Here's how it's going to go down. I'm going to run through the theory on its own first, then I'll start writing it out in code and explain each step as it appears.
What is LoadLibrary Injection?
This is the very first thing you need to know; What are we attempting to do?
Well, for starters, LoadLibrary (as you may or may not know) is a function in the kernel32.dll. Here's its actual method signature according to MSDN:
Code:
HMODULE WINAPI LoadLibrary(__in LPCTSTR lpFileName );
Despite the C++, that's not that scary right? It's just a function that takes a single string argument which then tells LoadLibrary where to load the file from. It then loads that library into the process and -in the case of dlls- calls the DllMain function. Simple enough to grasp I hope (you don't have to know how LoadLibrary works, just understand what it does)
Why is this useful to us?
Well, I'll tell you. kernel32.dll is loaded into almost, if not all (there, protected against your nitpicking @freedompeace) windows processes. This means that all it's functions are ALSO loaded into the process, in particular, LoadLibrary. Due to some trickery, we can call LoadLibrary in an external process and tell it to load our designated dll. More on that to come.
Okay, so we have to somehow call LoadLibrary in the external process...how the?
Okay, first things first, you need to open a handle to your process so we can access it. Next you'll need to write the dll location to that processes memory (in bytes, of course). We need to do this because when calling the LoadLibrary function, we'll need to pass the parameter as an address for it to find the dll location. After we've called the LoadLibrary function, and everything has worked successfully, we just do some cleaning up, close all the handles and shit.
That's it! Simple eh? Now we just need to translate that simple process into code.
First, we'll need some API declarations so we can do what we need. Here they are.
Code:
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
And here's what we'll use them for:
OpenProcess This function returns the handle to the process specified by the dwProcessId parameter, we need this when accessing the process externally.
VirtualAllocEx Allows us to allocate memory in an external process specified by the hProcess handle. This is needed to allocate the memory to write our dll location to.
WriteProcessMemory Write memory to an external process specified by the hProcess handle. We'll use this simple function to write our dll location to the memory allocated by VirtualAllocEx
GetModuleHandle Gets the handle to a specified module within our program (THIS IS NOT EXTERNAL), we'll use this to get the handle to the kernel32.dll module.
GetProcAddress Find the address of a function within a module, given the module handle. We'll find the address of the LoadLibrary function within kernel32 with this.
CreateRemoteThread Creates a thread in the remote process. We'll use this as the final step: Calling the LoadLibrary function and giving the dll its own thread so it doesn't conflict with the process's main thread.
WaitForSingleObject Waits for an object to return. In particular we'll wait for the LoadLibrary function to finish its work, then close the handle to it.
CloseHandle Very simple function. Closes an open handle.
That's it for APIs. All we need
First up, I just wanna code a tiny little cleanup routine for when we get further into the function and want to abort. Basically just cleans up input handles and returns false. You'll see it in action later.
Code:
Private Function Die(Optional ByVal hProc As Integer = Nothing, Optional ByVal libThread As Integer = Nothing) As Boolean
If Not hProc = Nothing Then CloseHandle(hProc)
If Not libThread = Nothing Then CloseHandle(libThread)
Return False
End Function
Now that moment is finally here, coding our function.to inject a process. First comes the method signature.
Code:
Private Function InjectDll(ByVal processID As Integer, ByVal dllLocation As String) As Boolean
Simple method singature, we'll take in a process id and a dll location and do our injection. If everything goes okay, we'll return true, otherwise false.
Now we're going to start with some simple error checking so that our function doesn't assrape itself.
Code:
If Not IO.File.Exists(dllLocation) Then Return False 'if the dll doesn't exist, no point in continuing. So we return false.
If IntPtr.Size = 8 Then Return False 'If the size of an IntPtr is 8, then is program was compiled as x64. x64 processes can't access x86 processes properly, so we just return false. You need to compile this program as x86.
Time to open up that process!
Code:
Dim hProcess As Integer = OpenProcess(&H1F0FFF, 1, processID) 'We'll open the process specified by the input process ID. With PROCESS_ALL_ACCESS access, seeing as we only need to write.
If hProcess = 0 Then Return Die() 'If we didn't get the handle, we exit and return false. No cleanup so no params for die()
Next we've gotta allocate some memory for the dll location, and then write it.
Code:
Dim dllBytes As Byte() = System.Text.Encoding.ASCII.GetBytes(dllLocation + ControlChars.NullChar) 'As I mentioned earlier, we have to write the dll location as bytes to the process memory, so we take the bytes of the string using the standard encoding, adding a null byte at the end.
Dim pathLocation As Integer = VirtualAllocEx(hProcess, 0, dllBytes.Length, &H1000, &H4) 'Allocate memory the size of the string we need to write to memory. pathLocation now holds the address of where the memory was allocated.
If pathLocation = Nothing Then Return Die(hProcess) 'VirtualAllocEx returns Nothing when it fails, so we check for that and return false if we find it. We've opened a process handle so we have to pass that to Die to clean it up.
So hopefully you could see in that step that we just converted the dll location to bytes, and then allocated some memory (the size of the dll location bytes) in the target process. Now we need to write to it.
Code:
Dim wpm As Integer = WriteProcessMemory(hProcess, pathLocation, dllBytes, dllBytes.Length, 0) 'write the contents of dllBytes to the memory allocated at pathLocation.
If wpm = 0 Then Return Die(hProcess) ' WriteProcessMemory returns 0 if it fails.
Alright we're getting there, so far we have written the location of our dll to the other processes memory, and we have the address where we wrote that. That's part one complete, the next part is actually finding and calling LoadLibrary
in that process and passing in the variable we wrote to memory. We'll get the address of LoadLibrary first.
Here's how:
Code:
Dim kernelMod As Integer = GetModuleHandle("kernel32.dll") 'Remember what I was saying about kernel32 being loaded into the same address space for every normal process? This means we don't have to do any fancy crap to find its location in our target process, we can get the location in our own process and safely assume it will be the same for all process. This means we can use GetModuleHandle, which only works internally.
Dim loadLibAddr As Integer = GetProcAddress(kernelMod, "LoadLibraryA") ' GetProcAddress gives us the address of the specified function within the module.
If loadLibAddr = 0 Then Return Die(hProcess) 'If GetProcAddress failed it'll return 0.
Yay, we finally have the address of the LoadLibrary function. NOW WE CAN CALL IT AND LOAD THIS FUCKER.
Code:
Dim procThread As Integer = CreateRemoteThread(hProcess, 0, 0, loadLibAddr, pathLocation, 0, 0) 'Okay, this is the thread creation. We pass our process handle to tell what process to create the thread on. the third param is the handle of the function to call. In this case we choose the LoadLibrary function. The next param is the arguments to pass to the function (omg remember we wrote that to memory? NOW WE PASS THE ADDRESS BACK!)
If procThread = 0 Then Return Die(hProcess) 'unable to create the thread. Return false
Dim waitVal As Integer = WaitForSingleObject(procThread, 5000) 'allow the LoadLibrary function 5 seconds to process.
If Not waitVal = &H0UI Then Return Die(hProcess, procThread) 'Function didn't signal completion. **** that shit abort ABORT
CloseHandle(procThread) 'close the handle to the LoadLibrary function
CloseHandle(hProcess) 'close the handle to the process
Return True 'made it, yay.
And that's it, you have successfully located the LoadLibrary function and called it, passing our dll location as the param. The dll should now load successfully.
I hope someone actually reads the tutorial, it's pretty lengthy for such a short function but there's a lot of shit going on if you're new to it.
EDIT: Oh yeah, if you're having trouble finding how to compile to x86. Check out this MSDN article.
Compile options VS Express Editions - SocialMSDN
Any questions, criticisms (if their constructive, haters can just **** off) or suggestions... feel free to post
Cheers.
Chooka/Jason
UPDATE
UPDATE:
Okay, modified the injection code slightly. After starting to learn C the importance of memory management has become apparent. So, I've now added VirtualFreeEx to free the allocated memory.
Also, I discovered the GetExitCodeThread function, which allows you to get the return value of a specific thread, thereby allowing us to actually return whatever the LoadLibrary function returned (the handle to the module if successful). I've now written a new function "LoadLibraryEx" to tie in with the injection, but also be re-usable.
Here's the updated code:
Imports:
Code:
Imports System.Runtime.InteropServices 'for marshaling unmanaged return types.
API Declarations (Note VirtualFreeEx and GetExitCodeThread)
Code:
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As Integer) As Integer
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal dwFreeType As Integer) As <MarshalAs(UnmanagedType.Bool)> Boolean
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Integer, <Out()> ByRef lpExitCode As UInt32) As <MarshalAs(UnmanagedType.Bool)> Boolean
I've already said what all these API functions do pretty much. VirtualFreeEx is basically the opposite of VirtualAllocEx, except there is a catch with its "dwSize" param:
Quote Originally Posted by msdn
dwSize [in]
The size of the region of memory to free, in bytes.
If the dwFreeType parameter is MEM_RELEASE, dwSize must be 0 (zero). The function frees the entire region that is reserved in the initial allocation call to VirtualAllocEx.
So basically if we're freeing memory completely (releasing it), you don't put a value for dwSize despite what you might think, leave it at 0 for mem_release. Also, you no longer need the "Die" function at all.
Okay, the LoadLibraryEx function (commented, as usual).
This function is quite long now:
Code:
Public Shared Function LoadLibraryEx(ByVal hProcess As Integer, ByVal lpFileName As String) As UInt32
If Not IO.File.Exists(lpFileName) OrElse IntPtr.Size = 8 Then Return 0 'first thing: Make sure the file exists, and we're compiled in x86
Dim bFileName As Byte() = System.Text.Encoding.ASCII.GetBytes(lpFileName + ControlChars.NullChar) 'convert the string to chars (add a nullbyte)
Dim lpFileAddress As Integer = VirtualAllocEx(hProcess, 0, bFileName.Length, &H1000, &H4) 'allocate the memory to put our char array in.
If lpFileAddress = 0 Then Return 0
Dim writeSuccess As Integer = WriteProcessMemory(hProcess, lpFileAddress, bFileName, bFileName.Length, 0) 'write our chars to the process.
If writeSuccess = 0 Then Return 0
Dim lpLoadLibrary As Integer = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA") 'find where LoadLibrary is located
If lpLoadLibrary = 0 Then Return 0 'if for some reason we couldn't get it.
Dim libThread As Integer = CreateRemoteThread(hProcess, 0, 0, lpLoadLibrary, lpFileAddress, 0, 0) 'execute loadlibrary in the remote process.
If libThread = 0 Then Return False
Dim waitVal As Integer = WaitForSingleObject(libThread, 10000) 'wait up to 10 seconds for the thread to return.
'(be warned, if the target DLL puts a messagebox in DllMain and the user doesn't click it in 10 seconds, this function will return 0 so edit the wait time if you want.
If Not waitVal = &H0UI Then Return CloseHandle(libThread) < Int32.MinValue 'simple trick to close the handle and simultaneously return 0.
Dim hModule As UInt32 = 0 'prepare our hModule holder.
If Not GetExitCodeThread(libThread, hModule) Then Return CloseHandle(libThread) < Int32.MinValue 'try to get the thread return value
VirtualFreeEx(hProcess, lpFileAddress, 0, &H8000) 'dont bother checking the return value of VF, we've successfully injected and if the memory fails to free there's nothing we can do.
CloseHandle(libThread) 'dispose our thread handle, we're done with it.
Return hModule
End Function
Okay, so now we need to refactor our Inject code to work with LoadLibraryEx.
Code:
Public Shared Function InjectDll(ByVal dwProcID As Integer, ByVal lpFileName As String) As Uint32
Dim hProc As Integer = OpenProcess(&H42A, True, dwProcID) 'open the process with a combination of PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION.
If hProc = 0 Then Return 0 'if unable to obtain a handle, quit.
Dim hModule As UInt32 = LoadLibraryEx(hProc, lpFileName) 'try and load the library
CloseHandle(hProc) 'finished our use with the handle, dispose of it.
Return hModule
End Function
And that's it!
For extra curricular activities, here's my FreeLibraryEx. It functions very much the same as LoadLibraryEx, but those of you who are actually paying attention will notice we didn't write the hModule value to memory! Why not you may ask? The difference is in the param types for LoadLibrary and FreeLibrary.
LoadLibrary = LPCSTR (pointer to C-string)
FreeLibrary = HMODULE (essentially a typedef of unsigned int, which is a value type not a reference!)
So for LoadLibrary, we are required to pass a POINTER to it, rather than a literal value, LoadLibrary then reads from where the pointer points to. For this reason, we had to generate a pointer by allocating some memory, writing a string there and then keeping the pointer to that memory address.
On the other hand, FreeLibrary just takes an unsigned int, which isn't a reference type (i.e, you dont have to pass a pointer to it), so you can simply call CreateRemoteThread and pass the hModule value as the param)
Here's the code:
Code:
Public Shared Function FreeLibraryEx(ByVal hProcess As Integer, ByVal hModule As UInt32) As Boolean
Dim freeLibAddress As Integer = GetProcAddress(GetModuleHandle("kernel32"), "FreeLibrary")
If freeLibAddress = 0 Then Return False
Dim flThread As Integer = CreateRemoteThread(hProcess, 0, 0, freeLibAddress, hModule, 0, 0)
If flThread = 0 Then Return 0
Dim waitVal As Integer = WaitForSingleObject(flThread, 10000)
If Not waitVal = &H0UI Then Return CloseHandle(flThread) < Int32.MinValue
CloseHandle(flThread)
Return True
End Function
Now you just pass the value returned by LoadLibraryEx to FreeLibraryEx to unload the DLL.
Enjoy it!