  #1 kibbles18

    Stub Injection Fails when Process is executed

    I'm trying to inject a DLL by writing a stub to allocated memory in the target process and changing the EIP register in the thread. It works fine when it is written after the process has already executed, but if I try to do it when the process first starts up, it crashes the process.
    Code:
    void injectproxy(char szDll[MAX_PATH])
    {
    	szDll = szGetDirFile(szDll);
    	stubLen = sizeof(stub);
    	DWORD dwProcId = NULL, threadID = NULL, oEIP = NULL, oldprot = NULL, dwLoadLibrary = NULL;
    	out("waiting for process");
    	CONTEXT ctx;
    	do
    	{
    		GetWindowTextA(g_hwEdit2, buf, sizeof(buf));
    		dwProcId = dwProcessID(buf);
    	}
    	while(dwProcId == NULL);
    	do
    	{
    	dwLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    	}
    	while(dwLoadLibrary == NULL);
    
    	hProcess = OpenProcess((PROCESS_VM_WRITE | PROCESS_VM_OPERATION), false, dwProcId);
    	if(hProcess == NULL)
    	{
    		out("unable to open process!");
    	}
    	dllLen = strlen(szDll)+1;
    	addrDllPath = VirtualAllocEx(hProcess, NULL, dllLen, MEM_COMMIT, PAGE_READWRITE);
    	addrStub = VirtualAllocEx(hProcess, NULL, stubLen, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    	if(addrStub == NULL)
    	{
    		sprintf(buf, "error code: %d", GetLastError());
    		out(buf);
    		return;
    	}
    	if(WriteProcessMemory(hProcess, addrDllPath, szDll, strlen(szDll), NULL) == 0)
    	{
    		out("WPM fail");
    		return;
    	}
    	do
    	threadID = GetMainThreadId(dwProcId);
    	while(threadID == 0);
    	hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME | SYNCHRONIZE ), false, threadID);
    	if(hThread == NULL)
    	{
    		sprintf(buf, "unable to open thread. error code:%d", GetLastError());
    		out(buf);
    		return;
    	}
    	SuspendThread(hThread);
    	ctx.ContextFlags = CONTEXT_CONTROL; // only the control registers (EIP, ESP, EBP, ...) are needed
    	if(GetThreadContext(hThread, &ctx) == 0)
    	{
    		sprintf(buf,"failed to get thread context. error code:%d", GetLastError());
    		out(buf);
    		return;
    	}
    	oEIP = ctx.Eip;
    	ctx.Eip = (DWORD)addrStub;
    	ctx.ContextFlags = CONTEXT_CONTROL;
    	VirtualProtect(stub, stubLen, PAGE_EXECUTE_READWRITE, &oldprot); 
    	memcpy((void *)((unsigned long)stub + 0x1), (void*)&oEIP, 4);   
    	memcpy((void *)((unsigned long)stub + 0x8), (void*)&addrDllPath, 4);
    	memcpy((void *)((unsigned long)stub + 0xD), (void*)&dwLoadLibrary, 4);
    	if(WriteProcessMemory(hProcess, addrStub, (LPCVOID)stub, stubLen, NULL) == 0)
    	{
    		out("WPM fail");
    		return;
    	}
    	if(SetThreadContext(hThread, &ctx) == NULL)
    	{
    		out("unable to setthreadcontext");
    	}
    	if(ResumeThread(hThread) == 0xFFFFFFFF)
    	{
    		out("unable to resume the thread!");
    	}
    }
    Way she fuckin goes boys

  #2 0xB4DF00D
    Check whether kernel32.dll is loaded in the target process, because if it is not, it will crash when LoadLibraryA is called.
    You can do this by using RPM to read 1 byte at dwLoadLibrary and comparing it with 0x8B; remember that 8BFF = mov edi,edi, the standard prologue in APIs.

    Check if it is returning to the original EIP in the stub.
    And at last check if the main thread is resuming.


  #3 kibbles18
    I added the check but it is still crashing. Kernel32.dll is loaded because the DLL is injected successfully and LoadLibrary'd. The EIP is always correctly changed and restored. What seems to be crashing it is another thread trying to write to a memory location that it cannot write to. That memory location for some reason is the start of the injected dll module. Must be a problem with a register being overwritten?
    Last edited by kibbles18; 11-15-2013 at 07:32 PM.

  #4 0xB4DF00D
    Originally Posted by kibbles18:
    What seems to be crashing it is another thread trying to write to a memory location that it cannot write to. That memory location for some reason is the start of the injected dll module. Must be a problem with a register being overwritten?
    Well then it must be a deadlock; try loading a blank DLL with only DllMain and see if the problem continues.

    You could stop all threads if it has more than one and resume them after LoadLibrary, but first see whether a blank DLL crashes too.

  #5 kibbles18
    It works fine with a blank DLL.

  #6 0xB4DF00D
    Originally Posted by kibbles18:
    It works fine with a blank DLL.
    See "Best Practices for Creating DLLs": something in your DllMain is causing a deadlock, or maybe you are trying to read/write an address that is not yet loaded.

  #7 kibbles18
    Code:
    BOOL WINAPI DllMain(HINSTANCE hinst, DWORD reason, LPVOID reserved)
    {
        if (reason == DLL_PROCESS_ATTACH)
        {
            // Do the real work on a separate thread instead of inside DllMain (loader lock is held here)
            CreateThread(0, 0, (LPTHREAD_START_ROUTINE)hook, 0, 0, 0);
        }
        else if (reason == DLL_PROCESS_DETACH)
        {
        }
        return TRUE;
    }
    Just your standard dllmain.

  #8 kibbles18
    Edit: Issue fixed; it was a small mistake in the DLL.