This is a console app. What it is supposed to do is list the info for notepad.exe and then inject the .dll into the notepad.exe address space.
It seems to list the program info correctly, but the injection does not work (verified with OllyDbg: the .dll isn't present in the process).
Any help would be appreciated.
best,
Mike
Here's the main code:
<br />
#include "stdafx.h"<br />
<br />
<br />
#include <windows.h><br />
#include <tlhelp32.h><br />
#include <tchar.h><br />
#include <stdio.h><br />
#include <string><br />
<br />
#define MAXWAIT 10000   // milliseconds insertDll waits on the remote thread before giving up (WaitForSingleObject timeout)

// Walks the Toolhelp32 process snapshot and reports on every entry named "notepad.exe".
BOOL GetProcessList( );
// Prints the modules loaded into the process identified by dwPID.
BOOL ListProcessModules( DWORD dwPID );
// Prints the threads whose owner process is dwOwnerPID.
BOOL ListProcessThreads( DWORD dwOwnerPID );
// Prints msg together with GetLastError() and its system-supplied text.
void printError( TCHAR* msg );
// Attempts to load the DLL at path `dll` into process procID via a remote LoadLibraryA thread.
bool insertDll(DWORD procID, std::string dll);
<br />
<br />
<br />
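// Entry point: enumerates processes and reports on notepad.exe (see GetProcessList).
// Declared `int main` rather than the non-standard `void main`, and the BOOL result
// of the enumeration is mapped to the process exit status (0 = success).
int main( )
{
    return GetProcessList( ) ? 0 : 1;
}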
<br />
// Walks the Toolhelp32 process snapshot. For each entry whose image name is
// "notepad.exe" it prints the process id, thread count, parent id and priority
// information, calls insertDll, and then lists the process's modules and threads.
//
// Returns FALSE only when the snapshot itself cannot be taken or read (the error
// is reported through printError); per-process failures such as OpenProcess are
// reported the same way and the walk continues.
BOOL GetProcessList( )
{
    const CHAR targetImage[260] = "notepad.exe";

    const HANDLE snapshot = CreateToolhelp32Snapshot( TH32CS_SNAPPROCESS, 0 );
    if( snapshot == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of processes)") );
        return( FALSE );
    }

    PROCESSENTRY32 entry;
    entry.dwSize = sizeof( PROCESSENTRY32 );   // Toolhelp requires dwSize before Process32First

    if( !Process32First( snapshot, &entry ) )
    {
        printError( TEXT("Process32First") );
        CloseHandle( snapshot );
        return( FALSE );
    }

    do
    {
        // Only the entries whose image name matches are of interest.
        if( strcmp( entry.szExeFile, targetImage ) != 0 )
            continue;

        printf( "\n\n=====================================================" );
        _tprintf( TEXT("\nPROCESS NAME: %s"), targetImage );
        printf( "\n-----------------------------------------------------" );

        // The priority class is only readable through a process handle; 0 means "unknown".
        DWORD priorityClass = 0;
        const HANDLE process = OpenProcess( PROCESS_ALL_ACCESS, FALSE, entry.th32ProcessID );
        if( process == NULL )
        {
            printError( TEXT("OpenProcess") );
        }
        else
        {
            priorityClass = GetPriorityClass( process );
            if( !priorityClass )
                printError( TEXT("GetPriorityClass") );
            CloseHandle( process );
        }

        printf( "\n Process ID = 0x%08X", entry.th32ProcessID );
        printf( "\n Thread count = %d", entry.cntThreads );
        printf( "\n Parent process ID = 0x%08X", entry.th32ParentProcessID );
        printf( "\n Priority base = %d", entry.pcPriClassBase );
        if( priorityClass )
            printf( "\n Priority class = %d", priorityClass );

        // Injection attempt (see insertDll); its return value is not examined here.
        insertDll( entry.th32ParentProcessID, "C:\Caliber.dll" );

        ListProcessModules( entry.th32ProcessID );
        ListProcessThreads( entry.th32ProcessID );

    } while( Process32Next( snapshot, &entry ) );

    CloseHandle( snapshot );
    return( TRUE );
}
<br />
<br />
// Lists the modules loaded into process dwPID from a TH32CS_SNAPMODULE snapshot.
// For every module the name, image path, owning process id, global and per-process
// reference counts, load address and image size are printed.
//
// Returns FALSE when the snapshot cannot be taken or yields no readable entry; the
// failing call is reported through printError. The snapshot handle is always closed.
BOOL ListProcessModules( DWORD dwPID )
{
    const HANDLE moduleSnap = CreateToolhelp32Snapshot( TH32CS_SNAPMODULE, dwPID );
    if( moduleSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of modules)") );
        return( FALSE );
    }

    MODULEENTRY32 module;
    module.dwSize = sizeof( MODULEENTRY32 );   // required before Module32First

    if( !Module32First( moduleSnap, &module ) )
    {
        printError( TEXT("Module32First") );
        CloseHandle( moduleSnap );
        return( FALSE );
    }

    // The first entry is already loaded; advance with Module32Next after each print.
    for( BOOL more = TRUE; more; more = Module32Next( moduleSnap, &module ) )
    {
        _tprintf( TEXT("\n\n MODULE NAME: %s"), module.szModule );
        _tprintf( TEXT("\n Executable = %s"), module.szExePath );
        printf( "\n Process ID = 0x%08X", module.th32ProcessID );
        printf( "\n Ref count (g) = 0x%04X", module.GlblcntUsage );
        printf( "\n Ref count (p) = 0x%04X", module.ProccntUsage );
        printf( "\n Base address = 0x%08X", (DWORD) module.modBaseAddr );
        printf( "\n Base size = %d", module.modBaseSize );
    }

    CloseHandle( moduleSnap );
    return( TRUE );
}
<br />
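// Prints the id and base/delta priority of every thread owned by dwOwnerPID.
// The TH32CS_SNAPTHREAD snapshot is taken system-wide (pid argument 0), so the
// comparison against th32OwnerProcessID is what scopes the output to one process.
//
// Returns FALSE when the snapshot cannot be taken or read. Both failures are now
// reported through printError, matching ListProcessModules (the original returned
// silently when CreateToolhelp32Snapshot failed). The snapshot handle is always closed.
BOOL ListProcessThreads( DWORD dwOwnerPID )
{
    HANDLE hThreadSnap = CreateToolhelp32Snapshot( TH32CS_SNAPTHREAD, 0 );
    if( hThreadSnap == INVALID_HANDLE_VALUE )
    {
        printError( TEXT("CreateToolhelp32Snapshot (of threads)") );
        return( FALSE );
    }

    THREADENTRY32 te32;
    te32.dwSize = sizeof( THREADENTRY32 );   // required before Thread32First

    if( !Thread32First( hThreadSnap, &te32 ) )
    {
        printError( TEXT("Thread32First") );
        CloseHandle( hThreadSnap );
        return( FALSE );
    }

    do
    {
        if( te32.th32OwnerProcessID != dwOwnerPID )
            continue;   // belongs to another process

        printf( "\n\n THREAD ID = 0x%08X", te32.th32ThreadID );
        printf( "\n Base priority = %d", te32.tpBasePri );
        printf( "\n Delta priority = %d", te32.tpDeltaPri );
    } while( Thread32Next( hThreadSnap, &te32 ) );

    CloseHandle( hThreadSnap );
    return( TRUE );
}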
<br />
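// Prints "WARNING: <msg> failed with error <n> (<system text>)" for the calling
// thread's last Win32 error. The system text comes from FormatMessage and is
// trimmed of the trailing "\r\n" and any trailing periods/whitespace it carries.
//
// msg: caller-supplied label for the call that failed (not modified).
void printError( TCHAR* msg )
{
    // Read the error code before anything else: every call below may overwrite it.
    const DWORD eNum = GetLastError( );

    // Zero-initialised so the trimming below is well-defined even when FormatMessage
    // writes nothing (the original left the buffer uninitialised in that case).
    TCHAR sysMsg[256] = { 0 };
    const size_t capacity = sizeof( sysMsg ) / sizeof( sysMsg[0] );
    FormatMessage( FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS,
                   NULL, eNum,
                   MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                   sysMsg, capacity, NULL );

    // Cut at the first control character (FormatMessage ends its text with "\r\n";
    // a tab is kept), then drop trailing periods and whitespace so the message
    // reads cleanly inside the parentheses.
    size_t end = 0;
    while( end < capacity - 1 && ( sysMsg[end] > 31 || sysMsg[end] == 9 ) )
        ++end;
    while( end > 0 && ( sysMsg[end - 1] == '.' || sysMsg[end - 1] < 33 ) )
        --end;
    sysMsg[end] = 0;

    _tprintf( TEXT("\n WARNING: %s failed with error %d (%s)"), msg, eNum, sysMsg );
}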
<br />
<br />
<br />
<br />
// Attempts to load the DLL at path `dll` into the process identified by procID by
// starting a thread in that process at kernel32!LoadLibraryA with the path as its
// argument. This is the CreateRemoteThread/LoadLibrary pattern: the cross-process
// sequence VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread is exactly
// what endpoint-protection and injection-detection tooling monitors for.
//
// procID: id of the target process.
// dll:    path passed to LoadLibraryA inside the target; taken by value because a
//         terminator is appended to it below.
// Returns res, which is true whenever a thread handle was obtained (see the note at
// the WaitForSingleObject line). None of the Win32 calls here have their results
// checked, so a failure anywhere in the sequence is not reported to the caller.
bool insertDll(DWORD procID, std::string dll)
{
    // Resolve LoadLibraryA in this process; the address is reused in the target,
    // which assumes kernel32 is mapped at the same base there — not verified here.
    HMODULE hLocKernel32 = GetModuleHandle("Kernel32");
    FARPROC hLocLoadLibrary = GetProcAddress(hLocKernel32, "LoadLibraryA");


    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);

    // Explicit terminator so the bytes copied below form a C string in the target.
    dll += '\0';
    // Buffer for the path inside the target's address space.
    LPVOID hRemoteMem = VirtualAllocEx(hProc, NULL, dll.size(), MEM_COMMIT, PAGE_READWRITE);

    DWORD numBytesWritten;
    WriteProcessMemory(hProc, hRemoteMem, dll.c_str(), dll.size(), &numBytesWritten);

    // The new thread's start routine is LoadLibraryA and its single argument is the
    // remote buffer holding the path.
    HANDLE hRemoteThread = CreateRemoteThread(hProc, NULL, 0, (LPTHREAD_START_ROUTINE)hLocLoadLibrary, hRemoteMem, 0, NULL);

    // The thread was not created suspended, so this call has no effect on it.
    ResumeThread(hRemoteThread);


    bool res = false;
    if (hRemoteThread)
        // NOTE: the (bool) cast binds to the WaitForSingleObject call, so the
        // comparison against WAIT_TIMEOUT (0x102) is always true here; res only
        // reflects that hRemoteThread was non-null, not the wait outcome.
        res = (bool)WaitForSingleObject(hRemoteThread, MAXWAIT) != WAIT_TIMEOUT;

    // NOTE(review): MEM_RELEASE is documented to require a size of 0; with
    // dll.size() this call presumably fails and the remote buffer is not freed —
    // confirm with GetLastError. hRemoteThread is never closed either.
    VirtualFreeEx(hProc, hRemoteMem, dll.size(), MEM_RELEASE);


    CloseHandle(hProc);

    return res;
}
I included the Visual Studio 2008 C++ project file in the linked Projects.rar, along with the Caliber.dll that gets injected (this .dll doesn't do anything at all; it's just for testing the injection).
www.steveandmike.com/backup/Projects.rar
You must have notepad.exe running to see anything. It's probably best to build the application and then run the build from a console window.
Thanks for any help!
best,
Mike