Jump to content

Recommended Posts

Posted

The Tutorial

Here's how it's going to go down. I'm going to run through the theory on its own first, then I'll start writing it out in code and explain each step as it appears.

 

What is LoadLibrary Injection?

This is the very first thing you need to know; What are we attempting to do?

Well, for starters, LoadLibrary (as you may or may not know) is a function in the kernel32.dll. Here's its actual method signature according to MSDN:

HMODULE WINAPI LoadLibrary(__in  LPCTSTR lpFileName );

 

Despite the C++, that's not that scary right? It's just a function that takes a single string argument which then tells LoadLibrary where to load the file from. It then loads that library into the process and -in the case of dlls- calls the DllMain function. Simple enough to grasp I hope (you don't have to know how LoadLibrary works, just understand what it does)

 

Why is this useful to us?

Well, I'll tell you. kernel32.dll is loaded into almost, if not all (there, protected against your nitpicking [MENTION=609301]freedompeace[/MENTION]) windows processes. This means that all it's functions are ALSO loaded into the process, in particular, LoadLibrary. Due to some trickery, we can call LoadLibrary in an external process and tell it to load our designated dll. More on that to come.

 

Okay, so we have to somehow call LoadLibrary in the external process...how the?

Okay, first things first, you need to open a handle to your process so we can access it. Next you'll need to write the dll location to that processes memory (in bytes, of course). We need to do this because when calling the LoadLibrary function, we'll need to pass the parameter as an address for it to find the dll location. After we've called the LoadLibrary function, and everything has worked successfully, we just do some cleaning up, close all the handles and shit.

 

That's it! Simple eh? Now we just need to translate that simple process into code.

 

First, we'll need some API declarations so we can do what we need. Here they are.

 

    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer

 

And here's what we'll use them for:

OpenProcess This function returns the handle to the process specified by the dwProcessId parameter, we need this when accessing the process externally.

 

VirtualAllocEx Allows us to allocate memory in an external process specified by the hProcess handle. This is needed to allocate the memory to write our dll location to.

 

WriteProcessMemory Write memory to an external process specified by the hProcess handle. We'll use this simple function to write our dll location to the memory allocated by VirtualAllocEx

 

GetModuleHandle Gets the handle to a specified module within our program (THIS IS NOT EXTERNAL), we'll use this to get the handle to the kernel32.dll module.

 

GetProcAddress Find the address of a function within a module, given the module handle. We'll find the address of the LoadLibrary function within kernel32 with this.

 

CreateRemoteThread Creates a thread in the remote process. We'll use this as the final step: Calling the LoadLibrary function and giving the dll its own thread so it doesn't conflict with the process's main thread.

 

WaitForSingleObject Waits for an object to return. In particular we'll wait for the LoadLibrary function to finish its work, then close the handle to it.

 

CloseHandle Very simple function. Closes an open handle.

 

That's it for APIs. All we need

 

First up, I just wanna code a tiny little cleanup routine for when we get further into the function and want to abort. Basically just cleans up input handles and returns false. You'll see it in action later.

Private Function Die(Optional ByVal hProc As Integer = Nothing, Optional ByVal libThread As Integer = Nothing) As Boolean
    If Not hProc = Nothing Then CloseHandle(hProc)
    If Not libThread = Nothing Then CloseHandle(libThread)
    Return False
End Function

 

Now that moment is finally here, coding our function.to inject a process. First comes the method signature.

Private Function InjectDll(ByVal processID As Integer, ByVal dllLocation As String) As Boolean

 

Simple method singature, we'll take in a process id and a dll location and do our injection. If everything goes okay, we'll return true, otherwise false.

 

Now we're going to start with some simple error checking so that our function doesn't assrape itself.

If Not IO.File.Exists(dllLocation) Then Return False 'if the dll doesn't exist, no point in continuing. So we return false.
If IntPtr.Size = 8 Then Return False 'If the size of an IntPtr is 8, then is program was compiled as x64. x64 processes can't access x86 processes properly, so we just return false. You need to compile this program as x86.

 

Time to open up that process!

Dim hProcess As Integer = OpenProcess(&H1F0FFF, 1, processID) 'We'll open the process specified by the input process ID. With PROCESS_ALL_ACCESS access, seeing as we only need to write.
If hProcess = 0 Then Return Die() 'If we didn't get the handle, we exit and return false. No cleanup so no params for die()

 

Next we've gotta allocate some memory for the dll location, and then write it.

Dim dllBytes As Byte() = System.Text.Encoding.ASCII.GetBytes(dllLocation) 'As I mentioned earlier, we have to write the dll location as bytes to the process memory, so we take the bytes of the string using the standard encoding.
Dim pathLocation As Integer = VirtualAllocEx(hProcess, 0, dllBytes.Length, &H1000, &H4) 'Allocate memory the size of the string we need to write to memory. pathLocation now holds the address of where the memory was allocated.
If pathLocation = Nothing Then Return Die(hProcess) 'VirtualAllocEx returns Nothing when it fails, so we check for that and return false if we find it. We've opened a process handle so we have to pass that to Die to clean it up.

 

So hopefully you could see in that step that we just converted the dll location to bytes, and then allocated some memory (the size of the dll location bytes) in the target process. Now we need to write to it.

 

Dim wpm As Integer = WriteProcessMemory(hProcess, pathLocation, dllBytes, dllBytes.Length, 0) 'write the contents of dllBytes to the memory allocated at pathLocation.
If wpm = 0 Then Return Die(hProcess) ' WriteProcessMemory returns 0 if it fails.

 

Alright we're getting there, so far we have written the location of our dll to the other processes memory, and we have the address where we wrote that. That's part one complete, the next part is actually finding and calling LoadLibrary

 

in that process and passing in the variable we wrote to memory. We'll get the address of LoadLibrary first.

 

Here's how:

Dim kernelMod As Integer = GetModuleHandle("kernel32.dll") 'Remember what I was saying about kernel32 being loaded into the same address space for every normal process? This means we don't have to do any fancy crap to find its location in our target process, we can get the location in our own process and safely assume it will be the same for all process. This means we can use GetModuleHandle, which only works internally.
Dim loadLibAddr As Integer = GetProcAddress(kernelMod, "LoadLibraryA") ' GetProcAddress gives us the address of the specified function within the module.
If loadLibAddr = 0 Then Return Die(hProcess) 'If GetProcAddress failed it'll return 0.

 

Yay, we finally have the address of the LoadLibrary function. NOW WE CAN CALL IT AND LOAD THIS FUCKER.

Dim procThread As Integer = CreateRemoteThread(hProcess, 0, 0, loadLibAddr, pathLocation, 0, 0) 'Okay, this is the thread creation. We pass our process handle to tell what process to create the thread on. the third param is the handle of the function to call. In this case we choose the LoadLibrary function. The next param is the arguments to pass to the function (omg remember we wrote that to memory? NOW WE PASS THE ADDRESS BACK!)
If procThread = 0 Then Return Die(hProcess) 'unable to create the thread. Return false
Dim waitVal As Integer = WaitForSingleObject(procThread, 5000) 'allow the LoadLibrary function 5 seconds to process.
If Not waitVal = &H0UI Then Return Die(hProcess, procThread) 'Function didn't signal completion. Fuck that shit abort ABORT
CloseHandle(procThread) 'close the handle to the LoadLibrary function
CloseHandle(hProcess) 'close the handle to the process
Return True 'made it, yay.

 

And that's it, you have successfully located the LoadLibrary function and called it, passing our dll location as the param. The dll should now load successfully.

 

I hope someone actually reads the tutorial, it's pretty lengthy for such a short function but there's a lot of shit going on if you're new to it.

 

EDIT: Oh yeah, if you're having trouble finding how to compile to x86. Check out this MSDN article.

Compile options VS Express Editions - SocialMSDN

 

 

Credits,

Chooka/Jason

 

 

  • 4 weeks later...
Posted

This is a way to hack your own pc.. rofl usefull xD

 

You can also use it to inject dll's into games like aimbots, and generally cheating dll's ;).

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...