infotic - 3 months ago 15
C++ Question

DLL injection doesn't work in target process

I'm trying to use the CreateRemoteThread() function in order to inject a function injectedFunction() and make it run inside a remote process.

However, it seems that this code can't work. The target program just crashes as soon as the injector program runs the CreateRemoteThread() function. Any pointer on what went wrong?

#include <windows.h>

void injectedFunction()
{
    MessageBoxA(NULL, "Injection OK", "Injection OK", MB_OK);
}

void injectionFunction()
{
    HANDLE hTargetProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);

    // The start address passed here is injectedFunction's address in the injector's own address space;
    // dwStackSize and dwCreationFlags are DWORDs, so 0 rather than NULL.
    CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)injectedFunction, NULL, 0, NULL);
}

Answer

I think you are mangling a few concepts: Basically you are trying to inject a function without using an external DLL, so it's not really a DLL injection that you are doing here.

Here's what went wrong:

CreateRemoteThread does create a thread inside the address space of the target process whose execution starts at the address pointed to by the third argument of the function (lpStartAddress). However, your injectedFunction() is inside the address space of your injector process, so its code is not visible at all to the target process.

Let's say that your injectedFunction() is at address 0xABCD1234 in your injector process. Basically, what you are doing here is making a call to the address 0xABCD1234 in the target process, which contains a bunch of random code and no trace at all of injectedFunction()'s code. This can be extremely dangerous (OK, the probabilities are very low that this random code will format your hard drive or do anything really dangerous other than crashing your target process, but still, executing code at a random location is NOT something you should ever do at all).

What you should do:

1) First, allocate a space in the target process which contains the file path of the DLL on your hard drive (the file path must be in the target process, or else it won't be visible). Use VirtualAllocEx and WriteProcessMemory for that.

2) Call CreateRemoteThread with LoadLibraryA as the third argument and the value returned by VirtualAllocEx as the fourth argument (the address of the string containing the file path of the DLL). This will create a thread that only loads the DLL. The DLL will come into action and do the rest.

Code:

DLL.cpp

// Built as a DLL. LoadLibrary only runs DllMain; an exported function is never called on its own.
extern "C" __declspec(dllexport) VOID injectedFunction(void)
{
    MessageBoxA(NULL, "Injection OK", "Injection OK", MB_OK);
}
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID)
{
    if (reason == DLL_PROCESS_ATTACH) injectedFunction(); // UI work under the loader lock: acceptable for a demo only
    return TRUE;
}

Injector.cpp

void injectionFunction(DWORD pid, const char *dllPath)   // dllPath: PATH_OF_YOUR_DLL
{
    HANDLE hTargetProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, pid);
    if (hTargetProcess == NULL) return;

    // The path string must live in the target's address space; size it to the path (plus NUL), not a fixed 16 bytes
    SIZE_T pathSize = strlen(dllPath) + 1;
    LPVOID lpParameter = VirtualAllocEx(hTargetProcess, NULL, pathSize, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (lpParameter != NULL && WriteProcessMemory(hTargetProcess, lpParameter, dllPath, pathSize, NULL))
    {
        // dwStackSize and dwCreationFlags are DWORDs (0), lpThreadId is an optional pointer (NULL)
        HANDLE hThread = CreateRemoteThread(hTargetProcess, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, lpParameter, 0, NULL);
        if (hThread != NULL) { WaitForSingleObject(hThread, INFINITE); CloseHandle(hThread); }
    }
    CloseHandle(hTargetProcess);
}