Thursday, January 23, 2014

DLL injection - Injecting a DLL into a running process.

Hey,

Today I had some free time and decided to write a piece of code that injects a DLL into a running process. In this blog entry I'll briefly explain the injection process.

DLL injection is widely used by legitimate software, by malware and by game cheats. For example, a game trainer injects a DLL so it can hook certain functions inside the game, or simply patch them, to make a cheat work. There are many techniques for injecting a DLL into a process; today I'll be introducing one of them.

The C++ source code can be found here : http://pastebin.com/wW81nApT
(Tested on win 7 64-bit)

The concept is simple: we walk the list of running processes until we find the target process into which we want to inject the DLL.
Once we have its process ID we need a handle to it, which is what the OpenProcess function is for.
The one important thing to be aware of is that injecting a DLL into a protected process will certainly fail.
Protected processes are processes whose images are required to be signed. Injecting a DLL or a thread into them, accessing their virtual memory or debugging them is prohibited, so OpenProcess with PROCESS_ALL_ACCESS won't work in this case; only a few access rights are granted, such as SYNCHRONIZE, PROCESS_TERMINATE and PROCESS_QUERY_LIMITED_INFORMATION. OpenProcess can also refuse a handle to an ordinary process that belongs to another user or runs at a higher integrity level unless the injector holds SeDebugPrivilege, so run it elevated when targeting such a process.

After getting the HANDLE we allocate some memory in the target process with VirtualAllocEx, readable and writable (PAGE_READWRITE), and copy the DLL name into the process's virtual address space (VAS) with WriteProcessMemory.
We copy the DLL name into the target process for a simple reason: LoadLibrary will run inside the target and takes a pointer to the name, so that pointer has to refer to memory in the target's VAS, not ours. Write the full path together with its terminating NUL; a bare file name only works if the target's DLL search order can resolve it.
Next comes the injection itself. We need the address of the LoadLibraryA function, which we get with GetProcAddress on kernel32.dll in our own process. It is valid inside the target as well because kernel32.dll is mapped at the same base address in every process of the same bitness (ASLR picks that base once per boot, not per process), which is also why the injector and the target must both be 32-bit or both 64-bit. We pass that address to CreateRemoteThread as the thread's start routine, and as the thread's argument we pass the pointer to where our DLL name sits in the target's VAS.

Now our DLL is injected into the process: the remote thread calls LoadLibraryA, the loader maps our DLL and runs our DllMain with DLL_PROCESS_ATTACH on that thread, and the thread exits when LoadLibrary returns (its exit code is zero if the load failed, so GetExitCodeThread after WaitForSingleObject tells you whether it worked). After that I used CloseHandle to close the handle to the process.

Cheers :) and see you soon.

Souhail Hammou.

2 comments:

  1. I guess you mean "PROCESS_ALL_ACCESS" instead of "ACCESS_ALL_PROCESS".
