I created a simple DLL that open cmd.exe.
I did it with these options:
In the default dlllmain.cpp I added a code that creates a new cmd.exe:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include <Windows.h>
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
{
STARTUPINFO info = { sizeof(info) };
PROCESS_INFORMATION processInfo;
BOOL h = CreateProcessW(L"C:\\Windows\\System32\\cmd.exe", L"", NULL, NULL, TRUE, 0, NULL, NULL, &info, &processInfo);
}
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
These three lines below the DLL_PROCESS_ATTACH worked for me when I tested it with a console application.
I am expecting that every process that will load this DLL will open cmd.exe.
I tried to load the DLL with PowerShell:
Add-Type -TypeDefinition #"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class Kernel32
{
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary(
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
}
"#
$LibHandle = [Kernel32]::LoadLibrary("C:\tmp\myDll.dll")
But nothing happens, the value of the $LibHandle was 0.
What I am doing wrong ?
I found what was the problem.
My system is 64 bit and the file was compiled in 32 bit.
I needed to specify in Visual Studio that I am compiling it in x64 bit.
I didn't check it in the beginning because I thought that when I am compiling it on "Any CPU" mode, it compile the file in 64 bit automatically as the OS architecture.
Now it works fine.
Related
Code injection can get the Qt application I developed correctly, but third-party applications can't. What should I do?
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
DoSomeThing();
break;
case DLL_THREAD_ATTACH:
DoSomeThing();
break;
default:
break;
}
return TRUE;
}
void DoSomeThing() {
LPCTSTR step = L"GetQCoreApplication";
LPCSTR CustomApplications = "CustomApp";
LPCSTR ThirdPartyApplications = "ThirdPartyApp";
//CustomApplications = ThirdPartyApplications;
HWND hwnd = FindWindowA(NULL, CustomApplications);
DWORD procId;
GetWindowThreadProcessId(hwnd, &procId);
HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procId);
/*Custom programs are available. But third-party applications are not available.*/
QCoreApplication* qCoreApplication = QCoreApplication::instance();
if (qCoreApplication != NULL) {
MessageBox(NULL, L"Get QCoreApplication", TEXT("Inject Code"), MB_OK);
}
else
{
MessageBox(NULL, L"Not Acquired QCoreApplication", TEXT("Inject Code"), MB_OK);
}
ofstream mcfile;
mcfile.open("D://Inject.txt");
mcfile << "This is my message.";
mcfile.close();
/*Custom programs are available. But third-party applications are not available.*/
HWND hwnd11 = FindWindowA(NULL, CustomApplications);
QWidget* q = QWidget::find((WId)hwnd);
if (q != NULL) {
//
}
else {
//
}
}
Custom programs are available. Third-party applications are not available.
When I looked at the qt dynamic library, I found Qtxxxd.dll and Qtxxx.dll. Check out the qt documentation and find that the qt application uses Qtxxxd.dll in debug mode and Qtxxx.dll in release mode.
Make sure your injection program is consistent with the injected program using the same pattern.
I have met some issues when trying to inject a dll into a process. I am quite new at the topic but am familiar with C# so reading and understand the syntax of C++ wasnt that unfamiliar and i understand it for the most part.
What i am trying is only for learning, and i am trying this with simple applications like notepad.exe and calc.exe.
Project setup:
WPF application - To pick the process i want to tinker with and inject the unmanaged dll.
CppDLL.dll - Unmanaged dll to load CLR, managed dll and call method on managed dll.
SharpDLL.dll - Managed dll.
(wpf) c# of interest
dllToInject = fileDialog.FileName;
Process targetProcess = Process.GetProcessById(processToInject.ID);
var dllInjector = DllInjector.GetInstance;
DllInjectionResult injectResult;
if ((injectResult = dllInjector.Inject(processToInject.Name,dllToInject)) == DllInjectionResult.Success)
{
MessageBox.Show("Success");
} else
{
MessageBox.Show("Error: " + injectResult.ToString());
}
The unmanaged dll is successfully injected when not trying to load clr and managed dll as shown below.
But when i try to load CLR and managed dll it fails.
CppDLL.dll dllmain.cpp :
#include "stdafx.h"
#include <Windows.h>
#include <metahost.h>
#pragma comment(lib, "mscoree.lib")
#import "mscorlib.tlb" raw_interfaces_only \
high_property_prefixes("_get","_put","_putref") \
rename("ReportEvent", "InteropServices_ReportEvent")
void LoadDotNet()
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pClrRuntimeHost = NULL;
hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&pMetaHost));
hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pRuntimeInfo));
hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost,
IID_PPV_ARGS(&pClrRuntimeHost));
hr = pClrRuntimeHost->Start();
DWORD pReturnValue;
hr = pClrRuntimeHost->ExecuteInDefaultAppDomain(
L"C:\\Users\\DanHovedPC\\Desktop\\inject\\SharpDLL.dll",
L"SharpDLL.Injected",
L"Start",
L"Hello from .NET",
&pReturnValue);
pMetaHost->Release();
pRuntimeInfo->Release();
pClrRuntimeHost->Release();
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
MessageBox(NULL, L"Hi!", L"From cpp DLL", NULL);
//LoadDotNet();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
SharpDLL.dll Injected.cs
using System.Windows;
namespace SharpDLL
{
class Injected
{
public static int Start(string arg)
{
MessageBox.Show(arg);
return 0;
}
}
}
In CppDLL.dll if i uncomment the function and comment the messagebox it fails. The SharpDLL.dll does not get injected. And when i try to close notepad the process still shows up in Process Explorer.
I have looked at the process in Process Explorer beforehand and the clr.dll is not loaded by default, but it gets loaded when the function runs. Maybe it could be the .NET version? I am running Windows 10 x64.
Update
The code runs until i try to actually start the runtime
void LoadDotNet()
{
HRESULT hr;
ICLRMetaHost *pMetaHost = NULL;
ICLRRuntimeInfo *pRuntimeInfo = NULL;
ICLRRuntimeHost *pClrRuntimeHost = NULL;
hr = CLRCreateInstance(CLSID_CLRMetaHost, IID_PPV_ARGS(&pMetaHost));
hr = pMetaHost->GetRuntime(L"v4.0.30319", IID_PPV_ARGS(&pRuntimeInfo));
hr = pRuntimeInfo->GetInterface(CLSID_CLRRuntimeHost,
IID_PPV_ARGS(&pClrRuntimeHost));
// start runtime
MessageBox(NULL, L"Runs up to here...", L"DEBUG", NULL);
hr = pClrRuntimeHost->Start();
MessageBox(NULL,(LPCWSTR)GetLastError(),L"DEBUG",NULL);
pMetaHost->Release();
pRuntimeInfo->Release();
pClrRuntimeHost->Release();
}
The first messagebox shows.
I figured out that the problem was that code within DllMain must not access the CLR.
Code within DllMain must not access the CLR. This means that DllMain should make no calls to managed functions, directly or indirectly; no managed code should be declared or implemented in DllMain; and no garbage collection or automatic library loading should take place within DllMain.
https://msdn.microsoft.com/en-us/library/ms173266.aspx
When creating a new thread the code runs successfully
BOOL APIENTRY DllMain(HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
//printf("DLL Loaded!");
CreateThread(NULL, 0,
(LPTHREAD_START_ROUTINE)LoadDotNet, NULL, 0, NULL);
}
return TRUE;
}
And from reading a comment on another question here on SO CreateThread should be safe in this particular case.
I posted a recent question on SO about code injection, this one is similar but not the same. I am injecting dll into Firefox, it injects successfully but the code in the DLL doesn't run. If i inject the same code into a custom application, it works. Why might that be. This is the code that I'm using.
Injector.exe // the file that's injecting the code
#include <stdio.h>
#include <windows.h>
#define procId 2844
#define dllname "dllinject.dll" // located in same directory
int main()
{
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, false, procId);
LPVOID allocated = (LPVOID)VirtualAllocEx(hProc, NULL, strlen(dllname), MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProc, (LPVOID)allocated, dllname, strlen(dllname), NULL);
LPVOID libaddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
CreateRemoteThread(hProc, NULL, NULL, (LPTHREAD_START_ROUTINE)libaddr, NULL, NULL);
CloseHandle(hProc);
return 0;
}
Simpleinjected.exe // the file being injected
#include <stdio.h>
int main()
{
printf("Hello");
return 0;
}
dllinject.dll
#include <windows.h>
int message(const char *msg)
{
MessageBox(NULL, msg, "Message from Dll", MB_OK);
return 0;
}
BOOL WINAPI DLLMain(HINSTANCE hInstDll, DWORD ulReason, LPVOID lpReserved)
{
switch(ulReason)
{
case DLL_PROCESS_ATTACH:
message("process attach");
break;
case DLL_THREAD_ATTACH:
message("thread attach");
break;
case DLL_PROCESS_DETACH:
message("process detach");
break;
case DLL_THREAD_DETACH:
message("thread detach");
break;
}
return true;
}
It works when injected into simpleinjected.exe but when injected in Firefox, nothing happens even though the dll is injected successfully.
I cannot reproduce your observations. I was able to inject dllinject.dll into other processes (also firefox) but I've never seen a message box.
After a bit of digging I found that your DLLMain is spelled wrong. Change it into DllMain and you'll see message boxes in Firefox.
By the way: You propably want to change MessageBox into MessageBeep since FireFox creates/destroys a lot of threads... (this is annoying even for a quick test!)
Im trying to get a basic hook going using microsoft detours. My program is able to successfully run CreateProcessWithDllEx and inject a dll. However, I cannot seem to resume the actual hooked program. I am using notepad for testing and I can see notepad.exe running in my process list, but the notepad window never actually comes up.
my dll is as follows:
#undef UNICODE
#include <cstdio>
#include <windows.h>
#include <detours.h>
#pragma comment(lib, "detours.lib")
typedef void (WINAPI *pFunc)(void);
DWORD WINAPI MyFunc(void);
pFunc FuncToDetour = (pFunc)DetourFindFunction("Winmm.dll", "timeGetTime"); //Set it at address to detour in
//the process
extern "C" __declspec( dllexport )VOID NullExport( VOID )
{
}
INT APIENTRY DllMain(HMODULE hDLL, DWORD Reason, LPVOID Reserved)
{
switch(Reason)
{
case DLL_PROCESS_ATTACH:
{
DisableThreadLibraryCalls(hDLL);
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
//DetourAttach(&(PVOID&)FuncToDetour, MyFunc);
//DetourTransactionCommit();
}
break;
case DLL_PROCESS_DETACH:
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)FuncToDetour, MyFunc);
DetourTransactionCommit();
break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
break;
}
return TRUE;
}
DWORD WINAPI MyFunc()
{
return 0;
}
And my injector is as follows:
#undef _UNICODE
#include "stdafx.h"
#include <cstdio>
#include <windows.h>
#include <detours.h>
int main()
{
STARTUPINFO si;
PROCESS_INFORMATION pi;
ZeroMemory(&si, sizeof(STARTUPINFO));
ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
si.cb = sizeof(STARTUPINFO);
WCHAR DirPath[MAX_PATH+1];
wcscpy_s(DirPath, MAX_PATH, L"C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release");
char DLLPath[MAX_PATH+1] = "C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release\\hbotdll.dll";
WCHAR EXE[MAX_PATH+1]={0};
wcscpy_s( EXE, MAX_PATH, L"C:\\Documents and Settings\\Administrator\\My Documents\\Visual Studio 2010\\Projects\\hbotinjector\\Release\\notepad.exe" );
STARTUPINFO _StartupInfo;
PROCESS_INFORMATION _Information;
ZeroMemory( &_Information, sizeof( PROCESS_INFORMATION ) );
if(DetourCreateProcessWithDllEx( EXE, NULL, NULL, NULL, TRUE,
CREATE_DEFAULT_ERROR_MODE | CREATE_SUSPENDED, NULL, DirPath, &_StartupInfo, &_Information,
DLLPath, NULL ))
{
MessageBoxA(NULL,"INJECTED", NULL, NULL);
ResumeThread(_Information.hThread);
WaitForSingleObject(_Information.hProcess, INFINITE);
}
else
{
char error[100];
sprintf(error, "%d", GetLastError());
MessageBoxA(NULL, error, NULL, NULL);
}
return 0;
}
And I build my dll with a .def file, insuring that there is the required function at ordinal 1 for detours to work properly:
LIBRARY HBOTDLL
EXPORTS
NullExport #1
Does anyone know what is causing the process from not running? As a side note, I've tried it with a blank dll as well where it just contains the required function at ordinal 1 and nothing else and it seems to have identical results.
Also, my injector runs forever as long as the notepad.exe process is showing in the process list. This is in response to WaitForSingleObject, which seems to indicate the process has been spawned correctly.
On the comment of Hans Passant, I went back and realized that I had declared pi and si as well as _Information and _StartupInfo. I wasn't zeroing out the second group I had created, and that was the group I was using. So I changed the call to CreateProcessWithDllEx to use &pi and &si. Everything works fine now.
I try to implement password filter, so I write a simple password filter.
I followed the document in the MSDN, and make sure that the functions are declared correctly.
I compile in VS 2010.
.def file:
LIBRARY myFilt
EXPORTS
InitializeChangeNotify
PasswordFilter
PasswordChangeNotify
.cpp file:
#include <windows.h>
#include <stdio.h>
#include <ntsecapi.h>
void writeToLog(const char* szString)
{
FILE* pFile = fopen("c:\\work\\logFile.txt", "a+");
if (NULL == pFile)
{
return;
}
fprintf(pFile, "%s\r\n", szString);
fclose(pFile);
return;
}
// Default DllMain implementation
BOOL APIENTRY DllMain( HANDLE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
OutputDebugString(L"DllMain");
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
BOOLEAN __stdcall InitializeChangeNotify(void)
{
OutputDebugString(L"InitializeChangeNotify");
writeToLog("InitializeChangeNotify()");
return TRUE;
}
BOOLEAN __stdcall PasswordFilter(
PUNICODE_STRING AccountName,
PUNICODE_STRING FullName,
PUNICODE_STRING Password,
BOOLEAN SetOperation
)
{
OutputDebugString(L"PasswordFilter");
return TRUE;
}
NTSTATUS __stdcall PasswordChangeNotify(
PUNICODE_STRING UserName,
ULONG RelativeId,
PUNICODE_STRING NewPassword
)
{
OutputDebugString(L"PasswordChangeNotify");
writeToLog("PasswordChangeNotify()");
return 0;
}
I put myFilt.dll in %windir%\system32, add "myFilt" to "Notification Packages" in the registry, restart the computer, change the password, and nothing happens.
I opened depends.exe and saw that the functions are correctly:
InitializeChangeNotify
PasswordChangeNotify
PasswordFilter
Where is the mistake??
Thanks.
I found the problem! I changed the runtime library from Multi-threaded Debug DLL (/MDd) to Multi-threaded Debug (/MTd) and it works perfect! :)
– user1375970 May 5 at 10:38
Notification Packages
Specifies the dynamic-link libraries (DLLs) that are loaded or called when passwords are set or changed. To specify more than one file, list the file names one above the other by pressing ENTER between each file name.
above the other!