hey.
i was wondering on how to inject a dll into a process while it is starting?
thx.
Posted on 2004-10-11 09:19:51 by ReVeR
CreateProcess in suspended mode, inject, then ResumeThread on the main suspended thread
Posted on 2004-10-11 09:40:04 by comrade
nice description comrade! :-D

why inject it trough createprocess?
Posted on 2004-10-11 12:27:58 by diablo2oo2
why inject it trough createprocess?

Cause otherwise it is hard to inject it while it is starting.

I do currently something similar (for logging some I/O port in/output), so I just insert some code in the original DLL I want to log doing a LoadLibrary() call, and then my DLL patching the functions of the I/O DLL
Posted on 2004-10-11 13:11:18 by wols
hello guys
i was just wondering whether u guys want to inject a dll (a new dll i mean)or ur trying to inject some code to a particular dll.
anyway i hope this will help you out.

http://www.codeproject.com/dll/DLL_Injection_tutorial.asp

Please share ur work when u finish it.all the best.
nickdigital
Posted on 2004-10-11 14:39:31 by nickdigital
i just codoed a little.

ok its simple to inject.

1.CreateProcess: your target.exe
2.WriteProcess: insert your code to entrypoint

it also works without Suspend mode and also without VirtualProtectEx (to make the code section writeable). i dont know why.
Posted on 2004-10-11 14:42:48 by diablo2oo2
here is a code snippet

invoke GetEntrypoint,addr target_exe	;returns entrypoint in eax

mov ENTRY_POINT,eax

invoke CreateProcess,
addr target_exe, ;target filename
NULL,
NULL,
NULL,
NULL,
CREATE_SUSPENDED,
NULL,
NULL,
ADDR Startup,
ADDR processinfo
.if eax == NULL
;invoke MessageBox, NULL,SADD ("Can't create process"),NULL, MB_ICONEXCLAMATION
jmp @exit
.endif

;---try to attach code at entrypoint---
mov esi,0
@patchmemory:
mov eax,offset End_PatcherCode ;calc size of attached code
sub eax,offset Begin_PatcherCode
mov ebx,offset Begin_PatcherCode
invoke WriteProcessMemory,processinfo.hProcess, ENTRY_POINT,ebx,eax, NULL
.if eax == FALSE
cmp esi,1
je @exit
;invoke MessageBox, NULL,SADD ("Failed: WriteProcessMemory"),NULL, MB_ICONEXCLAMATION
invoke VirtualProtectEx,
processinfo.hProcess, ;handle of process
ENTRY_POINT, ;region
512, ;size
PAGE_EXECUTE_READWRITE, ;access mode
addr oldprotection ;bla bla bla
mov esi,1
.if eax == FALSE
;invoke MessageBox, NULL,SADD ("Failed: VirtualProtectEx"),NULL, MB_ICONEXCLAMATION
jmp @exit
.endif
jmp @patchmemory
.endif

;lets run the target
invoke ResumeThread, processinfo.hThread

@exit:
invoke ExitProcess,NULL
Posted on 2004-10-11 14:54:20 by diablo2oo2
hi diablo2002
thats good piece of work i also did something like that earlier but without virtualprotectex api and it works fine.wat i did was related to codeinjection as well as dll injection.

however i cannot discuss it here for some reasons
all the best.
nickdigital
Posted on 2004-10-11 14:56:56 by nickdigital
hi Rever

there are actually 3 different ways of injecting a dll

1.Put your code into a DLL; then, map the DLL to the remote process via windows hooks.

2.Put your code into a DLL and map the DLL to the remote process using the CreateRemoteThread & LoadLibrary technique.

3.Instead of writing a separate DLL, copy your code to the remote process directly - via WriteProcessMemory - and start its execution with CreateRemoteThread.
Posted on 2004-10-11 15:25:15 by nickdigital