Another Injection method using madCHook Library

c++ / delphi package - dll injection and api hooking
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

I created another injection method that I read about yesterday at Codeguru.com, called Method 2

Code:

#include <windows.h>
#include <string.h>
#include "madCHook.h"   // RemoteExecute / PREMOTE_EXECUTE_ROUTINE from madCodeHook

BOOL RemoteLoadLibrary(DWORD dwIdProcess, LPCSTR pLibFileName)
{
	HANDLE hTargetProc;
	FARPROC fpLoadLibrary;
	DWORD dwResult = 0;
	BOOL bResult;

	//Open the process
	hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwIdProcess);

	if (hTargetProc == NULL) {
		return FALSE;
	}

	//Get a pointer to LoadLibraryA; kernel32 is mapped at the same base address in every
	//process of the same bitness, so the local address is valid in the target too
	fpLoadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

	if (fpLoadLibrary == NULL) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	//Run LoadLibraryA(pLibFileName) remotely. RemoteExecute copies the parameter buffer
	//into the target process, so the size must include the terminating null byte
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpLoadLibrary, &dwResult,
		(LPVOID)pLibFileName, (DWORD)strlen(pLibFileName) + 1);

	CloseHandle(hTargetProc);

	//dwResult holds the HMODULE returned by LoadLibraryA; NULL means the load failed
	return bResult && dwResult != 0;
}

NOTE: pLibFileName must be an ABSOLUTE PATH!!! For example, if you inject MyDll.dll located in the current directory:

Code:

//Absolute path
char szPath[MAX_PATH];
DWORD dwLen = GetCurrentDirectoryA(MAX_PATH, szPath);

//Bail out if the directory could not be read or the combined path would not fit
if (dwLen == 0 || dwLen + strlen("\\MyDll.dll") >= MAX_PATH) {
	return FALSE;
}
strcat(szPath, "\\MyDll.dll");

RemoteLoadLibrary(dwIdTargetProc, szPath);

It's tested and runs very well :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:

I'm writing the uninjection methods 8)
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

The Uninjection Function

Code:

#include <windows.h>
#include <string.h>
#include "madCHook.h"   // RemoteExecute / PREMOTE_EXECUTE_ROUTINE from madCodeHook

BOOL RemoteFreeLibrary(DWORD dwIdProcess, LPCSTR pLibFileName)
{
	FARPROC fpGetModule, fpFreeLibrary;
	DWORD dwResult = 0;
	BOOL bResult;
	HANDLE hTargetProc;
	HMODULE hModule;

	//Open the process
	hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwIdProcess);

	if (hTargetProc == NULL) {
		return FALSE;
	}

	//Get pointers to GetModuleHandleA and FreeLibrary
	fpGetModule = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA");
	fpFreeLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");

	if (fpFreeLibrary == NULL || fpGetModule == NULL) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	//Run GetModuleHandleA(pLibFileName) remotely to get the dll's base address inside the
	//target. The name is copied into the target, so the size must include the null byte
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpGetModule, &dwResult,
		(LPVOID)pLibFileName, (DWORD)strlen(pLibFileName) + 1);

	//Check bResult first: dwResult is only meaningful when the remote call succeeded.
	//A NULL handle means the dll is not loaded in that process
	if (!bResult || dwResult == 0) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	hModule = (HMODULE)dwResult;

	//Run FreeLibrary(hModule) remotely. A size of 0 tells RemoteExecute to pass the
	//parameter value itself instead of copying a buffer, which is what FreeLibrary expects
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpFreeLibrary, &dwResult,
		(LPVOID)hModule, 0);

	CloseHandle(hTargetProc);

	//dwResult is FreeLibrary's BOOL return value
	return bResult && dwResult != 0;
}

Note: pLibFileName is the DLL's file name, not the absolute path. For example:

Code:

RemoteFreeLibrary(dwIdTargetProc, "MyDll.dll");
It's been tested using Listdll.exe by Sysinternals :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:
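The check done above with Listdll.exe (is MyDll.dll present in the target before RemoteLoadLibrary and gone after RemoteFreeLibrary?) can be scripted. The following PowerShell is an added example, not code from this thread or from madCodeHook; it assumes a Windows host with rights to read the target's module list, and $DllName / $ProcessId are placeholders you supply. It compares module file names the same way the uninject call relies on (GetModuleHandleA matches on the file name), and it reports processes whose module list could not be read instead of silently skipping them, which matters because a 32-bit PowerShell cannot enumerate the modules of a 64-bit process.

```powershell
# Added example (not from the thread): list which processes currently have a given
# DLL loaded, as a scripted stand-in for checking ListDLLs output before and after
# RemoteLoadLibrary / RemoteFreeLibrary.
# Assumptions: Windows, sufficient rights on the target; $DllName and $ProcessId are
# placeholders supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$DllName,   # file name only, e.g. "MyDll.dll"
    [int]$ProcessId = 0                               # 0 = scan every process
)

function Get-ProcessesWithModule {
    param([string]$ModuleName, [int]$TargetPid)

    $procs = if ($TargetPid -gt 0) { Get-Process -Id $TargetPid } else { Get-Process }
    foreach ($p in $procs) {
        # Reading .Modules throws for protected or higher-integrity processes and for
        # cross-bitness targets; report those rows rather than dropping them.
        try {
            $mods = $p.Modules
        } catch {
            [pscustomobject]@{
                Name   = $p.ProcessName
                Id     = $p.Id
                Loaded = $null
                Path   = "module list unavailable: " + $_.Exception.Message
            }
            continue
        }
        # Match on the module's base file name, case-insensitively; this is the same
        # key GetModuleHandleA uses, so a DLL loaded under a different path still matches.
        $hit = $mods | Where-Object { $_.ModuleName -ieq $ModuleName } | Select-Object -First 1
        if ($hit) {
            [pscustomobject]@{
                Name   = $p.ProcessName
                Id     = $p.Id
                Loaded = $true
                Path   = $hit.FileName
            }
        }
    }
}

Get-ProcessesWithModule -ModuleName $DllName -TargetPid $ProcessId | Format-Table -AutoSize
```

Run it once with the target PID before injecting (expect no row), once after RemoteLoadLibrary (expect a row with the absolute path you passed) and once after RemoteFreeLibrary (expect no row again). Run it with $ProcessId = 0 to see every process that has the DLL loaded, which is also the quickest way to notice a hook DLL that ended up in processes it was never meant for.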
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Basically this is what madCodeHook does internally, too. However, there are some differences:

(1) Try that code on a process which is not yet initialized (e.g. a process created with CreateProcess(CREATE_SUSPENDED)) and you'll run into problems. madCodeHook's InjectLibrary doesn't have this problem.

(2) When madCodeHook uninjects a hook dll from another process, the API hooks are uninstalled *BEFORE* the dll gets unloaded. That avoids possible freezes when unhooking.

Btw, did that CodeGuru Method 2 use madCodeHook, too? Or did it use CreateRemoteThread or what?
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

mmm... I believe that you write the DLL into the process and then run it using CreateRemoteThread (this is method 3). Read the Code Guru article about DLL injection here.

About point 2, I thought I unhook all APIs with madCHook on DLL_PROCESS_DETACH; isn't it necessary to do this unhook step with the madCHook lib? :crazy:
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

Layane wrote: I thought I unhook all APIs with madCHook on DLL_PROCESS_DETACH; isn't it necessary to do this unhook step with the madCHook lib?
Yes and no. madCodeHook does unhook during DLL_PROCESS_DETACH. But that's not the optimal point in time. DLL_PROCESS_DETACH comes when someone frees the library by calling FreeLibrary. The optimal point in time is to unhook *BEFORE* FreeLibrary is called.
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

Amazing!! :sceptic: :shock: I love your library, it's very flexible and powerful :crazy: and thanks for the support, it is excellent :D

mmmm... another thing, my MFC DLL does not run :sorry: so I lose and MFC wins!! :cry: so... I'll begin tomorrow to write all my code in pure C/C++ :cry:
madshi
Site Admin
Posts: 10754
Joined: Sun Mar 21, 2004 5:25 pm

Post by madshi »

You like the smilies I've chosen for the forum, it seems? :D
Layane
Posts: 20
Joined: Sat May 01, 2004 11:03 am

Post by Layane »

hahaha :lol: d'oh!! I confess it :cry:.... I chose this forum for the smilies :cry: :sorry: