Remote DLL Injection in Windows Mobile (WM)
Today I'll explain how to inject a DLL into another process on Windows Mobile / Windows CE.
To inject an external DLL into another process we need a few functions exported by coredll.dll. They are documented in Platform Builder but not in the SDK headers, so we have to declare them ourselves with C linkage:
// Undocumented coredll.dll entry points used by the snippets below. They are
// described in Platform Builder but not in the SDK headers, so they are
// declared by hand, with C linkage so the names match the raw exports.
extern "C"
{
    // Argument block for PerformCallBack4: which process to run in, what to
    // call there, and the single pointer-sized argument handed to it.
    struct CALLBACKINFO
    {
        HANDLE  m_hDestProcess;    // process the call is made in
        FARPROC m_pFunction;       // function to invoke, as an address valid in that process
        PVOID   m_pFirstArgument;  // first argument passed to m_pFunction
    };

    // Switch the calling thread into (TRUE) or out of (FALSE) kernel mode.
    // Returns the previous mode; the snippets below save it and restore it.
    BOOL __stdcall SetKMode(BOOL fKernelMode);

    // Replace the calling thread's process-slot access mask. Returns the
    // previous mask so it can be put back afterwards.
    DWORD __stdcall SetProcPermissions(DWORD dwPermissions);

    // Return an address for lpv that is valid when used in the context of
    // hProc (the snippets below map both the target function and the
    // argument string this way).
    LPVOID __stdcall MapPtrToProcess(LPVOID lpv, HANDLE hProc);

    // Run pcbi->m_pFunction inside pcbi->m_hDestProcess with
    // pcbi->m_pFirstArgument as its first argument and return the callee's
    // result. dw1..dw3 are passed through as further arguments; every use
    // below passes 0.
    DWORD __stdcall PerformCallBack4(CALLBACKINFO *pcbi, DWORD dw1, DWORD dw2, DWORD dw3);
}
Once the undocumented functions are declared, we can write the code that uses them to inject the DLL. Note that SetKMode and SetProcPermissions lift the calling thread above the normal process boundaries, so the injector itself has to be code the device trusts:
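// Step 1: lift the calling thread above the normal process boundaries.
// SetKMode(TRUE) puts the thread in kernel mode and SetProcPermissions with an
// all-ones mask grants it access to every process slot; each call returns the
// previous setting so it can be restored below.
// NOTE(review): on a device using the two-tier (trusted/untrusted) model these
// calls are normally only honoured for trusted code — confirm the injector is
// trusted on the target device, otherwise the cross-process call below will
// not have the access it needs.
// NOTE(review): 0xFFFFFFFF is broader than this code needs (only the
// injector's own slot and hProcess's slot are touched); a narrower mask is the
// least-privilege choice if PerformCallBack4 still works with it — verify.
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

// Step 2: resolve LoadLibraryW in coredll (GetProcAddress takes a wide name on
// CE). Previously a NULL result flowed straight into PerformCallBack4 as the
// function to call in the target; it is guarded now.
FARPROC pfnLoadLibraryW = GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW");

CALLBACKINFO cbi;
HINSTANCE hInst = NULL; // what LoadLibraryW returned inside hProcess; NULL = nothing injected
if (pfnLoadLibraryW != NULL)
{
    cbi.m_hDestProcess = hProcess;
    // The function must be expressed as an address valid inside hProcess, and
    // the path string as an address the target can read back out of our
    // process. lpszFullPathDll must stay valid until PerformCallBack4 returns.
    // Use a full path: the name is presumably resolved by the target's search
    // order, not ours, since LoadLibraryW runs in the target.
    cbi.m_pFunction = (FARPROC)MapPtrToProcess((LPVOID)pfnLoadLibraryW, hProcess);
    cbi.m_pFirstArgument = MapPtrToProcess(lpszFullPathDll, GetCurrentProcess());
    // Runs LoadLibraryW(lpszFullPathDll) in the context of hProcess and hands
    // back its return value (so the DLL's DllMain executes in the target).
    hInst = (HINSTANCE)PerformCallBack4(&cbi, 0, 0, 0);
}

// Step 3: always put the thread back, whether or not the load succeeded, so a
// failure never leaves this thread in kernel mode with access to every slot.
SetKMode(bMode);
SetProcPermissions(dwPerm);

// hInst stays NULL if LoadLibraryW could not be resolved or if the load failed
// in the target (wrong path, missing dependency, ...), assuming
// PerformCallBack4 passes LoadLibraryW's return value through as the original
// comment states. Check it before the GetProcAddress / FreeLibrary steps.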
Some details:
hProcess: the handle of the process into which the DLL is injected;
lpszFullPathDll: the full path of the DLL to inject. The target reads this string out of the injector's address space (that is what the MapPtrToProcess call on it is for), so it must stay valid until PerformCallBack4 returns;
Once the DLL is loaded into hProcess, any function it exports can be called with the same mechanism:
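// Call a function exported by the injected DLL, in the context of hProcess.
// hInst is the handle LoadLibraryW returned in the target, yet the lookup is
// done from the injecting process; this presumably works because CE maps a
// DLL at the same address in every process that loads it — verify on the
// target CE version.
// Both hInst and the GetProcAddress result are checked: handing a NULL
// function pointer to PerformCallBack4 would call address 0 in the target.
DWORD dw = 0;        // 'ExportedFunction's return value; stays 0 if it was never called
FARPROC pHook = NULL;
if (hInst != NULL)
{
    // GetProcAddress takes a wide name on CE, as in the LoadLibraryW lookup above.
    pHook = GetProcAddress(hInst, L"ExportedFunction");
}
if (pHook != NULL)
{
    cbi.m_hDestProcess = hProcess;
    cbi.m_pFunction = (FARPROC)MapPtrToProcess((LPVOID)pHook, hProcess);
    // First argument for 'ExportedFunction'. A pointer passed here has to be
    // mapped with MapPtrToProcess the same way the DLL path was.
    cbi.m_pFirstArgument = NULL;
    dw = PerformCallBack4(&cbi, 0, 0, 0);
}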
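// Unload the injected DLL again by running FreeLibrary(hInst) inside hProcess,
// mirroring the LoadLibraryW call. A NULL hInst (nothing was injected) and a
// failed FreeLibrary lookup are skipped instead of being handed to
// PerformCallBack4 as a NULL function pointer.
DWORD dw = 0; // FreeLibrary's result: nonzero on success (the original comment said "1"; treat any nonzero as success)
FARPROC pfnFreeLibrary = NULL;
if (hInst != NULL)
{
    pfnFreeLibrary = GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary");
}
if (pfnFreeLibrary != NULL)
{
    cbi.m_hDestProcess = hProcess;
    cbi.m_pFunction = (FARPROC)MapPtrToProcess((LPVOID)pfnFreeLibrary, hProcess);
    cbi.m_pFirstArgument = (PVOID)hInst; // the HINSTANCE LoadLibraryW returned in hProcess
    dw = PerformCallBack4(&cbi, 0, 0, 0);
    if (dw != 0)
    {
        hInst = NULL; // the handle is no longer valid; do not let it be reused
    }
}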
Posted on 2009-08-16 15:03 by IamEasy_Man