
CreateRemoteThread code does not work properly

Posted: Sun Sep 26, 2010 6:02 am
by Nituvious
Hi, I took Thorium's advice and just went directly for DLL injection, however my code fails and crashes Notepad. I'm not sure what is wrong as this is a direct translation (I think).

Here is my procedure:

Code:

Procedure InjectRemoteCode(processID, DLL_NAME.s)
	hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, processID)
	If hProcess
		LoadLibAddy = GetProcAddress_(GetModuleHandle_("kernal32.dll"), "LoadLibraryA")
		dwSize = Len(DLL_NAME) + 1   ; include the terminating null byte
		RemoteString = VirtualAllocEx_(hProcess, #Null, dwSize, #MEM_RESERVE | #MEM_COMMIT, #PAGE_READWRITE)
		WriteProcessMemory_(hProcess, RemoteString, DLL_NAME, dwSize, #Null)
		CreateRemoteThread_(hProcess, #Null, #Null, LoadLibAddy, RemoteString, #Null, #Null)
		CloseHandle_(hProcess)   ; only close a handle that was actually opened
	Else
		Debug "failed to open process"
	EndIf
EndProcedure
Here is my DLL code:

Code:

ProcedureDLL msg()
	MessageBox_(0, "Hello, World!", "Hi", #MB_APPLMODAL)
EndProcedure

Re: CreateRemoteThread code does not work properly

Posted: Sun Sep 26, 2010 7:02 am
by Rings
"kernal32.dll"
or
"kernel32.dll"

If you check for results, such errors never happen.

Re: CreateRemoteThread code does not work properly

Posted: Sun Sep 26, 2010 7:17 am
by Nituvious
Damn you my brain, I will teach it a lesson by watching and finishing the Dune movie! That will show it who's boss.

[edit] Well, Notepad doesn't crash any more, but it doesn't seem like my DLL is injecting since the message box doesn't pop up.
[edit2] The problem was I was using a procedure instead of an actual function. Damn you brain, I will watch not only the rest of Dune but also Texas Chainsaw Massacre on channel 503!

[Edit3] Okay, so I can inject my DLL or whatever, however I cannot inject it twice. Any ideas? Do I need to free the memory up after injecting or something? If so, how? VirtualFreeEx?

Re: CreateRemoteThread code does not work properly

Posted: Tue Sep 28, 2010 6:43 am
by PyroStrex
Owh, this is a very suitable addon to my PureBasic API Hooking. What do you mean by injecting it twice? Is it somehow near these actions?

You have injected the DLL and it works! Then it's now time to add some more code to the DLL. When you want to inject it again, it fails. (Same injection process, not yet exited.)

If you are somehow trying to do the above actions, you need to eject the DLL first.

Re: CreateRemoteThread code does not work properly

Posted: Tue Sep 28, 2010 7:13 am
by Nituvious
PyroStrex wrote: Owh, this is a very suitable addon to my PureBasic API Hooking. What do you mean by injecting it twice? Is it somehow near these actions?

You have injected the DLL and it works! Then it's now time to add some more code to the DLL. When you want to inject it again, it fails. (Same injection process, not yet exited.)

If you are somehow trying to do the above actions, you need to eject the DLL first.
Well, I tried to inject A.DLL, it worked. Then I tried to inject B.DLL and nothing happened.
A contained: MessageRequester("", "DLL A")
B contained: MessageRequester("", "DLL B")

Not sure what I really need to do to get both to work properly. I don't really know how to eject it.

Re: CreateRemoteThread code does not work properly

Posted: Tue Sep 28, 2010 8:37 am
by PyroStrex
Here you are. I've converted this directly from my VB.net project. I also have the ejection method, but I will post it only if requested since I didn't convert it yet. (I've removed some of the actual code, for example injection directly by process name, since I want to convert it fast and VB.net detection is different than C or C++.)

Tested and working in Windows 7.

Code:

Procedure.i InjectLibrary(ProcessID.i, DLLPath.s)
  ; Handles and addresses are pointer-sized, so use .i (not .l) to keep a 64-bit build correct
  Define ProcessHandle.i
  Define StartAddress.i
  Define BufferSize.i
  Define ParamAddress.i
  Define ThreadHandle.i
  Define Result.i = -1   ; assume failure until every step has succeeded
  
  ProcessHandle = OpenProcess_(#PROCESS_ALL_ACCESS, #False, ProcessID)
  
  If ProcessHandle = 0
    ProcedureReturn -1
  EndIf
  
  ; kernel32.dll is mapped at the same base in every process, so the local address of
  ; LoadLibraryA is valid inside the target as well
  StartAddress = GetProcAddress_(GetModuleHandle_("kernel32.dll"), "LoadLibraryA")
  
  If StartAddress
    BufferSize = Len(DLLPath) + 1   ; include the terminating null byte (LoadLibraryA takes an ANSI path)
    ParamAddress = VirtualAllocEx_(ProcessHandle, 0, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  EndIf
  
  If ParamAddress
    ; Copy the path into the target, then run LoadLibraryA(path) there on a new thread
    If WriteProcessMemory_(ProcessHandle, ParamAddress, DLLPath, BufferSize, 0)
      ThreadHandle = CreateRemoteThread_(ProcessHandle, 0, 0, StartAddress, ParamAddress, 0, 0)
      If ThreadHandle
        WaitForSingleObject_(ThreadHandle, #INFINITE)   ; wait until LoadLibraryA has returned
        CloseHandle_(ThreadHandle)
        Result = 0
      EndIf
    EndIf
    VirtualFreeEx_(ProcessHandle, ParamAddress, 0, #MEM_RELEASE)   ; the path buffer is no longer needed
  EndIf
  
  CloseHandle_(ProcessHandle)   ; always release the process handle, also on the failure paths
  
  ProcedureReturn Result
EndProcedure

NotePad = RunProgram("notepad", "", "", #PB_Program_Open | #PB_Program_Read)

Debug(NotePad)

If NotePad
  ProcessID = ProgramID(NotePad)
  
  If ProcessID
    ; Each call returns 0 on success and -1 on failure
    Debug InjectLibrary(ProcessID, "dll01.dll")
    Debug InjectLibrary(ProcessID, "dll02.dll")
  EndIf
EndIf

Re: CreateRemoteThread code does not work properly

Posted: Tue Sep 28, 2010 10:07 am
by Thorium
Nituvious wrote: Well, I tried to inject A.DLL, it worked. Then I tried to inject B.DLL and nothing happened.
A contained: messagerequester("","DLL A")
B contained: messagerequester("","DLL B")

Not sure what I really need to do to get both to work properly. I don't really know how to eject it.
It sounds like you don't exit the remotely created thread. You must exit that thread!
There is a safety mechanism in Windows to prevent endless loops on DLL loading. I don't remember how exactly it works, but it cancels the loading of DLLs while a thread executes AttachProcess() of a DLL. If you want a persistent thread running after injection, you have to create a new thread and let AttachProcess() exit. So just put a CreateThread() inside of AttachProcess().
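The DLL-side pattern Thorium describes, as an added example that is not code from this thread or from any poster: a PureBasic DLL whose AttachProcess() starts a worker thread and returns immediately, so the loader can finish LoadLibraryA() in the target process. It assumes the PureBasic "Shared DLL" compiler option; the procedure name Worker and the message text are made up here, and the Windows CreateThread_() API is called directly rather than a PureBasic library function.

```purebasic
; Added example (not from the thread): keep AttachProcess() short and do the real
; work on a separate thread. Assumes a PureBasic "Shared DLL" build.

Procedure Worker(Parameter)
  ; Runs on its own thread once AttachProcess() has returned and the loader has
  ; released the loader lock, so blocking calls such as a message box are safe here.
  MessageBox_(0, "Hello from the injected DLL", "Worker thread", #MB_OK)
  ProcedureReturn 0
EndProcedure

ProcedureDLL AttachProcess(Instance)
  ; Windows calls this while it holds the loader lock. Waiting on a thread, showing UI
  ; or loading further DLLs here can deadlock the process and blocks every other
  ; LoadLibrary call in it until this procedure returns.
  ; The new thread only starts executing after AttachProcess() returns; its handle is
  ; not needed, so it is closed right away (assumed name: Worker).
  Protected ThreadHandle.i
  ThreadHandle = CreateThread_(0, 0, @Worker(), 0, 0, 0)
  If ThreadHandle
    CloseHandle_(ThreadHandle)
  EndIf
EndProcedure

ProcedureDLL DetachProcess(Instance)
  ; Nothing to release in this example; a real DLL would signal its worker to stop here.
EndProcedure
```

The same restriction applies to any DLL, injected or not: AttachProcess() (DllMain) should be limited to simple initialisation and thread creation, never to waiting on that thread, which is exactly the deadlock a remote LoadLibraryA() call runs into when the previous DLL's AttachProcess() never returns.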