ActiveX DLL Injection In VB6

I'm trying to learn application injection, so I created an "ActiveX DLL" named prjSecurity that has a class named clsSecurity with a function as follows:

' clsSecurity: class module in the ActiveX DLL project prjSecurity
Public Function MyMessageBox()
    MsgBox "Testing"
End Function

and I want to make an application that injects and executes the MyMessageBox function, so I made a program that looks like this

(warning: I'm a sloppy home-taught coder :-P)

' Win32 declarations. Pointer-sized values are passed ByVal As Long (VB6 is 32-bit);
' only the true output parameters (process ID, thread ID, bytes written, exit code) are ByRef.
Private Declare Function GetWindowThreadProcessId Lib "user32.dll" (ByVal hwnd As Long, ByRef lpdwProcessId As Long) As Long
Private Declare Function FindWindow Lib "user32.dll" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function GetModuleHandle Lib "kernel32.dll" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32.dll" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As Long
Private Declare Function WaitForSingleObject Lib "kernel32.dll" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Private Declare Function GetExitCodeThread Lib "kernel32.dll" (ByVal hThread As Long, ByRef lpExitCode As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function CloseHandle Lib "kernel32.dll" (ByVal hObject As Long) As Long

Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_RELEASE As Long = &H8000
Private Const PAGE_READWRITE As Long = &H4
Private Const WAIT_TIMEOUT As Long = 258&
Private Const INFINITE As Long = &HFFFFFFFF   ' &HFFFF would be a 65 ms timeout, not "infinite"

Private hProcess As Long, pID As Long, nhWnd As Long, DllPath As String
Private hRemoteMem As Long, numBytesWritten As Long, hRemoteThread As Long, hRemoteModule As Long
Private lLoadLibrary As Long, Inject As Long

Private Sub Form_Load()
    ' kernel32 is mapped at the same base in every process, so the injector's own
    ' address of LoadLibraryA is also valid inside the target
    lLoadLibrary = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
    nhWnd = FindWindow(vbNullString, "My Program Lol")
    If nhWnd <> 0 Then
        ' the ByRef argument receives the process ID (the return value is the thread ID)
        GetWindowThreadProcessId nhWnd, pID
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pID)
        DllPath = App.Path & "\MySecurity.dll"
        ' Len + 1 so the terminating null is allocated and copied along with the path;
        ' ByVal DllPath passes a null-terminated ANSI copy of the string
        hRemoteMem = VirtualAllocEx(hProcess, 0, Len(DllPath) + 1, MEM_COMMIT, PAGE_READWRITE)
        Inject = WriteProcessMemory(hProcess, hRemoteMem, ByVal DllPath, Len(DllPath) + 1, numBytesWritten)
        ' run LoadLibraryA(DllPath) on a new thread inside the target
        hRemoteThread = CreateRemoteThread(hProcess, 0, 0, lLoadLibrary, hRemoteMem, 0, 0)
        If hRemoteThread <> 0 Then
            ' wait before freeing the path buffer, otherwise LoadLibraryA may read freed memory;
            ' the thread's exit code is LoadLibraryA's return value, i.e. the DLL's base
            ' address inside the target (0 if the load failed)
            WaitForSingleObject hRemoteThread, INFINITE
            GetExitCodeThread hRemoteThread, hRemoteModule
            Text1.Text = "K Do It! Remote base: " & Hex$(hRemoteModule)
            CloseHandle hRemoteThread
        End If
        ' MEM_RELEASE requires dwSize = 0
        VirtualFreeEx hProcess, hRemoteMem, 0, MEM_RELEASE
        CloseHandle hProcess
    End If
End Sub

and the first CreateRemoteThread works, so I assume the DLL is injected... I then try to execute the MyMessageBox function in it by doing

lPAddress = GetProcAddress(GetModuleHandle(App.Path & "\MySecurity.dll"), "prjSecurity")

and lPAddress always returns 0... I can't figure out what I'm doing wrong... I also tried changing prjSecurity to MyMessageBox, clsSecurity, and all got the same result, 0. Any help would be appreciated as I'm brand new to this.
Asked by Hipposaver

Ark commented:
Hi

An ActiveX DLL cannot be injected into a remote process this way (via the LoadLibrary API); it uses a completely different approach from a standard DLL. As for remote API calling (including the famous MsgBox :), take a look at my sample at http://www.freevbcode.com/ShowCode.Asp?ID=8389
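A check worth running before reaching for GetProcAddress at all, added here as an example that is not part of either post: dump the DLL's export table and see what names are actually there. A VB6 ActiveX DLL exposes its classes through COM, so its export table contains only the four COM entry points (DllCanUnloadNow, DllGetClassObject, DllRegisterServer, DllUnregisterServer) and nothing named after prjSecurity, clsSecurity or MyMessageBox, which is why GetProcAddress returns 0 for those names. (GetModuleHandle called in the injector also consults the injector's own module list, not the target's, so it returns 0 for MySecurity.dll as well.) The parser below reads the export directory of a PE32 or PE32+ file with the Python standard library. The DLL image it runs on is constructed in the script with exactly those four names; it is not a build of MySecurity.dll, and the export-table layout it emits is only what the parser needs, not a loadable module.

```python
"""Dump a DLL's export names with the standard library, to see what GetProcAddress can find.

Added example, not code from the original post. The sample image is constructed below
with the four COM entry points a VB6 ActiveX DLL exports; no real DLL is read.
"""
import struct

EXPORT_DIR_SIZE = 40          # sizeof(IMAGE_EXPORT_DIRECTORY)
SECTION_HEADER_SIZE = 40      # sizeof(IMAGE_SECTION_HEADER)


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError(f"RVA 0x{rva:x} is not inside any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def parse_exports(data):
    """Return (internal DLL name, [export names]) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 (PE32, 0x10B) or +112 (PE32+, 0x20B); entry 0 is the export table
    export_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    if export_rva == 0:
        return None, []
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * SECTION_HEADER_SIZE
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    dll_name_rva = struct.unpack_from("<I", data, exp + 12)[0]
    n_names, _funcs_rva, names_rva, _ords_rva = struct.unpack_from("<IIII", data, exp + 24)
    names_off = _rva_to_offset(names_rva, sections)
    names = [
        _cstring(data, _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections))
        for i in range(n_names)
    ]
    return _cstring(data, _rva_to_offset(dll_name_rva, sections)), names


def has_export(data, name):
    """True only if GetProcAddress(hModule, name) would have a named export to resolve."""
    return name in parse_exports(data)[1]


def build_sample_dll(dll_name, exports):
    """Constructed PE32 image holding only an export table (not loadable; enough for the parser)."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(exports)
    funcs_off = EXPORT_DIR_SIZE
    names_off = funcs_off + 4 * n
    ords_off = names_off + 4 * n
    str_off = ords_off + 2 * n
    strings, name_rvas = bytearray(), []
    for name in exports:
        name_rvas.append(sec_rva + str_off + len(strings))
        strings += name.encode("ascii") + b"\0"
    dll_name_rva = sec_rva + str_off + len(strings)
    strings += dll_name.encode("ascii") + b"\0"
    body = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                                 sec_rva + funcs_off, sec_rva + names_off, sec_rva + ords_off))
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # placeholder code RVAs
    body += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    vsize = len(body)
    assert vsize <= sec_raw, "sample export table exceeds one file-alignment unit"
    body += b"\0" * (sec_raw - vsize)
    hdr = bytearray(sec_raw)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF: i386, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<II", hdr, opt + 96, sec_rva, vsize)                    # DataDirectory[0] = exports
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 224, b".edata", vsize, sec_rva, sec_raw, sec_raw,
                     0, 0, 0, 0, 0x40000040)
    return bytes(hdr + body)


# The four exports a VB6 ActiveX DLL actually has; nothing is named after the class or its methods.
VB6_ACTIVEX_EXPORTS = ["DllCanUnloadNow", "DllGetClassObject", "DllRegisterServer", "DllUnregisterServer"]
SAMPLE_DLL = build_sample_dll("MySecurity.dll", VB6_ACTIVEX_EXPORTS)

if __name__ == "__main__":
    print(parse_exports(SAMPLE_DLL))
    for wanted in ("prjSecurity", "clsSecurity", "MyMessageBox"):
        print(wanted, "exported?", has_export(SAMPLE_DLL, wanted))
    # Against the real file: parse_exports(open(r"MySecurity.dll", "rb").read())
```

Point it at the compiled MySecurity.dll and the list will be the four Dll* names; the class method is reachable only through COM (DllGetClassObject and the class's vtable), not by export name, so resolving it in a remote process needs a different mechanism than GetProcAddress.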
