
C++ DLL Injection: path with special characters

I'm trying to solve this situation. I have a Win32 program that waits until a specific process, "Example.exe", is started; then the program injects "my.dll" into the process "Example.exe".

It works fine until the user has the program under a folder with specific but allowed characters; for example, in my country the default folder name is "Nová složka" (New folder).

I tried to use a relative path

"//my.dll"
"/my.dll"
"\\my.dll"
"\my.dll"

unsuccessfully... Also I tried different ways to convert the string (QString) to a char array.

Developed in Qt 5.1.1

Here is the code where the program finds the path of the .dll

QString actualPath(QDir::currentPath() + "/my.dll");
ui->lblDebug->setText(actualPath);
// toUtf8() produces UTF-8 bytes, and the std::string temporary is destroyed
// at the end of this statement, so myChar points at freed memory afterwards.
const char* myChar = QString(actualPath.toUtf8()).toStdString().c_str();
QString q = QString::fromStdString(myChar);
ui->lblDebug->setText(q);

Here is the injection part

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PE32.th32ProcessID);
// Fixed 512-byte buffer: WriteProcessMemory below also copies 512 bytes from
// myChar, far past the end of the path string.
hModule = (LPVOID)VirtualAllocEx(hProcess, NULL, 512, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, hModule, (LPVOID)myChar, 512, NULL);
// LoadLibraryA interprets the copied bytes in the target's ANSI code page.
CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryA"), hModule, NULL, NULL);
CloseHandle(hProcess);
CloseHandle(hSnapshot);
qDebug() << "INJECT:DONE!";
return true; ExitProcess(0);   // ExitProcess and break are unreachable after return
break;

Do you have any ideas how to pass the right path with correct characters to the function WriteProcessMemory? Thanks.

You're using the ANSI version of LoadLibrary. You should then be using the local 8-bit encoding, not UTF-8. The gyrations that you go through to get the ANSI version of the path are unnecessary. You also shouldn't be using a fixed buffer size.

QString const actualPath(QDir::currentPath() + "/my.dll");
// This byte array must exist until the `WriteProcessMemory` call.
// toLocal8Bit() encodes in the ANSI code page that LoadLibraryA expects, not UTF-8.
QByteArray const path = actualPath.toLocal8Bit();
int const bufLen = path.size() + 1;   // +1 for the terminating NUL

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PE32.th32ProcessID);
// Allocate exactly as many bytes as the string needs, not a fixed 512.
hModule = VirtualAllocEx(hProcess, NULL, bufLen,
                         MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess, hModule, (LPVOID)path.constData(), bufLen, NULL);
CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)
  GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryA"),
  hModule, NULL, NULL);
CloseHandle(hProcess);

What you should really be doing, though, is using the UCS-2 encoding with LoadLibraryW:

QString const path(QDir::currentPath() + "/my.dll");
// QString stores 16-bit code units: two bytes per unit, plus the terminator.
int const bufLen = (path.length()+1) * 2;

hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, PE32.th32ProcessID);
hModule = VirtualAllocEx(hProcess, NULL, bufLen,
                         MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
// constData() returns the NUL-terminated const QChar* buffer, which LoadLibraryW reads as LPCWSTR.
WriteProcessMemory(hProcess, hModule, (LPVOID)path.constData(), bufLen, NULL);
CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)
  GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW"),
  hModule, NULL, NULL);
CloseHandle(hProcess);
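As an added example, not code from the question or the answer, here is a portable C++ sketch of the buffer the second snippet hands to WriteProcessMemory: it converts a UTF-8 path to UTF-16LE and sizes the buffer exactly, terminator included, rather than using a fixed 512 bytes, so you can see why the UTF-8 byte count, the code-unit count and the buffer length all differ for a name like "Nová složka". The path "C:/Nová složka/my.dll" is a constructed sample, and the Windows calls are left out so the block compiles anywhere.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed sample path, UTF-8 bytes spelled out: "C:/Nová složka/my.dll".
const std::string kSamplePath = "C:/Nov\xC3\xA1 slo\xC5\xBEka/my.dll";

// Decode UTF-8 into the UTF-16 code units LoadLibraryW expects.
// Malformed input throws rather than silently yielding a different file name.
std::u16string utf8ToUtf16(const std::string& s) {
    std::u16string out;
    for (size_t i = 0; i < s.size();) {
        unsigned char b = static_cast<unsigned char>(s[i]);
        uint32_t cp = 0; size_t n = 0;
        if (b < 0x80)      { cp = b;        n = 1; }
        else if (b < 0xC2) { throw std::runtime_error("stray continuation byte"); }
        else if (b < 0xE0) { cp = b & 0x1F; n = 2; }
        else if (b < 0xF0) { cp = b & 0x0F; n = 3; }
        else               { cp = b & 0x07; n = 4; }
        if (i + n > s.size()) throw std::runtime_error("truncated UTF-8 sequence");
        for (size_t k = 1; k < n; ++k) {
            unsigned char c = static_cast<unsigned char>(s[i + k]);
            if ((c & 0xC0) != 0x80) throw std::runtime_error("bad continuation byte");
            cp = (cp << 6) | (c & 0x3F);
        }
        i += n;
        if (cp < 0x10000) {
            out.push_back(static_cast<char16_t>(cp));
        } else {                       // outside the BMP: emit a surrogate pair
            cp -= 0x10000;
            out.push_back(static_cast<char16_t>(0xD800 + (cp >> 10)));
            out.push_back(static_cast<char16_t>(0xDC00 + (cp & 0x3FF)));
        }
    }
    return out;
}

// Exact bytes to hand to WriteProcessMemory for a LoadLibraryW thread:
// UTF-16LE code units plus the two-byte terminator, sized from the string.
std::vector<unsigned char> remotePathBufferW(const std::string& utf8Path) {
    std::u16string w = utf8ToUtf16(utf8Path);
    std::vector<unsigned char> buf;
    buf.reserve((w.size() + 1) * 2);
    for (char16_t u : w) { buf.push_back(u & 0xFF); buf.push_back(u >> 8); }
    buf.push_back(0); buf.push_back(0);   // terminating L'\0'
    return buf;
}
```

For the sample path the UTF-8 string is 23 bytes but only 21 code units, so the remote buffer is 44 bytes; passing the 23 UTF-8 bytes to LoadLibraryA would instead be read as a different, longer ANSI name.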
