Metasploit mailing list archives
DLL Process Injection
From: danuxx at gmail.com (Danux)
Date: Fri, 14 Sep 2007 14:44:05 -0500
Wonderfulllllllll!!!! That's what I was looking for. Thanks friends.

On 9/14/07, Pusscat <pusscat at metasploit.com> wrote:
Try this:
```c
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* injectDLL <dll to inject> <pid to inject into>
 * Writes the DLL path into the target process, then starts a remote thread
 * whose entry point is kernel32!LoadLibraryA with that path as its argument. */
int main(int argc, char **argv) {
    DWORD pid;
    HANDLE processHandle = 0;
    HANDLE threadHandle = 0;
    LPVOID stringAddress = NULL;
    LPCSTR dllName = NULL;
    SIZE_T len;

    if (argc < 3) {
        printf("injectDLL <dll to inject> <pid to inject into>\n\n");
        return (0);
    }
    pid = strtoul(argv[2], NULL, 10);
    dllName = argv[1];
    len = strlen(dllName) + 1;  /* copy the terminating NUL too; LoadLibraryA expects it */
    printf("Injecting DLL %s into pid %lu... ", dllName, (unsigned long)pid);

    /* Needs rights for VirtualAllocEx, WriteProcessMemory and CreateRemoteThread */
    if (!(processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid))) {
        printf("OpenProcess() failed\n");
        return (-1);
    }
    /* The buffer only holds a string, so read/write is enough; no execute bit needed */
    if (!(stringAddress = VirtualAllocEx(processHandle, NULL, len,
                                         MEM_COMMIT, PAGE_READWRITE))) {
        printf("VirtualAllocEx() failed.\n");
        CloseHandle(processHandle);
        return (-1);
    }
    if (!WriteProcessMemory(processHandle, stringAddress, dllName, len, NULL)) {
        printf("WriteProcessMemory() failed.\n");
        VirtualFreeEx(processHandle, stringAddress, len, MEM_DECOMMIT);
        CloseHandle(processHandle);
        return (-1);
    }
    /* kernel32.dll is mapped at the same base in every process of the same
     * bitness, so the injector's own LoadLibraryA address is valid in the target */
    if (!(threadHandle = CreateRemoteThread(processHandle, NULL, 0,
            (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandleA("kernel32.dll"),
                                                   "LoadLibraryA"),
            stringAddress, 0, NULL))) {
        printf("CreateRemoteThread() failed.\n");
        VirtualFreeEx(processHandle, stringAddress, len, MEM_DECOMMIT);
        CloseHandle(processHandle);
        return (-1);
    }
    /* Wait for LoadLibraryA to return before reporting success */
    WaitForSingleObject(threadHandle, INFINITE);
    printf("DLL Injected.\n");
    CloseHandle(threadHandle);
    CloseHandle(processHandle);
    return (0);
}
```
~ Puss
-----Original Message-----
From: Danux [mailto:danuxx at gmail.com]
Sent: Friday, September 14, 2007 1:24 PM
To: framework at metasploit.com
Subject: [framework] DLL Process Injection
Hi, I don't know if this is the right place to ask, but I know you have
the skill to help me.
Recently I was trying to reproduce a new exploit, I mean: MSN
messenger 7.x (8.0?) VIDEO Remote Heap Overflow Exploit,
but following the instructions on milw0rm:
http://www.milw0rm.com/sploits/08292007-exp_msn.rar
they say I need to: "inject the dll to msn messenger .... process."
I know Metasploit already works that way, but I would like to learn how
to do it manually.
I have no skill in DLL programming nor injection; do you have a
tutorial or something like that to understand it?
Thanks in advance.
--
Danux, CISSP
Chief Information Security Officer
Macula Security Consulting Group
www.macula-group.com
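Added example, not from this thread: the defender-side view of the tool Pusscat posted. Its final step, CreateRemoteThread with kernel32!LoadLibraryA as the thread start, is exactly what Sysmon's Event ID 8 (CreateRemoteThread) records as SourceImage, TargetImage, StartModule and StartFunction. The script assumes those records are exported one per line as pipe-separated "Key: value" fields; the records, the export format, the paths and the allowlist are constructed for this example.

```python
"""Flag CreateRemoteThread-based DLL injection in Sysmon Event ID 8 records.
Detection logic: a remote thread whose start routine is a library loader is
the LoadLibraryA trick; a start address backed by no module is a raw-code
variant. Input format and sample records are constructed (assumption)."""

LOADER_FUNCS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
# Assumed allowlist: sources that create remote threads as part of normal
# Windows operation (tune for the environment).
BENIGN_SOURCES = {"c:\\windows\\system32\\csrss.exe"}

SAMPLE_EVENTS = [  # constructed Event ID 8 records, one per line
    "SourceImage: C:\\Tools\\injectDLL.exe|TargetImage: C:\\Program Files\\MSN Messenger\\msnmsgr.exe|"
    "StartModule: C:\\Windows\\System32\\kernel32.dll|StartFunction: LoadLibraryA",
    "SourceImage: C:\\Windows\\System32\\csrss.exe|TargetImage: C:\\Windows\\explorer.exe|"
    "StartModule: C:\\Windows\\System32\\ntdll.dll|StartFunction: RtlUserThreadStart",
    "SourceImage: C:\\Users\\x\\Downloads\\update.exe|TargetImage: C:\\Windows\\System32\\svchost.exe|"
    "StartModule: -|StartFunction: -",
]


def parse_event(line):
    """Split 'Key: value|Key: value' into a dict; missing keys become '-'."""
    fields = dict(part.split(": ", 1) for part in line.split("|"))
    return {k: fields.get(k, "-") for k in ("SourceImage", "TargetImage", "StartModule", "StartFunction")}


def classify(ev):
    """Return a verdict string for one record, or None if it looks benign."""
    if ev["SourceImage"].lower() in BENIGN_SOURCES:
        return None
    if ev["StartFunction"] in LOADER_FUNCS:
        return "dll-injection"           # remote thread entry is a library loader
    if ev["StartModule"] == "-":
        return "unbacked-start-address"  # thread starts outside any loaded module
    return None


def scan(lines):
    """Return (source, target, verdict) for every record that merits review."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        verdict = classify(ev)
        if verdict:
            hits.append((ev["SourceImage"], ev["TargetImage"], verdict))
    return hits


if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_EVENTS):
        print(f"{why}: {src} -> {dst}")
```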
