Another Injection method using madCHook Library

c++ / delphi package - dll injection and api hooking

Postby Layane » Sun May 02, 2004 2:42 pm

I created another injection method that I read about yesterday at Codeguru.com, called Method 2

Code:
#include <windows.h>
#include <string.h>
#include <madCHook.h>   // RemoteExecute, PREMOTE_EXECUTE_ROUTINE

BOOL RemoteLoadLibrary(DWORD dwIdProcess,LPCSTR pLibFileName)
{
   HANDLE hTargetProc;
   FARPROC fpLoadLibrary;
   DWORD dwResult = 0;
   BOOL bResult;

   //Open the process (the handle does not need to be inheritable)
   hTargetProc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwIdProcess);

   if (hTargetProc == NULL) {
      return FALSE;
   }

   //Get a pointer to LoadLibraryA (GetModuleHandleA: the path is ANSI throughout)
   fpLoadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"),"LoadLibraryA");

   if (fpLoadLibrary == NULL) {
      CloseHandle(hTargetProc);
      return FALSE;
   }
   
   //Run LoadLibraryA(pLibFileName) remotely.
   //strlen()+1: the NUL terminator must be copied into the target process too,
   //otherwise the remote LoadLibraryA sees an unterminated string
   bResult = RemoteExecute(hTargetProc,(PREMOTE_EXECUTE_ROUTINE)fpLoadLibrary,&dwResult,
      (LPVOID)pLibFileName,(DWORD)strlen(pLibFileName)+1);

   CloseHandle(hTargetProc);

   //dwResult holds LoadLibraryA's return value: NULL means the load failed
   return bResult && dwResult != 0;
}


NOTE: pLibFileName = ABSOLUTE PATH!!! For example, if you load MyDll.dll located in the current directory:

Code:
//Absolute path: the target process has its own current directory,
//so a bare file name would be resolved there, not here
char szPath[MAX_PATH];
GetCurrentDirectoryA(MAX_PATH,szPath);
strcat(szPath,"\\MyDll.dll");

RemoteLoadLibrary(dwIdTargetProc,szPath);



It's tested and runs very well :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:

I'm writing the uninjection methods 8)
Layane
 
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Postby Layane » Sun May 02, 2004 3:52 pm

The Uninjection Function

Code:
#include <windows.h>
#include <string.h>
#include <madCHook.h>   // RemoteExecute, PREMOTE_EXECUTE_ROUTINE

BOOL RemoteFreeLibrary(DWORD dwIdProcess,LPCSTR pLibFileName) {
   FARPROC fpGetModule,fpFreeLibrary;
   DWORD dwResult = 0;
   BOOL bResult;
   HANDLE hTargetProc;
   HMODULE hModule;

   //Open the process (the handle does not need to be inheritable)
   hTargetProc = OpenProcess(PROCESS_ALL_ACCESS,FALSE,dwIdProcess);

   if (hTargetProc == NULL) {
      return FALSE;
   }

   //Get a pointer to FreeLibrary and GetModuleHandleA
   fpGetModule = GetProcAddress(GetModuleHandleA("kernel32.dll"),"GetModuleHandleA");
   fpFreeLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"),"FreeLibrary");   

   if (fpFreeLibrary == NULL || fpGetModule == NULL) {
      CloseHandle(hTargetProc);
      return FALSE;
   }

   //Run GetModuleHandleA(pLibFileName) remotely; copy the NUL terminator too
   bResult = RemoteExecute(hTargetProc,(PREMOTE_EXECUTE_ROUTINE)fpGetModule,&dwResult,
      (LPVOID)pLibFileName,(DWORD)strlen(pLibFileName)+1);   

   //dwResult is the module handle inside the target, NULL if the dll is not loaded there
   if (!bResult || dwResult == 0) {
      CloseHandle(hTargetProc);
      return FALSE;
   }

   hModule = (HMODULE)dwResult;

   //Run FreeLibrary(hModule) remotely. A size of 0 makes RemoteExecute pass the
   //parameter value itself instead of copying a block, so FreeLibrary receives
   //hModule directly (the original's sizeof(HMODULE)/8 only came out as 0 by accident)
   bResult = RemoteExecute(hTargetProc,(PREMOTE_EXECUTE_ROUTINE)fpFreeLibrary,&dwResult,
      (LPVOID)hModule,0);

   CloseHandle(hTargetProc);

   //dwResult holds FreeLibrary's return value
   return bResult && dwResult != 0;
}


Note: pLibFileName = the DLL's file name, not the absolute path. For example:

Code:
RemoteFreeLibrary(dwIdTargetProc,"MyDll.dll");


It's tested using Listdll.exe by Sysinternals :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:

Postby madshi » Sun May 02, 2004 4:06 pm

Basically this is what madCodeHook does internally, too. However, there are some differences:

(1) Try that code on a process which is not yet initialized (e.g. a process created with CreateProcess(CREATE_SUSPENDED)) and you'll run into problems. madCodeHook's InjectLibrary doesn't have this problem.

(2) When madCodeHook uninjects a hook dll from another process, the API hooks are uninstalled *BEFORE* the dll gets unloaded. That avoids possible freezes when unhooking.

Btw, did that CodeGuru Method 2 use madCodeHook, too? Or did it use CreateRemoteThread or what?
madshi
Site Admin
 
Posts: 9704
Joined: Sun Mar 21, 2004 5:25 pm

Postby Layane » Sun May 02, 2004 4:20 pm

Mmm... I believe that you write the DLL into the process and then run it using CreateRemoteThread (this is method 3). Read the Code Guru article about DLL injection here

About point 2, I thought of unhooking all APIs with madCHook on DLL_PROCESS_DETACH; is it not necessary to do this step with the madCHook lib? :crazy:

Postby madshi » Sun May 02, 2004 4:59 pm

Layane wrote:I thought of unhooking all APIs with madCHook on DLL_PROCESS_DETACH; is it not necessary to do this step with the madCHook lib?

Yes and no. madCodeHook does unhook during DLL_PROCESS_DETACH. But that's not the optimal point in time. DLL_PROCESS_DETACH comes when someone frees the library by calling FreeLibrary. The optimal point in time is to unhook *BEFORE* FreeLibrary is called.

Postby Layane » Sun May 02, 2004 5:22 pm

Amazing!! :sceptic: :shock: I love your library, it's very flexible and powerful :crazy: and thanks for the support, it's excellent :D

Mmmm... another thing, my MFC DLL does not run :sorry: so I lose and MFC wins!! :cry: So... I'll begin tomorrow to write all my code in pure C/C++ :cry:

Postby madshi » Sun May 02, 2004 5:32 pm

You like the smilies I've chosen for the forum, it seems? :D

Postby Layane » Sun May 02, 2004 5:41 pm

Hahaha :lol: d'oh!! I confess it :cry:.... I chose this forum for the smilies :cry: :sorry:

