CodeProject: DLL Injection and function interception tutorial. Free source code and programming help

Report Article

Discuss

Send to a friend

19 votes for this Article.

Popularity: 4.45 Rating: 3.48 out of 5

Download source files - 328 Kb

Revision 4

Introduction

The source files depend a lot on function pointers. Overview is recommended.

DLL Injection is similar to 'Injecting' code into an already running process. Many things have been taken from Matt Pietrek's book 'Secrets of Windows 95'.

Function interception means 'intercepting' an API function that was loaded by a statically linked DLL by modifying the address of the beginning of the function's code, resulting in the application to call your 'intercepting' function instead of the original 'intercepted' function. This is similar to the idea in "APIHijack - A Library for easy DLL function hooking" article posted by Wade Brainerd.

DLL Injection

"DLL Injection" is not an accurate name for what my content will actually be. My code will 'inject' a series of assembled assembly language instructions [Code] into some available space in the running process and alters the registers to point at the offset of the 'injected' [code]. The process will of course execute the instructions which will load a certain DLL, which is the DLL that is being injected. Note that this code 'Injects' [code]. The code can be anything, it doesn't necessarily have to load a DLL. Hence, the inaccurate title.

There are two ways to 'Inject' a series of bytes into an already running process. VirtualAllocEx() - which isn't supported in Win9x/ME - will allow a process to reserve or commit a region of memory within the virtual address space of a separate specified process. Use WriteProcessMemory() to write the data in the reserved/committed area of the target process' memory. The other way is to directly use ReadProcessMemory() and WriteProcessMemory() - which is supported in all versions of Windows - to search for some accessible area of the target process' memory and replace the bytes within the area size equal to the size of the code. Of course, you will be saving a backup of the replaced bytes in order to put them all back later on.

(Of course, you can use CreateRemoteThread() instead of all this, but it's not supported in all versions of Windows.)

One good yet slow method of injecting the code is using Windows' debugging functions. Suspend the threads of the running process (using the debugging functions) and use GetThreadContext() and SetThreadContext() to save a backup of all the registers and then modify the EIP register, which is the register that contains the offset of the current to-be-executed code, to point it to the 'Injected' code. The injected code block will have a breakpoint set at the end of it (Interrupt 3h -int 3h-). Again, use the debugging functions to resume the threads, which will then continue executing till the first breakpoint is reached. Once your application receives the notification, all you have to do is restore the modified bytes and/or un-allocate any allocated space in memory, and finally restore the registers (SetThreadContext()). That's all there is to it. The application has no idea of what has happened! The code was executed, and probably loaded a DLL. As you know, loaded DLLs are in an application's address space, therefore, the DLLs can access all memory and control the whole application. Very interesting.

Lookup the MSDN library for more information (MSDN).

Useful points to lookup:

Memory management...you need to know how Windows manages its memory.
How DLLs tick - MSDN - I suggest you read it. Might help in inspirations. Revising isn't bad.
PE/COFF Headers specifications... The most important thing if you're doing this in Win9x/ME - MSDN.
Basic debugging APIs...those are some APIs that allow you to debug certain applications. Lookup the section "Debugging and Error Handling" in MSDN.
Enough knowledge of ASM is required of course...and OPCODES of instructions.

Have a look at the accompanied files: Injector_src.zip.

---

Google Groups - A Message board thread on CreateRemoteThread()'s method.

Function Interception

Notice the DLL project in the zip file. This function is in HookApi.h.

// Macro for adding pointers/DWORDs together without C arithmetic interfering 

// -- Taken from Matt Pietrek's book

// Thought it'd be great to use..

#define MakePtr( cast, ptr, addValue ) (cast)( (DWORD)(ptr)+(DWORD)(addValue))

//This code is very similar to Matt Pietrek's, except that it is written 

//according to my understanding...

//And Matt Pietrek's also handles Win32s 

//--(Because they it has some sort of a problem)

PROC WINAPI HookImportedFunction(HMODULE hModule,
			         //Module to intercept calls from

     PSTR FunctionModule, //The dll file that contains the function you want to 

			  //hook(ex: "USER32.dll")

     PSTR FunctionName,   //The function that you want to hook 

			  //(ex: "MessageBoxA")

     PROC pfnNewProc)     //New function, this gets called instead

{
    PROC pfnOriginalProc; //The intercepted function's original location

    IMAGE_DOS_HEADER *pDosHeader; 
    IMAGE_NT_HEADERS *pNTHeader;
    IMAGE_IMPORT_DESCRIPTOR *pImportDesc;
    IMAGE_THUNK_DATA *pThunk;

    // Verify that a valid pfn was passed


    if ( IsBadCodePtr(pfnNewProc) ) return 0; 

    pfnOriginalProc = GetProcAddress(GetModuleHandle(FunctionModule), 
                                                         FunctionName);
    if(!pfnOriginalProc) return 0;

    pDosHeader = (PIMAGE_DOS_HEADER)hModule; 
    //kindly read the ImgHelp function reference 

    //in the Image Help Library section in MSDN

    //hModule is the Process's Base address  (GetModuleHandle(0)) 

    //even if called in the dll, it still gets the hModule of the calling process

    //---That's you should save the hInstance of the DLL as a global variable, 

    //in DllMain(), because it's the only way to get it(I think)

    // Tests to make sure we're looking at a module image (the 'MZ' header)

    if ( IsBadReadPtr(pDosHeader, sizeof(IMAGE_DOS_HEADER)) )
        return 0;
    if ( pDosHeader->e_magic != IMAGE_DOS_SIGNATURE ) 
	//Image_DOS_SIGNATURE is a WORD (2bytes, 'M', 'Z' 's values)

        return 0;

    // The MZ header has a pointer to the PE header

    pNTHeader = MakePtr(PIMAGE_NT_HEADERS, pDosHeader, pDosHeader->e_lfanew); 
    //it's like doing pDosHeader + pDosHeader->e_lfanew

    // e_lfanew contains a RVA to the 'PE\0\0' Header...An rva means, offset,

    // relative to the BaseAddress of module 

    // -pDosHeader is the base address..and e_lfanew is the RVA, 

    // so summing them, will give you the Virtual Address..

    // More tests to make sure we're looking at a "PE" image

    if ( IsBadReadPtr(pNTHeader, sizeof(IMAGE_NT_HEADERS)) )
        return 0;
    if ( pNTHeader->Signature != IMAGE_NT_SIGNATURE ) 
	//IMAGE_NT_SIGNATURE is a DWORD (4bytes, 'P', 'E', '\0', '\0' 's values)

        return 0;

    // We now have a valid pointer to the module's PE header. 

    // Now get a pointer to its imports section

    pImportDesc = MakePtr(PIMAGE_IMPORT_DESCRIPTOR, 
      pDosHeader, //IMAGE_IMPORT_DESCRIPTOR *pImportDesc;

      pNTHeader->OptionalHeader.DataDirectory
       [IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    //What i just did was get the imports section by getting the RVA of it

    //(like i did above), then adding the base addr to it.

    //// pNTHeader->OptionalHeader.DataDirectory

    ///     [IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress

    //// IMAGE_DIRECTORY_ENTRY_IMPORT==1 -- Look at that PE documentation. 

    //// Pietrek's articles in MSJ and MSDN Magazine will be real helpful!

    //Go out if imports table doesn't exist

    if ( pImportDesc == (PIMAGE_IMPORT_DESCRIPTOR)pNTHeader )
        return 0; //pImportDesc will ==pNTHeader. 

	//if the RVA==0, cause pNTHeader+0==pNTHeader -> stored in pImportDesc

	//Therefore, pImportDesc==pNTHeader

    // Iterate through the array of imported module descriptors, looking

    // for the module whose name matches the FunctionModule parameter

    while ( pImportDesc->Name ) //Name is a DWORD (RVA, to a DLL name)

    {
        PSTR pszModName = MakePtr(PSTR, pDosHeader, pImportDesc->Name);

        if ( stricmp(pszModName, FunctionModule) == 0 ) 
	    //str"i"cmp,,, suggest you to ignore cases when comparing,

            break; //or strcmpi() in some compilers

        pImportDesc++;  // Advance to next imported module descriptor

    }

    // Get out if we didn't find the Dll name. 

    // pImportDesc->Name will be non-zero if we found it.

    if ( pImportDesc->Name == 0 )
        return 0;

 // Get a pointer to the found module's import address table (IAT)

 //           =====IMAGE_THUNK_DATA *pThunk;

    pThunk = MakePtr(PIMAGE_THUNK_DATA, pDosHeader, pImportDesc->FirstThunk);
 //This is what i was talkin about earlier...

 //In pThunk, if it was image loaded in memory, you'll get the address to 

 //entry point of functions

 //but in a disk file, It's a function name


 // Look through the table of import addresses, of the found 

 // DLL, looking for the function's entry point that matches 

 // the address we got back from GetProcAddress above.

    while ( pThunk->u1.Function )
    {
       if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
        {
       // We found it!  Overwrite the original address with the

       // address of the interception function.  Return the original

       // address to the caller so that they can chain on to it.

            pThunk->u1.Function = (PDWORD)pfnNewProc; 
	    // pfnNewProc is in the parameters of the function

	    //pfnOriginalProc = (PROC)(DWORD)pdw1;

            return pfnOriginalProc;
        }

        pThunk++;   // Advance to next imported function address

    }

    return 0; //function not found!!!!!

}

Also notice:

HANDLE OpenLog(char *Filename)
BOOL CloseLog(HANDLE h)
DWORD AppendLog(char *str, DWORD uSize, HANDLE h)

They are the functions to write to the LOG file. What the whole project does is inject a DLL into an already running process (mIRC.exe - mIRC chatting program (mIRC)) [in my case]. It then creates a Log file of all the intercepted Winsock functions. Have a look at Successlog.txt. It is highly recommended that you apply the program on mIRC only, since it has been created for it. Have fun coding your own :)

I think you got the idea. I hope this is useful.

Regards,

CrankHank

Nasser R. Rowhani - nrowhani9@hotmail.com

License

This article has no explicit license attached to it but may contain usage terms in the article text or the download files themselves. If in doubt please contact the author via the discussion board below.

A list of licenses authors might use can be found here

About the Author

CrankHank

Nasser R. Rowhani
Programming simply pumps my adrenaline..

Okay... I like people critisizing me...
Let me fix this article...

Location:

Qatar

Other popular DLLs & Assemblies articles:

PasswordSpy - Retrieving lost passwords using Windows hooks
A practical application of setting Windows hooks
Step by Step: Calling C++ DLLs from VC++ and VB - Part 1
This series of articles is a step-by-step guide to constructing C++ DLLs that include C++ functions and C++ classes, and then calling the DLL functions and classes from VC++ and VB programs.
Hooks and DLLs
There is a lot of confusion about how to set up and use global hook functions. This essay attempts to clear up some of these issues.
DLLs are simple: Part 2
This article describes how to export classes from a DLL.
DLLs are Simple! Part 3
This article describes how to create a DLL with a DEF file and use it.

Article Top

You must Sign In to use this message board.

Msgs 1 to 25 of 33 (Total in Forum: 33) (Refresh)

FirstPrevNext

Subject

Author

Date

why do you call your method 'good yet slow'?

code_discuss

21:07 4 Dec '07

is it slow?
Sign In·View Thread·PermaLink

Re: why do you call your method 'good yet slow'?

AndrewWood

23:43 7 Jan '08

Concepts are good but the code is zorked. When I get a break, I'll load it up and give a few outputs of the original source as it is. It plain just doesn't work and DllMain never gets called, you have to tweak stuff. Personally, I have better results with IMAGE_IMPORT_BY_NAME
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

Intercept functions from kernel32.dll

Higginz

9:13 6 Sep '06

Hi,

I changed your code to work for functions like CreateFileA, DeleteFileA and so on from kernel32.dll.
It works fine with "easy" applications. But when I try to intercept functions from e.g. notepad.exe or calc.exe I get this error:

Runtime Error!

R6031 - Attempt to initialize the CRT more than once. This indicates a bug in your application.

What can I do to clear this thing?

Thanks,
Martin

2.75/5 (4 votes)

W32SKRNL.DLL

vmelkon

21:03 7 Jun '05

What is this dll and where does it come from? It's being referenced in DWORD GetModuleBaseFromWin32sHMod(HMODULE hMod) Thanks
Sign In·View Thread·PermaLink

Winsock functions hooking doesn't work !!

Wessam Fathi

13:04 28 Apr '05

I tried ur code, it works great for the MessageBoxA function only, when I tried other functions like CreateProcessA or winsock functions it won't work. It would be very kind of u to help me on this problem. Thanks in advance Wessam Fathi
Sign In·View Thread·PermaLink	1.83/5 (3 votes)

CreateWindowEx & CreateWindow

dj0

11:14 13 Feb '05

here is what i've added to the project[dll];


#define WinsockDll "user32.dll"
....
typedef unsigned long (_stdcall *CreateWindowPROC)(...);
typedef unsigned long (_stdcall *CreateWindowExPROC)(...);
....
CreateWindowPROC	CreateWindowORG;
CreateWindowExPROC	CreateWindowExORG;
....
unsigned long _stdcall _CreateWindow(...);
unsigned long _stdcall _CreateWindowEx(...);

and inside "hookwinsockproc()" i also added


int HookWinsockProcs()
{
	Hooked=false;

	Append("Hooking...");

	Append("\r\n\t createwindowex() -> ");
	IfCantHook(CreateWindowExORG, CreateWindowExPROC, "CreateWindowEx", _CreateWindowEx)
		SendCheck;

	Append("\r\n\t createwindow() -> ");
	IfCantHook(CreateWindowORG, CreateWindowPROC, "CreateWindow", _CreateWindow)
		SendCheck;
....
}

and the actual function


unsigned long _stdcall _CreateWindowEx(...)
{
	Append("\r\n\tCreateWindowEx!");
	return CreateWindowExORG(...)
}

unsigned long _stdcall _CreateWindow(...)
{
	Append("\r\n\tCreateWindow!");
	return _CreateWindow(...
}

can someone show me what i'm doing wrong? the log file shows that i'm not hooking the functions as where the winsock functions hook just fine.

Protect NET

Anonymous

3:44 8 Nov '04

Hi, Can this be used to protect .NET dll's? The Idea is to commpile .NET MSIL. Then with external utility overwrite all the code except an entry func in the file with zeros. Then In the entry utility put the loader (unmanaged) which copies the original encripted code in the appropriate memory space. Do you see problems? With best regards Juli
Sign In·View Thread·PermaLink

Re: Protect NET

Anonymous

13:29 9 Nov '04

I see dead people.
Sign In·View Thread·PermaLink

Hooked function address is replaced by Original one

keenalex

21:03 23 Sep '04

I m hooking Direct3dCreate8() of d3d8.dll. In some cases it is hooked succefully while in other after hooking, hooked function address is somehow replaced with original function address.


while ( pThunk->u1.Function )
    {
       if ( (DWORD)pThunk->u1.Function == (DWORD)pfnOriginalProc )
        {
           
	//DLL will simply unload if an unalowed byte was modified.
			if(IsBadWritePtr(&pThunk->u1.Function, 4))
			{
				B = VirtualProtect(&pThunk->u1.Function, 4, 
					PAGE_EXECUTE_READWRITE, &dwOld);
				pThunk->u1.Function = (DWORD)pfnNewProc;

				B = VirtualProtect(&pThunk->u1.Function, 4, 
					dwOld, &dw);
			}else
			pThunk->u1.Function = (DWORD)pfnNewProc;            			

			//pfnOriginalProc = (PROC)(DWORD)pdw1;
            return pfnOriginalProc;
        }
        
        pThunk++;   // Advance to next imported function address
    }

Here pThunk->u1.Function = (DWORD)pfnNewProc; is succesfully assigned without any exception. but after While loop when i recheck the address by
GetProcAddress( GetModuleHandle("d3d8.dll"), "Direct3dCreate8" );

it gives original Function address. Does any body knows abt it?

Re: Hooked function address is replaced by Original one

Tarmo

2:24 26 Jan '05

You must also hook "Direct3dCreate8" in export table of the d3d8.dll.
Sign In·View Thread·PermaLink

Has anyone solved the NT/XP Issue?

dj0

20:38 18 Dec '03

has anyone found the reason and a solution as to why the dll is never injectied on NT/XP machines?
Sign In·View Thread·PermaLink

Re: Has anyone solved the NT/XP Issue?

CrankHank

23:02 18 Dec '03

If you'de kindly give more time to the rest of the threads in this board, I think your answer is yes. Regards, -CrankHank Nasser R. Rowhani
Sign In·View Thread·PermaLink

Re: Has anyone solved the NT/XP Issue?

dj0

9:48 19 Dec '03

well what is the fix? i guess i should have asked that from the start. =) i'm not too savvy in c++ yet so i'm coming back to the soruce for help.
Sign In·View Thread·PermaLink	2.00/5 (2 votes)

question

Brandon Sneed

6:37 24 Oct '03

would this work in cases where a DLL made a call to a function it contained internally? i suspect its just a jump and the injected routine wouldn't get called, but i'm not certain. Something that would do both would be a god send for sure. great article btw! --- __/\__ Brandon Sneed \ oO / http://www.lokai.net /_/\_\ bsneed@nospam.lokai.net
Sign In·View Thread·PermaLink	5.00/5 (1 vote)

Re: question

CrankHank

5:23 28 Dec '03

Appologies for late reply..

You'll need to kindly provide a little more elaboration as to whether what you want is to intercept a function in that mentioned DLL? Or is there something I'm missing?

My method modifies the import table only. There are many other ways and methods that you could logically bring out. I shall be posting more ideas as soon as I find time and get my projects done.

Regards,

-CrankHank
Nasser R. Rowhani

Re: question

Brandon Sneed

11:07 28 Dec '03

For instance, user32.dll contains the DefWindowProc function. If another function inside user32.dll calls DefWindowProc it would make a local jump instead of going through the export table? This would bypass the function interception method i think. Is that the case? If so, how would one get around that? --- __/\__ Brandon Sneed \ oO / http://www.lokai.net /_/\_\ bsneed@nospam.lokai.net
Sign In·View Thread·PermaLink

Re: question

CrankHank

3:08 29 Dec '03

Ah yes.. That is an interesting question.

It really depends on the DLL file itself and the compiler that it has been compiled with. Logically speakin, I don't see any reason for why a DLL file would call one of its internal functions through the export table. Unless someone was bored of life and thought of twisting things a bit..

One solution that I have adapted and polished personally was to either modify the binary it self, or its image by injecting/invoking a jmp instruction, at the entry point of the original function, to another internally defined function's location by myself which will -in my case- log the parameters passed to the original function through the stack, and allow execution to continue by restoring the modified bytes and using the call instruction back to the beggining of the original function.

Problems with C++ functions are the prolog and epilog parts. Since they cause stack modifications, and thus cause trouble. We need to be clean. That's what Naked functions are made for. A naked function, is a function that does not have any of epilog or prolog.

Use __declspec( naked ) void Function_Name, in VC++.

Back to the subject. After the original function has returned execution, it will return the to instruction after the call instruction of the created function. There happens the logging of the return values of the function. Normal execution is then resumed by reinjecting the jmp instructions to the beginning of the function and returning in a way that the stack and registers remain the same as they must originally be if there were no interception.

Hope I was descriptive enough. I can provide a better explanation if you'de like.

It is hard work, yet fun. Remember that different applications differ according to the programmer him/her self. Also, don't forget that functions differ alot too. Alot of assembly knowledge is required in order to be good at it. Care must be taken. In my case, my problem was over what i must do if the to-be-intercepted DLL file was called dynamically rather than statically. Very similar. GetProcAddress() is always very helpful. Love that function!

Hope that was helpful, any more help? Elaboration?
Regards,

-CrankHank
Nasser R. Rowhani

Finally! Problem solved..

CrankHank

21:33 23 Oct '03

It is only a silly security problem.. IsBadWritePtr() returns true upon attempt to modify the import table. Problem solved by VirtualProtect() .. Not necesarily supported in win9x/ME (Source code modified) Use your smart mind to let your code run on both winXP/2k and win9x/ME win32s Happy coding.. Regards, -CrankHank Nasser R. Rowhani
Sign In·View Thread·PermaLink

Re: Finally! Problem solved..

yuxc

20:26 25 Oct '03

you only modify hookapi.h,but I can not inject dll to another process on win2000 without error .
in a exe.cpp,I add a statement "VirtualProtectEx(hProcess,mySec,sizeofCP,PAGE_READWRITE,&oldFlg)" on a exist statement " B = WriteProcessMemory( hProcess, mySec,
CodePage, sizeofCP, &written);
",but inject dll not successed yet.
Can you tell me Why?
I hope you test it successed on win2000,and repost correct code to me.thank you veru much.

2.00/5 (2 votes)

Win98 is successed but win2000 is faliure!

yuxc

17:56 19 Oct '03

Win98 is successed but win2000 is faliure!
Sign In·View Thread·PermaLink

Re: Win98 is successed but win2000 is faliure!

CrankHank

4:26 20 Oct '03

Alright, sorry for any inconveniences.
I'll repost the source as soon as possible. I just need some free time. D'Oh!

One fast solution I can give (without testing) is switching all CONTEXT_CONTROLs with CONTEXT_FULL. I'm speaking of the exe part.

Might not really be of much help..
Administrative privileges might also be an issue. I'll be doing tests soon anyway. Patience is a virtue Wink

Regards,

-CrankHank
Nasser R. Rowhani

3.50/5 (2 votes)

DllMain never got called?

Peter Leng

10:13 17 Oct '03

I am on Windows 2000. InjectDLL was called successfully but DllMain never got called. I only changed the name of the EXE/LOG files in your code (just to see if it works on Windows 2k). Lunching the EXE file was fine but no Log file was created.
Sign In·View Thread·PermaLink

Re: DllMain never got called?

CrankHank

6:17 18 Oct '03

Has anyone else encountered this problem..? It's better if you code everything on your own since enough explanation is there... -CrankHank Nasser R. Rowhani
Sign In·View Thread·PermaLink

Re: DllMain never got called?

yuxc

22:47 18 Oct '03

I am same as you , I think the function DllInject has problem!
Sign In·View Thread·PermaLink	2.00/5 (1 vote)

No Error but inject dll faliure

yuxc

22:11 15 Oct '03

No Error but inject dll faliure,
Sign In·View Thread·PermaLink

Last Visit: Thursday, July 24, 2008 6:17 PM Last Update:Thursday, July 24, 2008 6:17 PM

1 Next »

General News Question Answer Joke Rant Admin