Tuesday, September 28, 2010

DLL Injection in PureBasic

API injection is never going to be much fun without a way to put the code into a DLL and then inject that DLL into the process you want to try it on. So here is example code you can use to inject your DLL in PureBasic. It's fun! You should try it out!

Only the injection method:
Procedure.i InjectLibrary(ProcessID.l, DLLPath.s)
  ; Handles and pointers are declared .l here, as in the original 32-bit build
  Define ProcessHandle.l
  Define StartAddress.l
  Define BufferSize.i
  Define ParamAddress.l
  Define ThreadHandle.l
  Define Result.i = -1
  
  ProcessHandle = OpenProcess_(#PROCESS_ALL_ACCESS, #False, ProcessID)
  If ProcessHandle = 0
    ProcedureReturn -1
  EndIf
  
  ; LoadLibraryA becomes the remote thread's start routine; kernel32.dll is loaded
  ; at the same base address in every process, so the local address is valid remotely
  StartAddress = GetProcAddress_(GetModuleHandle_("kernel32.dll"), "LoadLibraryA")
  If StartAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  ; Room for the path plus its terminating null (assumes an ASCII build, since
  ; LoadLibraryA expects an ANSI path)
  BufferSize = Len(DLLPath) + 1
  ParamAddress = VirtualAllocEx_(ProcessHandle, 0, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  If ParamAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  If WriteProcessMemory_(ProcessHandle, ParamAddress, @DLLPath, BufferSize, 0)
    ThreadHandle = CreateRemoteThread_(ProcessHandle, 0, 0, StartAddress, ParamAddress, 0, 0)
    If ThreadHandle
      ; Wait until LoadLibraryA has returned in the target before freeing the path buffer
      WaitForSingleObject_(ThreadHandle, #INFINITE)
      CloseHandle_(ThreadHandle)
      Result = 0
    EndIf
  EndIf
  
  ; Always release the remote buffer and the process handle, whatever happened above
  VirtualFreeEx_(ProcessHandle, ParamAddress, 0, #MEM_RELEASE)
  CloseHandle_(ProcessHandle)
  
  ProcedureReturn Result
EndProcedure

Complete with example:

injector.pb:
Procedure.i InjectLibrary(ProcessID.l, DLLPath.s)
  ; Handles and pointers are declared .l here, as in the original 32-bit build
  Define ProcessHandle.l
  Define StartAddress.l
  Define BufferSize.i
  Define ParamAddress.l
  Define ThreadHandle.l
  Define Result.i = -1
  
  ProcessHandle = OpenProcess_(#PROCESS_ALL_ACCESS, #False, ProcessID)
  If ProcessHandle = 0
    ProcedureReturn -1
  EndIf
  
  ; LoadLibraryA becomes the remote thread's start routine; kernel32.dll is loaded
  ; at the same base address in every process, so the local address is valid remotely
  StartAddress = GetProcAddress_(GetModuleHandle_("kernel32.dll"), "LoadLibraryA")
  If StartAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  ; Room for the path plus its terminating null (assumes an ASCII build, since
  ; LoadLibraryA expects an ANSI path)
  BufferSize = Len(DLLPath) + 1
  ParamAddress = VirtualAllocEx_(ProcessHandle, 0, BufferSize, #MEM_COMMIT, #PAGE_READWRITE)
  If ParamAddress = 0
    CloseHandle_(ProcessHandle)
    ProcedureReturn -1
  EndIf
  
  If WriteProcessMemory_(ProcessHandle, ParamAddress, @DLLPath, BufferSize, 0)
    ThreadHandle = CreateRemoteThread_(ProcessHandle, 0, 0, StartAddress, ParamAddress, 0, 0)
    If ThreadHandle
      ; Wait until LoadLibraryA has returned in the target before freeing the path buffer
      WaitForSingleObject_(ThreadHandle, #INFINITE)
      CloseHandle_(ThreadHandle)
      Result = 0
    EndIf
  EndIf
  
  ; Always release the remote buffer and the process handle, whatever happened above
  VirtualFreeEx_(ProcessHandle, ParamAddress, 0, #MEM_RELEASE)
  CloseHandle_(ProcessHandle)
  
  ProcedureReturn Result
EndProcedure

; Start a fresh notepad.exe as the target and take its process id from the program handle
NotePad = RunProgram("notepad", "", "", #PB_Program_Open|#PB_Program_Read)

Debug NotePad

If NotePad
  ProcessID = ProgramID(NotePad)
  
  If ProcessID
    ; LoadLibraryA resolves a bare name through the target's DLL search path,
    ; so dll01.dll has to be reachable from there
    If InjectLibrary(ProcessID, "dll01.dll") <> 0
      Debug "Injection failed"
    EndIf
  EndIf
EndIf

dll.pb:

; AttachProcess is PureBasic's DLL_PROCESS_ATTACH entry point; it runs when the
; DLL is loaded into the process (here, when LoadLibraryA runs inside notepad)
ProcedureDLL AttachProcess(Instance)
  ; Note: this runs under the loader lock, where Windows advises against UI calls
  MessageRequester("", "This is the first DLL")
EndProcedure
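From the defender's side, this injector leaves a recognisable trace: a thread created in another process whose start routine is a LoadLibrary* export. The following is an added example (not part of the original post) that checks constructed Sysmon Event ID 8 (CreateRemoteThread) records for that pattern; it assumes Sysmon's Event 8 field names, and the log lines and their pipe-separated layout are constructed for the example.

```python
"""Detection for the CreateRemoteThread + LoadLibraryA pattern above (added example).

Sysmon Event ID 8 (CreateRemoteThread) records the start module and start
function of a thread one process creates in another. A remote thread whose
start routine is a LoadLibrary* export is exactly what this injector produces.
Field names follow the Sysmon Event 8 schema; records and layout are constructed.
"""

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Constructed sample log: one event per line, "Key=Value" fields separated by " | "
SAMPLE_EVENTS = """\
UtcTime=2010-09-28 10:00:01 | SourceImage=C:\\tools\\injector.exe | SourceProcessId=1234 | TargetImage=C:\\Windows\\notepad.exe | TargetProcessId=5678 | StartModule=C:\\Windows\\System32\\kernel32.dll | StartFunction=LoadLibraryA
UtcTime=2010-09-28 10:00:02 | SourceImage=C:\\Windows\\System32\\csrss.exe | SourceProcessId=400 | TargetImage=C:\\Windows\\notepad.exe | TargetProcessId=5678 | StartModule=C:\\Windows\\System32\\ntdll.dll | StartFunction=RtlUserThreadStart
UtcTime=2010-09-28 10:00:03 | SourceImage=C:\\Windows\\notepad.exe | SourceProcessId=5678 | TargetImage=C:\\Windows\\notepad.exe | TargetProcessId=5678 | StartModule=C:\\Windows\\System32\\kernel32.dll | StartFunction=LoadLibraryW
"""


def parse_event(line):
    """Turn one 'Key=Value | Key=Value' line into a dict (constructed layout, not Sysmon XML)."""
    return dict(field.strip().split("=", 1) for field in line.split(" | "))


def is_remote_loadlibrary(event):
    """True when a different process started a thread at a LoadLibrary* export.

    Same-process records are skipped so only cross-process threads count, and the
    start module must be kernel32 or kernelbase, where the LoadLibrary* exports live.
    """
    cross_process = event.get("SourceProcessId") != event.get("TargetProcessId")
    module = event.get("StartModule", "").lower()
    in_loader_dll = module.endswith(("kernel32.dll", "kernelbase.dll"))
    return cross_process and in_loader_dll and event.get("StartFunction") in LOADLIBRARY_EXPORTS


def find_injections(log_text):
    """Return (source image, target image, start function) for each matching event."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_remote_loadlibrary(event):
            hits.append((event["SourceImage"], event["TargetImage"], event["StartFunction"]))
    return hits


if __name__ == "__main__":
    for source, target, function in find_injections(SAMPLE_EVENTS):
        print(f"remote {function} thread: {source} -> {target}")
```

Only the first sample record is flagged: the csrss.exe thread starts in ntdll, and the third record is the same process loading a library into itself.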

3 comments:

  1. PyroStrex, do you have a function for signature scanning? Thank you.

  2. Hmm. Sorry, signature scanning. I never thought of experiencing something like that. :). So, no, I don't.

  3. Please update your tutorial because it's not working. I tried that on Windows 8 and can't inject. :(