DLL Injection into notepad

Question

I want to make a message box appear in notepad , so I found a simple dll injection example. The injector itself is not mine and seems to work fine (gets the process's id , creates a remote thread , gets absolute path of the dll file). The problem, I think, is in the implementation of the dll. The projects compile without any warnings, but the expected outcome isn't achieved. Can you take a look and help me understand the problem? (I have put the release version of the dll in the injector project folder)

dllmain.cpp:

// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"

#include "dll.h"
#include <windows.h>

#include <stdio.h>
#include <stdlib.h>

DLLEXPORT void mess() {
    MessageBoxA(NULL, "HELLO THERE", "From Notepad", NULL);
}
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
{
    case DLL_PROCESS_ATTACH: mess(); break;
    case DLL_THREAD_ATTACH: mess(); break;
    case DLL_THREAD_DETACH: mess(); break;
    case DLL_PROCESS_DETACH: mess(); break;
}
return TRUE;
}

dll.h:

#ifndef _DLL_H_
#define _DLL_H_

# define DLLEXPORT __declspec (dllexport)

# define DLLIMPORT __declspec (dllimport)

DLLEXPORT void mess(void);
#endif 

and the injection.cpp for reference, it contains a function which finds the wanted process id, a function which creates the remote thread and a main:

#include "stdafx.h"
#include <windows.h> 
#include <tlhelp32.h> 
#include <shlwapi.h> 
#include <conio.h> 
#include <stdio.h>
#include <iostream>
using namespace std;
#define WIN32_LEAN_AND_MEAN 
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
DWORD GetProcessId(IN PCHAR szExeName)

{
    DWORD dwRet = 0;
    DWORD dwCount = 0;

    HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnapshot != INVALID_HANDLE_VALUE)
    {
        PROCESSENTRY32 pe = { 0 };
        pe.dwSize = sizeof(PROCESSENTRY32);

        BOOL bRet = Process32First(hSnapshot, &pe);

        while (bRet)
        {
            if (!strcmp( szExeName, pe.szExeFile))
            {
                dwCount++;
                dwRet = pe.th32ProcessID;
            }
            bRet = Process32Next(hSnapshot, &pe);
        }

        if (dwCount > 1)
            dwRet = 0xFFFFFFFF;

        CloseHandle(hSnapshot);
    }

    return dwRet;
}

BOOL CreateRemoteThreadInject(DWORD ID, const char * dll)
{
    HANDLE Process;

    LPVOID Memory;

    LPVOID LoadLibrary;

    if (!ID) return false;

    Process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, ID);

    LoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

    Memory = (LPVOID)VirtualAllocEx(Process, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

    WriteProcessMemory(Process, (LPVOID)Memory, dll, strlen(dll) + 1, NULL);

    CreateRemoteThread(Process, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibrary, (LPVOID)Memory, NULL, NULL);

    CloseHandle(Process);

    VirtualFreeEx(Process, (LPVOID)Memory, 0, MEM_RELEASE);

    return true;
}

int main()
{
    char dll[MAX_PATH] ;

    GetFullPathName("testdll.dll", MAX_PATH, dll, NULL);

    DWORD ID = GetProcessId("notepad.exe");

    if (!CreateRemoteThreadInject(ID, dll)) cout<<"failure";

    else cout << "success";

    return 0;
}

Thanks.

Answer 1

Be carefull on x64 x86 binaries

On windows 7 / 8 / 10 notepad.exe is a 64 bits process, so you need to compile your DLL & injector in x64