
Execution of exported dll function in remote process

Hi all

I have a standard win32 dll ( not an ActiveX dll ) named Test.dll which exports a simple function called MyExportSub ... This is actually a Sub not a Function that simply displays a MsgBox for experimentation purposes.

I can successfully run the dll export sub from the calling Process ( using the Declare statement or the LoadLibrary/GetProcAddress and CallWindowProc APIs ) but I am having difficulty executing the dll export sub from a remote Process like Notepad.

I have been trying to accomplish this by translating into VB6 the C++ code published in these two articles :
http://blog.digitalise.net/2009/01/0...d-dll-library/
http://stackoverflow.com/questions/1...n-injected-dll

The following code does load the dll successfully into Notepad ( I can tell because the dll main gets executed ) but it fails to execute the MyExportSub Sub ... I think I am failing to get the exported function offset address right

The code in red is the one that is supposed to execute the exported Sub.

Code in a Bas Module:

Code:

' Win32 entry points used by Test() below, grouped by role.

' Target-process handle management. PROCESS_ALL_ACCESS asks for every access
' right on the target; it is the broadest mask OpenProcess accepts.
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Const PROCESS_ALL_ACCESS = &H1F0FFF

' Export lookup. GetProcAddress only resolves names against modules mapped
' into the calling process, which is why Test() loads the DLL locally first.
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long

' Token APIs used to enable SeDebugPrivilege on the current process's token.
Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Any) As Long

' Memory in the remote process. Note that the two declarations differ in how
' lpAddress is passed: VirtualFreeEx takes it ByRef As Any, WriteProcessMemory
' takes it ByVal As Any.
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal fAllocType As Long, ByVal flProtect As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, lpAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long

' Thread creation inside the remote process, and waiting on a handle.
' lpThreadID is declared ByVal here, so the new thread's id is never written
' back to the caller's variable.
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, ByRef lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByVal lpThreadID As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long

' Local-process helpers: current pid, loading a DLL into this process, and
' calling a procedure pointer through CallWindowProc (the in-process method
' the post says already works).
Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long

Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
(ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long

' Unloads a DLL from the *calling* process only.
Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long

' GetExitCodeThread is how Test() reads the remote LoadLibraryA return value
' back out of the thread it created; ExitThread is declared but not used below.
Private Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long

' VirtualAllocEx / VirtualFreeEx flags.
Const MEM_COMMIT = &H1000
Const MEM_RELEASE = &H8000
Const PAGE_READWRITE = &H4

' 64-bit locally unique identifier, as returned by LookupPrivilegeValue.
Private Type LUID
  LowPart As Long
  HighPart As Long
End Type

' TOKEN_PRIVILEGES with room for exactly one LUID_AND_ATTRIBUTES entry
' (LuidUDT + Attributes); PrivilegeCount is set to 1 by the caller.
Private Type TOKEN_PRIVILEGES
    PrivilegeCount As Long
    LuidUDT As LUID
    Attributes As Long
End Type

' Token access rights and privilege attribute used when enabling SeDebugPrivilege.
Const TOKEN_ADJUST_PRIVILEGES = &H20
Const TOKEN_QUERY = &H8
Const SE_PRIVILEGE_ENABLED = &H2
' As written this is 65535 (the Win32 INFINITE is &HFFFFFFFF), so the
' WaitForSingleObject calls below time out after about 65.5 seconds rather
' than waiting without limit.
Const INFINITE = &HFFFF


' Experimental routine from the post: launches notepad.exe, loads C:\Test.dll
' into it through a remote LoadLibraryA thread, then attempts to run the DLL's
' exported MyExportSub inside Notepad.
' OpenProcess(PROCESS_ALL_ACCESS) + VirtualAllocEx + WriteProcessMemory +
' CreateRemoteThread(LoadLibraryA) is the textbook cross-process DLL-load
' sequence; security tooling commonly treats that call chain against a foreign
' process as something to alert on. Every failure path below calls End, which
' terminates the whole program instead of returning to the caller, and the
' token handle hToken is never closed on the success path.
Private Sub Test()
    Dim ret As Long
    Dim fPath() As Byte            ' ANSI bytes of dllPath, copied into Notepad
    Dim ctr As Integer
   
    'Token Privileges
    Dim hToken As Long             ' this process's access token
    Dim hProcess As Long           ' declared but not used
    Dim tp As TOKEN_PRIVILEGES
   
    'Injection Params
    Dim FilePathLen As Integer     ' Len(dllPath)
    Dim hProc As Long              ' handle to Notepad
    Dim procID As Long             ' Notepad's process id, from Shell()
    Dim dllPath As String          ' hard-coded path Notepad must be able to load
    Dim VirtAllocRet As Long       ' address of the path buffer inside Notepad
    Dim LoadLibAddress As Long     ' LoadLibraryA's address in this process; the
                                   ' code relies on it being the same in Notepad
    Dim ModuleHandle As Long       ' kernel32 handle in this process
    Dim RemoteThread As Long       ' handle of the LoadLibraryA thread
    Dim ThreadID As Long           ' never filled in (lpThreadID is declared ByVal)
    Dim lXitCode As Long           ' exit code of that thread = LoadLibraryA's return in Notepad
    Dim hThread As Long            ' handle of the MyExportSub thread; never closed
    Dim hLibrary As Long           ' Test.dll loaded into this process
    Dim pFunction As Long          ' MyExportSub's address in this process
    Dim getRelativeEntryAddress As Long   ' pFunction - hLibrary (offset from the DLL base)
    Dim getAbsoluteAddress As Long        ' that offset + Notepad's base for the DLL
   
    'launch Notepad
    ' Shell returns the task id of the new process; the fixed 3 s Sleep is the
    ' only wait for it to initialise. Sleep is not among this module's visible
    ' Declare lines, so it is presumably declared elsewhere.
    procID = Shell("notepad.exe")
   
    Sleep 3000
   
    'Change Privileges
    ' Enables SeDebugPrivilege on the current token. Each failing call closes
    ' hToken but does not leave the Sub, so execution continues either way
    ' (with hToken = 0 if OpenProcessToken itself failed). The empty
    ' lpSystemName presumably means "this machine".
    If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or _
        TOKEN_QUERY, hToken) = 0 Then
        CloseHandle hToken
    End If
    If LookupPrivilegeValue("", "SeDebugPrivilege", tp.LuidUDT) = 0 Then
        CloseHandle hToken
    End If
    tp.PrivilegeCount = 1
    tp.Attributes = SE_PRIVILEGE_ENABLED
    ' PreviousState / ReturnLength are passed as NULL (ByVal 0&).
    If AdjustTokenPrivileges(hToken, False, tp, 0, ByVal 0&, ByVal 0&) = 0 Then
        CloseHandle hToken
    End If
   
    dllPath = "C:\Test.dll"
   
    'Injection Process
    FilePathLen = Len(dllPath)
   
    ' Full access to Notepad; 0 = handle is not inheritable.
    hProc = OpenProcess(PROCESS_ALL_ACCESS, False, procID)
   
    If hProc = 0 Then
        MsgBox "Error, no hProc"
        End
    End If
   
    ' FilePathLen bytes of committed, read/write memory inside Notepad,
    ' at an address chosen by the system (lpAddress = 0).
    VirtAllocRet = VirtualAllocEx(hProc, 0, FilePathLen, MEM_COMMIT, PAGE_READWRITE)
   
    If VirtAllocRet = 0 Then
        MsgBox "Error, no Alloc"
        End
    End If
   
    ' fPath has FilePathLen + 1 elements (0..FilePathLen); the loop fills
    ' 0..FilePathLen-1 with the ASCII code of each character of dllPath.
    ReDim fPath(FilePathLen) As Byte
    For ctr = 1 To FilePathLen
        fPath(ctr - 1) = Asc(Mid$(dllPath, ctr, 1))
    Next ctr
       
   
    ' Copies FilePathLen bytes to VirtAllocRet in Notepad. vbNull (the
    ' VbVarType constant, 1) is passed as a temporary for
    ' lpNumberOfBytesWritten, so the written-byte count is discarded.
    ret = WriteProcessMemory(hProc, VirtAllocRet, fPath(0), FilePathLen, vbNull)
    If ret = 0 Then
        MsgBox "Error, no MEM_Write"
        End
    End If
   
    'retrieve the DLL/module address (kernel32 as mapped in this process)
    ModuleHandle = GetModuleHandle("Kernel32")
    'retrieve the address of LoadLibraryA (the earlier comment named SetWindowTextA,
    'which is not what this line looks up)
    LoadLibAddress = GetProcAddress(ModuleHandle, "LoadLibraryA")
   
    ' Notepad runs LoadLibraryA(VirtAllocRet) on a new thread with a 9000-byte
    ' stack request; this is what makes Test.dll's DllMain execute there, the
    ' symptom the author reports observing.
    RemoteThread = CreateRemoteThread(hProc, 0, 9000, LoadLibAddress, VirtAllocRet, 0, ThreadID)
    If RemoteThread = 0 Then
        MsgBox "No RemoteThread"
        MsgBox Err.LastDllError
        End
    End If
    ' INFINITE is this module's &HFFFF (65535 ms), not the Win32 value.
    WaitForSingleObject RemoteThread, INFINITE
   
    ''important
    ' The thread's exit code is whatever LoadLibraryA returned inside Notepad,
    ' i.e. Test.dll's module handle in that process.
    Call GetExitCodeThread(RemoteThread, lXitCode)
   
   
    'This is the part that doesn't work !!!!!!
    '**************************************************************************
    'load the dll into the current process to get the function address !!!!
    ' Intent: measure MyExportSub's offset from the DLL base in this process
    ' (pFunction - hLibrary) and add Notepad's base for the same DLL (lXitCode).
    ' FreeLibrary runs before the subtraction; only the numeric values are used
    ' afterwards. Why the remote call fails cannot be determined from this
    ' listing alone.
    hLibrary = LoadLibrary("C:\Test.dll")
    pFunction = GetProcAddress(hLibrary, "MyExportSub")
    FreeLibrary hLibrary
    getRelativeEntryAddress = (pFunction) - (hLibrary)
    getAbsoluteAddress = getRelativeEntryAddress + (lXitCode) ' lXitCode obtained from the above GetExitCodeThread call
    'execute the MyExportSub sub from Notepad
    ' lpParameter = 0, default stack size, no thread id requested. hThread is
    ' not closed in the cleanup below.
    hThread = CreateRemoteThread(hProc, 0, 0, getAbsoluteAddress, 0, 0, 0)
    WaitForSingleObject hThread, INFINITE
    '**************************************************************************************

   
    'cleanup
    ' VirtualFreeEx's lpAddress is declared ByRef As Any in this module, so
    ' this passes the address of the local variable VirtAllocRet rather than
    ' the remote address it holds - check this against the declaration.
    VirtualFreeEx hProc, VirtAllocRet, 0, MEM_RELEASE
    CloseHandle RemoteThread
    CloseHandle hProc
    ' FreeLibrary acts on this process, but lXitCode is Notepad's module
    ' handle; the local copy of Test.dll was already released via hLibrary above.
    FreeLibrary lXitCode

End Sub

Any help would be much appreciated
