
I am trying to write a DLL injector with the native API. For this reason, I wrote this code. The NtReadFile function reads something, but I can't see anything except the first value of FileReadBuffer. Also, I don't know anything about how the DLL looks in the buffer.

(1) How can I compare the buffer and the DLL file?

(2) How can I be sure the code runs correctly?

(3) And please tell me my mistake in the code.

bool Injector::initiationDll(const std::string& dllPath)
{
    if (!isDllExist(dllPath))
    {
        printf("Dll not found!\n");
        return false;
    }
    else
    {
        // %s expects a C string, not a std::string object
        printf("LibraryPath: %s\n", dllPath.c_str());

        NTSTATUS status; HANDLE lFile;

        OBJECT_ATTRIBUTES objAttribs = { 0 }; UNICODE_STRING unicodeString;
        // NT object-manager path prefix so a Win32 path can be opened by NtCreateFile
        std::string dllPathWithprefix = "\\??\\" + dllPath;

        std::wstring wString = std::wstring(dllPathWithprefix.begin(), dllPathWithprefix.end()); PCWSTR toPcwstr = wString.c_str();
        RtlInitUnicodeString(&unicodeString, toPcwstr);
        InitializeObjectAttributes(&objAttribs, &unicodeString, OBJ_CASE_INSENSITIVE, NULL, NULL);
        objAttribs.Attributes = 0; // note: this clears the OBJ_CASE_INSENSITIVE flag set just above

        const int allocSize = 2048;
        LARGE_INTEGER largeInteger;
        largeInteger.QuadPart = allocSize; // AllocationSize is ignored for FILE_OPEN

        IO_STATUS_BLOCK ioStatusBlock;

        status = NtCreateFile(
            &lFile,
            GENERIC_READ | FILE_READ_DATA | SYNCHRONIZE,
            &objAttribs,
            &ioStatusBlock,
            &largeInteger,
            FILE_ATTRIBUTE_NORMAL,
            FILE_SHARE_READ | FILE_SHARE_WRITE,
            FILE_OPEN,
            FILE_NON_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT,
            NULL,
            0);

        if (!NT_SUCCESS(status)) {
            printf("CreateFile failed.. (0x%08X)\n", status);
            return false;
        }
        else {
            printf("Library Handle : %p\n", lFile);

            DWORD fileSize = getDllSize(dllPath);

            if (fileSize == 0)
            {
                printf("File size is zero.\n");
                NtClose(lFile);
                return false;
            }
            else
            {
                printf("File size : %lu byte.\n", (unsigned long)fileSize);

                PVOID FileReadBuffer = VirtualAlloc(NULL, fileSize, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

                if (!FileReadBuffer)
                {
                    printf("\nError: Unable to allocate memory(%lu)\n", GetLastError());

                    status = NtClose(lFile);
                    return false;
                }
                else {
                    printf("Allocate %lu byte for buffer.\n", (unsigned long)fileSize);

                    status = NtReadFile(
                        lFile,
                        NULL,
                        NULL,
                        NULL,
                        &ioStatusBlock,
                        FileReadBuffer,
                        sizeof(FileReadBuffer),
                        0, // ByteOffset
                        NULL);

                    if (!NT_SUCCESS(status))
                    {
                        // native calls report NTSTATUS, not a Win32 last-error code
                        printf("Unable to read the dll...  : 0x%08X\n", status);
                        NtClose(lFile);
                        return false;
                    }
                    else {
                        status = NtClose(lFile);
                        // ioStatusBlock.Information holds the number of bytes actually read
                        for (DWORD i = 0; i < fileSize; i++)
                        {
                            // inspect the buffer byte by byte, e.g. via static_cast<unsigned char*>(FileReadBuffer)[i]
                            //wprintf(L"%p   :   %s\n", FileReadBuffer, FileReadBuffer);
                        }
                        return true;
                    }
                }
            }
        }
    }
}

Burak Kocaman
    The right tool to solve such problems is your debugger. You should step through your code line-by-line *before* asking on Stack Overflow. For more help, please read [How to debug small programs (by Eric Lippert)](https://ericlippert.com/2014/03/05/how-to-debug-small-programs/). At a minimum, you should \[edit] your question to include a [Minimal, Complete, and Verifiable](http://stackoverflow.com/help/mcve) example that reproduces your problem, along with the observations you made in the debugger. – πάντα ῥεῖ Sep 07 '16 at 00:43
  • @πάνταῥεῖ Your `[edit]` thing is somehow broken. – Baum mit Augen Sep 07 '16 at 01:16
  • @BaummitAugen It can't be done in a generic way IIRC – πάντα ῥεῖ Sep 07 '16 at 05:08

1 Answer

status = NtReadFile(
    lFile,
    NULL,
    NULL,
    NULL,
    &ioStatusBlock,
    FileReadBuffer,
    sizeof(FileReadBuffer), // !!!!!
    0, // ByteOffset
    NULL);

So you read only sizeof(FileReadBuffer) bytes, i.e. 4 or 8 bytes. I see you used my advice from here.

RbMm
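The answer identifies the length bug (sizeof of a pointer is 4 or 8, never the buffer size), and the question also asks how to check that the buffer really holds the DLL. The following is an added example, not code from the question or the answer: portable C++17 that reads a whole file into a vector of the correct length, shows the sizeof pitfall, and validates that the bytes start with a DOS "MZ" header whose e_lfanew points at a "PE\0\0" signature, which is what any DLL image looks like at the start of the buffer. It writes a constructed 256-byte fake image to disk so it runs offline; `readWholeFile`, `looksLikePe`, `bufferMatchesFile` and `makeFakePeImage` are names chosen here, and the header parsing covers only the two signatures (PE files are little-endian, which the code assumes).

```cpp
// Added example: correct buffer sizing and a basic PE header check on the bytes read.
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// Read the entire file. The vector's size() is the byte count to pass to any
// later read/compare step, never sizeof(a pointer).
std::vector<uint8_t> readWholeFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return {};
    return std::vector<uint8_t>((std::istreambuf_iterator<char>(in)),
                                std::istreambuf_iterator<char>());
}

// Check that the buffer begins with an "MZ" DOS header and that the 32-bit
// little-endian e_lfanew field (file offset 60) points at "PE\0\0" inside the
// buffer. This is the first thing a DLL image shows when dumped as bytes.
bool looksLikePe(const std::vector<uint8_t>& buf) {
    if (buf.size() < 64) return false;                 // full DOS header is 64 bytes
    if (buf[0] != 'M' || buf[1] != 'Z') return false;  // e_magic
    uint32_t lfanew = static_cast<uint32_t>(buf[60])
                    | (static_cast<uint32_t>(buf[61]) << 8)
                    | (static_cast<uint32_t>(buf[62]) << 16)
                    | (static_cast<uint32_t>(buf[63]) << 24);
    if (lfanew > buf.size() - 4) return false;         // signature must fit in the buffer
    return std::memcmp(buf.data() + lfanew, "PE\0\0", 4) == 0;
}

// Byte-for-byte comparison of an in-memory buffer with the file on disk.
bool bufferMatchesFile(const std::vector<uint8_t>& buf, const std::string& path) {
    std::vector<uint8_t> onDisk = readWholeFile(path);
    return !onDisk.empty() && onDisk == buf;
}

// Constructed sample (not a real DLL): 256 zero bytes with an MZ header and the
// PE signature at offset 0x80. Only the two signatures are filled in.
std::vector<uint8_t> makeFakePeImage() {
    std::vector<uint8_t> img(256, 0);
    img[0] = 'M'; img[1] = 'Z';
    img[60] = 0x80; img[61] = 0; img[62] = 0; img[63] = 0;   // e_lfanew = 0x80, little-endian
    std::memcpy(&img[0x80], "PE\0\0", 4);
    return img;
}

bool writeFile(const std::string& path, const std::vector<uint8_t>& data) {
    std::ofstream out(path, std::ios::binary);
    return out && out.write(reinterpret_cast<const char*>(data.data()),
                            static_cast<std::streamsize>(data.size())).good();
}

// The pitfall from the question: sizeof of the buffer pointer is the pointer's
// width (4 or 8), unrelated to how many bytes the buffer holds.
size_t sizeofPointerTrap(const std::vector<uint8_t>& buf) {
    const uint8_t* p = buf.data();
    return sizeof(p);
}

int main() {
    const std::string path = "fake_image.bin";   // constructed test file
    std::vector<uint8_t> img = makeFakePeImage();
    if (!writeFile(path, img)) return 1;
    std::vector<uint8_t> buf = readWholeFile(path);
    std::cout << "sizeof(pointer) = " << sizeofPointerTrap(buf)
              << ", actual bytes = " << buf.size() << "\n";
    std::cout << "PE headers present: " << (looksLikePe(buf) ? "yes" : "no") << "\n";
    std::cout << "buffer matches file: " << (bufferMatchesFile(buf, path) ? "yes" : "no") << "\n";
    return 0;
}
```

Applied to the question's code, the same idea means passing `fileSize` (the value `getDllSize` returned and `VirtualAlloc` was given) as the Length argument of NtReadFile and then checking `ioStatusBlock.Information` against it; inspecting the buffer as bytes rather than as a string is what makes the "MZ" and "PE" markers visible, since the byte after "MZ" is not a printable string terminator.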