Multi DLL Injection

[Codemunkie]

Hello!

I've been at this for hours and i still can't seem to find a way to make a muti DLL injector I've made a single injector before that worked fine.

I'm using a ListBox for the DLL's, and i've got the Add/Remove DLL buttons working however i can't find a way to save the file directories for injecting!

When they browse i use ListBox.Items.Add("ITEM.DLL") and it shows fine, and then i tried using an array to store the whole file directory, but then when it comes to injecting using a for each loop, i get tons of errors because i'm taking the directory from an array not the OpenFileDialog.

The only thing i can think to do is to make a new OpenFileDialog for each new DLL they want to import, will this work? :\ And how would i use a for loop with multiple FileDialogs?

[[MPGH]master131]

Mind sharing some code?

[Codemunkie]

Code:

Private Sub OpenFileDialog1_FileOk(ByVal sender As System.Object, ByVal e As System.ComponentModel.CancelEventArgs) Handles OpenFileDialog1.FileOk
        Dim FileName As String = OpenFileDialog1.FileName.Substring(OpenFileDialog1.FileName.LastIndexOf("\"))
        Dim DllFileName As String = FileName.Replace("\", "")
        ListBox1.Items.Add(DllFileName)
        dlls(counter1) = OpenFileDialog1.FileName
        counter1 = counter1 + 1
    End Sub

Code:

Private Sub Timer1_Tick(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Timer1.Tick
                Dim ProcID As Integer = Process.GetProcessesByName(TextBox1.Text)(0).Id
                Dim IDLL As String
                For Each IDLL In dlls
                    Inject(ProcID, IDLL)
                Next
    End Sub

And the Inject function is the same as the tutorial that was posted

I'm having a new problem now where the loop is never ending. I replaced the Inject function with a message box and whenever it tries to inject the message box just pops up continuously!

[[MPGH]master131]

Well obviously, you need the full path to the DLL, not just the file name.

You should also use For Each IDLL in ListBox1.Items instead. And the reason why it loops is because it's being run on a timer....

[Codemunkie]

Well obviously, you need the full path to the DLL, not just the file name.

You should also use For Each IDLL in ListBox1.Items instead. And the reason why it loops is because it's being run on a timer....

OpenFileDialog.FileName returns the full path, i checked

As for the timer issue, i just found that out before i came to read this :P Thanks!

New problem however -.- It doesn't give any errors at all, it jsut decides not to inject. I ran some trial and error by setting up a lable to change text and tried running it through different parts of the inject function. It gets so far and then just breaks :\

Does the function need some time inbetween injecting more than 1 dll?

Code:

Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer

    Private Function Inject(ByVal pID As Integer, ByVal dllLocation As String) As Boolean
        If IntPtr.Size = 8 Then Throw New ArgumentException("Please make sure this program is compiled as x86, not x64. Memory functions don't work so well otherwise.") '//check our project is compiled to x86, otherwise everything will run fine, but nothing will happen.
        Dim hProcess As Integer = OpenProcess(&H1F0FFF, 1, pID) '//copied the access value /tehe
        If hProcess = 0 Then Return False '//check that we managed to obtain a handle, if we didn't there is no point continuing.
        Dim dllBytes As Byte() = System.Text.Encoding.ASCII.GetBytes(dllLocation)
        Dim allocAddress As Integer = VirtualAllocEx(hProcess, 0, dllBytes.Length, &H1000, &H4)
        If allocAddress = Nothing Then Return False '//if the memory allocation failed then we gotta quit.
        Dim kernelMod As Integer = GetModuleHandle("kernel32.dll") '//kernel holds the LoadLibrary function, and its loaded to a constant address space, so we can find the load address in our own processes memory and assume it will be the same in the target process.
        Dim loadLibAddr = GetProcAddress(kernelMod, "LoadLibraryA") '//find the address of LoadLibrary in kernel.
        If kernelMod = 0 OrElse loadLibAddr = 0 Then Return False
        WriteProcessMemory(hProcess, allocAddress, dllBytes, dllBytes.Length, 0) '// write the dll location as bytes to the process memory in the location we allocated earlier, we'll use this address when we call LoadLibrary so it knows where to load the dll from
        Dim libThread As Integer = CreateRemoteThread(hProcess, 0, 0, loadLibAddr, allocAddress, 0, 0) '//call the LoadLibrary function in the target process and pass the location of our DLL to it (actually, we just pass the address to where it should read it from, it does the rest)
        If libThread = 0 Then
            Return False '// couldn't create the thread, quit now
        Else
            WaitForSingleObject(libThread, 5000) '//give the process 5 seconds to finish using the LoadLibrary function if it needs it
            CloseHandle(libThread) '//close our handle to the thread.
        End If
        CloseHandle(hProcess) '//close our handle to the process
        Label1.Text = "DLL injected successfully."
        If CheckBox1.Checked = True Then
            Timer2.Start()
        End If
        Label1.ForeColor = Color.Green
        Return True '//WE DID IT YAY. If this has no syntax errors I will jizz myself.
    End Function

If libThread = 0 Then
Return False '// couldn't create the thread, quit now
Else
WaitForSingleObject(libThread, 5000) '//give the process 5 seconds to finish using the LoadLibrary function if it needs it
CloseHandle(libThread) '//close our handle to the thread.
End If

It gets to there and then stops, but not displaying any error messages.

[wtfiwantthatname]

What OS are you testing this code on?

Edit: You should use the minimum amount of access requried.
Private Const process_vm_write As Int32 = &H20 ' Access Rights
Private Const process_vm_read As Int32 = &H10 ' Access Rights
Private Const process_vm_operation As Int32 = &H8 ' Access Rights
Private Const process_create_thread As Int32 = &H2 'Access rights

Dim Access as int32 = process_vm_write AND process_vm_read AND process_vm_operation AND process_create_thread

[Codemunkie]

I'm running Windows 7 x32. I don't get where you want me to use the Access variable?

[wtfiwantthatname]

Instead of Proces_All_Access.