c++ injection does not work on windows 8.1

[mindjos]

Ok afternoon everyone

I decided to play around wit a c/c++ program today, I beeb trying to make an injection to inject into a file I made in c#
The dll is made in c++ the odesk.exe is in c#, it doesn't inject into it instead it returns my customised error, what could wrong?

My code looks like this

Code:

#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <shlwapi.h>
#include <tlhelp32.h>
#include <conio.h>


//prototypes 

BOOL InjectDLL(DWORD ID, const char* dll);
DWORD GetProcessId(IN PCHAR szExeName);

//Main codes

int main()
	{
	  char dll[MAX_PATH];
		
	 GetFullPathName("DLLTest.dll",MAX_PATH,dll,NULL);
	  DWORD ID = GetProcessId("Odesk.exe");
		
	  if(!InjectDLL(ID,dll))
	  {
		printf("Injection Failed");
	       	Sleep(3000);
		exit(1);
	  }
	else
	{
		printf("Success!");
	       	Sleep(3000);
		exit(1);
	}
	return 0;	
     }

//Functions

DWORD GetProcessId(IN PCHAR szExeName)
{
	DWORD dwRet = 0;
	DWORD dwCount = 0;
	
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot !=INVALID_HANDLE_VALUE)
		{
		  PROCESSENTRY32 pe = {0};
		  pe.dwSize = sizeof(PROCESSENTRY32);
		  
		  BOOL bRet = Process32First(hSnapshot, &pe);
		  
		  while(bRet)
		   {
		   if(!_stricmp(pe.szExeFile,szExeName))
			{
			  dwCount++;
			  dwRet = pe.th32ProcessID;
			}
			bRet = Process32Next(hSnapshot, &pe);
		  }
		  if(dwCount >1)
		   dwRet = 0XFFFFFFFF;
			CloseHandle(hSnapshot);
		}
	return dwRet;
}

BOOL InjectDLL(DWORD ID, const char* dll)
{
	HANDLE hProcess;
	LPVOID Memory;
	LPVOID LoadLibrary;
	
	if(!ID)
	  {
	    return false;
	  }

	hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,FALSE,ID );
	
	LoadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	
	Memory = (LPVOID)VirtualAllocEx(hProcess,NULL,strlen(dll)+1,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	
	WriteProcessMemory(hProcess,(LPVOID)Memory, dll, strlen(dll)+1,NULL);
	
	CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,(LPVOID)Memory,NULL,NULL);
	
	CloseHandle(hProcess);
	
	return true;

}

What could be wrong, keeps showing injection failed,im using windows 8.1. Kindly help

[Igor Vartanov]

You never test the results of any call in InjectDLL. When you do, you tell us what was wrong.

[mindjos]

I said I did. I put the 3 files together, I put the dll, the file I write in c# as well as the injector together in the same file, I then ran the injector, other than it to show me if the object was injected,it keeps showing me injection failed. What should be the problem? I am using windows 8.1 and I tested on visual c++ (visual studio) 2012!

[2kaud]

I said I did.

No. All you have said is that it failed. You haven't stated where it failed for what reason. For every call to a WIN32 API you need to test the result for success or failure and obtain the error code if a failure. The MSDN documentation states what is success/failure for every function. eg for your OpenProcess()

Code:

hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,FALSE,ID );

if (hProcess == NULL) {
   //deal with error
   cerr << "Problem with OpenProcess() Error " << GetLastError() << endl;
   return false;
}

I suspect the problem is with permissions as you don't seem to have coded obtaining token privileges. You can't just open a process and write to its memory! That is not allowed. See
https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx
https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx

[mindjos]

Meaning I have to enable privileges, from what you saying? Kindly advise, very new to this

[2kaud]

See https://msdn.microsoft.com/en-us/lib...=vs.85%29.aspx and enable SeDebugPrivilege

[VladimirF]

I decided to play around wit a c/c++ program today, I beeb trying to make an injection to inject into a file I made in c#
The dll is made in c++ the odesk.exe is in c#, it doesn't inject into it instead it returns my customised error, what could wrong?

If you explain why do you need to hack Odesk.exe and what are you trying to achieve, someone may have a better suggestion on how to do that.

[mindjos]

Lemme make something clear my brothers, I'm not learning dll injection for the purpose of stealing or whatsoever, I wonna learn it for game hacks. Nothing else

Here is my code for the odesk.exe

Code:

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
using System.Windows.Forms;

namespace Odesk
{
    public partial class Form1 : Form
    {
        public Form1()
        {
            InitializeComponent();
        }

        private void button1_Click(object sender, EventArgs e)
        {
            MessageBox.Show("HI am a c# MessageBox", "Info", MessageBoxButtons.OK, MessageBoxIcon.Information);
        }
    }
}

Now the code, revised for the dll injector is looking like this

Code:

#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <shlwapi.h>
#include <tlhelp32.h>
#include <conio.h>


//prototypes 

BOOL InjectDLL(DWORD ID, const char* dll);
DWORD GetProcessId(IN PCHAR szExeName);

//Main codes

int main()
	{
	  char dll[MAX_PATH];
		
	 GetFullPathName("DLLTest.dll",MAX_PATH,dll,NULL);
	  DWORD ID = GetProcessId("Odesk.exe");
		
	  if(!InjectDLL(ID,dll))
	  {
		printf("Injection Failed");
	       	Sleep(3000);
		exit(1);
	  }
	else
	{
		printf("Success!");
	       	Sleep(3000);
		exit(1);
	}
	return 0;	
     }

//Functions

DWORD GetProcessId(IN PCHAR szExeName)
{
	DWORD dwRet = 0;
	DWORD dwCount = 0;
	
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot !=INVALID_HANDLE_VALUE)
		{
		  PROCESSENTRY32 pe = {0};
		  pe.dwSize = sizeof(PROCESSENTRY32);
		  
		  BOOL bRet = Process32First(hSnapshot, &pe);
		  
		  while(bRet)
		   {
		   if(!_stricmp(pe.szExeFile,szExeName))
			{
			  dwCount++;
			  dwRet = pe.th32ProcessID;
			}
			bRet = Process32Next(hSnapshot, &pe);
		  }
		  if(dwCount >1)
		   dwRet = 0XFFFFFFFF;
			CloseHandle(hSnapshot);
		}
	return dwRet;
}

BOOL setPriviledge(HANDLE hToken,LPCTSTR szPrivName, BOOL fEnable)
{
	TOKEN_PRIVILEGES tp;
	tp.PrivilegeCount = 1;
	LookupPrivilegeValue(NULL,szPrivName,&tp.Privileges[0].Luid);
	tp.Privileges[0].Attributes =  fEnable?SE_PRIVILEGE_ENABLED:0;
	AdjustTokenPrivileges(hToken,FALSE,&tp,sizeof(tp),NULL,NULL);
	return ((GetLastError()==ERROR_SUCCESS));
}

BOOL InjectDLL(DWORD ID, const char* dll)
{
	HANDLE hProcess;
	LPVOID Memory;
	LPVOID LoadLibrary;
	
	if(!ID)
	  {
	    return false;
	  }

	hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,FALSE,ID );
	
	LoadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	
	Memory = (LPVOID)VirtualAllocEx(hProcess,NULL,strlen(dll)+1,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	
	WriteProcessMemory(hProcess,(LPVOID)Memory, dll, strlen(dll)+1,NULL);
	
	CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,(LPVOID)Memory,NULL,NULL);
	
	CloseHandle(hProcess);
	
	return true;

}

I'm only trying to inject a message box which would show, hello I am injected inside the odesk.exe that's all. Not doing anything bad here

[2kaud]

Now the code, revised for the dll injector is looking like this

...and your tests for API function success/failure are where?

[mindjos]

In the main function, looking like this

Code:

	  if(!InjectDLL(ID,dll))
	  {
		printf("Injection Failed");
	       	Sleep(3000);
		exit(1);
	  }
	else
	{
		printf("Success!");
	       	Sleep(3000);
		exit(1);
	}

[mindjos]

@2kaud, no offence, still learning somethings about the app function test calls, I would appreciate if you show me how to inject it showing me the source code with this one here, no offence.

[VictorN]

Code:

...
BOOL InjectDLL(DWORD ID, const char* dll)
{
	HANDLE hProcess;
	LPVOID Memory;
	LPVOID LoadLibrary;
	
	if(!ID)
	  {
	    return false;
	  }

	hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,FALSE,ID );
	
	LoadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	
	Memory = (LPVOID)VirtualAllocEx(hProcess,NULL,strlen(dll)+1,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	
	WriteProcessMemory(hProcess,(LPVOID)Memory, dll, strlen(dll)+1,NULL);
	
	CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,(LPVOID)Memory,NULL,NULL);
	
	CloseHandle(hProcess);
	
	return true;

}

What could be wrong, keeps showing injection failed,im using windows 8.1. Kindly help

You obtain hProcessfrom OpenProcess call. Then you use the returned value in VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, CloseHandle. But what if OpenProcess failed and returned NULL?
In such a case you have to do what MSDN says:

Return value

If the function succeeds, the return value is an open handle to the specified process.
If the function fails, the return value is NULL. To get extended error information, call GetLastError.

The same you have to do for every other (with few exceptions - see the documentation for every API function you use!) Win32 API function call: check the return value!

[Arjay]

In the main function, looking like this

Code:

	  if(!InjectDLL(ID,dll))
	  {
		printf("Injection Failed");
	       	Sleep(3000);
		exit(1);
	  }
	else
	{
		printf("Success!");
	       	Sleep(3000);
		exit(1);
	}

Rather than returning a simple success/fail, do you think it would be more helpful to return the failure code from GetLastError()? Note: this is what the guys responding are trying to get you to do.

To make it really clear, you need to check all WinAPI returns and call GetLastError when appropriate (the msdn docs for each api will tell you what the returns mean and when to call GetLastError).

If you do this, you won't need us to help because the reason for the failure will be obvious.

[mindjos]

Ok Arjay I do it an get back to you asap

[mindjos]

Good evening,

Ok here is what, I did this evening, the code compiles but it crashes and doesn't inject the code still, did as you have said, still having problems

Goes like this

Code:

#include <stdio.h>
#include <windows.h>
#include <stdlib.h>
#include <shlwapi.h>
#include <tlhelp32.h>
#include <conio.h>


//prototypes 

BOOL InjectDLL(DWORD ID, const char* dll);
DWORD GetProcessId(IN PCHAR szExeName);
BOOL SetDebugPriviledge(BOOL State);

//Main codes

int main()
	{
		
		

	  char dll[MAX_PATH];
		
	 GetFullPathName("DLLTest.dll",MAX_PATH,dll,NULL);
	  DWORD ID = GetProcessId("Odesk.exe");

	  SetDebugPriviledge(TRUE);
		
	  if(!InjectDLL(ID,dll))
	  {
		printf("Injection Failed, Reason :%s", GetLastError());
	       	Sleep(3000);
		exit(1);
	  }
	else
	{
		printf("Success!");
	       	Sleep(3000);
		exit(1);
	}
	return 0;	
     }

//Functions

DWORD GetProcessId(IN PCHAR szExeName)
{
	DWORD dwRet = 0;
	DWORD dwCount = 0;
	
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
	if (hSnapshot !=INVALID_HANDLE_VALUE)
		{
		  PROCESSENTRY32 pe = {0};
		  pe.dwSize = sizeof(PROCESSENTRY32);
		  
		  BOOL bRet = Process32First(hSnapshot, &pe);
		  
		  while(bRet)
		   {
		   if(!_stricmp(pe.szExeFile,szExeName))
			{
			  dwCount++;
			  dwRet = pe.th32ProcessID;
			}
			bRet = Process32Next(hSnapshot, &pe);
		  }
		  if(dwCount >1)
		   dwRet = 0XFFFFFFFF;
			CloseHandle(hSnapshot);
		}
	return dwRet;
}

BOOL SetDebugPriviledge(BOOL State)
{
	HANDLE hToken;
	TOKEN_PRIVILEGES tp;
	DWORD dwSize;
	ZeroMemory(&tp,sizeof(tp));
	tp.PrivilegeCount =1;
	if(!OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS, &hToken))
	{
		return FALSE;
	}
	if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME,&tp.Privileges[0].Luid))
	{
		CloseHandle(hToken);
	}
	if(State)
	{
		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
	}else
	{
		tp.Privileges[0].Attributes = SE_PRIVILEGE_REMOVED;
	}
	if(!AdjustTokenPrivileges(hToken,FALSE,&tp, 0, NULL, &dwSize))
	{
		CloseHandle(hToken);
	}
	return CloseHandle(hToken);
}

BOOL InjectDLL(DWORD ID, const char* dll)
{
	HANDLE hProcess;
	LPVOID Memory;
	LPVOID LoadLibrary;
	
	if(!ID)
	  {
	    return false;
	  }

	hProcess = OpenProcess(PROCESS_CREATE_THREAD|PROCESS_QUERY_INFORMATION|PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION,FALSE,ID);
	if(!hProcess)
	{
		printf("Error, Reason: %s",GetLastError());
	}

	LoadLibraryA = (LPVOID)GetProcAddress(GetModuleHandle("kernel32.dll"),"LoadLibraryA");
	if(!LoadLibraryA)
	{
		printf("Error, Reason: %s",GetLastError());
	}
	
	Memory = (LPVOID)VirtualAllocEx(hProcess,NULL,strlen(dll)+1,MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
	if(!Memory)
	{
		printf("Error, Reason: %s",GetLastError());
	}
	
	if(!WriteProcessMemory(hProcess,(LPVOID)Memory, dll, strlen(dll)+1,NULL))
	{
		printf("Error, Reason: %s",GetLastError());
	}
	
	if(!CreateRemoteThread(hProcess,NULL,NULL,(LPTHREAD_START_ROUTINE)LoadLibrary,(LPVOID)Memory,NULL,NULL))
	{
		printf("Error, Reason: %s",GetLastError());
	}
	
	if(!CloseHandle(hProcess))
	{
		printf("Error, Reason: %s",GetLastError());
	}
	
	return true;

}