Re: Injected DLL causes process termination - occasionally




I would recommend debugging the child process (`.childdbg 1' in WinDbg to debug child processes) in order to get a better feel for why your attempt is failing.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net
<kdn01003@xxxxxxxxxxxxxx> wrote in message news:1181348045.529128.197920@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hi,

I'm trying to inject a DLL into a process that I create with
CreateProcess(). The technique is described here:
http://www.codeproject.com/system/api_spying_hack.asp

My injected code is indeed called, but certain executables seem to
detect that something has been changed, and terminate. My question is:
How do I prevent this? I have a feeling we are simply dealing with a
checksum of the entrypoint or similar. Any ideas?

Thanks!

// Code! :-D

#include <windows.h>
#include <string.h>

// x86 (32-bit) only: addresses are packed into DWORDs and the thread is
// redirected through Eip.

// Kill the suspended target and release its handles after a failed injection
static void AbortTarget(PROCESS_INFORMATION *pi)
{
    TerminateProcess(pi->hProcess, 1);
    CloseHandle(pi->hProcess);
    CloseHandle(pi->hThread);
}

BOOL InjectDLL(LPCSTR szExecutable, LPCSTR szDirectory, LPSTR szParameters,
               LPCSTR szDLL)
{
    // Get the address of the target application's entry point from the on-disk
    // headers. This assumes the image is mapped at its preferred ImageBase.
    DWORD bytes = 0;
    char buff[4096] = { 0 };
    HANDLE file = CreateFileA(szExecutable, GENERIC_READ, FILE_SHARE_READ, 0,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
    if (file == INVALID_HANDLE_VALUE)
        return FALSE;
    BOOL ok = ReadFile(file, buff, 1024, &bytes, 0);
    CloseHandle(file);
    if (!ok || bytes < sizeof(IMAGE_DOS_HEADER))
        return FALSE;

    IMAGE_DOS_HEADER *pDosheader = (IMAGE_DOS_HEADER*)buff;
    // e_lfanew must keep the whole IMAGE_NT_HEADERS32 inside what was read
    if (pDosheader->e_magic != IMAGE_DOS_SIGNATURE || pDosheader->e_lfanew < 0 ||
        (DWORD)pDosheader->e_lfanew + sizeof(IMAGE_NT_HEADERS32) > bytes)
        return FALSE;
    IMAGE_NT_HEADERS32 *ntheaders = (IMAGE_NT_HEADERS32*)(buff + pDosheader->e_lfanew);
    if (ntheaders->Signature != IMAGE_NT_SIGNATURE ||
        ntheaders->OptionalHeader.Magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC)
        return FALSE;
    DWORD entryPtr = ntheaders->OptionalHeader.AddressOfEntryPoint +
                     ntheaders->OptionalHeader.ImageBase;

    // The stub occupies the first 20 bytes of the page; the DLL name follows it
    if (strlen(szDLL) + 1 > sizeof(buff) - 20)
        return FALSE;

    // Create the target process suspended, before its primary thread has run
    STARTUPINFOA si = { 0 };
    si.cb = sizeof(si);
    PROCESS_INFORMATION pi = { 0 };
    if (!CreateProcessA(szExecutable, szParameters, NULL, NULL, FALSE,
                        CREATE_SUSPENDED, 0, szDirectory, &si, &pi))
        return FALSE;

    // Allocate one RWX page in the target for the stub, the LoadLibraryA slot
    // and the DLL name
    LPBYTE pWriteBuffer = (LPBYTE)VirtualAllocEx(pi.hProcess, 0, 4096,
                                                 MEM_RESERVE | MEM_COMMIT,
                                                 PAGE_EXECUTE_READWRITE);
    if (!pWriteBuffer) {
        AbortTarget(&pi);
        return FALSE;
    }

    // Get the address of LoadLibraryA. kernel32 is mapped at the same base in
    // every process of the session, so the parent's address is valid in the child
    DWORD pfnLoadLibrary = (DWORD)GetProcAddress(GetModuleHandleA("kernel32.dll"),
                                                 "LoadLibraryA");

    // Fill the array with the machine instructions. Layout in the target page:
    //   +0   68 <name>    push <address of DLL name>   argument for LoadLibraryA
    //   +5   68 <entry>   push <entry point>           return address for LoadLibraryA
    //   +10  FF 25 <+16>  jmp dword ptr [slot]         tail-jump into LoadLibraryA
    //   +16  address of LoadLibraryA (the slot read by the jmp)
    //   +20  DLL name, NUL-terminated
    // LoadLibraryA is stdcall, so its ret pops the argument and lands on the
    // original entry point with the DLL already loaded.
    memset(buff, 0, sizeof(buff));
    DWORD stringPtr = (DWORD)&pWriteBuffer[20];
    strcpy(&buff[20], szDLL);
    DWORD funcPtr = (DWORD)&pWriteBuffer[16];
    memmove(&buff[16], &pfnLoadLibrary, 4);
    buff[0] = 0x68;                 // push imm32
    memmove(&buff[1], &stringPtr, 4);
    buff[5] = 0x68;                 // push imm32
    memmove(&buff[6], &entryPtr, 4);
    buff[10] = (char)0xFF;          // jmp dword ptr [abs32]
    buff[11] = 0x25;
    memmove(&buff[12], &funcPtr, 4);

    // Copy the above array into the memory that we have allocated in the
    // target process, and make sure the CPU does not execute stale bytes from it
    if (!WriteProcessMemory(pi.hProcess, pWriteBuffer, buff, 4096, &bytes) ||
        !FlushInstructionCache(pi.hProcess, pWriteBuffer, 4096)) {
        AbortTarget(&pi);
        return FALSE;
    }

    // Change the execution context of the primary thread of the target process
    // so that it starts in the stub instead of at the real entry point
    CONTEXT context = { 0 };
    context.ContextFlags = CONTEXT_CONTROL;
    if (!GetThreadContext(pi.hThread, &context)) {
        AbortTarget(&pi);
        return FALSE;
    }
    context.Eip = (DWORD)pWriteBuffer;
    if (!SetThreadContext(pi.hThread, &context)) {
        AbortTarget(&pi);
        return FALSE;
    }
    ResumeThread(pi.hThread);

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
    return TRUE;
}
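The two parts of the posted routine that are easiest to get wrong, reworked as an added example that is not the poster's code and not from the CodeProject article: the on-disk header walk that yields AddressOfEntryPoint + ImageBase, and the 20-byte push/push/jmp stub. The example goes a little beyond the post: the header walk gets the bounds and signature checks the ReadFile-and-cast sequence lacks, rejects PE32+ images, and reports when the image is marked DYNAMIC_BASE (a loader that honours that flag may map the image away from its preferred base, so the value computed from the file is then not where the entry point really is). The stub builder checks that the name fits, and a small tracer walks the bytes the way the CPU would, which makes visible why control ends up at the real entry point after LoadLibraryA returns. Everything here is portable C with hand-coded offsets instead of windows.h, so it runs on any platform; the function names, the header-only sample image, the stub base 0x30000 and the LoadLibraryA address 0x7c801d7b are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example; names, sample image and addresses are made up for it. */
#define DLLCHAR_DYNAMIC_BASE 0x0040u   /* IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE */
#define STUB_NAME_OFF 20               /* DLL name follows the 20-byte stub */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24); }
static void wr32(uint8_t *p, uint32_t v)
{ p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

enum { PE_OK = 0, PE_SHORT, PE_NO_MZ, PE_NO_PE, PE_NOT_PE32, PE_RELOCATABLE };

/* AddressOfEntryPoint + ImageBase from the first len bytes of a PE32 file, with
 * the bounds and signature checks the posted ReadFile/cast sequence skips.
 * PE_RELOCATABLE still fills *entry_va but flags DYNAMIC_BASE: if the loader
 * moves the image, the on-disk ImageBase is not where the entry point will be. */
int pe32_entry_va(const uint8_t *buf, size_t len, uint32_t *entry_va)
{
    if (len < 0x40) return PE_SHORT;
    if (buf[0] != 'M' || buf[1] != 'Z') return PE_NO_MZ;
    uint32_t e_lfanew = rd32(buf + 0x3c);
    /* "PE\0\0" (4) + IMAGE_FILE_HEADER (20) + optional header up to DllCharacteristics (72) */
    if (e_lfanew > len || len - e_lfanew < 4 + 20 + 72) return PE_SHORT;
    const uint8_t *nt = buf + e_lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return PE_NO_PE;
    const uint8_t *opt = nt + 24;
    if (rd16(opt) != 0x10b) return PE_NOT_PE32;      /* 0x20b is PE32+, not a 32-bit target */
    *entry_va = rd32(opt + 16) + rd32(opt + 28);     /* AddressOfEntryPoint + ImageBase */
    return (rd16(opt + 70) & DLLCHAR_DYNAMIC_BASE) ? PE_RELOCATABLE : PE_OK;
}

/* Constructed header-only PE32 image (sample data for the checks above). */
void make_sample_image(uint8_t *img, size_t len, uint32_t entry_rva, uint32_t image_base, int dynamic_base)
{
    memset(img, 0, len);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);                          /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    uint8_t *opt = img + 0x80 + 24;
    opt[0] = 0x0b; opt[1] = 0x01;                    /* Magic = PE32 */
    wr32(opt + 16, entry_rva);
    wr32(opt + 28, image_base);
    if (dynamic_base) opt[70] |= DLLCHAR_DYNAMIC_BASE;
}

/* The poster's stub as it sits at stub_base in the child:
 *   +0   68 <&name>    push offset name      ; LoadLibraryA's argument
 *   +5   68 <entry>    push entry            ; becomes LoadLibraryA's return address
 *   +10  FF 25 <&slot> jmp dword ptr [slot]  ; tail-jump into LoadLibraryA
 *   +16  <LoadLibraryA>                      ; slot read by the jmp
 *   +20  "name.dll\0"
 * Returns bytes used, or 0 if the name does not fit (the posted strcpy never checks). */
size_t build_stub(uint8_t *out, size_t cap, uint32_t stub_base, uint32_t entry, uint32_t loadlib, const char *dll)
{
    size_t n = strlen(dll) + 1;
    if (cap < STUB_NAME_OFF + n) return 0;
    memset(out, 0, cap);
    out[0] = 0x68; wr32(out + 1, stub_base + STUB_NAME_OFF);
    out[5] = 0x68; wr32(out + 6, entry);
    out[10] = 0xFF; out[11] = 0x25; wr32(out + 12, stub_base + 16);
    wr32(out + 16, loadlib);
    memcpy(out + STUB_NAME_OFF, dll, n);
    return STUB_NAME_OFF + n;
}

/* Walk the stub the way the CPU would and report what LoadLibraryA sees:
 * target = where the jmp lands, [esp] = return address, [esp+4] = argument.
 * LoadLibraryA is stdcall, so its ret 4 pops the argument and resumes at
 * ret_addr, the program's real entry point, with the DLL already mapped. */
typedef struct { uint32_t target, ret_addr, arg; } stub_trace;
int trace_stub(const uint8_t *stub, uint32_t stub_base, stub_trace *t)
{
    if (stub[0] != 0x68 || stub[5] != 0x68 || stub[10] != 0xFF || stub[11] != 0x25) return 0;
    t->arg = rd32(stub + 1);                         /* pushed first, below the return address */
    t->ret_addr = rd32(stub + 6);                    /* pushed second: top of stack at the jmp */
    uint32_t slot = rd32(stub + 12);                 /* absolute address the jmp reads through */
    if (slot < stub_base + 16 || slot + 4 > stub_base + STUB_NAME_OFF) return 0;
    t->target = rd32(stub + (slot - stub_base));
    return 1;
}

int main(void)
{
    uint8_t img[1024], stub[64];
    uint32_t va = 0;
    stub_trace t;
    make_sample_image(img, sizeof img, 0x1000, 0x400000, 1);
    int rc = pe32_entry_va(img, sizeof img, &va);
    printf("entry VA %#x, rc %d%s\n", va, rc, rc == PE_RELOCATABLE ? " (DYNAMIC_BASE: base may move)" : "");
    /* 0x7c801d7b stands in for LoadLibraryA; 0x30000 for the page VirtualAllocEx returned */
    if (build_stub(stub, sizeof stub, 0x30000, va, 0x7c801d7b, "hook.dll") && trace_stub(stub, 0x30000, &t))
        printf("jmp -> %#x, [esp] = %#x, [esp+4] = %#x\n", t.target, t.ret_addr, t.arg);
    return 0;
}
```

The tracer is the useful part when an injected target dies at start: it shows that the entry point is reached via LoadLibraryA's ret rather than by the loader's normal start routine, so EAX holds the HMODULE instead of whatever the process start code would have put there, and nothing pushed by that start routine is on the stack. Whether a given executable cares about that is exactly what `.childdbg 1` and a breakpoint on the entry point will tell you.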

