
Thread: Execution of exported dll function in remote process

  1. #1


    Execution of exported dll function in remote process

    Hi all

    I have a standard win32 dll ( not an ActiveX dll ) named Test.dll which exports a simple function called MyExportSub ... It is actually a Sub, not a Function, and it simply displays a MsgBox for experimentation purposes.

    I can successfully run the dll export sub from the calling Process ( using the Declare statement, or LoadLibrary/GetProcAddress and the CallWindowProc API ) but I am having difficulty executing the dll export sub from a remote Process such as Notepad.

    I have been trying to accomplish this by translating into VB6 the C++ code published in these two articles:
    http://blog.digitalise.net/2009/01/0...d-dll-library/
    http://stackoverflow.com/questions/1...n-injected-dll

    The following code does load the dll successfully into Notepad ( I can tell because the dll main gets executed ) but it fails to execute the MyExportSub Sub ... I think I am failing to get the exported function's offset address right.

    The code in red is the one that is supposed to execute the exported Sub.

    Code in a Bas Module:

    Code:
    ' Win32 declarations used by Test() below. They fall into three groups:
    ' process/handle access, token privilege adjustment, and cross-process
    ' memory allocation plus thread creation.
    Private Declare Function OpenProcess Lib "kernel32.dll" (ByVal dwDesiredAccessas As Long, ByVal bInheritHandle As Long, ByVal dwProcId As Long) As Long
    Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
    ' Full-rights access mask requested from OpenProcess. Opening another process
    ' with this mask is what process-access auditing (e.g. Sysmon Event ID 10)
    ' records, so it is a natural review point for defenders.
    Private Const PROCESS_ALL_ACCESS = &H1F0FFF
    
    ' Export resolution in the calling process (ANSI variants).
    Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
    Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
    
    ' Token APIs used to switch on SeDebugPrivilege for the caller's own token.
    ' AdjustTokenPrivileges can only enable a privilege the account already holds
    ' (administrators hold this one); it does not grant it.
    Private Declare Function GetCurrentProcess Lib "kernel32" () As Long
    Private Declare Function OpenProcessToken Lib "advapi32" (ByVal ProcessHandle As Long, ByVal DesiredAccess As Long, TokenHandle As Long) As Long
    Private Declare Function LookupPrivilegeValue Lib "advapi32" Alias "LookupPrivilegeValueA" (ByVal lpSystemName As String, ByVal lpName As String, lpLuid As LUID) As Long
    Private Declare Function AdjustTokenPrivileges Lib "advapi32" (ByVal TokenHandle As Long, ByVal DisableAllPrivileges As Long, NewState As TOKEN_PRIVILEGES, ByVal BufferLength As Long, PreviousState As Any, ReturnLength As Any) As Long
    
    ' Cross-process memory: allocate pages in the target process and copy bytes
    ' into them. Test() asks for PAGE_READWRITE only (no execute bit).
    Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal dwSize As Long, ByVal fAllocType As Long, ByVal flProtect As Long) As Long
    Private Declare Function VirtualFreeEx Lib "kernel32.dll" (ByVal hProcess As Long, lpAddress As Any, ByRef dwSize As Long, ByVal dwFreeType As Long) As Long
    Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
    
    ' Starts a thread inside another process at lpStartAddress, passing
    ' lpParameter as its single argument. A thread created in a foreign process
    ' is exactly what Sysmon Event ID 8 (CreateRemoteThread) logs.
    Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, ByRef lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByVal lpThreadID As Long) As Long
    Private Declare Function WaitForSingleObject Lib "kernel32" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
    
    ' GetCurrentProcessId is declared but not referenced by Test() in this listing.
    Private Declare Function GetCurrentProcessId Lib "kernel32" () As Long
    ' Local LoadLibraryA; Test() uses it to map the DLL into this process.
    Private Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
    
    ' CallWindowProc is declared but not referenced by Test() in this listing.
    Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" _
    (ByVal lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    
    Private Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
    
    ' ExitThread is declared but not referenced by Test() in this listing.
    Private Declare Sub ExitThread Lib "kernel32" (ByVal dwExitCode As Long)
    ' Reads a finished thread's exit code; Test() relies on it to collect the
    ' return value of the remote LoadLibraryA call.
    Private Declare Function GetExitCodeThread Lib "kernel32" (ByVal hThread As Long, lpExitCode As Long) As Long
    
    ' VirtualAllocEx / VirtualFreeEx flags.
    Const MEM_COMMIT = &H1000
    Const MEM_RELEASE = &H8000
    Const PAGE_READWRITE = &H4
    
    ' Locally unique identifier of a privilege; filled in by LookupPrivilegeValue.
    Private Type LUID
       LowPart As Long
       HighPart As Long
    End Type
    
    ' TOKEN_PRIVILEGES laid out for exactly one privilege: the count followed by
    ' a single LUID_AND_ATTRIBUTES pair (LuidUDT + Attributes).
    Private Type TOKEN_PRIVILEGES
        PrivilegeCount As Long
        LuidUDT As LUID
        Attributes As Long
    End Type
    
    ' Token access rights and the attribute value that enables a privilege.
    Const TOKEN_ADJUST_PRIVILEGES = &H20
    Const TOKEN_QUERY = &H8
    Const SE_PRIVILEGE_ENABLED = &H2
    ' Timeout (ms) handed to WaitForSingleObject. Note this is &HFFFF, not the
    ' Win32 INFINITE value (&HFFFFFFFF), so the waits in Test() are bounded.
    Const INFINITE = &HFFFF
    
    
    ' Test: starts notepad.exe, maps C:\Test.dll into it by running LoadLibraryA
    ' on a remote thread, then attempts to run the DLL's MyExportSub export on a
    ' second remote thread.
    '
    ' Detection note: the sequence OpenProcess(PROCESS_ALL_ACCESS) ->
    ' VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread(LoadLibraryA) is
    ' the textbook remote-thread DLL injection pattern. Host sensors log exactly
    ' these cross-process calls (e.g. Sysmon Event IDs 8 and 10), and the DLL's
    ' on-disk path is written into the target's memory in plain text, so this
    ' activity is readily visible to EDR and to memory forensics.
    Private Sub Test()
        Dim ret As Long
        Dim fPath() As Byte
        Dim ctr As Integer
        
        'Token Privileges
        Dim hToken As Long
        Dim hProcess As Long
        Dim tp As TOKEN_PRIVILEGES
        
        'Injection Params
        Dim FilePathLen As Integer
        Dim hProc As Long
        Dim procID As Long
        Dim dllPath As String
        Dim VirtAllocRet As Long
        Dim LoadLibAddress As Long
        Dim ModuleHandle As Long
        Dim RemoteThread As Long
        Dim ThreadID As Long
        Dim lXitCode As Long
        Dim hThread As Long
        Dim hLibrary As Long
        Dim pFunction As Long
        Dim getRelativeEntryAddress As Long
        Dim getAbsoluteAddress As Long
        
        'launch Notepad (Shell returns the new process id used by OpenProcess below)
        procID = Shell("notepad.exe")
        
        Sleep 3000
        
        'Change Privileges: enable SeDebugPrivilege on this process's own token.
        'Each failure below only closes the token handle and carries on; no error
        'is raised, so a failed adjustment is silent.
        If OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES Or _
            TOKEN_QUERY, hToken) = 0 Then
            CloseHandle hToken
        End If
        If LookupPrivilegeValue("", "SeDebugPrivilege", tp.LuidUDT) = 0 Then
            CloseHandle hToken
        End If
        tp.PrivilegeCount = 1
        tp.Attributes = SE_PRIVILEGE_ENABLED
        If AdjustTokenPrivileges(hToken, False, tp, 0, ByVal 0&, ByVal 0&) = 0 Then
            CloseHandle hToken
        End If
        
        dllPath = "C:\Test.dll"
        
        'Injection Process
        FilePathLen = Len(dllPath)
        
        'Open the target with full rights; the handle is used for every
        'cross-process call that follows.
        hProc = OpenProcess(PROCESS_ALL_ACCESS, False, procID)
        
        If hProc = 0 Then
            MsgBox "Error, no hProc"
            End
        End If
        
        'Allocate a read/write buffer in the target sized to the path string.
        VirtAllocRet = VirtualAllocEx(hProc, 0, FilePathLen, MEM_COMMIT, PAGE_READWRITE)
        
        If VirtAllocRet = 0 Then
            MsgBox "Error, no Alloc"
            End
        End If
        
        'Copy the path into a byte array one character at a time (ANSI).
        ReDim fPath(FilePathLen) As Byte
        For ctr = 1 To FilePathLen
            fPath(ctr - 1) = Asc(Mid$(dllPath, ctr, 1))
        Next ctr
            
        
        'Write the path bytes into the remote buffer.
        ret = WriteProcessMemory(hProc, VirtAllocRet, fPath(0), FilePathLen, vbNull)
        If ret = 0 Then
            MsgBox "Error, no MEM_Write"
            End
        End If
        
        'retrieve the DLL/module address
        ModuleHandle = GetModuleHandle("Kernel32")
        'retrieve the address of 'LoadLibraryA' from this process's kernel32;
        'it is reused as the remote thread's start address.
        LoadLibAddress = GetProcAddress(ModuleHandle, "LoadLibraryA")
         
        'Run LoadLibraryA inside Notepad with the remote path buffer as its argument.
        RemoteThread = CreateRemoteThread(hProc, 0, 9000, LoadLibAddress, VirtAllocRet, 0, ThreadID)
        If RemoteThread = 0 Then
            MsgBox "No RemoteThread"
            MsgBox Err.LastDllError
            End
        End If
        WaitForSingleObject RemoteThread, INFINITE
        
        'The remote thread's exit code is LoadLibraryA's return value, i.e. the
        'module handle (base address) of Test.dll inside Notepad.
        Call GetExitCodeThread(RemoteThread, lXitCode)
        
        
        'This is the part that doesn't work !!!!!!
        '**************************************************************************
        'load the dll into the current process to get the function address !!!!
        hLibrary = LoadLibrary("C:\Test.dll")
         pFunction = GetProcAddress(hLibrary, "MyExportSub")
         FreeLibrary hLibrary
        'Offset of the export from the local module base, then rebased onto the
        'remote module base obtained above.
        getRelativeEntryAddress = (pFunction) - (hLibrary)
        getAbsoluteAddress = getRelativeEntryAddress + (lXitCode) ' lXitCode obtained from the above GetExitCodeThread call
        'execute the MyExportSub sub from Notepad
        'The author reports this second thread does not reach MyExportSub; the
        'cause is not determinable from this listing alone.
        hThread = CreateRemoteThread(hProc, 0, 0, getAbsoluteAddress, 0, 0, 0)
        WaitForSingleObject hThread, INFINITE
        '**************************************************************************************
        
        'cleanup
        VirtualFreeEx hProc, VirtAllocRet, 0, MEM_RELEASE
        CloseHandle RemoteThread
        CloseHandle hProc
        'lXitCode is a module handle in Notepad's address space; FreeLibrary here
        'acts on the calling process only, so the injected DLL stays loaded in
        'Notepad. The hThread handle is not closed in this listing.
        FreeLibrary lXitCode
    
    End Sub
    Any help would be much appreciated

  2. #2


    Re: Execution of exported dll function in remote process

    Bump !

    Any API knowledgeable people out there ?
