Solved

How can I write my code in a DLL, embed it in an EXE, and inject it into winlogon.exe?

Posted on 2010-01-11
645 Views
Last Modified: 2013-12-14
How can I write my code in a DLL, embed it in an EXE, and inject it into winlogon.exe?
Any help I can get from anyone.
If CSecurity can solve this Q, I will be thankful.

Question by: sa3q
14 Comments
 
LVL 1

Author Comment

by:sa3q
ID: 26288170
jkr, you can see this Q:
http://www.experts-exchange.com/Programming/Languages/CPP/Q_25030345.html

I opened this question to solve the second problem that appeared.
 
LVL 17

Accepted Solution

by: CSecurity
CSecurity earned 2000 total points
ID: 26288602
OK. As you run at the very startup and you use sc config to set it up, the username of the owner of your process will be SYSTEM. So you can inject your code into other SYSTEM users' processes.

I'm not sure which processes are running at that time, but try svchost, csrss, winlogon, etc. You'll find one suitable.

Converting your EXE into a DLL is easy: just convert your WinMain into DllMain.
Here is a sample DllMain skeleton:

BOOL APIENTRY DllMain( HINSTANCE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
            // HERE YOU START YOUR EXE JOB: create a thread and, in the created thread,
            // DO ALL THE THINGS YOU WERE DOING IN THE EXE
            break;
    }
    return TRUE;
}

Then put your DLL somewhere like the System32 or Windows folder, or in the same folder as the EXE you'll create for injecting this DLL.
Write an EXE which will inject your DLL into another process; sample code is here:
http://www.dreamincode.net/code/snippet407.htm

If you need more examples, simply google "C++ DLL Inject".

The basics of DLL injection are easy: open the remote process and get its handle (OpenProcess), allocate the needed space for your DLL in the remote process's memory (VirtualAlloc), give execute permission to the memory page where you load your DLL (VirtualProtect), write your DLL into the newly created space (WriteProcessMemory), and run your code (CreateRemoteThread).

That's it. After you have created the thread, write WaitForSingleObject(YourCreateThreadReturnedHandle, INFINITE);

then return, exit WinMain and exit your program; the injected DLL will do the rest of the job.
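Seen from the defender's side, the sequence CSecurity lists above (OpenProcess, allocate, WriteProcessMemory, CreateRemoteThread pointed at LoadLibraryA) is exactly what Sysmon's Event ID 8 (CreateRemoteThread) records: the source image, the target image, and the module and export the new thread starts in. The Python below is an added example, not code from this thread or from CSecurity. The log records are constructed to mimic Sysmon's Event ID 8 field names flattened into one "Key=Value" line per event; the list of sensitive target processes, the LoadLibrary export names used for matching, and the scoring thresholds are the example author's own assumptions, not anything stated on the page.

```python
"""Triage Sysmon Event ID 8 (CreateRemoteThread) records for DLL-injection patterns.

Added example for this thread. The events are constructed; the heuristics
(sensitive process list, LoadLibrary exports, score thresholds) are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 8 records, flattened to one "Key=Value" line each.
# Field names follow Sysmon's schema; every value (paths, PIDs, times, addresses)
# is made up for this example.
SAMPLE_EVENTS = [
    # The pattern discussed above: a user-started injector creating a thread in
    # winlogon.exe whose entry point is kernel32!LoadLibraryA.
    "EventID=8 UtcTime=2010-01-11 15:03:10.111 SourceImage=C:\\Tools\\injector.exe "
    "SourceProcessId=1234 TargetImage=C:\\Windows\\System32\\winlogon.exe TargetProcessId=540 "
    "NewThreadId=2222 StartAddress=0x7C801D7B StartModule=C:\\Windows\\System32\\kernel32.dll "
    "StartFunction=LoadLibraryA",
    # Same technique against notepad.exe, the test target used in the thread.
    "EventID=8 UtcTime=2010-01-11 15:04:42.500 SourceImage=C:\\Tools\\injector.exe "
    "SourceProcessId=1234 TargetImage=C:\\Windows\\System32\\notepad.exe TargetProcessId=3012 "
    "NewThreadId=3080 StartAddress=0x7C801D7B StartModule=C:\\Windows\\System32\\kernel32.dll "
    "StartFunction=LoadLibraryA",
    # A remote thread whose start address is not inside any loaded module.
    "EventID=8 UtcTime=2010-01-11 15:06:01.003 SourceImage=C:\\Program Files\\Debugger\\dbg.exe "
    "SourceProcessId=2048 TargetImage=C:\\Users\\u\\app.exe TargetProcessId=2300 "
    "NewThreadId=2310 StartAddress=0x00401000 StartModule= StartFunction=",
    # A cross-process thread into a non-critical target at a module-backed,
    # non-LoadLibrary address: little signal on its own.
    "EventID=8 UtcTime=2010-01-11 15:07:15.900 SourceImage=C:\\Windows\\System32\\svchost.exe "
    "SourceProcessId=900 TargetImage=C:\\Users\\u\\app.exe TargetProcessId=2300 "
    "NewThreadId=2333 StartAddress=0x77E6B5F0 StartModule=C:\\Windows\\System32\\ntdll.dll "
    "StartFunction=RtlUserThreadStart",
]

# Assumed list of processes where a foreign thread deserves a closer look.
SENSITIVE_TARGETS = {"winlogon.exe", "lsass.exe", "csrss.exe", "services.exe",
                     "smss.exe", "wininit.exe"}
# Exports an injector typically points CreateRemoteThread at.
LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}

# Split "Key=Value Key=Value ..." where values may contain spaces (timestamps,
# "Program Files"). A value ends where the next " Key=" token begins, so a value
# that itself contains " word=" would be mis-split; real Sysmon XML avoids this.
_FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event line into a field dictionary."""
    return {key: value for key, value in _FIELD.findall(line)}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (handles empty paths)."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event: Dict[str, str]) -> Tuple[str, List[str]]:
    """Score one CreateRemoteThread event; returns (severity, reasons)."""
    reasons: List[str] = []
    score = 0
    target = image_name(event.get("TargetImage", ""))
    start_function = event.get("StartFunction", "")
    if start_function in LOADLIBRARY_EXPORTS:
        reasons.append(f"thread entry is kernel32!{start_function}: remote LoadLibrary, "
                       "the classic DLL-injection pattern")
        score += 2
    if not event.get("StartModule"):
        reasons.append("thread start address is not backed by any loaded module")
        score += 2
    if target in SENSITIVE_TARGETS:
        reasons.append(f"target {target} is a system-critical process")
        score += 2
    # Assumed thresholds: two indicators together are worth escalating.
    severity = "high" if score >= 4 else "medium" if score >= 2 else "info"
    return severity, reasons


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Run assess() over Event ID 8 lines and return one finding per event."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        event = parse_event(line)
        if event.get("EventID") != "8":
            continue  # only CreateRemoteThread events are in scope here
        severity, reasons = assess(event)
        findings.append({
            "severity": severity,
            "source": image_name(event.get("SourceImage", "")),
            "target": image_name(event.get("TargetImage", "")),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['source']} -> {finding['target']}")
        for reason in finding["reasons"]:
            print("         -", reason)
```

Run as-is it prints a high finding for the injector-to-winlogon record, medium for the notepad and unbacked-address records, and info for the last. In production the rules need an allowlist keyed on the source image (debuggers and some endpoint agents legitimately create remote threads), and the empty-StartModule rule only fires when Sysmon could not resolve the address, so it complements rather than replaces the LoadLibrary check.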
 
LVL 17

Expert Comment

by:CSecurity
ID: 26288604
Was my long article enough? If you have any question related to my comment, don't hesitate to ask.
 
LVL 17

Assisted Solution

by:CSecurity
CSecurity earned 2000 total points
ID: 26288625
An example.
As an example, assume you had this in your EXE:

WinMain()
{
    int i = 0;
    for (i = 0; i < 10; i++)
        DoSomeStuff();
}

Now you put the WinMain stuff in a simple void function, like

void Startup()
{

....

}

Now in DllMain do this:

BOOL APIENTRY DllMain( HINSTANCE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
        {
            HANDLE rthread;
            DWORD ret;  // receives the new thread's id
            // Startup runs on its own thread so DllMain returns promptly;
            // the cast adapts the void Startup() above to LPTHREAD_START_ROUTINE.
            rthread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Startup, NULL, 0, &ret);
            if (rthread)
                CloseHandle(rthread);  // the thread keeps running; only the handle is released
            break;
        }
    }
    return TRUE;
}

That's it. It's the DLL port of your EXE. For injection, that's also easy, as I explained above. Plenty of sample code exists on the internet.
 
LVL 17

Assisted Solution

by:CSecurity
CSecurity earned 2000 total points
ID: 26288639
Another sample injector.

That's all:
#include <windows.h>
#include <stdio.h>

#define dll "YOUREXEPORTDLLFILE.DLL" // put it in system32 or windows or in same folder of this exe or in %PATH%

// originally by C++Noob, refactored by KOrUPt
int InjDll(char *dllname, DWORD procID)
{
        char buf[MAX_PATH];
        LPVOID dllNameMem;
        HANDLE hProcess, hThread[2];
        LPVOID loadlibaddr, stringaddr;
        HMODULE findoff;
        DWORD exitcode, modfunc;
        int nStatus = 0;
        
        if((hProcess = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_CREATE_THREAD, FALSE, procID))){
                loadlibaddr = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
                if(loadlibaddr){
                        dllNameMem = (LPVOID)VirtualAllocEx(hProcess, NULL, strlen(dllname), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
                        WriteProcessMemory(hProcess, (LPVOID)dllNameMem, dllname, strlen(dllname), NULL);
                        hThread[0] = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadlibaddr, (LPVOID)dllNameMem, NULL, NULL);
                        if(hThread[0]){
                                WaitForSingleObject(hThread[0], INFINITE);
                                GetExitCodeThread(hThread[0], &exitcode);
                                findoff = LoadLibrary(dllname);
                                if(findoff){
                                        modfunc = (DWORD)GetProcAddress(findoff, (LPSTR)1);
                                        exitcode += modfunc - (DWORD)findoff;
                                        hThread[1] = CreateRemoteThread(hProcess, NULL, NULL, (LPTHREAD_START_ROUTINE)exitcode, NULL, NULL, NULL);
                                        if(hThread[1]) nStatus = 1;
                                }
                        }
                }
                CloseHandle(hProcess);
        }
                
        return nStatus;
}


int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,LPSTR lpCmdLine, int nCmdShow)
{
        char processPath[MAX_PATH], *err;
        PROCESS_INFORMATION pi;
        STARTUPINFO si;
        TOKEN_PRIVILEGES tp;
        HANDLE hPrivToken;

        memset(&si, 0, sizeof(STARTUPINFO));
        memset(&pi, 0, sizeof(PROCESS_INFORMATION));
        GetSystemDirectory(processPath, MAX_PATH);
        strncat(processPath, "\\notepad.exe", MAX_PATH - sizeof("\\notepad.exe"));
        if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hPrivToken)){
                LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
                tp.PrivilegeCount = 1, tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
                AdjustTokenPrivileges(hPrivToken, 0, &tp, sizeof(tp), NULL, NULL);
                CloseHandle(hPrivToken);
        }

        si.cb = sizeof(STARTUPINFO), si.wShowWindow = SW_SHOW, si.dwFlags = STARTF_USESHOWWINDOW;
        if(CreateProcess(processPath, NULL, NULL, NULL, false, 0, NULL, NULL, &si, &pi)){
                if(InjDll(dll, pi.dwProcessId)){
                        err = "DLL Injected successfully";
                }else{
                        err = "Cannot inject DLL";
                        TerminateProcess(pi.hProcess, 0);
                }
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);
        }else err = "Cannot CreateProcess";
        MessageBox(0, err, "Info", MB_ICONINFORMATION);
        return 0;
}

 
LVL 17

Assisted Solution

by:CSecurity
CSecurity earned 2000 total points
ID: 26288647
The last code I gave you also raises your privilege, in case you need it, using AdjustTokenPrivileges.
 
LVL 1

Author Comment

by:sa3q
ID: 26288889
Thanks, thanks, thank you. I will use your code and I will close this question after that.

What is this AdjustTokenPrivileges?
 
LVL 1

Author Comment

by:sa3q
ID: 26293017
In your comment of 11/01/10 03:03 PM, ID: 26288639,

in the code at line 23
it didn't run, because
 hThread[0] = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)loadlibaddr, (LPVOID)dllNameMem, NULL, NULL);

did not run and the injection did not happen.
Why?
----------------------------------

The code you provided to me at http://www.dreamincode.net/code/snippet407.htm

runs when I test it on notepad.exe:

it opens a new notepad.exe, injects the DLL into it, and it runs perfectly.

But I didn't want to open a new notepad; I want to inject into the process that is already running, not create a new one,

because when I try to use that with winlogon or anything else it didn't open the other process or inject the DLL.

I suggest that it didn't do that because it creates a new process, and I want to add my DLL to a running process.

Thank you
 
LVL 17

Expert Comment

by:CSecurity
ID: 26293707
Instead of CreateProcess or WinExec, which have to open Notepad, change that to OpenProcess and find out the target process's process ID.

AdjustPrivilege gives you full permission and access to inject code into some processes you otherwise can't.
 
LVL 1

Author Comment

by:sa3q
ID: 26297969
OK, thank you for that. I injected the DLL into winlogon.exe, but there is a big problem:

no function of the DLL runs. It runs for one second and after that it is still in memory but does not work ???

I tried with notepad.exe and it works perfectly, but in winlogon.exe :|(    ???????
 
LVL 17

Expert Comment

by:CSecurity
ID: 26298038
That's again something new. Now you inject the DLL into WinLogon and have ported your EXE to a DLL. For those types of errors you need to DEBUG, find the exact source of the problem, post a question and we'll look into it.
 
LVL 1

Author Closing Comment

by:sa3q
ID: 31675786
Thanks, I will post a new question for the other problem.
