Wednesday, December 9, 2009

StartLibraryFunction (Calling Injected Library Function With Multiple Parameters Support)

Well, this is my first post on this blog, so firstly I'm sorry if my English isn't good enough for all you programmers to understand. This time, I'm going to share with you my code on how to start a library (DLL) function after you've injected it into a process.


I then researched in many places, and my search engine of choice is Mr. Google. Suddenly, I ended up finding these two links that were quite good for giving me the things I want:

Enhanced CreateRemoteThreadEx() :
http://www.rohitab.com/discuss/index.php?showtopic=31453

Calling An Exported Function In An Injected Dll Library :
http://www.digitalise.net/2009/01/02/calling-an-exported-function-in-an-injected-dll-library/

But still, the two links above don't really have the thing I want, since I wanted a function that can remotely call a DLL function that has multiple arguments or, as the second link said with some extra words, "calling an exported function that has multiple arguments in an injected DLL library".

The first link is really, really, really good, but after I tried to build the code and run it, an unexpected assembly error came out. I used the binary (.exe) that was included in the archive; the binary ran flawlessly, but after showing a MessageBox in Notepad or Calculator, the Notepad or Calculator immediately crashed.

As for the second link, there were no errors found here; it ran flawlessly. I give the creator a "really good job" and thank you for releasing it as open source. Just one thing: the function called can only support one parameter.

Since both links don't have what I REALLY want, I tried to create my own function, with both links being a really good reference for me.

Appreciation:
In this section I would like to say thanks to both posters / creators in the links above for giving me a really good reference to start my project.

Why do I need this?

Well, just imagine if we want to show a MessageBox function that has more than 1 parameter. We can use the CreateRemoteThread function, but with it you can only pass one parameter. With StartLibraryFunction, you can fully customize the MessageBox to show what you want. This could also be useful if we want to create a DLL that needs a function taking more than 1 parameter.

Pros :
Function with more than one parameter can be called.

Cons :
x86 Only (Thanks Irwin)
Can only call stdcall type calling convention.
No Calling Convention Support (Thanks Irwin)

This is the list of what I think I should tell you all about what I've done in my project:
  • Since I am too lazy to create my own injection class from scratch, I used the injection class from the second link. I did not copy-paste the whole code. Even though I am using it, I re-typed the whole class to understand it, since from the moment I started this project I didn't even know how to do library injection.

  • The first link is only a reference, and my StartLibraryFunction() function I did all by myself from scratch. I never understood any of the first link's ASM code format, so I studied the ASM language from the beginning and came out with my own ASM format.

  • It took me about 3 days, excluding the day I published this post, to finish this project.

  • My function currently only supports %d and %s as the format.

  • By understanding the library injection method, I managed to create my own library ejection method. So the EjectLibrary function was also done by me from scratch.

There's no need for me to tell you how to use it, since the code is already self-explanatory. Just download the archive, extract it and open main.cpp to see how to use the code. Calculator must be opened before running the code to prevent a compiler error.

To try the code, simply extract the archive, open the release folder and click StartLibraryFunction.exe.

Here is the link to the file for everyone who wants to use/try it:
Revision : 002
Source Format : Microsoft Visual Studio 2008
Archive Name : StartLibraryFunction-REV002.zip
Archive Size : 16.05kb
Download Link : MediaFire

That's it for now, please report any bugs back to me. Your comments are welcome. Thank you for reading this ugly post. Hope you all enjoy!
