3

I saw a similar, but still different question to this, so just to clarify this is not a dupe of 13428881 (Calling a function in an injected DLL).

What I have at the minute: A DLL, injected into a target process, displaying a message box and fiddling around doing math.

What I want in the future: A DLL which can manipulate and toy with the internals of the target process.

The next step towards achieving the desired manipulation is to call a method in a remote thread within the process I'm injecting into.

Let's take an example: I have a C++ application, which has int main, let's say it looks like this:

int PrintText(string text)
{
    cout << text;
    return 1;
}

int main()
{
    while (true)
    {
        PrintText("From the DLL");
    }
}

Ok, so that's lovely, my target application is currently printing some text, and it seems to be doing so very happily. It's spamming it at an unbelievable rate, but I can slow it down using threads and sleeps etc if I need to. The fact is this isn't an issue, the code here hasn't been compiled or tested, and I've no intention of using this exact code. I'm actually working with a game.

Now, let's say I create a pointer to the method, PrintText, and that I know the address of it within that process. How do I go about calling it, externally, passing in arguments?

Locally, I believe it would look something like this:

int i;
int (*PrintSomeText)(string) = PrintText;

I could then call this function using a reference, like so:

i = operation("Text to be printed", PrintSomeText);

This should, by my theory, declare an integer called i, then define a pointer to a method which returns int, takes one string as a parameter, and the pointer stores the value of the pointer which was in PrintText. (Or something of that nature).

Very nice, so I can call my own functions via pointer, that's great, cracking in fact. I've truly astonished myself with this ability, and I do now feel like superman. I'll go save some babies or something, brb.

Back, so now I want to continue a little further, and take that next step. Let's say I know that the the method is at the address 100 in the target process (decimal, I will likely do it in hexadecimal, as I'm using CheatEngine / OllyDBG to find methods in the target process, but for this example we'll stay simple).

I presume that my injected DLL gets its own space entirely, does it have any higher access to the target process? How can I find this out?

Thanks for your time, Josh

Edit: A small note, I'm going through the C++ tutorial book, and it's proven so far to be very useful. I've noticed that I forgot to include my operation method, so apologies for that being missing. If it's required, let me know. Thanks!

Edit nr 2: I've just made some compilable code to test this out, since I wrote most of this free hand reading from the book without an IDE, and the IDE has finally configured itself, so here is the code I'm currently working with

#include "stdafx.h"
#include <iostream>

using namespace std;

int PrintText(char * Text)
{
    cout << Text << endl;
    return 1;
}

int _tmain(int argc, _TCHAR* argv[])
{
    int (*Print)(char*) = PrintText;
    char Text[] = "Hello, world!";
    PrintText(Text);
    int x = (*Print)("Oh my word, it really works!");
    cin.get();
    return 0;
}

Note I haven't yet made it run indefinitely, so yeah, please excuse that, I'll add it shortly.

XtrmJosh
  • 889
  • 2
  • 14
  • 33
  • 2
    Your injected DLL has full access to the process it was injected to. – Collin Dauphinee Nov 05 '13 at 21:06
  • Can you define that with a little more clarity for me please? Sorry to be... Not sure what I'm being, maybe noob? But I'm in need of more of a shove than a push in this instance. Am I able to simply specify the pointer to point to an address? I guess I need to add the target modules base address, and add the method address I'm acquiring to that in order to call the method? Thanks by the way, you've given me at least some inspiration to continue! – XtrmJosh Nov 05 '13 at 21:14

1 Answers1

6

Dauphic is pretty much bang on, I have full control, as wildly was I'd like, to the target process. So, here's what I'm doing to call the target processes method (for any future readers interest):

  1. Locate the method in memory. To do this, I first disabled ASLR (Address space layout randomization), then created a pointer to my method locally within the target program, before using the iostream to dump the pointer to screen, now I know the address of the method.

  2. Create a typedef in the dll to be injected. This is where I got kinda stuck, but I know some guys who do this quite a lot, so I've managed to get it out of them. In my case, this is how the typedef looks:

    typedef int __printPrototype(char* text);

  3. Bind the address of the method in the target application, to a reproduction of it in the injected dll:

    int (*Print)(char*);
Print = (__printPrototype*)0x0041121C;
Print("I'm injecting myself into you.");

Perfect!

Thanks to dauphic and a good friend named DarkstaR.

vallentin
  • 23,478
  • 6
  • 59
  • 81
XtrmJosh
  • 889
  • 2
  • 14
  • 33