Why does an application crash after a DLL is injected into it?
Good day
I decided to write my first injector with a library. The library is injected by CreateRemoteThread, passing the LoadLibraryW address as the thread function and the address of pre-allocated memory holding the argument for that function:
// Injector
#include <windows.h>
#include <iostream>
using namespace std;

int main(){
    // Address of LoadLibraryW taken from the injector's own kernel32 mapping
    LPTHREAD_START_ROUTINE lpThreadSR = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32")), "LoadLibraryW");
    HWND hwnd = FindWindow(NULL, TEXT("cpp"));
    if(!hwnd){ cout<<"window not found"<<endl; return 1; }
    DWORD pID = 0;
    GetWindowThreadProcessId(hwnd, &pID);
    HANDLE hProcess = OpenProcess(
        PROCESS_CREATE_THREAD | // for CreateRemoteThread
        PROCESS_VM_OPERATION |  // for VirtualAllocEx/VirtualFreeEx
        PROCESS_VM_WRITE,       // for WriteProcessMemory
        FALSE, pID);
    if(!hProcess){ cout<<"OpenProcess failed: "<<GetLastError()<<endl; return 1; }
    // LoadLibraryW appends ".dll" itself when the name has no extension
    LPCWSTR path = L"C:\\cpp\\dll\\mydll";
    DWORD sizeP = (lstrlenW(path)+1)*sizeof(wchar_t);
    PVOID addr_VP = VirtualAllocEx(hProcess, NULL, sizeP, MEM_COMMIT, PAGE_READWRITE);
    SIZE_T t = 0;
    if(addr_VP && WriteProcessMemory(hProcess, addr_VP, (LPCVOID)path, sizeP, &t)){
        cout<<t<<endl;
    }
    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpThreadSR, addr_VP, 0, NULL);
    if(hRemoteThread){
        WaitForSingleObject(hRemoteThread, INFINITE);
        cout<<"Ready!"<<endl;
    }
    //lpThreadSR = (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(TEXT("kernel32")),"FreeLibrary");
    //hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, lpThreadSR, addr_VP, 0, NULL); // This worked badly, so I commented it out
    // (FreeLibrary expects the HMODULE returned by LoadLibraryW, not the path buffer)
    // MEM_RELEASE requires dwSize == 0; passing sizeP makes the call fail
    VirtualFreeEx(hProcess, addr_VP, 0, MEM_RELEASE);
    cout<<hRemoteThread;
    if(hRemoteThread) CloseHandle(hRemoteThread);
    CloseHandle(hProcess);
    cin.get();
    return 0;
}

// DLL
BOOL WINAPI DllMain(HINSTANCE hH, DWORD fdwReason, PVOID){
    if(fdwReason==DLL_PROCESS_ATTACH){
        // DllMain runs under the loader lock; FindWindow/MessageBoxW here can deadlock the target
        HWND hwnd = FindWindow(NULL, TEXT("cpp"));
        MessageBoxW(hwnd, L"э", L"э?", MB_OK);
    }
    return TRUE;
}
GetProcAddress returns the address from the current (injector) process.
What you pass must be an address in the injected process; accordingly, one option is to calculate the offset from the beginning of the image in the injector and then add that offset to the base address of the injected process.
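To check the answer's point on a live system, here is an added diagnostic that is not part of the question or the answer: it reports where kernel32.dll is mapped in the shell and in the target process, and lists the modules the target has loaded from outside the Windows directory. It assumes the target runs as cpp.exe (the question only shows the window title "cpp") and that the shell has the same bitness as the target.

```powershell
# Added diagnostic, not code from the question or the answer. It assumes a target
# process named "cpp" (the window title used in the question) and a shell of the same
# bitness as the target; .NET refuses to enumerate modules across a 32/64-bit boundary.

function Get-ModuleBase {
    param([System.Diagnostics.Process]$Process, [string]$Name)
    $m = $Process.Modules | Where-Object { $_.ModuleName -ieq $Name } | Select-Object -First 1
    if ($null -eq $m) { return $null }
    return $m.BaseAddress.ToInt64()
}

# Compares where kernel32.dll is mapped in this shell and in the target, i.e. whether an
# address obtained locally with GetProcAddress would point at the same code remotely.
function Compare-Kernel32Base {
    param([string]$TargetName = 'cpp')
    $target = Get-Process -Name $TargetName -ErrorAction Stop | Select-Object -First 1
    $me     = Get-Process -Id $PID
    try {
        $localBase  = Get-ModuleBase -Process $me     -Name 'kernel32.dll'
        $remoteBase = Get-ModuleBase -Process $target -Name 'kernel32.dll'
    } catch {
        throw "Cannot read modules of PID $($target.Id): access denied or 32/64-bit mismatch ($($_.Exception.Message))"
    }
    [pscustomobject]@{
        TargetPid  = $target.Id
        LocalBase  = '0x{0:X}' -f $localBase
        RemoteBase = '0x{0:X}' -f $remoteBase
        SameBase   = ($localBase -eq $remoteBase)
    }
}

# Lists modules the target has loaded from outside %SystemRoot%; a DLL loaded from
# C:\cpp\dll shows up here, which is the first thing to check when DllMain seems not to run.
function Get-NonSystemModules {
    param([string]$TargetName = 'cpp')
    $target  = Get-Process -Name $TargetName -ErrorAction Stop | Select-Object -First 1
    $sysRoot = $env:SystemRoot
    $target.Modules |
        Where-Object { -not $_.FileName.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase) } |
        Select-Object ModuleName, FileName, @{ n = 'Base'; e = { '0x{0:X}' -f $_.BaseAddress.ToInt64() } }
}

Compare-Kernel32Base
Get-NonSystemModules | Format-Table -AutoSize
```

Run it from an elevated shell of the same bitness as the target; an "access denied" from Process.Modules usually means either a missing privilege or a 32/64-bit mismatch, which is also the mismatch that makes a locally obtained LoadLibraryW address useless in the remote process.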