Problem with an injected MFC DLL

Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Problem with an injected MFC DLL

Post by Layane »

I inject a DLL created with Visual C++ 6 (via InjectLibrary()) without problem, but when the running DLL tries to create a window and assign it to the CWinApp object, this window is destroyed :(. The source code that I use:

Code:

//-> MsnNavy.cpp

#include "stdafx.h"
#include "MsnNavy.h"

#include "WinBase.h"

/////////////////////////////////////////////////////////////////////////////
// The one and only CMsnNavyApp object

CMsnNavyApp theApp;
CWinBase WinBase;    // WinBase is a CWnd-derived object, not modified

/////////////////////////////////////////////////////////////////////////////
// CMsnNavyApp initialization

BOOL CMsnNavyApp::InitInstance()
{
	// Create the window. VERIFY (not ASSERT) keeps the CreateEx call in release
	// builds; ASSERT compiles to nothing there and the window would never be created.
	VERIFY(WinBase.CreateEx(0,AfxRegisterWndClass(NULL),m_pszAppName,WS_POPUP,
		CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL));

	// Assign the window to the CWinApp object
	m_pMainWnd = &WinBase;

	return TRUE;
}

//<- MsnNavy.cpp


I use madCollection 2.1.2.0
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

I'm sorry to say, but I've no knowledge about MFC... :sorry:
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

D'oh!! No problem, I'll write all the code in pure C/C++ using the Win32 API without MFC, so you'll hear from me with the future problems with interprocess communication and injected libraries :wink: I'll see you later :D
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Wait a moment.

:idea:

I know what the problem is: You're creating that window in the thread in which the dll initialization is called. However, this thread will be closed as soon as the dll is done with initialization. That's why your window gets destroyed.

If your injected dll needs to create a window, you have to create your very own thread, which then not only has to create the window, but also make sure that a message loop is available (so that the window will react to messages).

If you want to uninject your dll again, your dll has to make sure that both the thread and the window are destroyed before the dll shuts down.
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

When I create the thread, the process crashes and the thread doesn't run :cry:, I can't find the problem :cry:

Code:

----------------------------------------------------------
//MsnNvHookApp.cpp

CMsnNvHookApp theApp;

//<-- madshi, this method is the entry point of the DLL
BOOL CMsnNvHookApp::InitInstance()
{
	// Start the UI thread; CMainThread must be declared with DECLARE_DYNCREATE
	AfxBeginThread(RUNTIME_CLASS(CMainThread));
	return CWinApp::InitInstance();
}

----------------------------------------------------------
//MainThread.cpp
//<- The entry point of the thread
BOOL CMainThread::InitInstance()
{
	::MessageBox(NULL,"Thread's running","DEBUG",MB_OK);

	// VERIFY keeps the CreateEx call in release builds (ASSERT would drop it)
	VERIFY(WinBase.CreateEx(0,AfxRegisterWndClass(NULL),"Pruebas",WS_OVERLAPPED,
		CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL));

	WinBase.ShowWindow(SW_SHOW);
	m_pMainWnd = &WinBase;   // the thread's message pump ends when this window is destroyed

	return TRUE;
}
----------------------------------------------------------

madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Ehm, I'm sorry, but that's too much MFC for me!! :confused:
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

Hahahaha, no problem, I'll rewrite all the code in pure C/C++ without MFC :D Thanks for trying to understand this messy MFC code ;)
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

Madshi, is it possible to inject the DLL directly in a new thread inside the target process using your madCHook library? All my problems are resolved with this solution :?
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You can use RemoteExecute to load your dll and execute a message loop afterwards. But that's more difficult than to create your own thread inside of the dll!!
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

No :cry:, I hook Microsoft MSN 6 and inject an MFC library that creates the windows, and inside the process I create a thread using CWinThread, but when I try to run this thread MSN 6 crashes and the thread doesn't execute. For this reason I see that it's easier to inject the DLL directly in a new remote thread in MSN's process. Is it possible with your library to inject code in a new thread inside the process? I can see other programs that do this, like MSN Plus!

Err... excuse me for the duplicate message before
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Well, you can use CopyFunction to copy a function to the target process. Then you can call CreateRemoteThread to start a remote thread which uses the entry point of the copied function. But this is really difficult stuff. It would be much simpler, if the thread would create its own thread.

You said, you planned to convert the MFC stuff to normal win32 APIs. If you do that, I can see better what's wrong with your code (if there's something wrong).
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

Wooo!! Madshi, the code in C runs very well :redBalloon::blueBalloon::greenBalloon: 8) :greenBalloon::blueBalloon::redBalloon:

The sources:

Code:

//The Injector coded in MFC/C++

#include <tlhelp32.h>
#include "madCHook.h"

BOOL CMsnAvalonApp::InitInstance()
{
	HANDLE hTargetProc,hSnapShot;
	PROCESSENTRY32 ProcInf;
	BOOL bFind=FALSE,bIsValid;
	DWORD dwIdTargetProc=0;
	CString szMsnProcName;

	szMsnProcName = "msnmsgr.exe";

	hSnapShot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
	if (hSnapShot == INVALID_HANDLE_VALUE) return FALSE;

	// Process32First fails unless dwSize is filled in first
	ProcInf.dwSize = sizeof(PROCESSENTRY32);

	bIsValid = ::Process32First(hSnapShot,&ProcInf);
	while (bIsValid && !bFind) {

		if (szMsnProcName == ProcInf.szExeFile) {
			dwIdTargetProc = ProcInf.th32ProcessID;
			bFind = TRUE;
		}

		bIsValid = ::Process32Next(hSnapShot,&ProcInf);
	}

	// close the snapshot on every path, not only when the process was found
	::CloseHandle(hSnapShot);

	if (!bFind) return FALSE;

	hTargetProc = ::OpenProcess(PROCESS_ALL_ACCESS,TRUE,dwIdTargetProc);
	if (hTargetProc == NULL) return FALSE;

	// madCodeHook: load MsnAvHook.dll into the target process
	if (!InjectLibrary((DWORD)hTargetProc,"MsnAvHook.dll"))
		AfxMessageBox("InjectLibrary failed");

	::CloseHandle(hTargetProc);

	return TRUE;
}

Code:

//The Dll that creates a new window

#include <windows.h>

void InitApp();
void EndApp();

HINSTANCE hInstance;

BOOL APIENTRY DllMain(HINSTANCE hinstDLL,DWORD fdwReason,LPVOID lpReserved)
{
	switch (fdwReason) {
		case DLL_PROCESS_ATTACH:
			hInstance = hinstDLL;
			InitApp();
		break;
		case DLL_PROCESS_DETACH:
			EndApp();
		break;
	}

    return TRUE;
}



////////////////////////////////////////////////////
// Main Thread


//Global vars
HANDLE hMainThread=NULL;
DWORD idMainThread=0;
HWND hMainWin=NULL;

//Headers

LRESULT CALLBACK MainWinProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam);

DWORD WINAPI MainThread(LPVOID lpParameter) {
	WNDCLASSEX wcex;
	
	MSG msg;
	char szClassName[] = "WndExample";
	
	wcex.cbSize = sizeof(WNDCLASSEX); 

	wcex.style			= CS_HREDRAW | CS_VREDRAW;
	wcex.lpfnWndProc	= (WNDPROC)MainWinProc;
	wcex.cbClsExtra		= 0;
	wcex.cbWndExtra		= 0;
	wcex.hInstance		= hInstance;
	wcex.hIcon			= (HICON)NULL;
	wcex.hCursor		= (HCURSOR)NULL;
	wcex.hbrBackground	= (HBRUSH)NULL;
	wcex.lpszMenuName	= (LPCSTR)NULL;
	wcex.lpszClassName	= szClassName;
	wcex.hIconSm		= (HICON)NULL;

	if (!RegisterClassEx(&wcex))
		return FALSE;

	// The window belongs to this thread, so it survives the injecting thread ending
	hMainWin = CreateWindow(szClassName,"Example",WS_POPUP,CW_USEDEFAULT,CW_USEDEFAULT,
		CW_USEDEFAULT,CW_USEDEFAULT,NULL,NULL,hInstance,NULL);

	if (hMainWin == NULL)
		return FALSE;

	ShowWindow(hMainWin,SW_SHOW);

	// Main message loop: runs until PostQuitMessage (sent on WM_DESTROY below)
	while (GetMessage(&msg,NULL,0,0)) {
		TranslateMessage(&msg);
		DispatchMessage(&msg);
	}

	UnregisterClass(szClassName,hInstance);
	return TRUE;
}

LRESULT CALLBACK MainWinProc(HWND hwnd,UINT uMsg,WPARAM wParam,LPARAM lParam)
{
	if (uMsg == WM_DESTROY) {
		// End the message loop so the thread exits before the DLL is unloaded
		hMainWin = NULL;
		PostQuitMessage(0);
		return 0;
	}
	return DefWindowProc(hwnd,uMsg,wParam,lParam);
}

/////////////////////////////////
// Events
void InitApp()
{
	// Debug only: a MessageBox inside DllMain runs while the loader lock is held
	MessageBox(NULL,"Im inside the process","DEBUG",MB_OK);

	// The new thread only starts running once DllMain has returned
	hMainThread = CreateThread(NULL,0,&MainThread,(LPVOID)NULL,0,&idMainThread);

	if (hMainThread == NULL)
		return;

	MessageBox(NULL,"Thread running","DEBUG",MB_OK);
}

void EndApp() {
	
	// DestroyWindow only works from the thread that created the window,
	// so ask the window thread to close it instead
	if (IsWindow(hMainWin)) {
		PostMessage(hMainWin,WM_CLOSE,0,0);
	}

	if (hMainThread != NULL) {
		CloseHandle(hMainThread);
		hMainThread = NULL;
	}

}
madshi
Site Admin
Posts: 10753
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Nice!

It's better to not use MFC for hook dlls, anyway... :-x
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

Hahaha, I'll try to use MFC inside another process, I'm very stubborn :D but if MFC resists today, I'll rewrite all the code in pure C tomorrow. I believe that CWinThread is the problem that blocked the process :confused: