Checking that a DLL file was injected correctly - C++

I made a DLL injector in C++, along with the DLL file that will be injected into a process.
But how can I test that my injector injects my DLL file correctly? Is it possible to send some logs from the DLL file after it has been injected into the process?
Process and DLL file is 32bit.

There are probably better ways, but a message box and a beep are probably sufficient
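// Signals that the DLL was loaded: a beep followed by a message box.
// Runs on its own thread so that the user32 call (MessageBoxA) and the
// 500 ms blocking Beep do not execute inside DllMain, where the loader lock
// is held and calls into user32 can deadlock the host process.
static unsigned __stdcall ShowInjectedNotice(void* /*unused*/)
{
    Beep(750, 500);
    MessageBoxA(NULL, "Hello!!\r\nInjected", "Injected", MB_OK);
    //MessageBoxW(NULL, L"Hello!!\r\nInjected", L"Injected", MB_OK); //unicode
    return 0;
}

// DLL entry point.
//
// On DLL_PROCESS_ATTACH it records the module handle in the file-level
// hInstance, starts the Engine worker thread and starts a second thread that
// shows the "Injected" notice. DllMain itself only creates threads and
// returns; nothing here waits on them.
//
// hModule            - handle of this DLL, stored in hInstance.
// ul_reason_for_call - loader notification code.
// lpReserved         - unused.
// Returns TRUE so the load is never rejected.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        hInstance = hModule;
        DisableThreadLibraryCalls(hModule); // disable unwanted thread notifications to reduce overhead

        //CreateThread(NULL, NULL, Engine, NULL, NULL, NULL);
        // stack_size and initflag are unsigned values, so pass 0 rather than NULL.
        const uintptr_t engineThread = _beginthreadex(NULL, 0, Engine, NULL, 0, NULL);
        if (engineThread != 0)
        {
            // _beginthreadex hands back a real handle that the caller owns;
            // closing it does not stop the thread.
            CloseHandle(reinterpret_cast<HANDLE>(engineThread));
        }

        const uintptr_t noticeThread = _beginthreadex(NULL, 0, ShowInjectedNotice, NULL, 0, NULL);
        if (noticeThread != 0)
        {
            CloseHandle(reinterpret_cast<HANDLE>(noticeThread));
        }
        break; // break attach
    }
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}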

Related

SetThreadAffinityMask use

Hey, I would like to ask: is this the right way to use SetThreadAffinityMask to run a thread on the first core? Thanks
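// Worker routine: restricts the calling thread to the first logical processor
// (affinity mask bit 0) and then spins forever in Xtimer delays.
// Never returns.
void start()
{
    // SetThreadAffinityMask takes the thread HANDLE itself, not a pointer to
    // it. GetCurrentThread() returns a pseudo-handle for the calling thread,
    // so no OpenThread call is needed and there is no handle to close.
    if (SetThreadAffinityMask(GetCurrentThread(), 0x01) == 0)
    {
        // A zero return means the call failed; GetLastError() has the reason.
        // Execution continues so the delay loop below still runs, as before.
        OutputDebugStringA("start: SetThreadAffinityMask failed\n");
    }

    for (;;) {
        Xtimer MyRdtscTimer;
        MyRdtscTimer.Delay(1000000000);
    }
}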
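// DLL entry point.
//
// On DLL_PROCESS_ATTACH it turns off per-thread notifications for this module
// and starts the `start` worker thread. All other notifications are ignored.
// Always returns TRUE.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        DisableThreadLibraryCalls(hModule);

        // NOTE(review): `start` is declared `void start()`, which is not the
        // DWORD WINAPI (LPVOID) shape CreateThread expects; the cast only
        // silences the compiler. It is tolerated here because start() never
        // returns, but the routine should be given the proper signature.
        HANDLE worker = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&start, 0, 0, 0);
        if (worker != NULL)
        {
            // The handle is never used again; closing it avoids a leak and
            // does not affect the running thread.
            CloseHandle(worker);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}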
I tried GetCurrentThread, but it does not seem to work on my end

RunDLL32 does not execute anything

I am trying to create a DLL which can be executed with RunDLL32. I know that RunDLL32 is running correctly because if I execute the following command, it pops up a message box:
rundll32 printui.dll,PrintUIEntry/.
However I cannot get it to execute a DLL that I created, which looks like this:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
// DLL entry point: pops up a message box naming which loader notification
// arrived ("Hello1".."Hello4"); any other reason code shows nothing.
// Always returns TRUE.
//
// NOTE(review): every MessageBox call here runs inside DllMain. This file
// also exports no function, so there is nothing for rundll32 to be pointed at.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    const wchar_t* text = nullptr;

    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        text = L"Hello1";
    else if (ul_reason_for_call == DLL_THREAD_ATTACH)
        text = L"Hello2";
    else if (ul_reason_for_call == DLL_THREAD_DETACH)
        text = L"Hello3";
    else if (ul_reason_for_call == DLL_PROCESS_DETACH)
        text = L"Hello4";

    if (text != nullptr)
        MessageBox(0, text, 0, 0);

    return TRUE;
}
The code compiles fine (in Visual Studio 2017, Release mode, x64), but when I execute
RunDLL32 MyDLL.dll
nothing happens. There are no error messages, no output, and no message boxes. Why is that?
Since you are compiling a 64-bit DLL, make sure you are running the 64-bit version of RunDll32:
rundll32.exe equivalent for 64-bit DLLs
Per this page:
If you pass the wrong type of DLL to Rundll32, it may fail to run without returning any error message.
Even if you could get RunDLL32 to load your DLL, you can't safely call MessageBox() in DllMain() at all.
You need to export a function for RunDLL32 to execute besides your DllMain. You can call MessageBox() in that function, eg:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
// DLL entry point. Deliberately does no work for any notification: the
// user-visible behaviour lives in the exported function instead of here.
// Always returns TRUE so the load succeeds.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    (void)hModule;
    (void)ul_reason_for_call;
    (void)lpReserved;
    return TRUE;
}
// Exported entry point with the callback signature rundll32 uses.
// Shows the command-line text it was given in a message box titled "Hello".
//
// hwnd        - owner window for the message box.
// hinst       - unused.
// lpszCmdLine - wide-character text displayed as the message body.
// nCmdShow    - unused.
extern "C" __declspec(dllexport) void CALLBACK MyFunctionW(HWND hwnd, HINSTANCE hinst, LPWSTR lpszCmdLine, int nCmdShow)
{
    (void)hinst;
    (void)nCmdShow;

    const wchar_t* const caption = L"Hello";
    MessageBoxW(hwnd, lpszCmdLine, caption, MB_OK);
}
rundll32 my.dll,MyFunction "hello world"

Directx9 Direct3DCreate9 crashing program

I am writing a simple DLL hook to draw on a program. To do this I inject the DLL into the process, which then creates a thread where it retrieves the EndScene location. In order to retrieve the EndScene location, I found the address of "Direct3DCreate9", which I then used to find the vtable. My problem is that calling Direct3DCreate9 seems to crash the program instantly.
My code is the following, is there something wrong with how I get the Direct3DCreate9 location or something else about it?
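// Creates a throwaway Direct3D 9 device, reads entry 42 of its vtable (the
// slot this code treats as EndScene) and writes that address to log.txt.
// Every step that can fail is checked, so a missing d3d9 module, a missing
// export, a missing "test" window or a failed CreateDevice ends the routine
// cleanly instead of dereferencing a null or uninitialised pointer.
// Returns true only when the address was written to the log.
static bool LogEndSceneAddress()
{
    // GetModuleHandleA does not load the DLL; it returns NULL when d3d9 is
    // not already mapped into this process.
    HMODULE module = GetModuleHandleA("d3d9");
    if (module == NULL)
        return false;

    //d3d = Direct3DCreate9(D3D_SDK_VERSION); // create the Direct3D interface
    typedef LPDIRECT3D9(__stdcall* Direct3DCreate9Fn)(UINT);
    Direct3DCreate9Fn pDirect3DCreate9 =
        reinterpret_cast<Direct3DCreate9Fn>(GetProcAddress(module, "Direct3DCreate9"));
    if (pDirect3DCreate9 == NULL)
        return false;

    LPDIRECT3D9 pD3D = pDirect3DCreate9(D3D_SDK_VERSION);
    if (pD3D == NULL)
        return false;

    D3DDISPLAYMODE d3ddm;
    HRESULT hRes = pD3D->GetAdapterDisplayMode(D3DADAPTER_DEFAULT, &d3ddm);

    // Window the temporary device is bound to.
    HWND window = FindWindowA(NULL, "test");
    if (FAILED(hRes) || window == NULL)
    {
        pD3D->Release();
        return false;
    }

    D3DPRESENT_PARAMETERS d3dpp;
    ZeroMemory(&d3dpp, sizeof(d3dpp));
    d3dpp.Windowed = TRUE;
    d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dpp.BackBufferFormat = d3ddm.Format;

    // Initialised so a failed CreateDevice cannot leave a garbage pointer.
    IDirect3DDevice9* device = NULL;
    hRes = pD3D->CreateDevice(D3DADAPTER_DEFAULT,
                              D3DDEVTYPE_HAL,
                              window,
                              D3DCREATE_SOFTWARE_VERTEXPROCESSING,
                              &d3dpp,
                              &device);
    pD3D->Release();
    if (FAILED(hRes) || device == NULL)
        return false;

    // The window was looked up, not created here, so it is not destroyed.

    // The first pointer-sized field of a COM object is its vtable pointer.
    // Pointer-sized types keep this correct on both 32-bit and 64-bit builds.
    void** vtable = *reinterpret_cast<void***>(device);
    const DWORD_PTR endScene = reinterpret_cast<DWORD_PTR>(vtable[42]);

    // The device was only needed for its vtable.
    device->Release();

    // Output information to log file
    std::fstream test;
    test.open("log.txt", std::ios::out);
    if (!test.is_open())
        return false;
    test << endScene;
    test.close();
    return true;
}

// Thread routine started by DllMain. Logs the vtable entry via
// LogEndSceneAddress(), then unloads this DLL and ends the thread.
//
// param - the DLL's own HMODULE, passed through to FreeLibraryAndExitThread.
DWORD WINAPI MainThread(LPVOID param) {
    if (!LogEndSceneAddress())
        OutputDebugStringA("MainThread: could not read the Direct3D 9 device vtable\n");

    // Does not return: drops this module's reference and exits the thread.
    FreeLibraryAndExitThread((HMODULE)param, 0);
    return (0);
}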
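// DLL entry point.
//
// Starts MainThread exactly once, when the DLL is first mapped into the
// process, and passes it this module's handle. Always returns TRUE.
//
// The worker is deliberately NOT started on DLL_THREAD_ATTACH: every thread
// created that way can itself raise another DLL_THREAD_ATTACH, so the process
// can end up spawning workers without bound, and each worker finishes by
// calling FreeLibraryAndExitThread on the same module.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Thread notifications are not used by this module.
        DisableThreadLibraryCalls(hModule);

        HANDLE worker = CreateThread(NULL, 0, MainThread, hModule, 0, NULL);
        if (worker != NULL)
        {
            // The handle is not needed afterwards; closing it avoids a leak
            // and does not stop the thread.
            CloseHandle(worker);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}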

Convert .exe to injectable Dll

I've got a Win32 exe which I want to convert into an injectable Dll file.
This is what I tried:
// DLL entry point: on process attach, tries to start WinMain on a new thread.
// Returns 1 for every notification.
//
// NOTE(review): &WinMain is passed where CreateThread expects an
// LPTHREAD_START_ROUTINE (DWORD WINAPI (LPVOID)). WinMain takes four
// arguments, so the two function types do not match.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwAttached, LPVOID lpvReserved)
{
    if (dwAttached != DLL_PROCESS_ATTACH)
        return 1;

    CreateThread(NULL, 0, &WinMain, NULL, 0, NULL); // This doesn't work...
    return 1;
}
I don't know how to make it call WinMain on attach.
How do I do it the right way? Thanks for your help.
Try this :
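// Thread entry point with the exact signature CreateThread requires.
// Casting WinMain itself to LPTHREAD_START_ROUTINE makes the thread call a
// four-argument function with a single argument, which is undefined
// behaviour; this thunk supplies a complete argument list instead.
//
// lpParameter - the DLL's module handle, forwarded as WinMain's hInstance.
// NOTE(review): GetCommandLineA() is the host process's full command line,
// including the program name; pass something else if WinMain parses it.
static DWORD WINAPI WinMainThread(LPVOID lpParameter)
{
    HINSTANCE instance = static_cast<HINSTANCE>(lpParameter);
    return static_cast<DWORD>(WinMain(instance, NULL, GetCommandLineA(), SW_SHOWDEFAULT));
}

// DLL entry point: on process attach, runs WinMain on a new thread through
// WinMainThread. Returns 1 for every notification.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwAttached, LPVOID lpvReserved)
{
    if (dwAttached == DLL_PROCESS_ATTACH) {
        // starts the routine in a new thread
        HANDLE worker = CreateThread(NULL, 0, WinMainThread, hModule, 0, NULL);
        if (worker != NULL) {
            // Not used again; closing the handle does not stop the thread.
            CloseHandle(worker);
        }
    }
    return 1;
}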

MS Detours Express 3.0 is not hooking CreateFile win32 API function properly

I am trying to hook the Win32 API function "CreateFile" using MS Detours. When I test it by opening a *.doc file in MS Word, the CreateFile calls for the DLLs, font files and directories loaded by MS Word are redirected to my detoured function, but the call for the *.doc file itself is not. When I open a *.txt file in Notepad, however, the CreateFile call for that *.txt file does reach my detoured function.
I am using following code for hooking CreateFile:
// Function-pointer type matching the wide-character CreateFile signature.
typedef HANDLE (WINAPI *CreateFile_t)(LPCWSTR lpFileName,
                                      DWORD dwDesiredAccess,
                                      DWORD dwShareMode,
                                      LPSECURITY_ATTRIBUTES lpSecurityAttributes,
                                      DWORD dwCreationDisposition,
                                      DWORD dwFlagsAndAttributes,
                                      HANDLE hTemplateFile);

// Pointer through which Routed_CreateFile reaches the original API.
// DllMain passes its address to DetourAttach / DetourDetach.
static CreateFile_t Real_CreateFile = CreateFile;
// Replacement for CreateFile: writes the requested file name to the debugger
// output, then forwards every argument unchanged through Real_CreateFile and
// returns whatever handle that call produces.
HANDLE WINAPI Routed_CreateFile(LPCWSTR lpFileName,
                                DWORD dwDesiredAccess,
                                DWORD dwShareMode,
                                LPSECURITY_ATTRIBUTES lpSecurityAttributes,
                                DWORD dwCreationDisposition,
                                DWORD dwFlagsAndAttributes,
                                HANDLE hTemplateFile)
{
    OutputDebugString(lpFileName);

    HANDLE result = Real_CreateFile(lpFileName,
                                    dwDesiredAccess,
                                    dwShareMode,
                                    lpSecurityAttributes,
                                    dwCreationDisposition,
                                    dwFlagsAndAttributes,
                                    hTemplateFile);
    return result;
}
// DLL entry point: installs the CreateFile detour on process attach and
// removes it again in a second Detours transaction. Each outcome is reported
// through OutputDebugString. Always returns TRUE.
//
// NOTE(review): as written, DLL_THREAD_ATTACH and DLL_THREAD_DETACH share the
// DLL_PROCESS_DETACH branch, so any thread notification also runs the
// detach transaction.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved )
{
    if (ul_reason_for_call == DLL_PROCESS_ATTACH)
    {
        OutputDebugString(L"Attaching MyDLL.dll");
        OutputDebugString(strInfo);
        DetourRestoreAfterWith();

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
        const LONG attachResult = DetourTransactionCommit();

        OutputDebugString(attachResult == NO_ERROR ? L"Hooked Success" : L"Hook Error");
    }
    else if (ul_reason_for_call == DLL_THREAD_ATTACH ||
             ul_reason_for_call == DLL_THREAD_DETACH ||
             ul_reason_for_call == DLL_PROCESS_DETACH)
    {
        OutputDebugString(L"De-Attaching MyDLL.dll");

        DetourTransactionBegin();
        DetourUpdateThread(GetCurrentThread());
        DetourDetach(&(PVOID&)Real_CreateFile, Routed_CreateFile);
        const LONG detachResult = DetourTransactionCommit();

        OutputDebugString(detachResult == NO_ERROR ? L"Un-Hooked Success" : L"Un-Hook Error");
    }
    return TRUE;
}
Thanks in advance.
I think you are missing a break after this:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break; // Not interested in thread messages
case DLL_PROCESS_DETACH:
Are you just detaching the detour before it is called? Maybe opening a .doc creates a new thread but a .txt doesn't, triggering this code path.
It looks like you're not initializing your Real_CreateFile function pointer properly. I'm guessing you're setting it to your module's import table entry for CreateFile.
Instead, initialize it to GetProcAddress(GetModuleHandle("kernel32"),"CreateFileW");