 so the thread runs immediately once created.

1
2
3
4
5
6
7
8
9

HMODULE kernel32Module = GetModuleHandle(L"kernel32.dll");
LPVOID loadLibraryAddress = GetProcAddress(kernel32Module, "LoadLibraryA");

if (CreateRemoteThread(processHandle, NULL, 0, (LPTHREAD_START_ROUTINE)loadLibraryAddress, allocatedMemoryLocation, 0, NULL) != NULL)
{
    printf("%s", "DLL successfully injected.\n");
}

CloseHandle(processHandle);

If all worked correctly, you should see a message box pop up saying “Hello, World”.

Conclusion

This is only one of several methods on DLL Injection, the Wikipedia article contains a few more.

https://en.wikipedia.org/wiki/DLL_injection#Approaches_on_Microsoft_Windows

While writing this article, Windows Defender kept preventing me from running the injector, so you might need to briefly disable it.

updatedupdated2023-03-192023-03-19