[Source] InjectDLL function (ripped from my old MSBot src)

dveloper · #1 08-08-2008, 07:06 AM

So I was going through my GMail and I found the source to an old build of MSBot (0.1.4) that I sent to TiMBuS. So here's some useful code from the injector, to get all you DLL injection kiddies going.

Code:

bool InjectDLL(DWORD dwPID, const char *szDLL)
{
	HANDLE hProcess, hThread, hFile;
	void* pLibRemote;
	DWORD dwOldProtect;
	DWORD dwExitCode;

	hFile = CreateFile(szDLL, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);

	if (hFile == INVALID_HANDLE_VALUE)
		return false;

	hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID);

	pLibRemote = VirtualAllocEx(hProcess, NULL, strlen(szDLL), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);

	if (!VirtualProtectEx(hProcess, pLibRemote, strlen(szDLL), PAGE_EXECUTE_READWRITE, &dwOldProtect))
		return false;

	if (!WriteProcessMemory(hProcess, pLibRemote, (void*)szDLL, strlen(szDLL), 0))
		return false;

	VirtualProtectEx(hProcess, pLibRemote, strlen(szDLL), dwOldProtect, &dwOldProtect);

	hThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle("Kernel32"), "LoadLibraryA"), pLibRemote, 0, NULL);

	if (hThread == NULL)
		return false;

	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &dwExitCode);

	VirtualFreeEx(hProcess, pLibRemote, strlen(szDLL), MEM_RELEASE);

	CloseHandle(hProcess);
	CloseHandle(hThread);

	return true;
}

Usage:

Code:

InjectDLL(dwProcessIDOfTargetProcess, "C:\mycode\mydll.dll");

Enjoy.

-d

ItsGreg · #2 08-08-2008, 07:08 AM

Wow! Nice! i'll try to make something outta that!

dveloper · #3 08-08-2008, 07:14 AM

No problem, I'm looking through the source for some other gems. Stay tuned.

kaswar · #4 08-08-2008, 08:05 AM

what does Alloc mean?

btw nice source, very useful! I might make it a DLL in C++ and use it for my Delphi thanks

dveloper · #5 08-08-2008, 08:25 AM

Allocate. That line allocates memory in the target process to hold the DLL's filename.

kaswar · #6 08-08-2008, 09:46 AM

lul can you try to explain a word without it in the explaination xD

anyway, I'll go search it up

wassssup34579 · #7 08-08-2008, 10:52 AM

would it still work if we took this out?

Code:

	WaitForSingleObject(hThread, INFINITE);
	GetExitCodeThread(hThread, &dwExitCode);

does that code make the program wait until the thread finished?

**Sean** · #8 08-08-2008, 04:37 PM

Quote:

Originally Posted by kaswar

lul can you try to explain a word without it in the explaination xD

anyway, I'll go search it up

...how can you not know what allocation means >.>

ok look, when a process is created, it takes up a certain amount of space in the memory of your computer. by allocating, you can "make" space within the space of that process for you to use for yourself. In this case, we are making space in that process so that we can write the path for the dll there. Next we are making more space which will be a thread that calls loadlibrary when it's created.

create remote thread is a very public injection method and doesn't work for all games - on rakion, gameguard hooks it and thus detects if its used.

dveloper · #9 08-08-2008, 11:38 PM

It all depends on when you inject, which is why I posted just the bare injection function. You can CreateProcess with CREATE_SUSPENDED if you like, inject, and then resume the process. I know there are multiple injection methods, this being the simplest.

kaswar · #10 08-21-2008, 07:07 PM

Can you create this in a DLL so i can call it with my Dephi?