CodeGuru Forums: VC++ / MFC
  1. #1
    Join Date
    Jul 2009
    Posts
    46

    How do I write basic DLL injection file?

    I'm just starting to learn the Windows API. I can program a window to open, to be full screen, change colors, etc. I want to program the most basic type of DLL injection using a Windows hook. Let's say I want the code to tell me when Notepad is open, then inject the DLL into Notepad, then redirect the text entered in Notepad into my other program. Can someone point me in the right direction? I realize I should use SetWindowsHookEx and CallNextHookEx. I want to use a WH_CBT hook. I don't want someone to write up the code, just help me out a bit. How do I create the DLL? Would I have the main executable be the program that injects the DLL into Notepad, while the DLL itself is the program that sends the Notepad messages to the main program? Thanks.

  2. #2
    Join Date
    Jul 2009
    Location
    Gothenburg
    Posts
    12

    Re: How do I write basic DLL injection file?

    First of all, I'd recommend you be careful with hooks, because if you make a mistake, more than your program may crash. Though if you're only going to hook a single Notepad process there's not much of a risk.

    Yes, you need to have the main program load the DLL to inject it into the notepad process. The DLL would then do whatever you want it to do from inside that process.

    I'd very much recommend reading the MSDN documentation on hooks. There's a decent amount of sample code and explanations of what needs to be done.

  3. #3
    Join Date
    Jul 2009
    Posts
    46

    Re: How do I write basic DLL injection file?

    Thanks for the reply. I read all the stuff at that link you provided. Let's say I want the DLL to capture what is typed in Notepad and send it to my program. In the DLL, would I use the StringCchCopy function to capture this data? How exactly would I go about doing this? Thanks.

    So far, my algorithm will be something like this:

    1. Main WinAPI program

    2. LRESULT CALLBACK CBTProc (int nCode, Wparam, Lparam)

    3. LoadLibrary (path to DLL file)

    4. SetWindowsHookEx

    5. UnhookWindowsEx


    What would the DLL code look like?

    Thanks.

  4. #4
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    I'm just starting to learn Windows API.
    Sorry, there's no intention to offend, but I always wonder why almost every single beginner starts with DLL injection, controlling other programs and the like. I just cannot get this. There are lots of things to learn instead, so many APIs, and libraries, and techniques... Networking, multithreading, graphics, professional-looking applications (dialog-based, multi-document, skinned, featured with tool bars, ribbons and dockable panes), DLLs, inter-process communication, inter-language communication, COM/COM+/ActiveX controls, database access, web programming, service applications, debugging... And this is only the tip of the iceberg!

    After going this way, which is untraditional for beginners, you realize some day that DLL injection... is a piece of cake. Just because you already know how applications work inside, what a DLL is, how it should integrate with the victim process and communicate the collected information back to the parent.
    Best regards,
    Igor

  5. #5
    Join Date
    Jul 2009
    Location
    Gothenburg
    Posts
    12

    Re: How do I write basic DLL injection file?

    Hehe, I second the above. But being a Win32 programmer myself, I know how curious about this kind of stuff I was in the beginning.

    So far, my algorithm will be something like this:

    1. Main WinAPI program

    2. LRESULT CALLBACK CBTProc (int nCode, Wparam, Lparam)

    3. LoadLibrary (path to DLL file)

    4. SetWindowsHookEx

    5. UnhookWindowsEx


    What would the DLL code look like?
    Number 2, the callback procedure, is what goes inside the DLL along with the DllMain function. What the main program does is provide a function pointer to SetWindowsHookEx, which is acquired using GetProcAddress.

    On another note, you will also need to learn how to do interprocess communication. Sending data back and forth between the DLL and the main program isn't as easy as it may appear.

  6. #6
    Join Date
    Jul 2009
    Posts
    46

    Re: How do I write basic DLL injection file?

    Quote Originally Posted by Igor Vartanov:
    Sorry, there's no intention to offend, but I always wonder why almost every single beginner starts with DLL injection, controlling other programs and the like. I just cannot get this. There are lots of things to learn instead, so many APIs, and libraries, and techniques... Networking, multithreading, graphics, professional-looking applications (dialog-based, multi-document, skinned, featured with tool bars, ribbons and dockable panes), DLLs, inter-process communication, inter-language communication, COM/COM+/ActiveX controls, database access, web programming, service applications, debugging... And this is only the tip of the iceberg!

    After going this way, which is untraditional for beginners, you realize some day that DLL injection... is a piece of cake. Just because you already know how applications work inside, what a DLL is, how it should integrate with the victim process and communicate the collected information back to the parent.
    No offense taken. I know how to do some basic stuff, like getting a window to come up, so I know the APIs required for that. DLL injection is just something that interests me, so I want to figure it out. Perhaps you could suggest a simple Win32 program for me to do to get some practice in.

  7. #7
    Join Date
    Jul 2009
    Posts
    46

    Re: How do I write basic DLL injection file?

    Quote Originally Posted by spacewarp:
    Hehe, I second the above. But being a Win32 programmer myself, I know how curious about this kind of stuff I was in the beginning.

    Number 2, the callback procedure, is what goes inside the DLL along with the DllMain function. What the main program does is provide a function pointer to SetWindowsHookEx, which is acquired using GetProcAddress.

    On another note, you will also need to learn how to do interprocess communication. Sending data back and forth between the DLL and the main program isn't as easy as it may appear.
    Ok, I'll give it a shot. Of course, I'll probably be back here with more questions in the near future.

  8. #8
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    Quote Originally Posted by sysop1911:
    No offense taken. I know how to do some basic stuff, like getting a window to come up, so I know the APIs required for that. DLL injection is just something that interests me, so I want to figure it out. Perhaps you could suggest a simple Win32 program for me to do to get some practice in.
    First of all, it might happen that with Notepad you never need to inject, as its edit box should respond to WM_GETTEXT alright. And for capturing keyboard input, a non-intrusive WH_KEYBOARD_LL hook is enough, once you make sure the Notepad process is the foreground one and the edit box has the focus.

    Okay, you might still want that DLL to be injected. Are you good at DLL programming? Any knowledge of what a DLL export is? How a DLL client uses the exposed DLL function? You might need to start with some DLL tutorials (there are tons of them around, including CG and its forums) to obtain certain experience before you step forward with injection.

    Okay, injection is the least complex topic. You just set a hook, and that's it. But now, when you have it injected, what would be your plan about the dll behavior? How it's gonna live inside the remote process? How it decides whether to catch the text from Notepad edit box? On some event? Internal or external? From what? On pause between keyboard inputs? Or on signal from parent process? What signal?

    Okay, somehow you decide about catching the text. What would be the way of sending it to parent? WM_COPYDATA? Mapped file? Data exchange over socket or pipe? Or just dumping it to a file? Of a predefined name? Or you should communicate now the file name to parent?

    And so on... And you know what, all the answers will depend on what you're good at. Now you see my point about gaining experience first? Every step in the decision chain, every need for a choice, makes your "simple Win32 program to get some practice in". Dissect your task, prototype every sub-task separately, understand the pros and cons of the alternatives, and only then mold everything together into a working application.

    Sorry for the very long answer to your "how do I write basic..."
    Best regards,
    Igor

  9. #9
    Join Date
    Jul 2009
    Posts
    46

    Re: How do I write basic DLL injection file?

    Good stuff, Igor. I'll get to work.

  10. #10
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    Just a footnote. In programming world design is the king. And every decent design starts with analysis. That precisely means "dissect your task..." and the rest.
    Best regards,
    Igor

  11. #11
    Join Date
    Jul 2009
    Posts
    46

    Re: How do I write basic DLL injection file?

    So I have more questions about creating a DLL:

    I know I need to create a header file for the DLL along with the source code for the DLL.

    Header would look something like this:

    #ifdef NOTEPAD2_EXPORTS
    #define NOTEPAD2_API __declspec(dllexport)
    #else
    #define NOTEPAD2_API __declspec(dllimport)
    #endif

    extern "C" NOTEPAD2_API bool InstallHook(LPCWSTR NotepadPath, bool installCBTHook);
    extern "C" NOTEPAD2_API void UninstallHook();

    Would the source code for the DLL simply define the functions "InstallHook" and "UninstallHook"? Would that be enough to create the DLL and its libraries?

    The following code would simply use the DLL file, correct, but would *not* be included in the DLL?:

    LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)

    Thanks.

  12. #12
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    The following code would simply use the DLL file, correct, but would *not* be included in the DLL?:

    LRESULT CALLBACK CBTProc(int nCode, WPARAM wParam, LPARAM lParam)
    The code must be inside the DLL. Actually, all the fuss is about this: DLL injection ultimately is the injection of the hook code into the remote process.
    Best regards,
    Igor

  13. #13
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    Would the source code for the DLL simply define the functions "InstallHook" and "UninstallHook"? Would that be enough to create the DLL and its libraries?
    The DLL source code may implement InstallHook and UninstallHook, or may not.

    I have to warn you: you use the terms in some weird way or in a weird context. What would be the meaning of "simply define functions"? Or "DLL and its libraries"? Or "The following code would simply use the DLL file"?
    Last edited by Igor Vartanov; July 23rd, 2010 at 04:45 AM.
    Best regards,
    Igor

  14. #14
    Join Date
    Nov 2000
    Location
    Voronezh, Russia
    Posts
    6,633

    Re: How do I write basic DLL injection file?

    Besides why don't you benefit from seeing a hook sample?
    Last edited by Igor Vartanov; July 23rd, 2010 at 04:56 AM.
    Best regards,
    Igor
