Function call in nested DLL?

Question

Function call in nested DLL?

Using C ++, I have an application that creates a remote process and inserts a DLL into it. Is there a way to force a remote application to execute a function exported from a DLL from the application that created it? And is it possible to send the parameters of this function? Please note that I try to avoid doing anything in DllMain.

+4

c ++ function process dll inject

RectangleEquals Nov 17 '12 at 8:15

source share

2 answers

Note:
For a better answer, please see My update published below !

So here is how I was able to do this:

 BOOL RemoteLibraryFunction( HANDLE hProcess, LPCSTR lpModuleName, LPCSTR lpProcName, LPVOID lpParameters, SIZE_T dwParamSize, PVOID *ppReturn ) { LPVOID lpRemoteParams = NULL; LPVOID lpFunctionAddress = GetProcAddress(GetModuleHandleA(lpModuleName), lpProcName); if( !lpFunctionAddress ) lpFunctionAddress = GetProcAddress(LoadLibraryA(lpModuleName), lpProcName); if( !lpFunctionAddress ) goto ErrorHandler; if( lpParameters ) { lpRemoteParams = VirtualAllocEx( hProcess, NULL, dwParamSize, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); if( !lpRemoteParams ) goto ErrorHandler; SIZE_T dwBytesWritten = 0; BOOL result = WriteProcessMemory( hProcess, lpRemoteParams, lpParameters, dwParamSize, &dwBytesWritten); if( !result || dwBytesWritten < 1 ) goto ErrorHandler; } HANDLE hThread = CreateRemoteThread( hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpFunctionAddress, lpRemoteParams, NULL, NULL ); if( !hThread ) goto ErrorHandler; DWORD dwOut = 0; while(GetExitCodeThread(hThread, &dwOut)) { if(dwOut != STILL_ACTIVE) { *ppReturn = (PVOID)dwOut; break; } } return TRUE; ErrorHandler: if( lpRemoteParams ) VirtualFreeEx( hProcess, lpRemoteParams, dwParamSize, MEM_RELEASE ); return FALSE; } //... CStringA targetDll = "injected.dll" // Inject the target library into the remote process PVOID lpReturn = NULL; RemoteLibraryFunction( hProcess, "kernel32.dll", "LoadLibraryA", targetDll.GetBuffer(MAX_PATH), targetDll.GetLength(), &lpReturn ); HMODULE hInjected = reinterpret_cast<HMODULE>( lpReturn ); // Call our exported function lpReturn = NULL; RemoteLibraryFunction( hProcess, targetDll, "Initialize", NULL, 0, &lpReturn ); BOOL RemoteInitialize = reinterpret_cast<BOOL>( lpReturn );

It can also be used to send parameters to a remote function using a pointer to a structure or union, and it is necessary to write something to DllMain.

+5

RectangleEquals Nov 19 '12 at 3:19

source share

RectangleEquals · Accepted Answer · 2015-04-27T13:26:44+0000

So, after some rigorous testing, it would seem that my previous answer is something like flawless
(or even 100% functional, for that matter), and is prone to crashes. After I thought, I decided to use a completely different approach to this ... using Interprocess Communication .

Know ... this method uses code in DllMain .
Therefore, do not go overboard and do not follow safe methods in order to prevent you from falling into deadlock ...

In particular, the Win32 API offers the following two functions that prove useful:

With their help, we can simply tell our Launcher process exactly where our remote init function is located, right from the most implemented dll ...

`dllmain.cpp` :

 // Data struct to be shared between processes struct TSharedData { DWORD dwOffset = 0; HMODULE hModule = nullptr; LPDWORD lpInit = nullptr; }; // Name of the exported function you wish to call from the Launcher process #define DLL_REMOTEINIT_FUNCNAME "RemoteInit" // Size (in bytes) of data to be shared #define SHMEMSIZE sizeof(TSharedData) // Name of the shared file map (NOTE: Global namespaces must have the SeCreateGlobalPrivilege privilege) #define SHMEMNAME "Global\\InjectedDllName_SHMEM" static HANDLE hMapFile; static LPVOID lpMemFile; BOOL APIENTRY DllMain( HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { TSharedData data; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: DisableThreadLibraryCalls(hModule); // Get a handle to our file map hMapFile = CreateFileMappingA(INVALID_HANDLE_VALUE, nullptr, PAGE_READWRITE, 0, SHMEMSIZE, SHMEMNAME); if (hMapFile == nullptr) { MessageBoxA(nullptr, "Failed to create file mapping!", "DLL_PROCESS_ATTACH", MB_OK | MB_ICONERROR); return FALSE; } // Get our shared memory pointer lpMemFile = MapViewOfFile(hMapFile, FILE_MAP_ALL_ACCESS, 0, 0, 0); if (lpMemFile == nullptr) { MessageBoxA(nullptr, "Failed to map shared memory!", "DLL_PROCESS_ATTACH", MB_OK | MB_ICONERROR); return FALSE; } // Set shared memory to hold what our remote process needs memset(lpMemFile, 0, SHMEMSIZE); data.hModule = hModule; data.lpInit = LPDWORD(GetProcAddress(hModule, DLL_REMOTEINIT_FUNCNAME)); data.dwOffset = DWORD(data.lpInit) - DWORD(data.hModule); memcpy(lpMemFile, &data, sizeof(TSharedData)); case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; case DLL_PROCESS_DETACH: // Tie up any loose ends UnmapViewOfFile(lpMemFile); CloseHandle(hMapFile); break; } return TRUE; UNREFERENCED_PARAMETER(lpReserved); }

< / "> Then, from our Launcher application, we will do the usual CreateProcess + VirtualAllocEx + CreateRemoteThread trick to enter our Dll , making sure to pass the pointer to the correct SECURITY_DESCRIPTOR as the third parameter to CreateProcess , and also pass the CREATE_SUSPENDED flag in the 6th parameter .

This will help ensure that your child process has the proper read and write permissions to the global shared memory namespace, although there are other ways to achieve this (or you can test without a global path at all).

The CREATE_SUSPENDED flag ensures that the dllmain entry point function will complete writing to our shared memory before loading other libraries, making it easier to connect locally later ...

`Injector.cpp` :

 SECURITY_ATTRIBUTES SecAttr, *pSec = nullptr; SECURITY_DESCRIPTOR SecDesc; if (InitializeSecurityDescriptor(&SecDesc, SECURITY_DESCRIPTOR_REVISION) && SetSecurityDescriptorDacl(&SecDesc, TRUE, PACL(nullptr), FALSE)) { SecAttr.nLength = sizeof(SecAttr); SecAttr.lpSecurityDescriptor = &SecDesc; SecAttr.bInheritHandle = TRUE; pSec = &SecAttr; } CreateProcessA(szTargetExe, nullptr, pSec, nullptr, FALSE, CREATE_SUSPENDED, nullptr, nullptr, &si, &pi);

<h / "> After injecting the DLL into the target process, all you have to do is use the same (more or less) file mapping code from your DLL project to the Launcher project (except for the part where you set the contents of shared memory, of course )

Then calling your remote function is just a question:

 // Copy from shared memory TSharedData data; memcpy(&data, lpMemFile, SHMEMSIZE); // Clean up UnmapViewOfFile(lpMemFile); CloseHandle(hMapFile); // Call the remote function DWORD dwThreadId = 0; auto hThread = CreateRemoteThread(hProcess, nullptr, 0, LPTHREAD_START_ROUTINE(data.lpInit), nullptr, 0, &dwThreadId);

You can ResumeThread in the main thread of the target process or from your remote function.

As an added bonus ... Using this form of communication can also open several doors for our Launcher process, as it can now directly communicate with the target process.
But again, make sure you don't do too much in DllMain and, if at all possible, just use your remote init function (where it is also safe use named mutexes , for example) to create a separate shared memory card and continue communication from there.

Function call in nested DLL?

`dllmain.cpp` :

`Injector.cpp` :

Hope this helps someone! =)

More articles:

Function call in nested DLL?

dllmain.cpp :

Injector.cpp :

Hope this helps someone! =)

More articles:

`dllmain.cpp` :

`Injector.cpp` :