I use Dev-C++ to create my DLLs in C, and I can inject them without problems...
But when I create a C++ DLL, nothing happens when I inject it.
Here's an example of the code:
/* Replace "dll.h" with the name of your header */
#include "dll.h"
#include <windows.h>
// Empty constructor; DllClass itself is declared in dll.h (not shown here).
// Nothing in this file uses the class — reply #2 below asks why it exists.
DllClass::DllClass()
{
}
// Empty destructor, paired with the empty constructor above; no resources
// are owned, so there is nothing to release.
DllClass::~DllClass ()
{
}
// DLL entry point. The only observable behaviour is a MessageBox on
// process attach and another on process detach; thread attach/detach are
// no-ops. hInst and reserved are not used. Always returns TRUE, so the
// loader never rejects the DLL from here.
//
// NOTE(review): showing a modal dialog directly from DLL_PROCESS_ATTACH is
// what reply #2 below objects to — it recommends starting a new thread for
// any real work instead, and Microsoft's DllMain guidance likewise
// restricts what may be called while the loader holds its lock. If the
// dialog never appears in the target, that is the first thing to check.
BOOL APIENTRY DllMain (HINSTANCE hInst /* Library instance handle. */ ,
DWORD reason /* Reason this function is being called. */ ,
LPVOID reserved /* Not used. */ )
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
// Runs once, on the thread that called LoadLibrary in the host process.
MessageBox (0, "DLL Attached!\n", "Inj Attach", MB_ICONINFORMATION);
break;
case DLL_PROCESS_DETACH:
// Runs on FreeLibrary or process exit.
MessageBox (0, "DLL Detached!\n", "Inj Detach", MB_ICONINFORMATION);
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
/* Returns TRUE on success, FALSE on failure */
return TRUE;
}
How can I make this work?
Dll injection with c++ dll?
Started by
MVR
, Apr 18 2009 01:05 PM
#1
Posted 18 April 2009 - 01:05 PM
#2
Posted 20 April 2009 - 03:09 PM
Not all processes have the C++ runtimes loaded. Also, you should be creating a new thread within your DLL_PROCESS_ATTACH clause...
What's with the empty constructors/destructors?
Your loader is at fault... Try this:
// Simple DLL Injector by KOrUPt with credits to C++Noob. UNTESTED!!! Quick hackjob.
#include <windows.h>
#include <stdio.h>
#define dll "path to dll"
// originally by C++Noob, refactored by KOrUPt
// Loads the module at `dllname` into process `procID` by way of a remote
// thread running LoadLibraryA, then starts a second remote thread at that
// module's ordinal-1 export. Returns 1 only once the second thread has been
// created; 0 on any earlier failure. The process handle is closed on every
// path, but the two thread handles and the remote string allocation are
// never released, and the local LoadLibrary below is never balanced by a
// FreeLibrary.
//
// Defender's note: OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_READ |
// PROCESS_CREATE_THREAD) -> VirtualAllocEx -> WriteProcessMemory ->
// CreateRemoteThread(LoadLibraryA) is the cross-process call chain that
// endpoint monitoring and detection rules commonly key on; the access
// rights granted by OpenProcess are the control point when assessing a
// target's exposure.
int InjDll(char *dllname, DWORD procID)
{
char buf[MAX_PATH];
LPVOID dllNameMem;
HANDLE hProcess, hThread[2];
LPVOID loadlibaddr, stringaddr;
HMODULE findoff;
DWORD exitcode, modfunc;
int nStatus = 0;
if((hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, FALSE, procID))){
// LoadLibraryA is resolved in *this* process; presumably the target maps
// kernel32.dll at the same address, or the remote thread start is wrong.
loadlibaddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
if(loadlibaddr){
// Copy the path string into the target so LoadLibraryA can read it there.
dllNameMem = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dllname), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, (LPVOID)dllNameMem, dllname, strlen(dllname), NULL);
hThread[0] = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadlibaddr, (LPVOID)dllNameMem, NULL, NULL);
if(hThread[0]){
WaitForSingleObject(hThread[0], INFINITE);
// The thread's exit code is LoadLibraryA's return value, i.e. the
// module's base in the target — truncated to a DWORD, so 32-bit only.
GetExitCodeThread(hThread[0], &exitcode);
// Load the same DLL locally (this also runs its DllMain in this
// process) purely to measure the offset of its ordinal-1 export.
findoff = LoadLibrary(dllname);
if(findoff){
// (LPSTR)1 asks GetProcAddress for export ordinal 1.
modfunc = (DWORD)GetProcAddress(findoff, (LPSTR)1);
// remote base + (local export address - local base) = remote export.
exitcode += modfunc - (DWORD)findoff;
hThread[1] = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)exitcode, NULL, NULL, NULL);
if(hThread[1]) nStatus = 1;
}
}
}
CloseHandle(hProcess);
}
return nStatus;
}
// Entry point. Starts a fresh notepad.exe from the system directory and
// hands its PID to InjDll() together with the path in the `dll` macro;
// terminates that process again if injection fails, and reports the
// outcome in a message box. Always returns 0. SeDebugPrivilege is
// requested first, but neither AdjustTokenPrivileges' result nor
// GetLastError is checked, so a caller without the privilege simply
// continues and fails later at OpenProcess.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine, int nCmdShow)
{
char processPath[MAX_PATH], *err;
PROCESS_INFORMATION pi;
STARTUPINFO si;
TOKEN_PRIVILEGES tp;
HANDLE hPrivToken;
memset(&si, 0, sizeof(STARTUPINFO));
memset(&pi, 0, sizeof(PROCESS_INFORMATION));
// Build "<system dir>\notepad.exe"; the strncat bound is sized so the
// suffix fits in the MAX_PATH buffer.
GetSystemDirectory(processPath, MAX_PATH);
strncat(processPath, "\\notepad.exe", MAX_PATH - sizeof("\\notepad.exe"));
// Enable SeDebugPrivilege on our own token (only Privileges[0] is filled
// in, matching PrivilegeCount = 1). Enabling this privilege is itself an
// auditable event worth alerting on.
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hPrivToken)){
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1, tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(hPrivToken, 0, &tp, sizeof(tp), NULL, NULL);
CloseHandle(hPrivToken);
}
si.cb = sizeof(STARTUPINFO), si.wShowWindow = SW_SHOW, si.dwFlags = STARTF_USESHOWWINDOW;
if(CreateProcess(processPath, NULL, NULL, NULL, false, 0, NULL, NULL, &si, &pi)){
if(InjDll(dll, pi.dwProcessId)){
err = "DLL Injected successfully";
}else{
err = "Cannot inject DLL";
// Don't leave a half-set-up notepad around.
TerminateProcess(pi.hProcess, 0);
}
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
}else err = "Cannot CreateProcess";
MessageBox(0, err, "Info", MB_ICONINFORMATION);
return 0;
}
Let me know if you've any problems, it compiles fine within MSVC6 though I've not tested it. Hope this helps.
KOrUPt.
#3
Posted 21 April 2009 - 04:19 PM
Here's a pure C++ implementation:
// File: myapp.cpp
// Compile: cl.exe /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /EHsc /MLd myapp.cpp
#include <windows.h>
#include <iostream>
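#include "myclass.h"

// Loads myclass.dll at run time, creates a MyClassinDLL through the
// exported factory, calls SayHelloToTheWorld through the exported
// pointer-to-member, then destroys the object and unloads the DLL.
// Returns 0 on success, -1 if the DLL or any of its three exports is
// missing.
int main ( void )
{
    // LoadLibrary signals failure with NULL, never INVALID_HANDLE_VALUE.
    // The original comparison could not fire, so a missing DLL went on to
    // GetProcAddress(NULL, ...) and a call through a null function pointer.
    HMODULE hDll = LoadLibrary( "myclass.dll" );
    if( NULL == hDll )
    {
        std::cout << "LoadLibrary failed" << std::endl;
        return ( -1 );
    }

    PFNINITIALIZEMYDLLCLASS pfnInitializeMyClass = ( PFNINITIALIZEMYDLLCLASS ) GetProcAddress( hDll, "CreateMyClass" );
    PFNDELETEMYDLLCLASS pfnDeleteMyClass = ( PFNDELETEMYDLLCLASS ) GetProcAddress( hDll, "DeleteMyClass" );
    PFNGETCLASSMETHOD pfnGetClassMethod = ( PFNGETCLASSMETHOD ) GetProcAddress( hDll, "GetClassMethod" );

    // Exports are looked up by name; a renamed or un-exported symbol comes
    // back NULL and must not be called.
    if( NULL == pfnInitializeMyClass || NULL == pfnDeleteMyClass || NULL == pfnGetClassMethod )
    {
        std::cout << "GetProcAddress failed" << std::endl;
        FreeLibrary( hDll );
        return ( -1 );
    }

    MyClassinDLL* pMyClass = ( pfnInitializeMyClass ) ();
    PMYCLASSSYAHELLOMETHOD pfnSayHelloToTheWorld = ( pfnGetClassMethod () );
    ( pMyClass->*pfnSayHelloToTheWorld )();
    // The DLL is built with its own static CRT (/MTd, see myclass.cpp) and
    // this program with /MLd, so the object must be freed by the DLL, never
    // with a local delete.
    ( pfnDeleteMyClass( pMyClass ) );
    FreeLibrary ( hDll );
    return ( 0 );
}
// File: myclass.h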
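#ifndef __MYDYNCLASS_H
#define __MYDYNCLASS_H

#include <windows.h>

// _DLL is passed on the myclass.cpp compile line (see its "Compile:"
// comment), so the DLL build exports and every other consumer imports.
// NOTE(review): MSVC also predefines _DLL for /MD builds — if myapp.cpp is
// ever compiled against the dynamic CRT this header would define the
// factory functions in the application instead of the typedefs; confirm
// the build flags or pick a project-specific macro name.
#ifdef _DLL
#define _DYNAMICLINK __declspec( dllexport)
#else
#define _DYNAMICLINK __declspec( dllimport)
#endif

// A class whose methods live in myclass.dll. Objects are created and
// destroyed through the exported C-style functions below, so that the
// DLL's own CRT allocates and frees them.
class _DYNAMICLINK MyClassinDLL
{
public:
    MyClassinDLL ();
    virtual ~MyClassinDLL();
    void SayHelloToTheWorld();
};

// Pointer-to-member type returned by GetClassMethod().
typedef void ( MyClassinDLL::*PMYCLASSSYAHELLOMETHOD)();

#ifndef _DLL
// Consumer side: function-pointer type of the exported "CreateMyClass".
typedef MyClassinDLL* ( *PFNINITIALIZEMYDLLCLASS )();
#else
// DLL side: factory export.
_DYNAMICLINK MyClassinDLL* CreateMyClass()
{
    return (new MyClassinDLL());
}
#endif

#ifndef _DLL
// Consumer side: function-pointer type of the exported "DeleteMyClass".
typedef void (*PFNDELETEMYDLLCLASS)( MyClassinDLL*);
#else
// DLL side: releases an object obtained from CreateMyClass().
_DYNAMICLINK void DeleteMyClass (MyClassinDLL* pObj)
{
    delete pObj;
}
#endif

#ifndef _DLL
// Consumer side: function-pointer type of the exported "GetClassMethod".
// Note the '*': the original typedef named a function type rather than a
// pointer, so "PFNGETCLASSMETHOD p = NULL;" in myapp.cpp could not compile.
typedef PMYCLASSSYAHELLOMETHOD (*PFNGETCLASSMETHOD)();
#else
// DLL side: hands out the pointer-to-member for SayHelloToTheWorld.
_DYNAMICLINK PMYCLASSSYAHELLOMETHOD GetClassMethod ()
{
    return &MyClassinDLL::SayHelloToTheWorld;
}
#endif

#endif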
// File: myclass.cpp
// Compile: cl.exe /LD /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_DLL" /D "_WINDLL" /FD /EHsc /MTd /W3 myclass.cpp /link /DLL /DEF:"myclass.def"
#include <windows.h>
#include <iostream>
#include "myclass.h"

// Each member simply announces itself on standard output; the stream
// belongs to the DLL's own CRT (this file is built with /MTd).
MyClassinDLL::MyClassinDLL ()
{
    std::cout << "We created my class" << '\n' << std::flush;
}

MyClassinDLL::~MyClassinDLL()
{
    std::cout << "We deleted my class " << '\n' << std::flush;
}

void MyClassinDLL::SayHelloToTheWorld()
{
    std::cout << "Hello world!!!" << '\n' << std::flush;
}

// File: myclass.def
LIBRARY myclass.dll
EXPORTS
CreateMyClass @2 PRIVATE ; object creation
DeleteMyClass @3 PRIVATE ; object destruction
GetClassMethod @4 PRIVATE ; method access












