Inject DLL into running process with CPP

What is the purpose of injecting a DLL into a process?

Injecting a Dynamic link library (Dll) into a process can be used for many things - that is, it's up to the programmer what they want to do. Dll injection is most normally used to hook API in the process, however, it's often used in game hacking to redirect method calls within the game or application to the programmer's custom functions.

In this tutorial I will show only one method of injecting a dll into a running process. This tutorial is a little advanced for the average programmer - this is something most colleges do not teach. If you do not have the fundamentals of creating cpp applications and little knowledge of Win32 API you should not read any further.

We start this tutorial by including couple basic libraries and defining constant variables that we will be using:
#include <windows.h> #include <string> #define MAXWAIT 10000

Next we create a method that will house the code to inject our dll into the process. This method will return a boolean result and take two parameters: DWORD : ProcID, String dll. *Note that we have not set a namespace for the string library that we'll be using, we'll specify that in the declaration of method.
bool insertDll(DWORD procID, std::string dll) { }

And now the fun begins

First we need to find the address of the LoadLibrary api, luckily it is loaded in the same address for every process.
HMODULE hKernel32 = GetModuleHandle("Kernel32"); FARPROC hLoadLibrary = GetProcAddress(hKernel32, "LoadLibraryA");

Then adjust token privileges to open system processes
HANDLE hToken; TOKEN_PRIVILEGES tkp; if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) { LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tkp.Privileges[0].Luid); tkp.PrivilegeCount = 1; tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; AdjustTokenPrivileges(hToken, 0, &tkp, sizeof(tkp), NULL, NULL); }

Open the process with all access
HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

Allocate memory to hold the path to the DLL file in the process's memory
dll += '\0'; LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);

Write the path to the DLL file at the location in process we just created
DWORD numBytesWritten; WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);

Now we create a remote thread that begins at the LoadLibrary function and is passed our memory pointer that holds path to dll file. If the purpose of this dll injection is for a game hack, a lot of anti cheat software detect creation of remote threads.
HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLoadLibrary, hRemoteMem, 0, NULL);

And wait for the thread to finish.
bool res = false; if(hRemoteThread) res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT;

Almost done. . . Time to clean up. Free the memory created in the target process, and release it's handle.
VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE); CloseHandle(hProc); return res;

Put this all together and you and inject your own dll into a target process.

You must be logged in to add comments.

Comments

Author Info	Comment
iPromise Posted about 1 year ago.	Programmed this in Visual Basic .NET and i'm having trouble.. Function: Public Declare Function GetModuleHandle Lib "Kernel32.dll" Alias "GetModuleHandleA" (ByVal IpModuleName As String) As IntPtr Public Declare Function GetProcAddress Lib "Kernel32.dll" (ByVal ModuleHandle As IntPtr, ByVal ProcName As String) As IntPtr Public Declare Function OpenProcessToken Lib "Advapi32.dll" (ByVal ProcessHandle As IntPtr, ByVal DesiredAccess As Integer, ByVal TokenHandle As Long) As Boolean Public Declare Function GetCurrentProcess Lib "Kernel32.dll" () As IntPtr Public Declare Function LookupPrivilegeValue Lib "Advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, ByVal lpLuid As LUID) As Boolean Public Declare Function AdjustTokenPrivileges Lib "Advapi32.dll" (ByVal TokenHandle As IntPtr, ByVal DisableAllPriviledges As Boolean, ByVal NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Integer, ByVal PreviousState As Boolean, ByVal ReturnLength As Boolean) As Boolean Public Declare Function OpenProcess Lib "Kernel32.dll" (ByVal DesiredAccess As Long, ByVal InheritHandle As Boolean, ByVal ProcessID As Long) As IntPtr Public Declare Function FindWindow Lib "User32.dll" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As IntPtr Public Declare Function VirtualAllocEx Lib "Kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, ByVal flProtect As UInteger) As IntPtr Public Declare Function WriteProcessMemory Lib "Kernel32.dll" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Integer, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer Public Declare Function ReadProcessMemory Lib "Kernel32.dl" Alias "ReadProcessMemory" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Integer, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer Public Declare Function CreateRemoteThread Lib "Kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpThreadAttributes As IntPtr, ByVal StackSize As IntPtr, ByVal StartRoutine As Long, ByVal Parameter As Long, ByVal CreationFlags As Integer, ByVal ThreadId As Long) As IntPtr Public Declare Function WaitForSingleObject Lib "Kernel32.dll" (ByVal hHandle As IntPtr, ByVal Milliseconds As UInt32) As UInt32 Public Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As Integer, ByRef dwSize As Integer, ByVal dwFreeType As Long) As IntPtr Public Declare Function CloseHandle Lib "Kernel32.dll" (ByVal hObject As IntPtr) As IntPtr Public Declare Function Main Lib "MyDLL 2.dll" (ByVal Text As String) As Boolean Public Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryA" (ByVal Library As String) As IntPtr Public Declare Function FreeLibrary Lib "kernel32.dll" Alias "FreeLibraryA" (ByVal Handle As IntPtr) As IntPtr Public Delegate Function DllSelfRegister() As Integer Public Const TOKEN_ADJUST_PRIVILEGES As Short = &H20S Public Const TOKEN_QUERY As Short = &H8S Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege" Public Const SE_PRIVILEGE_ENABLED = &H2 Public Const PROCESS_ALL_ACCESS As Integer = &H1F0FFF Public Const MEM_COMMIT As Long = &H1000 Public Const PAGE_READWRITE As Integer = &H4 Public Const MAX_WAIT = 10000 Public Const MEM_RELEASE As Long = &H8000 Public Structure LUID Dim LowPart As Long Dim HighPart As Long End Structure Public Structure LUID_AND_ATTRIBUTES Dim pLuid As LUID Dim Attributes As Long End Structure Public Structure TOKEN_PRIVILEGES Dim PrivilegeCount As Long Dim TheLuid As LUID Dim Attributes As Long End Structure Module: Public Shared Function insertDLL(ByVal ProcID As Integer, ByVal DLL As String) As Boolean Dim hKernel32 As IntPtr = GetModuleHandle("Kernel32.dll") Dim hLoadLibrary As IntPtr = GetProcAddress(hKernel32, "LoadLibraryA") Dim hToken As IntPtr Dim TKP As TOKEN_PRIVILEGES If (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)) Then LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, TKP.TheLuid) TKP.PrivilegeCount = 1 TKP.Attributes = SE_PRIVILEGE_ENABLED AdjustTokenPrivileges(hToken, 0, TKP, Len(TKP), False, False) End If Dim hProc As IntPtr = OpenProcess(PROCESS_ALL_ACCESS, False, ProcID) DLL += "\0" Dim hRemoteMem As IntPtr = VirtualAllocEx(hProc, vbNull, DLL.Length, MEM_COMMIT, PAGE_READWRITE) Dim BytesWritten As Integer WriteProcessMemory(hProc, hRemoteMem, DLL.Length, DLL.Length, BytesWritten) Dim hRemoteThread As IntPtr = CreateRemoteThread(hProc, IntPtr.Zero, 0, hLoadLibrary, hRemoteMem, 0, vbNull) Dim Res As Boolean = False Dim wtf As Integer = 1 If (hRemoteThread) Then Res = WaitForSingleObject(hRemoteThread, MAX_WAIT) VirtualFreeEx(hProc, hRemoteMem, DLL.Length, MEM_RELEASE) CloseHandle(hProc) Return Res End If MsgBox(Res) End Function Made a DLL called "MyDLL 2.DLL" In it, I put: Public Sub Main() MsgBox("Injected!") End Sub Then, in my form I put this: Dim Notepad As IntPtr = FindWindow(vbNullString, "Untitled - Notepad") Dim ProcID As Integer GetWindowThreadProcessId(Notepad, ProcID) insertDLL(ProcID, "C:\Documents and Settings\Hussain Al Homedawy\My Documents\Visual Studio 2008\Projects\MyDLL 2\MyDLL 2\bin\Release\MyDLL 2.dll") Press the button, no luck! Dont get a "Injected" msgbox, some help will be nice :)

Author Info

Comment

iPromise
Posted about 1 year ago.
User Avatar

Programmed this in Visual Basic .NET and i'm having trouble..

Function:

Public Declare Function GetModuleHandle Lib "Kernel32.dll" Alias "GetModuleHandleA" (ByVal IpModuleName As String) As IntPtr Public Declare Function GetProcAddress Lib "Kernel32.dll" (ByVal ModuleHandle As IntPtr, ByVal ProcName As String) As IntPtr Public Declare Function OpenProcessToken Lib "Advapi32.dll" (ByVal ProcessHandle As IntPtr, ByVal DesiredAccess As Integer, ByVal TokenHandle As Long) As Boolean Public Declare Function GetCurrentProcess Lib "Kernel32.dll" () As IntPtr Public Declare Function LookupPrivilegeValue Lib "Advapi32.dll" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, ByVal lpLuid As LUID) As Boolean Public Declare Function AdjustTokenPrivileges Lib "Advapi32.dll" (ByVal TokenHandle As IntPtr, ByVal DisableAllPriviledges As Boolean, ByVal NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Integer, ByVal PreviousState As Boolean, ByVal ReturnLength As Boolean) As Boolean Public Declare Function OpenProcess Lib "Kernel32.dll" (ByVal DesiredAccess As Long, ByVal InheritHandle As Boolean, ByVal ProcessID As Long) As IntPtr Public Declare Function FindWindow Lib "User32.dll" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As IntPtr Public Declare Function VirtualAllocEx Lib "Kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, ByVal flProtect As UInteger) As IntPtr Public Declare Function WriteProcessMemory Lib "Kernel32.dll" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Integer, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer Public Declare Function ReadProcessMemory Lib "Kernel32.dl" Alias "ReadProcessMemory" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByRef lpBuffer As Integer, ByVal nSize As Integer, ByRef lpNumberOfBytesWritten As Integer) As Integer Public Declare Function CreateRemoteThread Lib "Kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpThreadAttributes As IntPtr, ByVal StackSize As IntPtr, ByVal StartRoutine As Long, ByVal Parameter As Long, ByVal CreationFlags As Integer, ByVal ThreadId As Long) As IntPtr Public Declare Function WaitForSingleObject Lib "Kernel32.dll" (ByVal hHandle As IntPtr, ByVal Milliseconds As UInt32) As UInt32 Public Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As IntPtr, ByVal lpAddress As Integer, ByRef dwSize As Integer, ByVal dwFreeType As Long) As IntPtr Public Declare Function CloseHandle Lib "Kernel32.dll" (ByVal hObject As IntPtr) As IntPtr Public Declare Function Main Lib "MyDLL 2.dll" (ByVal Text As String) As Boolean Public Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryA" (ByVal Library As String) As IntPtr Public Declare Function FreeLibrary Lib "kernel32.dll" Alias "FreeLibraryA" (ByVal Handle As IntPtr) As IntPtr Public Delegate Function DllSelfRegister() As Integer Public Const TOKEN_ADJUST_PRIVILEGES As Short = &H20S Public Const TOKEN_QUERY As Short = &H8S Public Const SE_DEBUG_NAME As String = "SeDebugPrivilege" Public Const SE_PRIVILEGE_ENABLED = &H2 Public Const PROCESS_ALL_ACCESS As Integer = &H1F0FFF Public Const MEM_COMMIT As Long = &H1000 Public Const PAGE_READWRITE As Integer = &H4 Public Const MAX_WAIT = 10000 Public Const MEM_RELEASE As Long = &H8000 Public Structure LUID Dim LowPart As Long Dim HighPart As Long End Structure Public Structure LUID_AND_ATTRIBUTES Dim pLuid As LUID Dim Attributes As Long End Structure Public Structure TOKEN_PRIVILEGES Dim PrivilegeCount As Long Dim TheLuid As LUID Dim Attributes As Long End Structure

Module:

Public Shared Function insertDLL(ByVal ProcID As Integer, ByVal DLL As String) As Boolean Dim hKernel32 As IntPtr = GetModuleHandle("Kernel32.dll") Dim hLoadLibrary As IntPtr = GetProcAddress(hKernel32, "LoadLibraryA") Dim hToken As IntPtr Dim TKP As TOKEN_PRIVILEGES If (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or TOKEN_QUERY, hToken)) Then LookupPrivilegeValue(vbNullString, SE_DEBUG_NAME, TKP.TheLuid) TKP.PrivilegeCount = 1 TKP.Attributes = SE_PRIVILEGE_ENABLED AdjustTokenPrivileges(hToken, 0, TKP, Len(TKP), False, False) End If Dim hProc As IntPtr = OpenProcess(PROCESS_ALL_ACCESS, False, ProcID) DLL += "\0" Dim hRemoteMem As IntPtr = VirtualAllocEx(hProc, vbNull, DLL.Length, MEM_COMMIT, PAGE_READWRITE) Dim BytesWritten As Integer WriteProcessMemory(hProc, hRemoteMem, DLL.Length, DLL.Length, BytesWritten) Dim hRemoteThread As IntPtr = CreateRemoteThread(hProc, IntPtr.Zero, 0, hLoadLibrary, hRemoteMem, 0, vbNull) Dim Res As Boolean = False Dim wtf As Integer = 1 If (hRemoteThread) Then Res = WaitForSingleObject(hRemoteThread, MAX_WAIT) VirtualFreeEx(hProc, hRemoteMem, DLL.Length, MEM_RELEASE) CloseHandle(hProc) Return Res End If MsgBox(Res) End Function

Made a DLL called "MyDLL 2.DLL"

In it, I put:

Public Sub Main() MsgBox("Injected!") End Sub

Then, in my form I put this:

Dim Notepad As IntPtr = FindWindow(vbNullString, "Untitled - Notepad") Dim ProcID As Integer GetWindowThreadProcessId(Notepad, ProcID) insertDLL(ProcID, "C:\Documents and Settings\Hussain Al Homedawy\My Documents\Visual Studio 2008\Projects\MyDLL 2\MyDLL 2\bin\Release\MyDLL 2.dll")

Press the button, no luck! Dont get a "Injected" msgbox, some help will be nice :)