Wednesday, May 28, 2008

Inject Dlls

Hi,
today i'll explain how inject dlls into another process.

To inject external dlls into the processes we need to use some functions exported from coredll.dll. These functions are documented in Platform Builder but not in SDK so we need to declare them as extern:
extern "C"
{
BOOL __stdcall SetKMode(BOOL fMode);
DWORD __stdcall SetProcPermissions(DWORD);
LPVOID __stdcall MapPtrToProcess (LPVOID lpv, HANDLE hProc);
struct CALLBACKINFO
{
HANDLE m_hDestProcess;
FARPROC m_pFunction;
PVOID m_pFirstArgument;
};
DWORD __stdcall PerformCallBack4(CALLBACKINFO *pcbi, DWORD dw1, DWORD dw2, DWORD dw3);
}


After declared the undocumented functions we need to write code to use them to inject dlls, so:

//change the kernelmode and the permission for our code
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

CALLBACKINFO cbi;
cbi.m_hDestProcess = hProcess;
cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"LoadLibraryW"), hProcess);
cbi.m_pFirstArgument = (LPVOID)MapPtrToProcess(lpszFullPathDll, GetCurrentProcess());
HINSTANCE hInst = (HINSTANCE)PerformCallBack4(&cbi, 0,0,0); //returns the HINSTANCE from LoadLibraryW

//restore kernelmode and permission
SetKMode(bMode);
SetProcPermissions(dwPerm);


Some details:
hProcess: is the handle of the process where the dll will be injected;
lpszFullPathDll: is the full path to the dll which must be injected;

After a dll is injected into the hProcess we can call every exported function with the same method:

//get the proc address
FARPROC pHook = GetProcAddress(hInst, (LPCTSTR)L"ExportedFunction");
cbi.m_hDestProcess = hProcess;
cbi.m_pFunction = (FARPROC)MapPtrToProcess(pHook, hProcess);
cbi.m_pFirstArgument = NULL; //here we can pass any argument for our 'ExportedFunction'
DWORD dw = PerformCallBack4(&cbi, 0, 0, 0);//returns the same value of 'ExportedFunction'


And finally, as we loaded the dll, we can unload it calling 'FreeLibrary':

cbi.m_hDestProcess = hProcess;
cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcess);
cbi.m_pFirstArgument = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly unloaded


Enjoy!
:)

2 comments:

Hyeon-Cheol Park said...

Hi!

Thank you for your post.

I trying to use your inject dlls blog into my project running on Windows CE 4.2(Pocket PC 2003)

But I have fail to use. it's make "Unhandled exception in myapp.exe: 0xC000000D : invalid parameter.

I know, it is my fault. but I don't know what is my fault. because Inject DLL is first time in my life.

I just following procesure step by step. please let me know what is my fault.

1. Get Handle from GetWindow() and GetClassName() becasue Windows CE does not support GetWindowEx()
2. Use Spy++ for check Handle for SYSLISTVIEW32.DLL which is I want to hook. and I have that value is right value.
3. I set CALLBACKINFO value for PerformCallBack4()
5. and I have exception violation.

So, How Can I do? Please help me.

Thank you

Hyeon-Cheol Park.

following procedure is in my injectdll.cpp
--------------------------------
__declspec(dllexport) int _stdcall installHook(HWND hProcess)
{
//hProcess: is the handle of the process where the dll will be injected;
//lpszFullPathDll: is the full path to the dll which must be injected;

//change the kernelmode and the permission for our code
BOOL bMode = SetKMode(TRUE);
DWORD dwPerm = SetProcPermissions(0xFFFFFFFF);

CALLBACKINFO cbi;

cbi.m_hDestProcess=hProcess;
cbi.m_pFunction=(FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"coredll.dll"),L"LoadLibraryW"),hProcess);
cbi.m_pFirstArgument=(LPVOID)MapPtrToProcess(L"syslistview32.dll",GetCurrentProcess());

Sleep(500);
HINSTANCE hInst=(HINSTANCE) PerformCallBack4(&cbi,0,0,0); //returns the HINSTANCE from LoadLibraryW

//restore kernelmode and permission
SetKMode(bMode);
SetProcPermissions(dwPerm);

return 0;
}

__declspec(dllexport) int _stdcall uninstallHook(HWND hProcess)
{
CALLBACKINFO cbi;

cbi.m_hDestProcess = hProcess;
cbi.m_pFunction = (FARPROC)MapPtrToProcess(GetProcAddress(GetModuleHandle(L"COREDLL"), L"FreeLibrary"), hProcess);
cbi.m_pFirstArgument = hInst; //HINSTANCE returned by LoadLibrary
DWORD dw = PerformCallBack4(&cbi, 0,0,0); //returns 1 if correctly unloaded

return 0;
}
--------------------------------

GetClassName(hWndChild2, (LPTSTR) &lpClassName, MAX_LOADSTRING); if(wcsncmp(lpClassName, _T("SysListView32"),13)==0)
{
hWndList=hWndChild2;
break;
}

lResult=installHook(hWndList);

crino said...

hi,
if i'm not wrong you need of a subclass and not of an inject :)
To spy a window just get the handle of window and subclassing with SetWindowLong.

here (http://msdn.microsoft.com/en-us/library/ms997565.aspx) you can find an example ;)