Simple Injection. An in-depth look.

[Jason]

Injection Tutorial
By Chooka/Jason

Alright, hey guys. I'm bored as shit tonight and I've been looking for pretty much any way to dodge doing my uni assignment so I figured why not. A few people have been asking for a proper injection tutorial (not just delicious copy-pasta which the original poster doesn't actual understand). I'm not going to walk you through creating a whole injector and shit, I'm too lazy, but I'll cover the actual injection function in as much detail as I can be bothered giving.

I'm relatively new to injection and those that know me know I'm a tad memtarded, so this is much a learning exercise for me as it is for you. I figure actually having to write out and explain each step in the process in detail will also strengthen my own knowledge on the subject. In this tutorial I'm only going to cover the most basic injection method; LoadLibrary Injection. For those of you that don't know what that is, don't worry, it will all be explained.

Before I begin there are some definite shoutouts that must be made, I wouldn't have ever bothered learning this crap without them.

@Void - Originally attempted to explain the process to me, I was completely memtarded then and ragequit
@Hell_Demon - Second guy to explain it to me (yes, I'm a bit slow, shut the fuck up ) Much more successful than my first attempt, understood it all.
@Hassan - Chill guy, for a religious fucker.
@Blubb1337 - Resident db expert (or he likes to think so), has no relevance to this thread but he's 1337 so it's .
...I could go on and on but then this would just turn into a "who i'm friends with" list rather than an actual credits list.

The Tutorial

Here's how it's going to go down. I'm going to run through the theory on its own first, then I'll start writing it out in code and explain each step as it appears.

What is LoadLibrary Injection?

This is the very first thing you need to know; What are we attempting to do?
Well, for starters, LoadLibrary (as you may or may not know) is a function in the kernel32.dll. Here's its actual method signature according to MSDN:

Code:

HMODULE WINAPI LoadLibrary(__in  LPCTSTR lpFileName );

Despite the C++, that's not that scary right? It's just a function that takes a single string argument which then tells LoadLibrary where to load the file from. It then loads that library into the process and -in the case of dlls- calls the DllMain function. Simple enough to grasp I hope (you don't have to know how LoadLibrary works, just understand what it does)

Why is this useful to us?
Well, I'll tell you. kernel32.dll is loaded into almost, if not all (there, protected against your nitpicking @freedompeace) windows processes. This means that all it's functions are ALSO loaded into the process, in particular, LoadLibrary. Due to some trickery, we can call LoadLibrary in an external process and tell it to load our designated dll. More on that to come.

Okay, so we have to somehow call LoadLibrary in the external process...how the?
Okay, first things first, you need to open a handle to your process so we can access it. Next you'll need to write the dll location to that processes memory (in bytes, of course). We need to do this because when calling the LoadLibrary function, we'll need to pass the parameter as an address for it to find the dll location. After we've called the LoadLibrary function, and everything has worked successfully, we just do some cleaning up, close all the handles and shit.

That's it! Simple eh? Now we just need to translate that simple process into code.

First, we'll need some API declarations so we can do what we need. Here they are.

Code:

    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Integer, ByVal dwProcessId As Integer) As Integer
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer

And here's what we'll use them for:
OpenProcess This function returns the handle to the process specified by the dwProcessId parameter, we need this when accessing the process externally.

VirtualAllocEx Allows us to allocate memory in an external process specified by the hProcess handle. This is needed to allocate the memory to write our dll location to.

WriteProcessMemory Write memory to an external process specified by the hProcess handle. We'll use this simple function to write our dll location to the memory allocated by VirtualAllocEx

GetModuleHandle Gets the handle to a specified module within our program (THIS IS NOT EXTERNAL), we'll use this to get the handle to the kernel32.dll module.

GetProcAddress Find the address of a function within a module, given the module handle. We'll find the address of the LoadLibrary function within kernel32 with this.

CreateRemoteThread Creates a thread in the remote process. We'll use this as the final step: Calling the LoadLibrary function and giving the dll its own thread so it doesn't conflict with the process's main thread.

WaitForSingleObject Waits for an object to return. In particular we'll wait for the LoadLibrary function to finish its work, then close the handle to it.

CloseHandle Very simple function. Closes an open handle.

That's it for APIs. All we need

First up, I just wanna code a tiny little cleanup routine for when we get further into the function and want to abort. Basically just cleans up input handles and returns false. You'll see it in action later.

Code:

Private Function Die(Optional ByVal hProc As Integer = Nothing, Optional ByVal libThread As Integer = Nothing) As Boolean
    If Not hProc = Nothing Then CloseHandle(hProc)
    If Not libThread = Nothing Then CloseHandle(libThread)
    Return False
End Function

Now that moment is finally here, coding our function.to inject a process. First comes the method signature.

Code:

Private Function InjectDll(ByVal processID As Integer, ByVal dllLocation As String) As Boolean

Simple method singature, we'll take in a process id and a dll location and do our injection. If everything goes okay, we'll return true, otherwise false.

Now we're going to start with some simple error checking so that our function doesn't assrape itself.

Code:

If Not IO.File.Exists(dllLocation) Then Return False 'if the dll doesn't exist, no point in continuing. So we return false.
If IntPtr.Size = 8 Then Return False 'If the size of an IntPtr is 8, then is program was compiled as x64. x64 processes can't access x86 processes properly, so we just return false. You need to compile this program as x86.

Time to open up that process!

Code:

Dim hProcess As Integer = OpenProcess(&H1F0FFF, 1, processID) 'We'll open the process specified by the input process ID. With PROCESS_ALL_ACCESS access, seeing as we only need to write.
If hProcess = 0 Then Return Die() 'If we didn't get the handle, we exit and return false. No cleanup so no params for die()

Next we've gotta allocate some memory for the dll location, and then write it.

Code:

Dim dllBytes As Byte() = System.Text.Encoding.ASCII.GetBytes(dllLocation + ControlChars.NullChar) 'As I mentioned earlier, we have to write the dll location as bytes to the process memory, so we take the bytes of the string using the standard encoding, adding a null byte at the end.
Dim pathLocation As Integer = VirtualAllocEx(hProcess, 0, dllBytes.Length, &H1000, &H4) 'Allocate memory the size of the string we need to write to memory. pathLocation now holds the address of where the memory was allocated.
If pathLocation = Nothing Then Return Die(hProcess) 'VirtualAllocEx returns Nothing when it fails, so we check for that and return false if we find it. We've opened a process handle so we have to pass that to Die to clean it up.

So hopefully you could see in that step that we just converted the dll location to bytes, and then allocated some memory (the size of the dll location bytes) in the target process. Now we need to write to it.

Code:

Dim wpm As Integer = WriteProcessMemory(hProcess, pathLocation, dllBytes, dllBytes.Length, 0) 'write the contents of dllBytes to the memory allocated at pathLocation.
If wpm = 0 Then Return Die(hProcess) ' WriteProcessMemory returns 0 if it fails.

Alright we're getting there, so far we have written the location of our dll to the other processes memory, and we have the address where we wrote that. That's part one complete, the next part is actually finding and calling LoadLibrary

in that process and passing in the variable we wrote to memory. We'll get the address of LoadLibrary first.

Here's how:

Code:

Dim kernelMod As Integer = GetModuleHandle("kernel32.dll") 'Remember what I was saying about kernel32 being loaded into the same address space for every normal process? This means we don't have to do any fancy crap to find its location in our target process, we can get the location in our own process and safely assume it will be the same for all process. This means we can use GetModuleHandle, which only works internally.
Dim loadLibAddr As Integer = GetProcAddress(kernelMod, "LoadLibraryA") ' GetProcAddress gives us the address of the specified function within the module.
If loadLibAddr = 0 Then Return Die(hProcess) 'If GetProcAddress failed it'll return 0.

Yay, we finally have the address of the LoadLibrary function. NOW WE CAN CALL IT AND LOAD THIS FUCKER.

Code:

Dim procThread As Integer = CreateRemoteThread(hProcess, 0, 0, loadLibAddr, pathLocation, 0, 0) 'Okay, this is the thread creation. We pass our process handle to tell what process to create the thread on. the third param is the handle of the function to call. In this case we choose the LoadLibrary function. The next param is the arguments to pass to the function (omg remember we wrote that to memory? NOW WE PASS THE ADDRESS BACK!)
If procThread = 0 Then Return Die(hProcess) 'unable to create the thread. Return false
Dim waitVal As Integer = WaitForSingleObject(procThread, 5000) 'allow the LoadLibrary function 5 seconds to process.
If Not waitVal = &H0UI Then Return Die(hProcess, procThread) 'Function didn't signal completion. Fuck that shit abort ABORT
CloseHandle(procThread) 'close the handle to the LoadLibrary function
CloseHandle(hProcess) 'close the handle to the process
Return True 'made it, yay.

And that's it, you have successfully located the LoadLibrary function and called it, passing our dll location as the param. The dll should now load successfully.

I hope someone actually reads the tutorial, it's pretty lengthy for such a short function but there's a lot of shit going on if you're new to it.

EDIT: Oh yeah, if you're having trouble finding how to compile to x86. Check out this MSDN article.
Compile options VS Express Editions - SocialMSDN

Any questions, criticisms (if their constructive, haters can just fuck off) or suggestions... feel free to post

Cheers.
Chooka/Jason

UPDATE
UPDATE:

Okay, modified the injection code slightly. After starting to learn C the importance of memory management has become apparent. So, I've now added VirtualFreeEx to free the allocated memory.

Also, I discovered the GetExitCodeThread function, which allows you to get the return value of a specific thread, thereby allowing us to actually return whatever the LoadLibrary function returned (the handle to the module if successful). I've now written a new function "LoadLibraryEx" to tie in with the injection, but also be re-usable.

Here's the updated code:
Imports:

Code:

Imports System.Runtime.InteropServices 'for marshaling unmanaged return types.

API Declarations (Note VirtualFreeEx and GetExitCodeThread)

Code:

    Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Integer, ByVal bInheritHandle As Boolean, ByVal dwProcessId As Integer) As Integer
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flAllocationType As Integer, ByVal flProtect As Integer) As Integer
    Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal dwFreeType As Integer) As <MarshalAs(UnmanagedType.Bool)> Boolean
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Integer, ByVal lpBaseAddress As Integer, ByVal lpBuffer() As Byte, ByVal nSize As Integer, ByVal lpNumberOfBytesWritten As UInteger) As Boolean
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Integer, ByVal lpProcName As String) As Integer
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Integer
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Integer, ByVal lpThreadAttributes As Integer, ByVal dwStackSize As Integer, ByVal lpStartAddress As Integer, ByVal lpParameter As Integer, ByVal dwCreationFlags As Integer, ByVal lpThreadId As Integer) As Integer
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Integer, ByVal dwMilliseconds As Integer) As Integer
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Integer) As Integer
    Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Integer, <Out()> ByRef lpExitCode As UInt32) As <MarshalAs(UnmanagedType.Bool)> Boolean

I've already said what all these API functions do pretty much. VirtualFreeEx is basically the opposite of VirtualAllocEx, except there is a catch with its "dwSize" param:

dwSize [in]

The size of the region of memory to free, in bytes.

If the dwFreeType parameter is MEM_RELEASE, dwSize must be 0 (zero). The function frees the entire region that is reserved in the initial allocation call to VirtualAllocEx.

So basically if we're freeing memory completely (releasing it), you don't put a value for dwSize despite what you might think, leave it at 0 for mem_release. Also, you no longer need the "Die" function at all.

Okay, the LoadLibraryEx function (commented, as usual).

This function is quite long now:

Code:

    Public Shared Function LoadLibraryEx(ByVal hProcess As Integer, ByVal lpFileName As String) As UInt32
        If Not IO.File.Exists(lpFileName) OrElse IntPtr.Size = 8 Then Return 0 'first thing: Make sure the file exists, and we're compiled in x86

        Dim bFileName As Byte() = System.Text.Encoding.ASCII.GetBytes(lpFileName + ControlChars.NullChar) 'convert the string to chars (add a nullbyte)
        Dim lpFileAddress As Integer = VirtualAllocEx(hProcess, 0, bFileName.Length, &H1000, &H4) 'allocate the memory to put our char array in.
        If lpFileAddress = 0 Then Return 0

        Dim writeSuccess As Integer = WriteProcessMemory(hProcess, lpFileAddress, bFileName, bFileName.Length, 0) 'write our chars to the process.
        If writeSuccess = 0 Then Return 0

        Dim lpLoadLibrary As Integer = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA") 'find where LoadLibrary is located
        If lpLoadLibrary = 0 Then Return 0 'if for some reason we couldn't get it.

        Dim libThread As Integer = CreateRemoteThread(hProcess, 0, 0, lpLoadLibrary, lpFileAddress, 0, 0) 'execute loadlibrary in the remote process.
        If libThread = 0 Then Return False
        Dim waitVal As Integer = WaitForSingleObject(libThread, 10000) 'wait up to 10 seconds for the thread to return. 
        '(be warned, if the target DLL puts a messagebox in DllMain and the user doesn't click it in 10 seconds, this function will return 0 so edit the wait time if you want.
        If Not waitVal = &H0UI Then Return CloseHandle(libThread) < Int32.MinValue 'simple trick to close the handle and simultaneously return 0.

        Dim hModule As UInt32 = 0 'prepare our hModule holder.
        If Not GetExitCodeThread(libThread, hModule) Then Return CloseHandle(libThread) < Int32.MinValue 'try to get the thread return value
        VirtualFreeEx(hProcess, lpFileAddress, 0, &H8000) 'dont bother checking the return value of VF, we've successfully injected and if the memory fails to free there's nothing we can do.

        CloseHandle(libThread) 'dispose our thread handle, we're done with it.
        Return hModule
    End Function

Okay, so now we need to refactor our Inject code to work with LoadLibraryEx.

Code:

Public Shared Function InjectDll(ByVal dwProcID As Integer, ByVal lpFileName As String) As Uint32
    Dim hProc As Integer = OpenProcess(&H42A, True, dwProcID) 'open the process with a combination of PROCESS_CREATE_THREAD, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_QUERY_INFORMATION.
    If hProc = 0 Then Return 0 'if unable to obtain a handle, quit.
    Dim hModule As UInt32 = LoadLibraryEx(hProc, lpFileName) 'try and load the library
    CloseHandle(hProc) 'finished our use with the handle, dispose of it.
    Return hModule
End Function

And that's it!

For extra curricular activities, here's my FreeLibraryEx. It functions very much the same as LoadLibraryEx, but those of you who are actually paying attention will notice we didn't write the hModule value to memory! Why not you may ask? The difference is in the param types for LoadLibrary and FreeLibrary.

LoadLibrary = LPCSTR (pointer to C-string)
FreeLibrary = HMODULE (essentially a typedef of unsigned int, which is a value type not a reference!)

So for LoadLibrary, we are required to pass a POINTER to it, rather than a literal value, LoadLibrary then reads from where the pointer points to. For this reason, we had to generate a pointer by allocating some memory, writing a string there and then keeping the pointer to that memory address.

On the other hand, FreeLibrary just takes an unsigned int, which isn't a reference type (i.e, you dont have to pass a pointer to it), so you can simply call CreateRemoteThread and pass the hModule value as the param)

Here's the code:

Code:

    Public Shared Function FreeLibraryEx(ByVal hProcess As Integer, ByVal hModule As UInt32) As Boolean
        Dim freeLibAddress As Integer = GetProcAddress(GetModuleHandle("kernel32"), "FreeLibrary")
        If freeLibAddress = 0 Then Return False

        Dim flThread As Integer = CreateRemoteThread(hProcess, 0, 0, freeLibAddress, hModule, 0, 0)
        If flThread = 0 Then Return 0
        Dim waitVal As Integer = WaitForSingleObject(flThread, 10000)
        If Not waitVal = &H0UI Then Return CloseHandle(flThread) < Int32.MinValue

        CloseHandle(flThread)
        Return True
    End Function

Now you just pass the value returned by LoadLibraryEx to FreeLibraryEx to unload the DLL.

Enjoy

[Blubb1337]

Very good job bro. Finally a tutorial that does not only handle the code but also explains it in-depth(ly?).

@Chooka

[Jason]

Very good job bro. Finally a tutorial that does not only handle the code but also explains it in-depth(ly?).

@Chooka

Thanks babycakes.

[Nathan]

Looks nice.
I'll read it when I get back home.

[Lyoto Machida]

Dude this is very useful!
Maybe will stop leccherrrrrs!

[Hell_Demon]

You still suck dick for doing it in VB <:

[T0P-CENT]

After reading it twice still didn't understand the most ... maah i fail

[Hassan]

Great Job Jason. Finally got some idea of injection shit. Very well explained. Thanks ;]

[cgallagher21]

Nice Jason/Chooka Nice TuT

[TheBest-1337]

Nice job. What is the vbnet forum code? I don't wanna use [code]

[Hassan]

Nice job. What is the vbnet forum code? I don't wanna use [code]

[highlight=vbnet]code here...[/high light]

Remove space in "high light"

[Jason]

You still suck dick for doing it in VB <:

Was going to do the example in C#, but no-one would ever find it there

Thanks everyone else.

[Lyoto Machida]

This must be stickied!

[Stephen]

Just Wondering, it it x64 compatible?

[Jason]

Just Wondering, it it x64 compatible?

Read the thread? This needs to be compiled as x86 application. It works on 64 bit computers then. My PC is a x64 and it injects fine as long as the project is compiled as x86.