
DLL Injection: Make an application dance at your fingertips

Adhokshaj Mishra
Do you want to make Windows Calculator log all keystrokes? Or play your favorite song inside some text editor? Follow the article, and boast to your friends about what you can do.

Disclaimer: I will not be liable for any misuse of it! Use it at your own risk.

Prerequisites

- MS VC++ 2010 (Express edition will suffice)
- Windows SDK for your current Windows OS

It is assumed that you have some experience in C++/Win32 programming.

Introduction

DLL injection is the process of loading your own DLL into some other process and letting it do its work in the context of that victim process. What are its possible uses? You can keep an eye on some functions of the target application by intercepting them (API hooking), or force some clean-looking process to do work that would seem suspicious otherwise (key-logging, for example). In simple words, you can force an application to do work it was never intended to do! As a harmless example, I will show how I played MP3 songs in Notepad when I first learned this trick.

Basically, the process is as follows:

1. Get a handle to the target process.
2. Reserve some space in its memory.
3. Write the full path of the DLL into that space.
4. Call LoadLibrary() in the context of the target, via a remote thread whose argument is that path.

That's all. Now your DLL is loaded in the target process. The loader calls the DLL's DllMain() with DLL_PROCESS_ATTACH at that moment, so whatever you want the DLL to do has to be kicked off from there.

Let Us Start...

We will start by developing a DLL which will play an MP3 for us. You will need a header file (the MP3Player class), which can be downloaded from http://code4k.blogspot.com/2010/05/playing-mp3-in-c-using-plainwindows.html

After you have included the file in your C++ project, playing an MP3 is straightforward:

    MP3Player player;
    player.OpenFromFile(_T("C:\\song.mp3"));
    player.Play();
    Sleep((DWORD)player.GetDuration() + 1);

Now we should write some code to start playback automatically. Put the snippet above in a function, say Play(), and give it the thread-function signature DWORD WINAPI Play(LPVOID) so it can be handed to CreateThread() without a cast. Do not call Play() directly from DllMain(): DllMain() runs while the loader lock is held, and blocking there (the Sleep() lasts the whole song) would hang the target process. Starting a new thread and returning immediately avoids that. Insert the following in DllMain():

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ReasonToCall, LPVOID lpReserved)
    {
        switch (ReasonToCall)
        {
        case DLL_PROCESS_ATTACH:
            // Play() runs on its own thread; DllMain must return quickly.
            CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)Play, NULL, 0, NULL);
            break;
        }
        return TRUE;
    }

Here, Play() is the function that plays the MP3 (defined above). That's all we need in our DLL. Compile it in release mode.

Since we have our DLL ready, it is time to inject it into some process, say, Notepad. First we need a handle to our target process. The steps are straightforward: window handle, then process ID, then process handle. The code is as follows:

    HWND windowHandle = FindWindowW(NULL, L"Untitled - Notepad");
    DWORD pid = 0;
    GetWindowThreadProcessId(windowHandle, &pid);
    HANDLE hproc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
    if (hproc == NULL)
        return 1; // not found, or access denied

Now let us reserve some memory in the target to hold the path of our DLL:

    const char* DLL = "C:\\inject.dll";
    SIZE_T len = strlen(DLL) + 1; // include the terminating NUL
    LPVOID baseaddr = VirtualAllocEx(hproc, NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

Here we have reserved 14 bytes: the 13 characters of the full path plus its NUL terminator, because LoadLibraryA() (which we are about to call through CreateRemoteThread()) expects a NUL-terminated string. Now write the path into the target:

    WriteProcessMemory(hproc, baseaddr, DLL, len, NULL);

Next, look up the address of LoadLibraryA() in kernel32.dll and call it via CreateRemoteThread(), passing the remote buffer as the thread argument. This works because kernel32.dll is mapped at the same base address in every process during a boot session, so the address we resolve in our own process is valid in the target as well:

    FARPROC addr = GetProcAddress(GetModuleHandleA("kernel32.dll"), "LoadLibraryA");
    HANDLE hthread = CreateRemoteThread(hproc, NULL, 0, (LPTHREAD_START_ROUTINE)addr, baseaddr, 0, NULL);
    WaitForSingleObject(hthread, INFINITE);

And that's all! Launch Notepad, start your program, and enjoy the song. :D

Note: the injector, the target process and the DLL must all be built for the same processor architecture (32-bit or 64-bit). A 32-bit injector cannot inject into a 64-bit process this way (the kernel32 address it resolves is meaningless there), and a DLL of the wrong bitness simply fails to load. If LoadLibrary() fails in the target, the remote thread's exit code is 0, which you can read with GetExitCodeThread() after the wait above.

Enjoy C++!!
