Introduction
There are several articles presented on DLL Injection. But still I wanted to do a simple example which will be easy for a novice programmer.
Background
As you know there are several uses of DLL injection like hot patching, logging, subclassing, etc. This article focuses on subclassing a window using DLL injection. Subclassing is redefining the behavior of the window by changing the window procedure. To change the window procedure, the window procedure should reside in the process which created the window. I planned to mimic the hacking by scrambling the window behavior without the knowledge of the process which created the window. There are three modules involved in this article.
- Injectee: This is a target process which created the window. I call this "Injectee" to which the DLL ("Injection" ) is being injected. This is a simple Win32 application which has a window and whenever the left mouse button is pressed, a circle is being drawn. That's all!!!!
- Injection: This is a DLL which has the new window procedure to be hooked to the window of the Injectee.
- Injector: This is the process which actually injects the injection into the injectee. This is a simple console application.
Using the code
As mentioned earlier, the source code has three modules.
- Make sure to build the Injection first so that the DLL is ready to be injected. Once the Injection module is built successfully, the resulting DLL is copied to the x86 directory.
- Then build the Injectee and launch it. Now when you do left click on the screen using mouse, circles are drawn on the click location and it will continue to work fine. When the injector is built, the DLL is copied from the x86 directory to the Debug/Release directory of the Injectee project.
- Build the Injector and launch it. The injector will inject the injection DLL into the injectee's process and terminates.
- Now if you left click on the screen, you won't see the circle, rather a bizarre message "UR HACKED".
- The source code for the Injetee is nothing special. It's just a plain vanilla code to create a window using the SDK.
Let's see the source code for the Injection. As we know, the Injection is a simple DLL and when DllMain
is called with reason as DLL_PROCESS_ATTACH
, I'm doing the hack.
case DLL_PROCESS_ATTACH:
{
HWND hwnd = ::FindWindow(NULL,TEXT("Injectee") );
if( hwnd )
{
oldWindowProc = ::SetWindowLongPtr( hwnd, GWL_WNDPROC, (LONG_PTR) HackingWndProc );
}
break;
}
The new window procedure looks something like this:
LRESULT CALLBACK HackingWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
switch( message )
{
case WM_LBUTTONDOWN:
{
int x = GET_X_LPARAM(lParam);
int y = GET_Y_LPARAM(lParam);
HDC hDC = ::GetDC( hWnd );
DrawText( hDC,x,y);
break;
}
case WM_RBUTTONDOWN:
{
int x = GET_X_LPARAM(lParam);
int y = GET_Y_LPARAM(lParam);
HDC hDC = ::GetDC( hWnd );
::Ellipse( hDC,x,y,(x+50),(y+50));
break;
}
case WM_DESTROY:
{
PostQuitMessage(0);
break;
}
default:
return DefWindowProc(hWnd, message, wParam, lParam);
}
return 0;
}
Next let's see the source code for the Injector.
This code is simple. First we should know the name of the DLL (injection) to be injected in the target process (injectee).
- This DLL name should be known by the target process. So this has to be written in the target process' address space.
- Find out the window of the Injectee using its window title.
- Next get the handle of the process which created the window using
GetWindowThreadProcessId
.
- Open the injectee's process using its handle.
- Then allocate memory in the injectee's address space to write the name of the DLL to be injected.
- Write the name of the DLL to be injected.
- Get the address of the
LoadLibrary
method. This is the method to be invoked by the thread which is going to be created in the the injectee's address space.
- Then call
CreateRemoteThread
to create a thread inside the injectee's address space. This thread is going to execute the LoadLibrary
function with the library name as the injection DLL.
- As the thread calls the
LoadLibrary
method to load the DLL, DllMain
is called with reason as DLL_PROCESS_ATTACH
. Refer the Injection's code to see what happens when DllMain
is called.
- Wait for the remote thread to execute before calling the
VirtualFree
method, otherwise when the remote thread looks for the name of the DLL, the name of the address block which holds the DLL name is already freed by the injector process which may cause a crash!
int _tmain(int argc, _TCHAR* argv[])
{
char* szInjectionDLLName = TEXT("Injection.dll");
DWORD dwProcessID;
HWND hwnd = ::FindWindow(NULL,TEXT("Injectee") );
GetWindowThreadProcessId(hwnd, &dwProcessID );
HANDLE hProcess = ::OpenProcess( PROCESS_ALL_ACCESS,false, dwProcessID);
void* baseAddress = VirtualAllocEx( hProcess,NULL,
strlen(szInjectionDLLName), MEM_COMMIT, PAGE_READWRITE );
SIZE_T nbBytesWritten = 0;
WriteProcessMemory( hProcess,baseAddress,szInjectionDLLName,
strlen(szInjectionDLLName),&nbBytesWritten );
FARPROC pLoadLib = GetProcAddress( GetModuleHandle(TEXT("kernel32.dll") ), "LoadLibraryA");
DWORD dwThreadID = 0;
HANDLE hRemoteThread = CreateRemoteThread(hProcess,NULL,0,
(LPTHREAD_START_ROUTINE)pLoadLib, baseAddress,0, &dwThreadID );
WaitForSingleObject( hRemoteThread,INFINITE );
VirtualFreeEx( hProcess, baseAddress,0, MEM_RELEASE );
return 0;
}
History
Version1: [ 02/13/2013 ]
This is the first version of the article. Will keep updated based on the viewer's comments.
Version2: [ 09/18/2015 ]
There was an issue/bug with the files uploaded in the first version. I have fixed the issues and uploading the files as version2.
Note: When you want to run in debug mode,make sure to build the Injection (dll) in debug mode and run the Injector as well as the Injectee in debug mode. The same applies to release mode as well.