CreateRemoteThread code does not work properly

Nituvious
Addict
Posts: 1000
Joined: Sat Jul 11, 2009 4:57 am
Location: United States

CreateRemoteThread code does not work properly

Post by Nituvious »

Hi, I took Thorium's advice and just went directly for DLL injection, however my code fails and crashes notepad. I'm not sure what is wrong as this is a direct translation (I think).

Here is my procedure:


Procedure InjectRemoteCode(processID, DLL_NAME.s)
	hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, processID)
	If hProcess
		; "kernal32.dll" is misspelt: GetModuleHandle_() returns 0, so LoadLibAddy ends up 0
		; and the remote thread starts at address 0, which is what crashes notepad
		LoadLibAddy = GetProcAddress_(GetModuleHandle_("kernal32.dll"), "LoadLibraryA")
		dwSize = Len(DLL_NAME) + 1   ; +1 for the terminating null
		; buffer in the target process that will hold the DLL path
		RemoteString = VirtualAllocEx_(hProcess, #Null, dwSize, #MEM_RESERVE|#MEM_COMMIT, #PAGE_READWRITE)
		WriteProcessMemory_(hProcess, RemoteString, DLL_NAME, dwSize, #Null)
		; LoadLibraryA(RemoteString) runs on a new thread inside the target
		CreateRemoteThread_(hProcess, #Null, #Null, LoadLibAddy, RemoteString, #Null, #Null)
		; only close a handle we actually opened
		CloseHandle_(hProcess)
	Else
		Debug "failed to open process"
	EndIf
EndProcedure
Here is my DLL code:


ProcedureDLL msg()
	MessageBox_(0, "Hello, World!", "Hi", #MB_APPLMODAL)
EndProcedure
▓▓▓▓▓▒▒▒▒▒░░░░░
Rings
Moderator
Posts: 1427
Joined: Sat Apr 26, 2003 1:11 am

Re: CreateRemoteThread code does not work properly

Post by Rings »

"kernal32.dll"
or
"kernel32.dll"

If you check for results, such errors never happen.
SPAMINATOR NR.1
Nituvious
Addict
Posts: 1000
Joined: Sat Jul 11, 2009 4:57 am
Location: United States

Re: CreateRemoteThread code does not work properly

Post by Nituvious »

Damn you my brain, I will teach it a lesson by watching and finishing the Dune movie! That will show it who's boss.

[edit] Well, notepad doesn't crash any more, but it doesn't seem like my DLL is injecting since the message box doesn't pop up.
[edit2] The problem was I was using a procedure instead of an actual function. Damn you brain, I will watch not only the rest of Dune but also Texas Chainsaw Massacre on channel 503!

[Edit3] Okay so I can inject my DLL or whatever however I cannot inject it twice. Any ideas? Do I need to free the memory up after injecting or something? If so how? VirtualFreeEx?
▓▓▓▓▓▒▒▒▒▒░░░░░
PyroStrex
User
Posts: 61
Joined: Mon Mar 22, 2010 3:08 pm

Re: CreateRemoteThread code does not work properly

Post by PyroStrex »

Owh, this is a very suitable addon to my PureBasic API Hooking. What do you mean by injecting it twice? Is it something close to these actions?

You have injected the DLL and it works! Then it is now time to add some more code to the DLL. When you wanna inject it again, it fails. (Same injection process, not yet exited.)

If you are somehow trying to do the above actions, you need to eject the DLL first.
Nituvious
Addict
Posts: 1000
Joined: Sat Jul 11, 2009 4:57 am
Location: United States

Re: CreateRemoteThread code does not work properly

Post by Nituvious »

PyroStrex wrote: Owh, this is a very suitable addon to my PureBasic API Hooking. What do you mean by injecting it twice? Is it something close to these actions?

You have injected the DLL and it works! Then it is now time to add some more code to the DLL. When you wanna inject it again, it fails. (Same injection process, not yet exited.)

If you are somehow trying to do the above actions, you need to eject the DLL first.
Well, I tried to inject A.DLL, it worked. Then I tried to inject B.DLL and nothing happened.
A contained: messagerequester("","DLL A")
B contained: messagerequester("","DLL B")

Not sure what I really need to do to get both to work properly. I don't really know how to eject it.
▓▓▓▓▓▒▒▒▒▒░░░░░
PyroStrex
User
Posts: 61
Joined: Mon Mar 22, 2010 3:08 pm

Re: CreateRemoteThread code does not work properly

Post by PyroStrex »

Here you are. I've converted this directly from my VB.net project. I also have the ejection method, but I will post it only if requested since I haven't converted it yet. (I've removed some of the actual code, for example injecting directly by process name, since I wanna convert it fast and VB.net detection is different than in C or C++.)

Tested and working in Windows 7.


Procedure.i InjectLibrary(ProcessID.l, DLLPath.s)
  ; handles and addresses are pointer-sized, so .i instead of .l (matters on x64 builds)
  Define ProcessHandle.i
  Define StartAddress.i
  Define BufferSize.i
  Define ParamAddress.i
  Define ThreadHandle.i
  
  ProcessHandle = OpenProcess_(#PROCESS_ALL_ACCESS, #False, ProcessID)
  
  If ProcessHandle = 0
    ProcedureReturn -1
  EndIf
  
  ; kernel32 is mapped at the same base in every process, so the local
  ; address of LoadLibraryA is valid as the remote thread's start address
  StartAddress = GetProcAddress_(GetModuleHandle_("kernel32.dll"), "LoadLibraryA")
  
  If StartAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  ; +1 for the terminating null; assumes an ASCII build, since LoadLibraryA
  ; expects a single-byte string (in a Unicode build Len() counts characters, not bytes)
  BufferSize = Len(DLLPath) + 1
  
  ParamAddress = VirtualAllocEx_(ProcessHandle, 0, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  
  If ParamAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  If Not WriteProcessMemory_(ProcessHandle, ParamAddress, DLLPath, BufferSize, 0)
    VirtualFreeEx_(ProcessHandle, ParamAddress, 0, #MEM_RELEASE)
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  ThreadHandle = CreateRemoteThread_(ProcessHandle, 0, 0, StartAddress, ParamAddress, 0, 0)
  
  If ThreadHandle
    ; wait until LoadLibraryA has returned before freeing the buffer it reads from
    WaitForSingleObject_(ThreadHandle, #INFINITE)
    CloseHandle_(ThreadHandle)
  EndIf
  
  ; release the remote buffer and the process handle on every path
  VirtualFreeEx_(ProcessHandle, ParamAddress, 0, #MEM_RELEASE)
  CloseHandle_(ProcessHandle)
  
  If ThreadHandle = 0
    ProcedureReturn -1
  EndIf
  
  ProcedureReturn 0
EndProcedure

NotePad = RunProgram("notepad", "", "", #PB_Program_Open|#PB_Program_Read)

Debug(NotePad)

If NotePad
  ProcessID = ProgramID(NotePad)
  
  If ProcessID
    InjectLibrary(ProcessID, "dll01.dll")
    InjectLibrary(ProcessID, "dll02.dll")
  EndIf
EndIf
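From the defender's side of the same technique: the injector above leaves a very specific trace, a thread created in another process whose start address resolves to LoadLibraryA/LoadLibraryW in kernel32. Sysmon records exactly that as Event ID 8 (CreateRemoteThread) with StartModule and StartFunction fields. The following is an added example, not code from this thread or from any of the posters, that triages such records. The three sample events are constructed, and the flat key=value layout is an assumed rendering of the event data fields rather than Sysmon's own XML.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for the
LoadLibrary-based DLL injection pattern discussed in this thread.
Sample events are constructed; the key=value|... layout is an assumed
flat rendering of the Sysmon event data fields."""
import ntpath
from typing import Dict, List, Optional, Tuple

# Constructed sample records, one event per line.
SAMPLE_EVENTS = [
    # 1) remote thread starting at kernel32!LoadLibraryA: the injector's signature
    "SourceImage=C:\\Users\\dev\\inject.exe|SourceProcessId=4120|"
    "TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=5566|"
    "StartAddress=0x76C31D30|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|"
    "StartFunction=LoadLibraryA",
    # 2) thread starting at ntdll!RtlUserThreadStart: normal thread creation
    "SourceImage=C:\\Windows\\System32\\csrss.exe|SourceProcessId=640|"
    "TargetImage=C:\\Windows\\System32\\notepad.exe|TargetProcessId=5566|"
    "StartAddress=0x77A41F20|StartModule=C:\\Windows\\System32\\ntdll.dll|"
    "StartFunction=RtlUserThreadStart",
    # 3) start address backed by no module at all: typical of shellcode injection
    "SourceImage=C:\\Users\\dev\\other.exe|SourceProcessId=8812|"
    "TargetImage=C:\\Windows\\explorer.exe|TargetProcessId=1212|"
    "StartAddress=0x00A20000|StartModule=|StartFunction=",
]

# kernel32 forwards to kernelbase on newer Windows, so accept both as the loader module.
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def parse_event(line: str) -> Dict[str, str]:
    """Split a flat key=value|key=value record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a verdict label for one event, or None if nothing stands out."""
    # ntpath handles backslash paths regardless of the host this runs on
    module = ntpath.basename(event.get("StartModule", "")).lower()
    function = event.get("StartFunction", "")
    if module in LOADER_MODULES and function in LOADLIBRARY_EXPORTS:
        return "loadlibrary-injection"
    if module == "" and function == "":
        # Sysmon could not map the start address to any loaded module
        return "unbacked-start-address"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (source image, target image, verdict) for every flagged event."""
    findings = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            findings.append((event["SourceImage"], event["TargetImage"], verdict))
    return findings


if __name__ == "__main__":
    for source, target, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict}: {source} -> {target}")
```

The StartModule/StartFunction resolution is done by Sysmon at event time, so the match is robust against the injector freeing its remote buffer afterwards (as PyroStrex's code does). Debuggers, some endpoint agents and a few installers also create remote threads, so treat a hit as a triage signal to be paired with the source image and user rather than a verdict on its own.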
Thorium
Addict
Posts: 1271
Joined: Sat Aug 15, 2009 6:59 pm

Re: CreateRemoteThread code does not work properly

Post by Thorium »

Nituvious wrote: Well, I tried to inject A.DLL, it worked. Then I tried to inject B.DLL and nothing happened.
A contained: messagerequester("","DLL A")
B contained: messagerequester("","DLL B")

Not sure what I really need to do to get both to work properly. I don't really know how to eject it.
It sounds like you don't exit the remotely created thread. You must exit that thread!
There is a safety mechanism in Windows to prevent endless loops on DLL loading. I don't remember how exactly it works, but it cancels the loading of DLLs while a thread executes AttachProcess() of a DLL. If you want a persistent thread running after injection, you have to create a new thread and let AttachProcess() exit. So just put a CreateThread() inside of AttachProcess().