I want to make a message box appear in notepad , so I found a simple dll
injection example. The injector itself is not mine and seems to work fine (gets the process's id , creates a remote thread , gets absolute path of the dll file). The problem, I think, is in the implementation of the dll
. The projects compile without any warnings, but the expected outcome isn't achieved. Can you take a look and help me understand the problem? (I have put the release version of the dll
in the injector project folder)
dllmain.cpp:
// dllmain.cpp : Defines the entry point for the DLL application.
#include "stdafx.h"
#include "dll.h"
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
DLLEXPORT void mess() {
MessageBoxA(NULL, "HELLO THERE", "From Notepad", NULL);
}
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH: mess(); break;
case DLL_THREAD_ATTACH: mess(); break;
case DLL_THREAD_DETACH: mess(); break;
case DLL_PROCESS_DETACH: mess(); break;
}
return TRUE;
}
dll.h:
#ifndef _DLL_H_
#define _DLL_H_
# define DLLEXPORT __declspec (dllexport)
# define DLLIMPORT __declspec (dllimport)
DLLEXPORT void mess(void);
#endif
and the injection.cpp
for reference, it contains a function which finds the wanted process id, a function which creates the remote thread and a main:
#include "stdafx.h"
#include <windows.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#include <conio.h>
#include <stdio.h>
#include <iostream>
using namespace std;
#define WIN32_LEAN_AND_MEAN
#define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
DWORD GetProcessId(IN PCHAR szExeName)
{
DWORD dwRet = 0;
DWORD dwCount = 0;
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapshot != INVALID_HANDLE_VALUE)
{
PROCESSENTRY32 pe = { 0 };
pe.dwSize = sizeof(PROCESSENTRY32);
BOOL bRet = Process32First(hSnapshot, &pe);
while (bRet)
{
if (!strcmp( szExeName, pe.szExeFile))
{
dwCount++;
dwRet = pe.th32ProcessID;
}
bRet = Process32Next(hSnapshot, &pe);
}
if (dwCount > 1)
dwRet = 0xFFFFFFFF;
CloseHandle(hSnapshot);
}
return dwRet;
}
BOOL CreateRemoteThreadInject(DWORD ID, const char * dll)
{
HANDLE Process;
LPVOID Memory;
LPVOID LoadLibrary;
if (!ID) return false;
Process = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, ID);
LoadLibrary = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
Memory = (LPVOID)VirtualAllocEx(Process, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(Process, (LPVOID)Memory, dll, strlen(dll) + 1, NULL);
CreateRemoteThread(Process, NULL, NULL, (LPTHREAD_START_ROUTINE)LoadLibrary, (LPVOID)Memory, NULL, NULL);
CloseHandle(Process);
VirtualFreeEx(Process, (LPVOID)Memory, 0, MEM_RELEASE);
return true;
}
int main()
{
char dll[MAX_PATH] ;
GetFullPathName("testdll.dll", MAX_PATH, dll, NULL);
DWORD ID = GetProcessId("notepad.exe");
if (!CreateRemoteThreadInject(ID, dll)) cout<<"failure";
else cout << "success";
return 0;
}
Thanks.
Be carefull on x64 x86 binaries
On windows 7 / 8 / 10 notepad.exe is a 64 bits process, so you need to compile your DLL & injector in x64
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With