kaspyx

DLL Injection

Jan 15th, 2012
  1. #undef _UNICODE
  2. #undef UNICODE
  3.  
  4.  
  5. #include <windows.h>
  6.  
  7.  
/* Function-pointer type with LoadLibrary's signature.  InjectDll resolves
 * the real address with GetProcAddress and stores it in INJDAT; LLProc calls
 * through that pointer in the target process. */
typedef HINSTANCE (__stdcall *PLOADLIB)(LPCTSTR);
  9.  
  10.  
/* Parameters and results exchanged with the target process.
 *
 * InjectDll fills this in locally, copies it into the target with
 * WriteProcessMemory, passes the remote copy to LLProc as its thread
 * argument, waits for the thread, and reads the struct back.  Both the
 * writer and the reader are compiled from this file in the same build, so
 * the layout matches on each end; reordering or resizing members changes
 * what the remote side sees. */
struct INJDAT
{
 _TCHAR dll[MAX_PATH];   /* in:  module name/path handed to LoadLibrary */
 HINSTANCE hInst;        /* out: handle returned by LoadLibrary, 0 on failure */
 DWORD err;              /* out: GetLastError() after a failed load, else 0 */

 /* in: address of LoadLibrary as resolved by the caller (GetProcAddress);
  * LLProc invokes it through this pointer rather than by name. */
 PLOADLIB LoadLibrary;
};
  23.  
  24.  
/* Thread routine executed inside the target process.
 *
 * InjectDll copies the bytes from LLProc up to LLProcEnd into the target and
 * starts them with CreateRemoteThread, so the only way this body reaches
 * LoadLibrary is through the pointer carried in the INJDAT it receives.
 *
 * _pInjDat: the INJDAT copy that InjectDll placed in the target.
 * Returns the Win32 error code of the load (0 on success).  The same value
 * is left in pDat->err and the module handle (or 0) in pDat->hInst, which
 * InjectDll reads back with ReadProcessMemory after the thread finishes. */
static DWORD WINAPI LLProc(LPVOID _pInjDat)
{
 struct INJDAT *pDat = (struct INJDAT *)_pInjDat;

 /* Reset the thread's last-error value so that, on failure, GetLastError()
  * below reflects this LoadLibrary call and not something earlier. */
 SetLastError(0);
 pDat->hInst = pDat->LoadLibrary(pDat->dll);

 if(!pDat->hInst)
  pDat->err = GetLastError();
 else
  pDat->err = 0;

 /* The thread exit code mirrors pDat->err. */
 return pDat->err;
}
  44.  
  45.  
/* Empty marker function laid out after LLProc.  It is never called;
 * InjectDll only takes its address as the end of the code range to copy. */
static void LLProcEnd(void)
{
}
  47.  
  48. HINSTANCE __stdcall InjectDll(HANDLE hProc, LPCTSTR dll)
  49. {
  50.  const unsigned cb =
  51.   ((unsigned)LLProcEnd) - ((unsigned)LLProc);
  52.  
  53.  
  54.  struct INJDAT dat;
  55.  HINSTANCE hKernel = 0;
  56.  
  57.  
  58.  PVOID pRemoteDat = 0;
  59.  
  60.  
  61.  HANDLE hThread = 0;
  62.  
  63.  
  64.  DWORD id = 0;
  65.  
  66.  
  67.  LPTHREAD_START_ROUTINE pRemoteProc =
  68.   (LPTHREAD_START_ROUTINE)VirtualAllocEx(
  69.   hProc,      // Target process
  70.   NULL,      // Let the VMM decide where
  71.   cb,       // Size
  72.   MEM_COMMIT,     // Commit the memory
  73.   PAGE_EXECUTE_READWRITE); // Protections
  74.  if(!pRemoteProc) return 0;
  75.  
  76.  
  77.  __try {
  78.  
  79.  
  80.   if(!WriteProcessMemory(
  81.    hProc,     // Target process
  82.    pRemoteProc,   // Source for code
  83.    LLProc,     // The code
  84.    cb,      // Code length
  85.    NULL))     // We don't care
  86.    return 0;
  87.  
  88.  
  89.   // Now fill in a INJDAT
  90.   strcpy(dat.dll, dll);
  91.  
  92.  
  93.   hKernel = LoadLibrary("KERNEL32.DLL");
  94.   if(!hKernel) return 0;
  95.  
  96.  
  97.   dat.LoadLibrary =
  98.    (PLOADLIB)GetProcAddress(hKernel, "LoadLibrary");
  99.   if(!dat.LoadLibrary) return 0;
  100.  
  101.  
  102.   // Now copy the INJDAT
  103.   pRemoteDat = VirtualAllocEx(hProc, NULL,
  104.    sizeof(struct INJDAT), MEM_COMMIT, PAGE_READWRITE);
  105.   if(!pRemoteDat) return 0;
  106.  
  107.  
  108.   if(!WriteProcessMemory(hProc, pRemoteDat, &dat,
  109.    sizeof(struct INJDAT), NULL))
  110.    return 0;
  111.  
  112.  
  113.   // Now spawn the thread
  114.   hThread = CreateRemoteThread(
  115.    hProc,     // Target process
  116.    NULL,     // No security
  117.    4096 * 16,    // 16 pages of stack
  118.    pRemoteProc,   // Thread proc
  119.    pRemoteDat,    // Data
  120.    0,      // Run NOW
  121.    &id);
  122.  
  123.  
  124.   if(!hThread) return 0;
  125.  
  126.  
  127.   // Wait for it!!
  128.   WaitForSingleObject(hThread, INFINITE);
  129.  
  130.  
  131.   // Read the data back out
  132.   if(!ReadProcessMemory(
  133.    hProc,     // Target process
  134.    pRemoteDat,    // Their data
  135.    &dat,     // Our data
  136.    sizeof(struct INJDAT), // Size
  137.    NULL))     // We don't care
  138.    return 0;
  139.  
  140.  
  141.   // Restore the status
  142.   SetLastError(dat.err);
  143.   return dat.hInst;
  144.  
  145.  
  146.  }
  147.  
  148.  
  149.  __finally // Clean up
  150.  {
  151.   DWORD lerr = GetLastError();
  152.  
  153.  
  154.   if(pRemoteProc) VirtualFreeEx(hProc, pRemoteProc,
  155.    cb, MEM_RELEASE);
  156.  
  157.  
  158.   if(hKernel) CloseHandle(hKernel);
  159.  
  160.  
  161.   if(pRemoteDat) VirtualFreeEx(hProc, pRemoteDat,
  162.    sizeof(struct INJDAT), MEM_RELEASE);
  163.  
  164.  
  165.   if(hThread) CloseHandle(hThread);
  166.  
  167.  
  168.   SetLastError(lerr);
  169.  }
  170.  
  171.  
  172.  return 0; // Something blew up!!