CreateRemoteThread .dll Injection
This is not the best method of injecting, but it is by far easier than
other methods.
(I personally don't like this method very much)
This tutorial is intended for beginners, or for anyone who has never done .dll injection before.
We will be using notepad as the target for this tutorial.
NOTE : This method only works on Windows NT and above.
Okay, we will need to follow these steps when using CreateRemoteThread:
-----------------------------------------------------
STEP 1 : Get the target Process ID.
STEP 2 : Get the full path of the .dll.
STEP 3 : Allocate some memory in the target process for the loading of our .dll.
STEP 4 : Write the name of the .dll to our newly allocated space.
STEP 5 : Execute the code using CreateRemoteThread.
STEP 6 : Clean up.
-----------------------------------------------------
Okay, those are our basic steps.
Now it's time to start.
Open up Visual Studio -> C++ -> CLR Console Application.
Go to Project -> Character Set -> Multi-byte Character Set (the code uses char strings, so the Win32 A functions must be selected),
and Common Language Runtime Support -> Common Language Runtime Support (/clr).
Add these headers to the top of your project (they are the ones the code below uses):
Code:
    #include "stdafx.h"   //Precompiled Header
    #include <windows.h>  //OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
    #include <tlhelp32.h> //CreateToolhelp32Snapshot, Process32First, Process32Next
    #include <stdio.h>    //printf
    #include <string.h>   //strlen, _stricmp
Okay, we want to get the ID of the process we want to inject into. So how do we do this? Simple. We use a neat little function coded by batfitch ... GetProcessId:
Code:
    //Function written by batfitch. It returns the process ID of the first process
    //whose image name matches, 0 if none matches, and 0xFFFFFFFF if several match.
    DWORD GetProcessId(const char * szExeName)
    {
        DWORD dwRet = 0;
        DWORD dwCount = 0;
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot != INVALID_HANDLE_VALUE)
        {
            PROCESSENTRY32 pe = {0};
            pe.dwSize = sizeof(PROCESSENTRY32);
            BOOL bRet = Process32First(hSnapshot, &pe);
            while (bRet)
            {
                //Case-insensitive compare against the image name of every process
                if (!_stricmp(pe.szExeFile, szExeName))
                {
                    dwCount++;
                    dwRet = pe.th32ProcessID;
                }
                bRet = Process32Next(hSnapshot, &pe);
            }
            //More than one match is ambiguous, so signal it instead of guessing
            if (dwCount > 1)
                dwRet = 0xFFFFFFFF;
            CloseHandle(hSnapshot);
        }
        return dwRet;
    }
Add that to your project ...
How do we use this function? Simple:
Code:
    DWORD ID = GetProcessId("notepad.exe");
Okay, now that we have the process ID we can continue. For the .dll injection we will need the full path to our .dll, because LoadLibraryA will run inside the target process, which has a different current directory than ours.
We can get the full path by doing this:
Code:
    //Declare our dll variable (MAX_PATH bytes, so the whole path fits)
    char dll[MAX_PATH];
    //Get the full path of our .dll
    GetFullPathName("Tutorial.dll", MAX_PATH, dll, NULL);
Okay, our full path to the .dll is saved in the variable dll.
NOTE: The .dll that we are using is "Tutorial.dll" and its name should stay that way. GetFullPathName resolves Tutorial.dll's path relative to the current directory of the application, so the .dll has to be in that directory.
Okay, now we need to declare the handle of the process we want to inject into.
Code:
    //Declare the handle of the process.
    HANDLE Process;
Let's declare the memory which we will be allocating.
Code:
    //Declare the memory we will be allocating
    LPVOID Memory;
Now let's declare a variable for the address of LoadLibraryA. (It is not called LoadLibrary, because windows.h defines LoadLibrary as a macro for LoadLibraryA.)
Code:
    //Declare the address of LoadLibraryA
    LPVOID LoadLibAddr;
Now that we have the handle of the process declared, let's open the process for read, write and execute access. OpenProcess returns NULL if the process does not exist or our account has no rights over it (for example a process of another user, or a protected process), so check it.
Code:
    //Open the process with read, write and execute access.
    Process = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION, FALSE, ID);
    if (Process == NULL)
        return false;
Okay, now that we have gained access to the process we can get the address of LoadLibraryA. kernel32.dll is mapped at the same base address in every process of the same bitness, so the address we look up in our own process is also valid inside the target.
Code:
    //Get the address of LoadLibraryA
    LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
Now let's allocate some space for the name of our .dll.
Code:
    // Allocate space in the process for our DLL path (plus the terminating NUL)
    Memory = VirtualAllocEx(Process, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
Now that we have the space we should use it! Use WriteProcessMemory to write the .dll name to the allocated space.
Code:
    // Write the string name of our DLL in the memory allocated
    WriteProcessMemory(Process, Memory, dll, strlen(dll) + 1, NULL);
Now the golden moment ... let's execute LoadLibraryA using CreateRemoteThread. The new thread starts at LoadLibraryA with our string as its only argument, so the target process loads the .dll itself.
Code:
    // Load our DLL. Keep the thread handle so we can wait for LoadLibraryA to finish.
    HANDLE Thread = CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, Memory, 0, NULL);
There we go ... we are not done yet though. Let's just do some cleaning. Wait for the remote thread first, because LoadLibraryA reads the string from the memory we are about to free, and free the memory before closing the process handle (VirtualFreeEx needs an open handle).
Code:
    //Wait until LoadLibraryA has returned, then close the thread handle.
    WaitForSingleObject(Thread, INFINITE);
    CloseHandle(Thread);
    //Free the allocated memory.
    VirtualFreeEx(Process, Memory, 0, MEM_RELEASE);
    //Close our handle to the process.
    CloseHandle(Process);
So the full code will look like this (NOTE: I've coded the CreateRemoteThreadInject function for easier usage):
Code:
    // Tutorial.cpp : Defines the entry point for the console application.
    //
    //We Will Be Using These.
    #include "stdafx.h"
    #define WIN32_LEAN_AND_MEAN //Must come before windows.h to have any effect
    #include <windows.h>
    #include <tlhelp32.h>
    #include <stdio.h>
    #include <string.h>
    //Lets Just Define Some Variables
    #define CREATE_THREAD_ACCESS (PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ)
    //Lets declare our function
    BOOL CreateRemoteThreadInject(DWORD ID, const char * dll);
    //Lets declare GetProcessId
    DWORD GetProcessId(const char * szExeName);

    //Our Application Starts Here.
    int main()
    {
        //Declare our dll variable
        char dll[MAX_PATH];
        //Get the full path of our .dll (returns 0 if it cannot be resolved)
        if (!GetFullPathName("Tutorial.dll", MAX_PATH, dll, NULL))
        {
            printf("Could not get the full path of Tutorial.dll\n");
            Sleep(3000);
            return 1;
        }
        //We will be using this neat little function written by batfitch - GetProcessId.
        //It returns 0 if notepad.exe is not running and 0xFFFFFFFF if it runs more than once.
        DWORD ID = GetProcessId("notepad.exe");
        if (ID == 0 || ID == 0xFFFFFFFF)
        {
            printf("Could not find exactly one notepad.exe\n");
            Sleep(3000);
            return 1;
        }
        if (!CreateRemoteThreadInject(ID, dll))
        {
            //If CreateRemoteThreadInject Returned false
            printf("Injection failed!\n");
            Sleep(3000);
            return 1;
        }
        //If CreateRemoteThreadInject Returned true
        printf("Injection Successful!\n");
        Sleep(3000);
        return 0;
    }

    //Function written by batfitch. The name overloads the Win32 GetProcessId(HANDLE),
    //which C++ allows because the parameter type differs.
    DWORD GetProcessId(const char * szExeName)
    {
        DWORD dwRet = 0;
        DWORD dwCount = 0;
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
        if (hSnapshot != INVALID_HANDLE_VALUE)
        {
            PROCESSENTRY32 pe = {0};
            pe.dwSize = sizeof(PROCESSENTRY32);
            BOOL bRet = Process32First(hSnapshot, &pe);
            while (bRet)
            {
                //Case-insensitive compare against the image name of every process
                if (!_stricmp(pe.szExeFile, szExeName))
                {
                    dwCount++;
                    dwRet = pe.th32ProcessID;
                }
                bRet = Process32Next(hSnapshot, &pe);
            }
            //More than one match is ambiguous, so signal it instead of guessing
            if (dwCount > 1)
                dwRet = 0xFFFFFFFF;
            CloseHandle(hSnapshot);
        }
        return dwRet;
    }

    //We will be writing our own little function called CreateRemoteThreadInject
    BOOL CreateRemoteThreadInject(DWORD ID, const char * dll)
    {
        //Declare the handle of the process.
        HANDLE Process;
        //Declare the memory we will be allocating
        LPVOID Memory;
        //Declare the address of LoadLibraryA (not named LoadLibrary: that is a windows.h macro)
        LPVOID LoadLibAddr;
        //Declare the handle of the remote thread
        HANDLE Thread;
        //If there's no process ID we return false.
        if (!ID)
        {
            return false;
        }
        //Open the process with read, write and execute privileges
        Process = OpenProcess(CREATE_THREAD_ACCESS, FALSE, ID);
        if (Process == NULL)
        {
            return false;
        }
        //Get the address of LoadLibraryA. kernel32.dll is mapped at the same base in
        //every process of the same bitness, so the address is valid in the target too.
        LoadLibAddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        // Allocate space in the process for our DLL path (plus the terminating NUL)
        Memory = VirtualAllocEx(Process, NULL, strlen(dll) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        if (LoadLibAddr == NULL || Memory == NULL)
        {
            CloseHandle(Process);
            return false;
        }
        // Write the string name of our DLL in the memory allocated
        if (!WriteProcessMemory(Process, Memory, dll, strlen(dll) + 1, NULL))
        {
            VirtualFreeEx(Process, Memory, 0, MEM_RELEASE);
            CloseHandle(Process);
            return false;
        }
        // Load our DLL: the new thread runs LoadLibraryA(Memory) inside the target
        Thread = CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, Memory, 0, NULL);
        if (Thread != NULL)
        {
            //Wait until LoadLibraryA has finished before freeing the string it reads
            WaitForSingleObject(Thread, INFINITE);
            CloseHandle(Thread);
        }
        //Lets free the memory we are not using anymore (while the handle is still open).
        VirtualFreeEx(Process, Memory, 0, MEM_RELEASE);
        //Close our handle to the process
        CloseHandle(Process);
        return Thread != NULL;
    }
Okay, that's about it. (NOTE: Code is working fine)
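The injector above leaves a recognisable trace in Sysmon's Event ID 8 (CreateRemoteThread): a thread created in another process whose start address resolves to LoadLibraryA in kernel32.dll. As an added example that is not part of this tutorial, here is a small Python detector run over constructed Sysmon records; it also flags the LoadLibraryW/LoadLibraryEx variants and KERNELBASE.dll, which goes beyond the exact call used above. The field names are real Sysmon EID 8 fields; the records themselves and the "Field: value" rendering are constructed for this example.

```python
import re

# Constructed Sysmon Event ID 8 (CreateRemoteThread) records, one "Field: value"
# line per field and a blank line between records.
SAMPLE_LOG = """\
SourceImage: C:\\Users\\demo\\Tutorial.exe
TargetImage: C:\\Windows\\System32\\notepad.exe
StartModule: C:\\Windows\\System32\\KERNEL32.DLL
StartFunction: LoadLibraryA

SourceImage: C:\\Windows\\System32\\csrss.exe
TargetImage: C:\\Windows\\System32\\notepad.exe
StartModule: C:\\Windows\\System32\\ntdll.dll
StartFunction: DbgUiRemoteBreakin

SourceImage: C:\\Tools\\hook.exe
TargetImage: C:\\Program Files\\App\\app.exe
StartModule: C:\\Windows\\System32\\KERNELBASE.dll
StartFunction: LoadLibraryW
"""

# Exports that make a new thread load a DLL, and the modules that host them
LOADER_EXPORTS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

def parse_records(text):
    """Split the log into records and each record into a {field: value} dict."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        records.append(fields)
    return records

def is_remote_loadlibrary(rec):
    """True when one process started a thread in another at a LoadLibrary export."""
    src = rec.get("SourceImage", "").lower()
    dst = rec.get("TargetImage", "").lower()
    module = rec.get("StartModule", "").lower().rsplit("\\", 1)[-1]  # basename only
    func = rec.get("StartFunction", "").lower()
    return src != dst and module in LOADER_MODULES and func in LOADER_EXPORTS

def find_injections(text):
    """Return (source, target) pairs matching the CreateRemoteThread + LoadLibrary pattern."""
    return [(r["SourceImage"], r["TargetImage"])
            for r in parse_records(text) if is_remote_loadlibrary(r)]
```

find_injections(SAMPLE_LOG) returns the Tutorial.exe and hook.exe records as (source, target) pairs; the csrss.exe record (a debugger break-in thread, not a library load) is not flagged.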
If you did the injection right, you should get a message when you press F2.
Feel free to comment and tell me if I did something wrong.
You may use this code as you wish.
Here is the download for the tutorial : http://www.ziddu.com/download/12654106/Tutorial.zip.html
Greets:
batfitch - Great help
1 comment:
Bro, can you help me with my source code about chams, and change it into CreateRemoteThread()?
I will give you my source code.