
Injecting C++ DLL

I know there are various questions and books on this but I can't seem to get my C++ DLL injected into any processes.

The code to inject the DLL:

    #include <iostream>
    #include <cstring>      // strlen
    #include "windows.h"

    bool Inject(DWORD pId, const char *dllName);

    using namespace std;

    int main()
    {
        Inject(600, "C:\\d.dll");
        return 0;
    }

    bool Inject(DWORD pId, const char *dllName)
    {
        HANDLE h = OpenProcess(PROCESS_ALL_ACCESS, false, pId);
        if(h)
        {
            LPVOID LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
            // +1 so the terminating NUL of the path is copied as well (the original used strlen() alone)
            SIZE_T len = strlen(dllName) + 1;
            LPVOID dereercomp = VirtualAllocEx(h, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
            WriteProcessMemory(h, dereercomp, dllName, len, NULL);
            HANDLE asdc = CreateRemoteThread(h, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, dereercomp, 0, NULL);
            WaitForSingleObject(asdc, INFINITE);
            // dwSize must be 0 when MEM_RELEASE is used
            VirtualFreeEx(h, dereercomp, 0, MEM_RELEASE);
            CloseHandle(asdc);
            CloseHandle(h);
            return true;
        }
        return false;
    }

and the DLL I am trying to inject:

    #include <windows.h>
    #include <stdio.h>

    BOOL APIENTRY DllMain (HINSTANCE hInst     /* Library instance handle. */ ,
                           DWORD reason        /* Reason this function is being called. */ ,
                           LPVOID reserved     /* Not used. */ )
    {
        switch (reason)
        {
          case DLL_PROCESS_ATTACH:
            MessageBox (0, "From DLL\n", "Process Attach", MB_ICONINFORMATION);
            break;

          case DLL_PROCESS_DETACH:
            MessageBox (0, "From DLL\n", "Process Detach", MB_ICONINFORMATION);
            break;

          case DLL_THREAD_ATTACH:
            MessageBox (0, "From DLL\n", "Thread Attach", MB_ICONINFORMATION);
            break;

          case DLL_THREAD_DETACH:
            MessageBox (0, "From DLL\n", "Thread Detach", MB_ICONINFORMATION);
            break;
        }

        return TRUE;
    }

I don't know enough C++ to know where this is going wrong. I have run Process Explorer on the process I am trying to inject into (the process is run as admin as well) but it isn't being injected. When I run it, nothing happens. Any ideas?

Bali C asked Jun 07 '12 10:06

1 Answer

Don't do MessageBox from DllMain. Why? See:

  • DLL_PROCESS_ATTACH failing to execute on Windows 7 C++
  • Some reasons not to do anything scary in your DllMain
  • Don’t use standard library/CRT functions in static initializers/DllMain!

Your message box might just deadlock before showing up there. To ensure you reach the code line of interest, use OutputDebugString instead. As you indicated you are familiar with Process Explorer, you might notice the created thread there (you can obtain its identifier in your launcher by providing the last argument to your CreateRemoteThread) and its locked state with execution inside kernel libraries.

This is where you need to put OutputDebugString:

    #include <windows.h>
    #include <tchar.h>      // TCHAR, _T(), _stprintf_s

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, VOID* pvReserved)
    {
        pvReserved;   // unused parameter
        TCHAR pszMessage[1024] = { 0 };
        _stprintf_s(pszMessage, _T("GetCurrentProcessId() %d, hModule 0x%p, nReason %d\r\n"), GetCurrentProcessId(), hModule, nReason);
        OutputDebugString(pszMessage);
        /*switch(nReason)
        {
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }*/
        return TRUE;
    }

Another thing to make sure is that you are loading DLL of correct bitness. Win32 DLL into Win32 process, or x64 DLL into x64 process.

UPDATE. I am putting this up from a comment: here is the source code for the Visual Studio 2010 project that does the thing: SVN or Trac.

  • You put the process identifier into the source code
  • The executable creates a remote thread and loads the library
  • The library starts from DllMain and generates debug output
  • DebugView shows you the output
  • Process Explorer shows you the thread created, and you also have its identifier printed

Roman R. answered Sep 19 '22 01:09
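
The answer's bitness point can be checked from the file alone, before anything is loaded: the Machine field of the PE file header records which architecture a DLL was built for, and the Windows loader refuses a 32-bit DLL in a 64-bit process and vice versa. The following C program is an added example, not code from the question, the answer or its linked project. It reads that field from a raw PE image with every offset bounds-checked, compares it to the host process architecture, and exercises itself on constructed header-only images; the stub builder, the PE_* names and the self-check are this example's own, while the numeric constants are the IMAGE_FILE_MACHINE_* values from winnt.h. It is portable C, so it also runs off-Windows for triage of a DLL recovered from a host.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Machine values from the PE specification (IMAGE_FILE_MACHINE_* in winnt.h). */
#define PE_MACHINE_I386  0x014c
#define PE_MACHINE_AMD64 0x8664
#define PE_MACHINE_ARM64 0xaa64

/* Return codes of pe_machine(). */
enum { PE_OK = 0, PE_TOO_SHORT = -1, PE_BAD_MZ = -2, PE_BAD_PE = -3 };

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((unsigned)p[1] << 8));
}

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Extracts IMAGE_FILE_HEADER.Machine from a raw PE file without loading it.
 * Layout walked: IMAGE_DOS_HEADER (e_magic "MZ" at 0, e_lfanew at 0x3c),
 * the "PE\0\0" signature at e_lfanew, then IMAGE_FILE_HEADER whose first
 * field is the 16-bit Machine. Every offset is checked against len first. */
int pe_machine(const uint8_t *buf, size_t len, uint16_t *machine)
{
    if (len < 0x40)
        return PE_TOO_SHORT;
    if (buf[0] != 'M' || buf[1] != 'Z')
        return PE_BAD_MZ;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    if (e_lfanew > len || len - e_lfanew < 6)      /* need signature + Machine */
        return PE_TOO_SHORT;
    if (memcmp(buf + e_lfanew, "PE\0\0", 4) != 0)
        return PE_BAD_PE;
    *machine = rd16(buf + e_lfanew + 4);
    return PE_OK;
}

/* The loader will not map a DLL into a process of another architecture,
 * so the two Machine values must be identical for LoadLibrary to succeed. */
int pe_bitness_matches(uint16_t dll_machine, uint16_t process_machine)
{
    return dll_machine == process_machine;
}

const char *pe_machine_name(uint16_t m)
{
    switch (m) {
    case PE_MACHINE_I386:  return "x86 (32-bit)";
    case PE_MACHINE_AMD64: return "x64";
    case PE_MACHINE_ARM64: return "ARM64";
    default:               return "unknown";
    }
}

/* Builds a constructed, header-only PE image (not a real binary) so the
 * parser can be exercised offline. Returns the image size, 0 on failure. */
size_t make_stub_pe(uint8_t *out, size_t cap, uint16_t machine)
{
    const uint32_t e_lfanew = 0x80;        /* NT headers placed after a DOS stub */
    const size_t size = e_lfanew + 24;     /* signature + IMAGE_FILE_HEADER */
    if (cap < size)
        return 0;
    memset(out, 0, size);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3c] = (uint8_t)e_lfanew;         /* little-endian e_lfanew; upper bytes stay 0 */
    memcpy(out + e_lfanew, "PE\0\0", 4);
    out[e_lfanew + 4] = (uint8_t)(machine & 0xff);
    out[e_lfanew + 5] = (uint8_t)(machine >> 8);
    return size;
}

/* Runs the parser over two constructed images and two malformed inputs;
 * returns the number of checks that passed (5 when everything is right). */
int pe_self_check(void)
{
    uint8_t img[256];
    uint16_t m = 0;
    int ok = 0;
    size_t n = make_stub_pe(img, sizeof img, PE_MACHINE_AMD64);
    ok += (n > 0 && pe_machine(img, n, &m) == PE_OK && m == PE_MACHINE_AMD64);
    ok += !pe_bitness_matches(m, PE_MACHINE_I386);   /* x64 DLL into x86 process: refused */
    n = make_stub_pe(img, sizeof img, PE_MACHINE_I386);
    ok += (n > 0 && pe_machine(img, n, &m) == PE_OK && pe_bitness_matches(m, PE_MACHINE_I386));
    img[1] = 'X';                                    /* corrupt the MZ magic */
    ok += (pe_machine(img, n, &m) == PE_BAD_MZ);
    ok += (pe_machine(img, 16, &m) == PE_TOO_SHORT); /* truncated file */
    return ok;
}

/* Stand-alone use: pass a DLL path to print its target architecture; the
 * NT headers of real files sit well inside the first 4 KiB read here. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("self-check: %d/5 passed\n", pe_self_check());
        return 0;
    }
    uint8_t buf[4096];
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    uint16_t m;
    int rc = pe_machine(buf, n, &m);
    if (rc != PE_OK) { printf("%s: not a valid PE header (code %d)\n", argv[1], rc); return 1; }
    printf("%s: Machine 0x%04x = %s\n", argv[1], m, pe_machine_name(m));
    return 0;
}
```

Run it without arguments for the self-check, or with a path to a DLL to see which of the answer's two cases (Win32 DLL for a Win32 process, x64 DLL for an x64 process) that file belongs to.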
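
From the defender's side, the thread the answer tells you to look for in Process Explorer is what Sysmon records as Event ID 8 (CreateRemoteThread), along with the StartModule and StartFunction where the new thread begins executing. The C program below is an added example, not part of the answer or its linked project: it classifies such records and flags the pattern a launcher like the one in the question produces, a remote thread whose entry point is a LoadLibrary* export. The pipe-delimited one-line layout and every path, PID and thread id in SAMPLE_EVENTS are constructed for the example; the field names are Sysmon's.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sysmon Event ID 8 (CreateRemoteThread) records flattened to one line each as
 * Key=Value|Key=Value. Field names are Sysmon's; the layout, paths, PIDs and
 * thread ids are constructed sample data for this example. */
const char *SAMPLE_EVENTS[] = {
    "EventID=8|SourceImage=C:\\Tools\\launcher.exe|TargetImage=C:\\Windows\\System32\\notepad.exe"
    "|NewThreadId=4120|StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe"
    "|NewThreadId=2204|StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
    "EventID=1|Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe",
    "EventID=8|SourceImage=C:\\Users\\Public\\inj64.exe|TargetImage=C:\\Program Files\\App\\app.exe"
    "|NewThreadId=7731|StartModule=C:\\Windows\\System32\\KERNELBASE.dll|StartFunction=LoadLibraryW",
    "EventID=8|SourceImage=C:\\Users\\Public\\inj64.exe|TargetImage=C:\\Program Files\\App\\app.exe"
    "|NewThreadId=7732|StartModule=|StartFunction=",
};
const size_t N_SAMPLE = sizeof SAMPLE_EVENTS / sizeof SAMPLE_EVENTS[0];

enum verdict { NOT_EVENT8 = 0, BENIGN_THREAD = 1, LOADLIBRARY_THREAD = 2, UNRESOLVED_START = 3 };

/* Copies the value of `key` into out (always NUL-terminated). Returns 1 when the
 * key is present, even with an empty value, and 0 when it is absent. */
int get_field(const char *rec, const char *key, char *out, size_t cap)
{
    size_t klen = strlen(key);
    const char *p = rec;
    if (cap == 0) return 0;
    out[0] = '\0';
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *end = strchr(v, '|');
            size_t vlen = end ? (size_t)(end - v) : strlen(v);
            if (vlen >= cap) vlen = cap - 1;          /* truncate rather than overflow */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 1;
        }
        p = strchr(p, '|');
        if (p) p++;
    }
    return 0;
}

static int has_suffix_icase(const char *s, const char *suf)
{
    size_t ls = strlen(s), lf = strlen(suf);
    if (lf > ls) return 0;
    for (s += ls - lf; *suf; s++, suf++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*suf)) return 0;
    return 1;
}

/* The classic injection signature: a thread created in another process whose
 * entry point is a LoadLibrary* export (kernel32, or kernelbase where Sysmon
 * resolves the forwarder). Empty StartModule and StartFunction mean the start
 * address fell outside every loaded module, which deserves its own review. */
enum verdict classify_event(const char *rec)
{
    char id[16], mod[260], fn[64];
    if (!get_field(rec, "EventID", id, sizeof id) || strcmp(id, "8") != 0)
        return NOT_EVENT8;
    get_field(rec, "StartModule", mod, sizeof mod);
    get_field(rec, "StartFunction", fn, sizeof fn);
    if (mod[0] == '\0' && fn[0] == '\0')
        return UNRESOLVED_START;
    if ((has_suffix_icase(mod, "kernel32.dll") || has_suffix_icase(mod, "kernelbase.dll"))
        && strncmp(fn, "LoadLibrary", 11) == 0)
        return LOADLIBRARY_THREAD;
    return BENIGN_THREAD;
}

/* Scans n records; returns the LoadLibrary-thread count and, if requested,
 * the number of records with an unresolved start address. */
int scan_events(const char **recs, size_t n, int *unresolved)
{
    int hits = 0, unres = 0;
    for (size_t i = 0; i < n; i++) {
        enum verdict v = classify_event(recs[i]);
        if (v == LOADLIBRARY_THREAD) hits++;
        if (v == UNRESOLVED_START) unres++;
    }
    if (unresolved) *unresolved = unres;
    return hits;
}

int main(void)
{
    static const char *labels[] = { "other event", "remote thread (ordinary start)",
                                    "ALERT remote thread starting in LoadLibrary*",
                                    "REVIEW remote thread with unresolved start address" };
    char src[260], dst[260], tid[16];
    for (size_t i = 0; i < N_SAMPLE; i++) {
        enum verdict v = classify_event(SAMPLE_EVENTS[i]);
        if (v == NOT_EVENT8) continue;
        get_field(SAMPLE_EVENTS[i], "SourceImage", src, sizeof src);
        get_field(SAMPLE_EVENTS[i], "TargetImage", dst, sizeof dst);
        get_field(SAMPLE_EVENTS[i], "NewThreadId", tid, sizeof tid);
        printf("%-50s %s -> %s (thread %s)\n", labels[v], src, dst, tid);
    }
    int unres;
    int hits = scan_events(SAMPLE_EVENTS, N_SAMPLE, &unres);
    printf("%d LoadLibrary thread(s), %d unresolved start(s)\n", hits, unres);
    return 0;
}
```

The NewThreadId field is the same identifier the answer suggests printing from the launcher, so a record flagged here can be matched against the thread Process Explorer shows, and against the DllMain debug output once the target has actually loaded the library.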