DLL Injection

Foreword

Welcome once again to the next step up from our simple process injection! I've gone ahead and rewritten the code from the original blog post because I've learned a lot since then. I'd also like it to improve the code shown in the video; which if you haven't seen, goes into depth about , and this technique. You can find it below:

Dynamic Link Libraries

DLLs are crucial because they let programmers modularize their work and share similar code among several apps. This can lower the size and complexity of the codebase while also saving time and effort when creating new software. Pretty much any process that you open is going to have some DLL that it uses/needs in order to work properly. Let's take notepad.exe for example. Seemingly an incredibly simple program, right?

Even for a seemingly simple program like Notepad, the number of modules it loads is a considerable amount. By the way, the tool I'm using to view this is Process Hacker 2:

Creating Our First DLL

If you recall, when we first got started with malware development, more specifically, the prerequisites blog and video located below:

We had created a message box program that when run, would spawn a humble message box like the following:

Now, what if we wanted to create a DLL that did the exact same thing as this? More specifically, could we create a DLL that just creates a message box as a quick little DLL "hello world"? Of course, we can! It's not that difficult either! There are some slight differences but, it's not too bad at all. Firstly, we need to talk about the entry point of a DLL (DllMain).

Just as our standard executable applications have a main entry point i.e., the main function. So too, do DLLs. The DllMain for all intents and purposes is a standard program's "main" entry point equivalent. We need to set this up properly otherwise our DLL isn't going to work. Before making our DLL, let's quickly start dissecting how a DLL works when a process loads one. The documentation itself provides a really great overview of what happens:

Right-click on the project, and head to Properties. Once you get to the new window, you want to change the following settings:

We need to set our Configuration Type to Dynamic Library (.dll) since we're trying to create a DLL. While we're here, we might as well change the C++ language standard to C++20 although this is completely optional and won't matter for our DLL. With that done, let's add a source file and make sure to have the file extension set to .dll. Once we've added our source file, we can add in the Windows header and start codin':

We create a BOOL type function - but you might notice the presence of the WINAPI macro. What is that, you might ask? If we hover over the WINAPI macro, we can see that it just expands out to a __stdcall:

That's not of much help if you don't already know what "__stdcall" is in the first place, so let's quickly go over what that is just so we're all on the same page.

As we can see, the __stdcall calling convention is used to call Win32 API functions. If we want to create/use a function that uses this calling convention, it'll require a function prototype for that aforementioned function. Another cool little thing about this calling convention is that parameters are pushed on the stack in reverse order (right to left):

You can read more about this and the other keywords down below:

So, if you see certain functions during your time researching and they're defined like the following:

// Example of the __stdcall keyword
#define WINAPI __stdcall
// Example of the __stdcall keyword on function pointer
typedef BOOL (__stdcall *funcname_ptr)(void* arg1, const char* arg2, DWORD flags, ...);

You can lean back, flick your collar, and start smilin' smugly because you're now aware of what the __stdcall calling convention is, its little quirks, and how different macros like "WINAPI" are defined using them. Let's continue developing our DLL.

#include <Windows.h>

/* you can use the WINAPI macro if you want but since we learned about __stdcall, why not use it :> */
BOOL __stdcall DllMain(HINSTANCE hModule, ...) {

    return TRUE;

}

FARPROC GetProcAddress(
  [in] HMODULE hModule,
  [in] LPCSTR  lpProcName
);

The next parameter, fdwReason, is the "reason code that indicates why the DLL entry-point function is being called." Basically, it's a variable that tells us what's happened with the DLL, things like if it got loaded (attached) in a process/thread, or unloaded (detached) from the process/thread; and based on whatever happens, our DLL can do specific things in correspondence to the fdwReason. It can be one of the following values, as shown in the documentation:

So, with our code updated, we're currently here:

#include <Windows.h>

BOOL __stdcall DllMain(HINSTANCE hModule, DWORD dwReason, ...) {

    return TRUE;

}

The last parameter, lpvReserved is just a reserved parameter that we're required to supply to this function. Sometimes you might see some reserved arguments that need to be supplied to functions, that's perfectly normal and it's just something we have to include. If you're curious as to what they actually do and what it means, you can check the documentation:

That brings us to here:

#include <Windows.h>

BOOL __stdcall DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpvReserved) {

    return TRUE;

}

With the DllMain entry-point function created, we can start getting to the meat and bones of the DLL; the switch cases. Our cases are going to depend entirely on the dwReason parameter.

We really only care about the DLL_PROCESS_ATTACH reason, however, you can (and should) experiment with the other cases as well; maybe even use them in conjunction with each other. If we look at the documentation for the DLL_PROCESS_ATTACH value once again, we can see:

#include <Windows.h>

BOOL __stdcall DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpvReserved) {

    switch (dwReason) {

    case DLL_PROCESS_ATTACH:
        MessageBoxW(NULL, L"WHO GOES THERE", L"KAW KAW KAW", MB_ICONEXCLAMATION);
        break;
    }

    return TRUE;

}

PS C:\Users\crow> rundll32 your.dll,yourFunction 

In this case, we want to run our DllMain function, so let's try that and see if we get a message box.

Loading Our DLL

We see that this function will load a module into the address space of the calling process, and we know what happens when a DLL gets loaded by a process, remember? The entry-point function of the said DLL will automatically get run.

LoadLibrary is also of the HMODULE type because it will return a handle to the module (if it's able to get one). It takes in one (1) argument - lpLibFileName, that being the name of the library itself.

For this argument, we will submit the entire path of our DLL. However, as seen from the documentation, there are other searching methods (and considerations) you can take note of, like specifying a relative path:

Also, consider the little note about using backslashes (\) when specifying a path and not forward slashes (/). With this in mind, let's make another program that'll load our DLL, and once it does, it should run our message box.

#include <Windows.h>
#include <stdio.h>

#define okay(msg, ...) printf("[+] " msg "\n", ##__VA_ARGS__)
#define warn(msg, ...) printf("[-] " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] " msg "\n", ##__VA_ARGS__)

int main(void) {

	HMODULE hCrowDLL = NULL;
	wchar_t dllPath[MAX_PATH] = L"C:\\path\\to\\crow.dll";

	info("trying to get a handle to %S", dllPath);
	
	hCrowDLL = LoadLibraryW(dllPath);

	if (hCrowDLL == NULL) {
		warn("couldn't get a handle to crow.dll, error: 0x%lx", GetLastError());
		return EXIT_FAILURE;
	}

	okay("got a handle to crow.dll!");
	info("---0x%p", hCrowDLL);

	info("freeing the module");
	FreeLibrary(hCrowDLL);
	okay("finished, press <enter> to exit");
	getchar();

	return EXIT_SUCCESS;

}

This program starts off by defining (and initializing) a variable of the HMODULE type called hCrowDLL. This will hold the base address of our DLL and it's the handle we get on our module. Then, we try to load the library using the LoadLibraryW function into the address space of the space.

If we compile this program and run it, we can see that the program will load our DLL with LoadLibrary and a message box will pop up, as planned!

It works! The only thing that kind of sucks is that our output will only be shown after we press okay, which is fine, this won't be the case when we inject it. After pressing okay, we can see the following output:

Awesome! We now have a much deeper understanding of how all of this loading stuff works, which is going to equip us adequately for the next section. Speaking of which, let's finally begin making our injection program.

Creating the Program

#include <Windows.h>
#include <stdio.h>

#define okay(msg, ...) printf("[+] " msg "\n", ##__VA_ARGS__)
#define warn(msg, ...) printf("[-] " msg "\n", ##__VA_ARGS__)
#define info(msg, ...) printf("[i] " msg "\n", ##__VA_ARGS__)

int main(int argc, char* argv[]) {

	/*------[SETUP SOME VARIABLES]------*/
	DWORD       TID               = NULL;
	DWORD       PID               = NULL;
	LPVOID      rBuffer           = NULL;
	HANDLE      hProcess          = NULL;
	HANDLE      hThread           = NULL;
	HMODULE     hKernel32         = NULL;
	wchar_t     dllPath[MAX_PATH] = L"C:\\path\\to\\crow.dll";
	size_t      pathSize          = sizeof(dllPath);
	size_t      bytesWritten      = 0;

	/*------[GET HANDLE TO PROCESS]------*/
	if (argc < 2) {
		warn("usage: %s <PID>", argv[0]);
		return EXIT_FAILURE;
	}

	PID = atoi(argv[1]);
	info("trying to get a handle to the process (%ld)", PID);
	hProcess = OpenProcess((PROCESS_VM_OPERATION | PROCESS_VM_WRITE), FALSE, PID);

	if (hProcess == NULL) {
		warn("unable to get a handle to the process (%ld), error: 0x%lx", PID, GetLastError());
		return EXIT_FAILURE;
	}

	okay("got a handle to the process!");
	info("\\___[ hProcess\n\t\\_0x%p]\n", hProcess);	

	/*------[GET HANDLE TO KERNEL32]------*/
(snip ...)
	
/* thank you @5pider for introducing me to this nifty lil cleanup! ily <3  */
CLEANUP:

	if (hThread) {
		info("closing handle to thread");
		CloseHandle(hThread);
	}
	
	if (hProcess) {
		info("closing handle to process");
		CloseHandle(hProcess);
	}
	
	okay("finished with house keeping, see you next time!");
	return EXIT_SUCCESS;

}

We can see just how many functions there are in this DLL. But, that's not all. If we look for some functions that we've already been using, like CreateRemoteThread, OpenProcess, VirtualAlloc, etc., we can see that all of them are in this library:

The function we're interested in, for the purposes of our DLL Injection, is the LoadLibrary function. As expected, it's here as well:

(snip...)

	/*------[GET HANDLE TO KERNEL32]------*/
	info("getting handle to Kernel32.dll");
	hKernel32 = GetModuleHandleW(...)
	
(snip...)

If we take a look at the syntax for the GetModuleHandleW function, we'll see that it returns a handle to our specified module. It takes in one (1) argument, lpModuleName, which is just the name of the module we want to get a handle on:

Let's supply in the name of the module, Kernel32 to this function, and then check to see if a valid handle to the module has been returned or not. If it has, we'll print out the value of the handle (which is just going to be the base address of the Kernel32 DLL).

(snip...)

	/*------[GET HANDLE TO KERNEL32]------*/
	info("getting handle to Kernel32.dll");
	hKernel32 = GetModuleHandleW(L"kernel32");

	if (hKernel32 == NULL) {
		warn("failed to get a handle to Kernel32.dll, error: 0x%lx", GetLastError());
		return EXIT_FAILURE;
	}

	okay("got a handle to Kernel32.dll");
	info("\\___[ hKernel32\n\t\\_0x%p]\n", hKernel32);

(snip...)

This function will get the address of an exported function (also known as a procedure) or variable from the specified DLL. The first parameter, hModule, is the handle to the module of the DLL that we'd like to get the function address from, in this case, it's the handle to Kernel32 which we've got tucked away within our hKernel32 variable:

(snip ...)

	/*------[GET ADDR OF LOADLIBRARY]------*/
	info("getting address of LoadLibraryW()");
	GetProcAddress(hKernel32, ...);
	
(snip ...)

The next parameter is the procedure name that we wish to get the address of, we want LoadLibraryW from Kernel32, so, let's supply that.

(snip ...)

	/*------[GET ADDR OF LOADLIBRARY]------*/
	info("getting address of LoadLibraryW()");
	GetProcAddress(hKernel32, L"LoadLibraryW");
	
(snip ...)

(snip ...)

	/*------[GET ADDR OF LOADLIBRARY]------*/
	info("getting address of LoadLibraryW()");
	LPTHREAD_START_ROUTINE kawLoadLibrary = (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel32, "LoadLibraryW");
	okay("got address of LoadLibraryW()");
	info("\\___[ LoadLibraryW\n\t\\_0x%p]\n", kawLoadLibrary);

(snip ...)

I won't cover it much more here since you should know this from the previous blog post. If you don't, you can head over here to read more about it:

Performing the Injection

After finally compiling our program, we can now test it out by injecting it against a target process.

Awesome! We've finally injected a DLL into our target process. Let's cover some common pitfalls and caveats to injecting our DLLs in this way.

Common Pitfalls

One thing you'll notice is that if you try to inject the same process multiple times, your DLL won't be loaded again after the first time. An incredible blog post by Brad Antoniewicz mentions this:

Viewing the Memory

Let's appreciate all the 1337pwning we've been doing so far. However, it would also be nice to look at what's happening in the process memory when we exploit our target process. We'll see a lot of cool information here. After injecting into our target mspaint process, we can view all the modules that the process has loaded; like we did with the Notepad example a while ago. In the Modules tab:

Furthermore, if we look at the Memory tab, we can see all the references to our DLL here:

Another thing we can do is click on the Strings tab and filter (contains (case-insensitive)), and look for the lpText and lpThread parameters of our MessageBoxW function. What we'll find, is really cool:

If we go back to the Module tab, and double-click on our DLL, we can see some telling information about the library itself:

From here, we can see some things like the fact that it's UNVERIFIED, how it has High entropy, as well as some other information about the different sections of this DLL. In the Imports section of this new window, we can also see the presence of a bunch of functions, including our MessageBoxW "payload":

References