ActiveX DLL Injection In VB6

Posted on 2007-07-23
Last Modified: 2008-02-01
I'm trying to learn application injection, so I created an "ActiveX DLL" that is named prjSecurity and has a class name clsSecurity with a function that's as follows

Function MyMessageBox()
MsgBox "Testing"
End Function

and I want to make an application that injects and executes the MyMessageBox function, so I made a program that looks like this

(warning: I'm a sloppy home-taught coder :-P)

Private Declare Function GetWindowThreadProcessId Lib "user32.dll" (ByVal hwnd As Long, ByRef lpdwProcessId As Long) As Long
Private Declare Function FindWindow Lib "user32.dll" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32.dll" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lPAddress As Any, ByRef dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lpBaseAddress As Any, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Any, ByVal lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, ByRef lPAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long
Private Declare Function LoadLibrary Lib "kernel32.dll" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const MEM_COMMIT As Long = &H1000
Private Const PAGE_READWRITE As Long = &H4
Private Const WAIT_TIMEOUT As Long = 258&
Private Const INFINITE = &HFFFF
Private Const MEM_RELEASE As Long = &H8000
Dim pID As Long, nhWnd As Long, nThreadID As Long, DllPath As String, hRemoteMem As Long, numBytesWritten As Long, hRemoteThread As Long, SubClassed As Long
Dim lLoadLibrary As Long, Inject As Long

Private Sub Form_Load()
Dim lPAddress As Long, lexecute As Long, secLibrary As Long
lLoadLibrary = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
nhWnd = FindWindow(vbNullString, "My Program Lol")
If nhWnd <> 0 Then
GetWindowThreadProcessId nhWnd, nThreadID
pID = OpenProcess(PROCESS_ALL_ACCESS, False, nThreadID)
DllPath = App.Path & "\MySecurity.dll"
hRemoteMem = VirtualAllocEx(pID, ByVal 0, Len(DllPath), MEM_COMMIT, ByVal PAGE_READWRITE)
Inject = WriteProcessMemory(pID, ByVal hRemoteMem, ByVal DllPath, Len(DllPath), vbNull)
hRemoteThread = CreateRemoteThread(pID, vbNull, 0, lLoadLibrary, hRemoteMem, 0, 0)
If hRemoteThread Then Text1.Text = "K Do It!"
VirtualFreeEx pID, ByVal hRemoteMem, Len(DllPath), MEM_RELEASE
CloseHandle pID
End If
End Sub

and the first CreateRemoteThread works so I assume the DLL is injected... I then try to execute the MyMessageBox function in it, by doing

lPAddress = GetProcAddress(GetModuleHandle(App.Path & "\MySecurity.dll"), "prjSecurity")

and lPAddress always returns 0... I can't figure out what I'm doing wrong... I also tried changing prjSecurity to MyMessageBox, clsSecurity, and all got the same results, 0. Any help would be appreciated as I'm brand new to this
Question by: Hipposaver

    Accepted Solution

    An ActiveX DLL cannot be injected into a remote process this way (via the LoadLibrary API) - it uses an absolutely different approach than a standard DLL does. As for remote API calling (including the famous msgbox :) take a look at my sample at
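
A defender's view of the call sequence in the question, as an added example that is not part of the original post or answer: the thread the question creates starts at LoadLibraryA inside another process, which Sysmon records as Event ID 8 (CreateRemoteThread). The events below are constructed samples, and the names `classify` and `detect` are hypothetical.

```python
import ntpath

# Constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread).
# All process names, PIDs and paths are invented for illustration.
SAMPLE_EVENTS = [
    {"SourceProcessId": 4120, "SourceImage": r"C:\Users\dev\Injector.exe",
     "TargetProcessId": 5312, "TargetImage": r"C:\Apps\MyProgram.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "LoadLibraryA"},
    {"SourceProcessId": 612, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 5312, "TargetImage": r"C:\Apps\MyProgram.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll",
     "StartFunction": "CtrlRoutine"},
    {"SourceProcessId": 7001, "SourceImage": r"C:\Tools\helper.exe",
     "TargetProcessId": 7050, "TargetImage": r"C:\Apps\Other.exe",
     "StartModule": r"C:\WINDOWS\system32\KERNELBASE.dll",
     "StartFunction": "loadlibraryexw"},
    {"SourceProcessId": 8000, "SourceImage": r"C:\Tools\thing.exe",
     "TargetProcessId": 8100, "TargetImage": r"C:\Apps\Third.exe",
     "StartModule": "-", "StartFunction": "-"},
]

LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}
LOADER_FUNCTIONS = {"loadlibrarya", "loadlibraryw",
                    "loadlibraryexa", "loadlibraryexw"}

def classify(event):
    """Return a finding label for one event, or None if nothing stands out."""
    if event["SourceProcessId"] == event["TargetProcessId"]:
        return None  # not a cross-process thread
    # ntpath parses Windows paths regardless of the host OS.
    module = ntpath.basename(event.get("StartModule") or "").lower()
    function = (event.get("StartFunction") or "").lower()
    if module in LOADER_MODULES and function in LOADER_FUNCTIONS:
        # Thread entry point is the DLL loader itself: the pattern in the question.
        return "loadlibrary-remote-thread"
    if function in ("", "-"):
        # Start address did not resolve to an export; worth a look on its own.
        return "unresolved-start-address"
    return None

def detect(events):
    """Collect (label, source image, target image) for every flagged event."""
    findings = []
    for event in events:
        label = classify(event)
        if label:
            findings.append((label, event["SourceImage"], event["TargetImage"]))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```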
