dnsi Posted October 1, 2007
Is it possible to inject a dll into a program?
tAKTelapis Posted October 1, 2007
Erm.. I will assume you want to compile your script to a .exe file, and when it runs, have it place that dll somewhere on the computer for use? If so, then you want: FileInstall()
Sardith Posted October 1, 2007
Outshynd's updated UDF:

```autoit
#include-once
Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)
    ;make sure the user passed valid parameters
    If $a <= 0 Then
        SetError(-1)
        Return False
    ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then
        SetError(-2)
        Return False
    EndIf

    Local $pid, $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread, $ret

    ;open dll that we'll be using
    Local $kernel32 = DllOpen("kernel32.dll")

    If $hWnd_or_pid = 0 Then
        ;get the pid from the window provided
        $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $a, "int_ptr", 0)
        If IsArray($pid) Then
            $pid = $pid[2]
        Else
            SetError(-3)
            Return False
        EndIf
    Else
        $pid = $a
    EndIf

    ;open the process for writing (PROCESS_ALL_ACCESS)
    $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid)
    If IsArray($pHandle) And $pHandle[0] > 0 Then
        $pHandle = $pHandle[0]
    Else
        SetError(-4)
        Return False
    EndIf

    ;reserve a page of read/write memory in the target for the dll path
    $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4)
    If IsArray($pLibRemote) Then
        If $pLibRemote[0] > 0 Then
            ;debug
            ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR)
            $pLibRemote = $pLibRemote[0]
        Else
            SetError(-5)
            Return False
        EndIf
    Else
        SetError(-6)
        Return False
    EndIf

    ;copy the path into the target one byte at a time; the last iteration writes the terminating NUL
    For $i = 0 To StringLen($dllpath)
        $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
        If IsArray($ret) Then
            If $ret[0] = 0 Then
                SetError(-7)
                Return False
            EndIf
        Else
            SetError(-8)
            Return False
        EndIf
    Next

    ;kernel32 is loaded at the same base in every process, so our LoadLibraryA address is valid in the target
    $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll")
    If IsArray($modHandle) Then
        If $modHandle[0] > 0 Then
            $modHandle = $modHandle[0]
            ConsoleWrite($modHandle & @CRLF)
        Else
            SetError(-9)
            Return False
        EndIf
    Else
        SetError(-10)
        Return False
    EndIf

    $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA")
    If IsArray($LoadLibraryA) Then
        If $LoadLibraryA[0] > 0 Then
            $LoadLibraryA = $LoadLibraryA[0]
            ConsoleWrite($LoadLibraryA & @CRLF)
        Else
            SetError(-11)
            Return False
        EndIf
    Else
        SetError(-12)
        Return False
    EndIf

    ;run LoadLibraryA(dllpath) on a new thread inside the target
    $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, "int", 0)
    If IsArray($hThread) Then
        ConsoleWrite($hThread[0] & @CR)
        If $hThread[0] > 0 Then
            $hThread = $hThread[0]
        Else
            SetError(-13)
            Return False
        EndIf
    Else
        SetError(-14)
        Return False
    EndIf

    DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000)
    DllCall($kernel32, "int", "CloseHandle", "int", $hThread)
    DllCall($kernel32, "int", "CloseHandle", "int", $pHandle)
    DllClose($kernel32)
    Return True
EndFunc
```
Sardith Posted October 1, 2007
dnsi, is this what you wanted, or?
Caption Posted May 19, 2008 (edited)
(quoting Sardith's _InjectDll UDF above)

DE-INJECTION?
I messed around adding new features to Explorer.exe and other apps. BUT, sometimes when i make a mistake i have to restart the app to make it good again. I wonder how i can de-inject the dll properly (remove any trace of the dll). Would this be enough? (i mean adding it in to the code above?)

```autoit
For $i = 0 To StringLen($dllpath)
    $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", 0x00, "int", 1, "int", 0)
    If IsArray($ret) Then
        If $ret[0] = 0 Then
            SetError(-7)
            Return False
        EndIf
    Else
        SetError(-8)
        Return False
    EndIf
Next
```

I mean just by overwriting the DLL with 0x00's?
Edited May 19, 2008 by Caption
Caption Posted May 19, 2008
(quoting the previous post)
I noticed that they are not 0x00 but 0x??. But how do i write that? I mean turn it to "nodata"?
CyRius Posted May 19, 2008
@Sardith
Func _InjectDll($a, $dllpath, $hWnd_or_pid=0)
What's the $a variable's value here? I didn't get that. Is that the PID or what?
H5O20H Posted July 1, 2008
Please answer CyRius's question, I need help too.
AdmiralAlkex Posted July 1, 2008
It looks like it should be a window handle or pid.
H5O20H Posted July 1, 2008
$hWnd_or_pid should be the pid in my opinion. I thought $a is the name of the dll that i want to inject, but it gives me error -1, so my theory is not going to work out. Please help!
AdmiralAlkex Posted July 1, 2008
You got it all wrong!
$a = should be a window handle or pid
$hWnd_or_pid = should be 1 if $a is a pid or 0 if $a is a window handle
H5O20H Posted July 1, 2008
Then where should the name of my dll be placed?
AdmiralAlkex Posted July 1, 2008
In the second variable, $dllpath. Maybe you should read the thread _InjectDll originates from.
H5O20H Posted July 1, 2008 Posted July 1, 2008 (edited) expandcollapse popupFunc _InjectDllByPid($pid, $dllpath) ;make sure the user passed valid parameters If $pid = 0 Then SetError(-1) Return False ElseIf StringLen($dllpath) <= 4 Or StringRight($dllpath, 4) <> ".dll" Then SetError(-2) Return False EndIf Local $pHandle, $pLibRemote, $modHandle, $LoadLibraryA, $hThread ;open dll that we'll be using Local $kernel32 = DllOpen("kernel32.dll") ;open the process for writing $pHandle = DllCall($kernel32, "int", "OpenProcess", "int", 0x1F0FFF, "int", 0, "int", $pid) If IsArray($pHandle) And $pHandle[0] > 0 Then $pHandle = $pHandle[0] Else SetError(-4) Return False EndIf $pLibRemote = DllCall($kernel32, "int", "VirtualAllocEx", "int", $pHandle, "short", 0, "int", 0x1000, "int", 0x1000, "int", 4) If IsArray($pLibRemote) Then If $pLibRemote[0] > 0 Then ;debug ConsoleWrite("0x" & Hex($pLibRemote[0], 8) & @CR) $pLibRemote = $pLibRemote[0] Else SetError(-5) Return False EndIf Else SetError(-6) Return False EndIf For $i = 0 To StringLen($dllpath) $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0) If IsArray($ret) Then If $ret[0] = 0 Then SetError(-7) Return False EndIf Else SetError(-8) Return False EndIf Next $modHandle = DllCall($kernel32, "long", "GetModuleHandle", "str", "kernel32.dll") If IsArray($modHandle) Then If $modHandle[0] > 0 Then $modHandle = $modHandle[0] Else SetError(-9) Return False EndIf Else SetError(-10) Return False EndIf $LoadLibraryA = DllCall($kernel32, "long", "GetProcAddress", "long", $modHandle, "str", "LoadLibraryA") If IsArray($LoadLibraryA) Then If $LoadLibraryA[0] > 0 Then $LoadLibraryA = $LoadLibraryA[0] Else SetError(-11) Return False EndIf Else SetError (-12) Return False EndIf $hThread = DllCall($kernel32, "int", "CreateRemoteThread", "int", $pHandle, "int", 0, "int", 0, "long", $LoadLibraryA, "long", $pLibRemote, "int", 0, 
"int", 0) If IsArray($hThread) Then ConsoleWrite($hThread[0] & @CR) If $hThread[0] > 0 Then $hThread = $hThread[0] Else SetError(-13) Return False EndIf Else SetError(-14) Return False EndIf DllCall($kernel32, "int", "VirtualFreeEx", "int", $pHandle, "int", $pLibRemote, "int", 0x1000, "int", 0x8000) DllCall($kernel32, "int", "CloseHandle", "int", $hThread) DllCall($kernel32, "int", "CloseHandle", "int", $pHandle) DllClose($kernel32) Return True EndFunc I used to inject it by PID ,but It gives me -7 error no matter what process/dll I use to inject Edited July 2, 2008 by H5O20H Valik, The Legendary programmer!Will be using that signature for 2 months due to my loss on a bet ):
H5O20H Posted July 2, 2008
bump
H5O20H Posted July 2, 2008
bump
SmOke_N (Moderator) Posted July 2, 2008 (edited)
Quote: bump
Bump again within the next 24 hours and you'll lose posting privileges for that 24 hours. Let's show a little respect to your fellow forum members that are also trying to receive support. Every time you post, you knock their support question down from its rightful position.
Your question cannot be answered (well, not without taking a hell of a lot of guesses). You have your error code, spend some time on MSDN and see what that specific function that is giving it to you would be causing it the way you are trying to use it.
http://msdn.microsoft.com/en-us/library/ms681674(VS.85).aspx
That is what is throwing your error, time to do some homework.
Edit: Also, look at the SciTE console, it might tell you that "int_ptr" could be throwing the exception. Try just using "ptr" there.
Edited July 2, 2008 by SmOke_N
Sardith Posted July 2, 2008 Posted July 2, 2008 (edited) Smoke is right. You have to update the UDF a bit with the 'recent' changes to AutoIt. Func _InjectDll($a, $dllpath, $hWnd_or_pid=0) $A = Process ID variable name or Window Handle name. $dllpath = Path to your .dll (IE. "C:\Test.dll") $hWnd or pid = Inject dll by default excepts a window handle. In the UDF, later you'll see $pid = DllCall("user32.dll", "int", "GetWindowThreadProcessId", "hwnd", $a, "int_ptr", 0) It calls user32 to retrieve a PID for the handle you passed to the function. In the end it will end up as a PID. You can set $hWnd or pid = 1, then pass a PID. Other wise you need to pass a Window Handle to the function, which it will later end up as a PID. Some programs you may also need to set Debug privileges Edited July 2, 2008 by Sardith [font="Verdana"]Valik:Get it straight - I'm not here to say please, I'm here to help - if my help's not appreciated then lotsa luck, gentlemen.[/font]
H5O20H Posted July 3, 2008
I've got that working, problem is the -7 error. That code needs to be updated, why don't you update your post?

```autoit
For $i = 0 To StringLen($dllpath)
    $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0)
    If IsArray($ret) Then
        If $ret[0] = 0 Then
            SetError(-7)
            Return False
        EndIf
    Else
        SetError(-8)
        Return False
    EndIf
Next
```

I tried everything I could do.
rasim Posted July 3, 2008 Posted July 3, 2008 (edited) In this string $ret = DllCall("kernel32.dll", "int", "WriteProcessMemory", "int", $pHandle, "int", $pLibRemote + $i, "int_ptr", Asc(StringMid($dllpath, $i + 1, 1)), "int", 1, "int", 0) change the int_ptr to int* Edited July 3, 2008 by rasim