Nytro Posted January 13, 2011 /////////////////////////////////////////////////////////////////// R00TSECURITY.ORG - YOUR SECURITY COMMUNITY // - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -// [2009-10-03] Dll Injection Using SetWindowsHookEx()// r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx()// - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -// GENERATED ON: 2011-01-13 | 17:34:45/////////////////////////////////////////////////////////////////CODE INFO The SetWindowsHookEx method The SetWindowsHookEx method is a little bit more intrusive than the first, and creates more of a commotion in the injected process, which we normally don't want. However, it is a little bit easier to use than the first, and does have its own advantages (like being able to inject into every process on the system in one shot). The SetWindowsHookEx() function is designed to allow you to "hook" windows messages for a given thread. This requires that you inject a dll into that process's address space, so SetWindowsHookEx() handles all that for us.
The dll must have a function for the hook that it created though, otherwise it will crash.
SOURCE CODE

/*
 * Loader sketch for the SetWindowsHookEx() injection technique described
 * above: a WH_CBT hook is installed for one thread of the process named
 * PROC_NAME, and the hook DLL (DLL_NAME) is the module Windows then maps
 * into that process.
 *
 * Reviewer notes (defensive reading of what the listing actually does):
 *  - The observable sequence is CreateToolhelp32Snapshot -> Process32First/
 *    Next -> OpenProcess(PROCESS_VM_READ) -> ReadProcessMemory ->
 *    SetWindowsHookEx(WH_CBT, ..., hDll, tid). A non-debugger process doing
 *    PROCESS_VM_READ + ReadProcessMemory on another process, followed by a
 *    SetWindowsHookEx call that passes a DLL handle, is the pattern worth
 *    alerting on; the loaded-module list of the target shows DLL_NAME.
 *  - The listing is MSVC, 32-bit only (`_asm`, `fs:` segment) and as
 *    written does not compile as C: see the NOTE(review) comments below.
 *  - No error path is checked (LoadLibrary, GetProcAddress, OpenProcess,
 *    ReadProcessMemory, SetWindowsHookEx) and the hook is never removed
 *    with UnhookWindowsHookEx.
 */
#define PROC_NAME "target.exe"    /* process whose thread receives the hook */
#define DLL_NAME "injected.dll"   /* DLL exporting CBTProc, mapped by the hook */

void LoadDll(char *procName, char *dllName);
unsigned long GetTargetThreadIdFromProcname(char *procName);

/* Entry point: installs the hook once and exits; the hook itself is left in place. */
int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nCmdShow)
{
    LoadDll(PROC_NAME, DLL_NAME);
    return 0;
}

/*
 * Load dllName into this process, resolve its exported "CBTProc" and
 * register it as a WH_CBT hook for the thread id returned by the lookup
 * helper.
 *
 * procName: substring matched against executable names (see helper below).
 * dllName:  path of the hook DLL; passed straight to LoadLibrary.
 *
 * NOTE(review): `return TRUE;` in a void function is a compile error.
 * NOTE(review): the call below is spelled GetTargetThreadIdFromProcName
 * (capital N) while the declaration/definition use ...Procname; that
 * identifier is undeclared as written.
 * NOTE(review): a function pointer from GetProcAddress is stored in an
 * `unsigned long` and handed to SetWindowsHookEx, which expects a HOOKPROC;
 * on a 32-bit build this round-trips, but it is not type-correct.
 */
void LoadDll(char *procName, char *dllName)
{
    HMODULE hDll;
    unsigned long cbtProcAddr;
    hDll = LoadLibrary(dllName);                    /* hDll unchecked for NULL */
    cbtProcAddr = GetProcAddress(hDll, "CBTProc");  /* result unchecked for NULL */
    SetWindowsHookEx(WH_CBT, cbtProcAddr, hDll, GetTargetThreadIdFromProcName(procName));
    return TRUE;
}

/*
 * Find a process whose image name contains procName (case-insensitive,
 * via StrStrI) and return a thread id belonging to it.
 *
 * Returns: the 4 bytes read from the target process, or 0 (`false`) when the
 *          toolhelp snapshot cannot be created.
 *
 * NOTE(review): a 0 return is then passed to SetWindowsHookEx as the thread
 * id; per the intro text, 0 is the "every process" case, so this error path
 * is not a harmless no-op and callers should treat 0 as failure.
 * NOTE(review): ProcFound is set but never tested, so when no process
 * matches, `pe.th32ProcessID` holds whatever the last enumerated entry (or
 * an uninitialised struct, if Process32First failed) contained.
 */
unsigned long GetTargetThreadIdFromProcname(char *procName)
{
    PROCESSENTRY32 pe;
    HANDLE thSnapshot, hProcess;
    BOOL retval, ProcFound = false;
    unsigned long pTID, threadID;
    thSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if(thSnapshot == INVALID_HANDLE_VALUE)
    {
        MessageBox(NULL, "Error: unable to create toolhelp snapshot", "Loader", NULL);
        return false;
    }
    pe.dwSize = sizeof(PROCESSENTRY32);
    retval = Process32First(thSnapshot, &pe);
    while(retval)
    {
        /* substring match, not an exact name comparison: "target.exe" also
         * matches "nottarget.exe" */
        if(StrStrI(pe.szExeFile, procName) )
        {
            ProcFound = true;
            break;
        }
        retval = Process32Next(thSnapshot,&pe);
        pe.dwSize = sizeof(PROCESSENTRY32);
    }
    CloseHandle(thSnapshot);
    /* Computes an address inside the *current* thread's TEB (fs:[0x18] is
     * presumably the TEB self-pointer, +36 a thread-id field — verify) and
     * then reads that same address out of the target process below. This
     * appears to assume the target's TEB lives at the same address as ours;
     * that is an unverified assumption of the listing, not a guarantee. */
    _asm
    {
        mov eax, fs:[0x18]
        add eax, 36
        mov [pTID], eax
    }
    hProcess = OpenProcess(PROCESS_VM_READ, false, pe.th32ProcessID);  /* handle unchecked */
    ReadProcessMemory(hProcess, (const void *)pTID, &threadID, 4, NULL); /* result unchecked; threadID may stay uninitialised */
    CloseHandle(hProcess);
    return threadID;
}
// r00tsecurity -> Source Code Center :: Dll Injection Using SetWindowsHookEx()