
dll injection - simple main

I'm trying to inject a dll into an .exe. I coded this simple main, but my file isn't created. I inject it with cpp code, but I don't think the injector is the problem.

#include <windows.h>
#include <fstream>

// Runs on its own thread inside the target process once the DLL has been loaded.
DWORD WINAPI Main_thread(LPVOID lpParam)
{
  std::ofstream myfile("C:\\Users\\root\\Desktop\\example.txt");
  if (!myfile)
     return 1;   // open failed, e.g. the target process is not allowed to write there
  myfile << "success" << std::endl;
  myfile.close();
  return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD _reason, LPVOID lpReserved)
{
  if (_reason == DLL_PROCESS_ATTACH)
  {
     // Keep the work out of DllMain itself (the loader lock is held here);
     // the thread handle is not needed afterwards, so close it to avoid a leak.
     HANDLE hThread = CreateThread(NULL, 0, Main_thread, NULL, 0, NULL);
     if (hThread)
        CloseHandle(hThread);
  }
  return TRUE;
}

the injector code:

#include <iostream>
#include <cstring>
#include <cwchar>
#include <Windows.h>
#include <TlHelp32.h>

using namespace std;
bool InjectDLL(DWORD ProcessID);

// The path must be reachable from the target process; injector, DLL and target
// must all be the same bitness (all 32-bit or all 64-bit).
char dllPath[250] = "C:\\Users\\root\\Desktop\\testdll\\bin\\Debug\\testdll.dll";
const wchar_t ProcessName[] = L"chrome.exe";

int main()
{
    DWORD processId = 0;
    HANDLE hProcSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcSnap == INVALID_HANDLE_VALUE)
    {
        cout << "CreateToolhelp32Snapshot failed: " << GetLastError() << endl;
        return 1;
    }
    // Explicit W versions so szExeFile is always WCHAR, whatever the project's UNICODE setting.
    PROCESSENTRY32W pe32 = { sizeof(pe32) };
    if (Process32FirstW(hProcSnap, &pe32))
    {
        do {
            if (_wcsicmp(pe32.szExeFile, ProcessName) == 0)   // image names are case-insensitive
            {
                processId = pe32.th32ProcessID;
                break;
            }
        } while (Process32NextW(hProcSnap, &pe32));
    }
    CloseHandle(hProcSnap);
    if (processId == 0)
    {
        cout << "process not found" << endl;
        return 1;
    }
    if (!InjectDLL(processId))
        cout << "DLL failed to inject" << endl;
    return 0;
}

bool InjectDLL(DWORD ProcessID)
{
    // kernel32.dll is mapped at the same base in every process of the same bitness,
    // so the local address of LoadLibraryA is valid inside the target as well.
    HMODULE hKernel = GetModuleHandleA("kernel32.dll");
    LPTHREAD_START_ROUTINE LoadLibraryAddr =
        (LPTHREAD_START_ROUTINE)GetProcAddress(hKernel, "LoadLibraryA");
    if (!LoadLibraryAddr)
        return false;

    // Request only the rights actually needed instead of PROCESS_ALL_ACCESS.
    HANDLE hProc = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION |
                               PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ,
                               FALSE, ProcessID);
    if (!hProc)
    {
        cout << "OpenProcess failed: " << GetLastError() << endl;
        return false;
    }

    SIZE_T len = strlen(dllPath) + 1;
    LPVOID paramAddr = VirtualAllocEx(hProc, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    bool ok = paramAddr != NULL &&
              WriteProcessMemory(hProc, paramAddr, dllPath, len, NULL) != 0;
    if (ok)
    {
        HANDLE hThread = CreateRemoteThread(hProc, NULL, 0, LoadLibraryAddr, paramAddr, 0, NULL);
        if (hThread)
        {
            // The remote thread's exit code is LoadLibraryA's return value (truncated to 32 bits);
            // 0 means the target could not load the DLL, e.g. wrong path or a sandbox restriction.
            WaitForSingleObject(hThread, INFINITE);
            DWORD hModule = 0;
            GetExitCodeThread(hThread, &hModule);
            ok = hModule != 0;
            CloseHandle(hThread);
        }
        else
        {
            cout << "CreateRemoteThread failed: " << GetLastError() << endl;
            ok = false;
        }
    }
    if (paramAddr)
        VirtualFreeEx(hProc, paramAddr, 0, MEM_RELEASE);   // the path string is no longer needed
    CloseHandle(hProc);
    return ok;
}

The dll doesn't seem to be injected, or it couldn't write. I didn't launch the injector as root.

You can diagnose your problem from Task Manager; add the PID column. Or use SysInternals' Process Explorer. You'll see that Chrome.exe starts up many instances of itself. The primary one just displays the UI and is not involved in browsing web pages. You'll see the other ones, one for each tab you have opened in the browser.

Those other instances are special: they run the add-ons and scripting code in a sandbox. It is designed to make Chrome resilient to web pages or scripts that can crash or hang the browser, but especially to run code in a runtime environment that removes all privileges so it cannot mess with the user's machine. Like the kind of code that you are trying to write.

So your Process32First/Next() iterator is way too simple; it will pick off whatever instance of Chrome.exe it finds first, with a high likelihood that it is a sandboxed one, the kind that won't let you mess with it. You could only inject the instance that the user started, the one that only displays the UI. Which is usually where the usefulness of this kind of hacking ends; there just isn't anything interesting to mess with in that instance.
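As an added example, not code from the original question or answer, here is the process-selection step the answer says the `strcmp` loop is missing: instead of taking the first `chrome.exe` in the Toolhelp snapshot, walk `th32ParentProcessID` and pick the instance whose parent is not itself a `chrome.exe` (the browser process the user started; renderer, GPU and utility processes are its children). The names `ProcInfo`, `FindRootProcess`, `FirstMatch`, `CountChildren` and `SnapshotProcesses` are chosen here; the sample snapshot is constructed, and the Toolhelp wrapper is compiled only on Windows so the selection logic itself can be exercised anywhere.

```cpp
// Added example (not the original poster's code): choose the browser (root) instance
// of chrome.exe rather than the first chrome.exe in the Toolhelp snapshot.
#include <cctype>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

struct ProcInfo {
    uint32_t pid;
    uint32_t ppid;     // th32ParentProcessID
    std::string exe;   // image file name (szExeFile), no path
};

// Image names on Windows are case-insensitive ("Chrome.exe" == "chrome.exe").
static bool SameExe(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    for (size_t i = 0; i < a.size(); ++i)
        if (std::tolower((unsigned char)a[i]) != std::tolower((unsigned char)b[i]))
            return false;
    return true;
}

// What the original loop does: the first process with that image name, in snapshot order.
uint32_t FirstMatch(const std::vector<ProcInfo>& procs, const std::string& name) {
    for (const ProcInfo& p : procs)
        if (SameExe(p.exe, name)) return p.pid;
    return 0;
}

// The root instance: a process with that name whose parent is *not* another live process
// with the same name. Chrome's renderer/GPU/utility processes are children of the browser
// process, so only the browser process qualifies. Returns 0 if nothing matches.
// Caveat: th32ParentProcessID is a bare PID; if the parent has exited and its PID was
// reused, a child can look like a root, so treat the result as a best guess.
uint32_t FindRootProcess(const std::vector<ProcInfo>& procs, const std::string& name) {
    for (const ProcInfo& p : procs) {
        if (!SameExe(p.exe, name)) continue;
        bool parentSameExe = false;
        for (const ProcInfo& q : procs)
            if (q.pid == p.ppid && SameExe(q.exe, name)) { parentSameExe = true; break; }
        if (!parentSameExe) return p.pid;
    }
    return 0;
}

// Number of direct children with the same image name (renderers, GPU, utility, ...).
size_t CountChildren(const std::vector<ProcInfo>& procs, uint32_t rootPid, const std::string& name) {
    size_t n = 0;
    for (const ProcInfo& p : procs)
        if (p.ppid == rootPid && SameExe(p.exe, name)) ++n;
    return n;
}

#ifdef _WIN32
// Live snapshot via Toolhelp; the W functions are used explicitly so this builds with or
// without UNICODE defined.
std::vector<ProcInfo> SnapshotProcesses() {
    std::vector<ProcInfo> out;
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return out;
    PROCESSENTRY32W pe = { sizeof(pe) };
    if (Process32FirstW(snap, &pe)) {
        do {
            char narrow[MAX_PATH] = {0};
            WideCharToMultiByte(CP_ACP, 0, pe.szExeFile, -1, narrow, MAX_PATH, NULL, NULL);
            ProcInfo pi;
            pi.pid = pe.th32ProcessID;
            pi.ppid = pe.th32ParentProcessID;
            pi.exe = narrow;
            out.push_back(pi);
        } while (Process32NextW(snap, &pe));
    }
    CloseHandle(snap);
    return out;
}
#endif

// Constructed sample snapshot (not captured from a real machine). Toolhelp gives no
// ordering guarantee, so a sandboxed child may well come before the browser process.
std::vector<ProcInfo> SampleSnapshot() {
    return {
        {4,    0,    "System"},
        {812,  4,    "explorer.exe"},
        {3100, 3000, "chrome.exe"},   // renderer, sandboxed
        {3000, 812,  "Chrome.exe"},   // browser process the user started from Explorer
        {3024, 3000, "chrome.exe"},   // GPU process
        {3140, 3000, "chrome.exe"},   // renderer, sandboxed
        {3200, 812,  "notepad.exe"},
    };
}

int main() {
#ifdef _WIN32
    std::vector<ProcInfo> procs = SnapshotProcesses();
#else
    std::vector<ProcInfo> procs = SampleSnapshot();
#endif
    uint32_t first = FirstMatch(procs, "chrome.exe");
    uint32_t root  = FindRootProcess(procs, "chrome.exe");
    std::cout << "first chrome.exe in snapshot: " << first << "\n"
              << "browser (root) process:       " << root
              << " with " << CountChildren(procs, root, "chrome.exe")
              << " chrome.exe children\n";
    return 0;
}
```

On the constructed snapshot `FirstMatch` returns the sandboxed renderer 3100 while `FindRootProcess` returns the browser process 3000. Dropping `FindRootProcess` into the injector in place of the `strcmp` loop targets the UI process the answer describes; it does not change the fact that the renderers stay out of reach.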

Disclaimer: the technical posts on this site are provided under the CC BY-SA 4.0 license; if you repost them, please credit this site or the original URL.

© 2020-2024 STACKOOM.COM