
Another Injection method using madCHook Library

Posted: Sun May 02, 2004 2:42 pm
by Layane
I created another injection method that I read about yesterday at Codeguru.com, called Method 2

Code:

#include <windows.h>
#include <string.h>
#include "madCHook.h"   // madCodeHook C API: RemoteExecute, PREMOTE_EXECUTE_ROUTINE

// Loads pLibFileName (absolute path) into the process dwIdProcess by running
// LoadLibraryA there through madCodeHook's RemoteExecute.
// Returns TRUE only if the remote call ran and LoadLibraryA returned a module handle.
BOOL RemoteLoadLibrary(DWORD dwIdProcess, LPCSTR pLibFileName)
{
	HANDLE hTargetProc;
	FARPROC fpLoadLibrary;
	DWORD dwResult;
	BOOL bResult;

	// Open the process (PROCESS_ALL_ACCESS is more than RemoteExecute needs,
	// but it is what the original code requests)
	hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwIdProcess);

	if (hTargetProc == NULL) {
		return FALSE;
	}

	// Get a pointer to LoadLibraryA. kernel32.dll is mapped at the same base in
	// every process of the same bitness, so the local address is valid remotely.
	fpLoadLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");

	if (fpLoadLibrary == NULL) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	// Run LoadLibraryA(pLibFileName) remotely. RemoteExecute copies a parameter
	// block of the given size into the target and passes a pointer to the copy,
	// so the size must include the terminating NUL (strlen alone would leave the
	// copied string unterminated).
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpLoadLibrary, &dwResult,
		(LPVOID)pLibFileName, (DWORD)(strlen(pLibFileName) + 1));

	CloseHandle(hTargetProc);

	// dwResult holds the HMODULE returned by LoadLibraryA in the target (0 = load failed)
	return bResult && dwResult != 0;
}
NOTE: pLibFileName = ABSOLUTE PATH!!! For example, if you execute MyDll.dll located in the current directory:

Code:

// Absolute path: the target process resolves a bare file name against its own
// search path, not against our current directory
char szPath[MAX_PATH];
DWORD dwLen = GetCurrentDirectoryA(MAX_PATH, szPath);

// 0 means failure; a value >= MAX_PATH means the buffer was too small.
// Also make sure the file name still fits before appending it.
if (dwLen == 0 || dwLen + strlen("\\MyDll.dll") >= MAX_PATH) {
	/* path too long or unavailable: handle the error here */
}
strcat(szPath, "\\MyDll.dll");

RemoteLoadLibrary(dwIdTargetProc, szPath);

It's tested and runs very well :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:

I'm writing the uninjection methods 8)

Posted: Sun May 02, 2004 3:52 pm
by Layane
The Uninjection Function

Code:

#include <windows.h>
#include <string.h>
#include "madCHook.h"   // madCodeHook C API: RemoteExecute, PREMOTE_EXECUTE_ROUTINE

// Unloads the dll named pLibFileName from process dwIdProcess: runs
// GetModuleHandleA remotely to find its HMODULE, then FreeLibrary on that handle.
// Note that any API hooks the dll installed are still in place when FreeLibrary
// runs; madCodeHook's own uninject removes them first.
BOOL RemoteFreeLibrary(DWORD dwIdProcess, LPCSTR pLibFileName) {
	FARPROC fpGetModule, fpFreeLibrary;
	DWORD dwResult;
	BOOL bResult;
	HANDLE hTargetProc;
	HMODULE hModule;

	// Open the process
	hTargetProc = OpenProcess(PROCESS_ALL_ACCESS, TRUE, dwIdProcess);

	if (hTargetProc == NULL) {
		return FALSE;
	}

	// Get pointers to GetModuleHandleA and FreeLibrary (kernel32 addresses
	// are valid in the target process as well)
	fpGetModule = GetProcAddress(GetModuleHandleA("kernel32.dll"), "GetModuleHandleA");
	fpFreeLibrary = GetProcAddress(GetModuleHandleA("kernel32.dll"), "FreeLibrary");

	if (fpFreeLibrary == NULL || fpGetModule == NULL) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	// Run GetModuleHandleA(pLibFileName) remotely. The name is copied into the
	// target as a parameter block, so the size must include the terminating NUL.
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpGetModule, &dwResult,
		(LPVOID)pLibFileName, (DWORD)(strlen(pLibFileName) + 1));

	// dwResult is the HMODULE inside the target (0 if the dll is not loaded there)
	if (!bResult || dwResult == 0) {
		CloseHandle(hTargetProc);
		return FALSE;
	}

	hModule = (HMODULE)dwResult;

	// Run FreeLibrary(hModule) remotely. A size of 0 tells RemoteExecute to pass
	// the params value itself (the handle) instead of copying a parameter block.
	bResult = RemoteExecute(hTargetProc, (PREMOTE_EXECUTE_ROUTINE)fpFreeLibrary, &dwResult,
		(LPVOID)hModule, 0);

	CloseHandle(hTargetProc);

	// FreeLibrary returns nonzero on success
	return bResult && dwResult != 0;
}
Note: pLibFileName = dll's file name, not the absolute path. For example

Code:

RemoteFreeLibrary(dwIdTargetProc,"MyDll.dll");
It's tested using Listdll.exe by Sysinternals :redBalloon::greenBalloon::blueBalloon: 8) :blueBalloon::greenBalloon::redBalloon:
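
As an added example (not code from the thread or from madCodeHook), the check ListDLLs gives, done from PowerShell: it lists every module loaded in a process, marks modules that live outside the Windows and Program Files directories as worth a look (an injected dll normally sits in a user-writable directory), and answers whether a given module is currently loaded, which is the before/after test for the inject and uninject functions above. The process id and the module name MyDll.dll are assumed parameters; run it from a PowerShell of the same bitness as the target and with rights to open that process, otherwise Modules cannot be enumerated.

```powershell
# Added example, not from the thread: the ListDLLs-style check from PowerShell.
# $ProcessId and $ModuleName are assumptions supplied by the caller.
param(
    [Parameter(Mandatory = $true)][int]$ProcessId,
    [string]$ModuleName = 'MyDll.dll'   # assumed name, taken from the thread's example
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

# Directories from which module loads are expected in a normal process;
# a dll loaded from anywhere else deserves a second look.
$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

$report = foreach ($m in $proc.Modules) {
    $path = $m.FileName
    $trusted = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $trusted = $true
            break
        }
    }
    [pscustomobject]@{
        Module     = $m.ModuleName
        Path       = $path
        Base       = ('0x{0:X}' -f $m.BaseAddress.ToInt64())
        Size       = $m.ModuleMemorySize
        TrustedDir = $trusted
    }
}

# Untrusted locations sort first so they are the first thing on screen
$report | Sort-Object TrustedDir, Module | Format-Table -AutoSize

# The yes/no answer you want after running RemoteLoadLibrary / RemoteFreeLibrary
$loaded = @($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
if ($loaded.Count -gt 0) {
    '{0} is loaded in PID {1} from {2}' -f $ModuleName, $ProcessId, $loaded[0].FileName
} else {
    '{0} is not loaded in PID {1}' -f $ModuleName, $ProcessId
}
```

Save it as a .ps1 and call it with the target's pid, e.g. `.\Check-Modules.ps1 -ProcessId 1234 -ModuleName MyDll.dll` (file name and pid are placeholders). Get-Process fills Modules from the target's loaded-module list at the moment of the call, so run it once before injecting, once after, and once after uninjecting to confirm each step did what the return value claims.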

Posted: Sun May 02, 2004 4:06 pm
by madshi
Basically this is what madCodeHook does internally, too. However, there are some differences:

(1) Try that code on a process which is not yet initialized (e.g. a process created with CreateProcess(CREATE_SUSPENDED)) and you'll run into problems. madCodeHook's InjectLibrary doesn't have this problem.

(2) When madCodeHook uninjects a hook dll from another process, the API hooks are uninstalled *BEFORE* the dll gets unloaded. That avoids possible freezes when unhooking.

Btw, did that CodeGuru Method 2 use madCodeHook, too? Or did it use CreateRemoteThread or what?

Posted: Sun May 02, 2004 4:20 pm
by Layane
mmm... I believe that you write the dll into the process and then run it using CreateRemoteThread (this is method 3). Read the Code Guru article about Dll Injections at Here

About point 2, I thought madCHook unhooks all APIs on DLL_PROCESS_DETACH, so is it not necessary to do this step with the madCHook lib? :crazy:

Posted: Sun May 02, 2004 4:59 pm
by madshi
Layane wrote: I thought madCHook unhooks all APIs on DLL_PROCESS_DETACH, so is it not necessary to do this step with the madCHook lib?
Yes and no. madCodeHook does unhook during DLL_PROCESS_DETACH. But that's not the optimal point in time. DLL_PROCESS_DETACH comes when someone frees the library by calling FreeLibrary. The optimal point in time is to unhook *BEFORE* FreeLibrary is called.

Posted: Sun May 02, 2004 5:22 pm
by Layane
Amazing!! :sceptic: :shock: I love your library, it's very flexible and powerful :crazy: and thanks for the support, it is excellent :D

mmmm... another thing, my MFC dll does not run :sorry: so I lose and MFC wins!! :cry: so... I'll begin tomorrow to write all my code in pure C/C++ :cry:

Posted: Sun May 02, 2004 5:32 pm
by madshi
You like the smilies I've chosen for the forum, it seems? :D

Posted: Sun May 02, 2004 5:41 pm
by Layane
hahaha :lol: d'oh!! I confess it :cry:.... I chose this forum for the smilies :cry: :sorry: