KooroshRZ / Windows-DLL-Injector

Some DLL Injection techniques in C++ implemented for both x86 and x64 windows OS processes

WindowsDLLInjector

Some DLL injection techniques written in C++ for both 32-bit and 64-bit Windows.

Intro

There are several ways to inject a DLL (or, more generally, code) into another target process. This has legitimate uses, such as reading and writing that process's memory and extending its functionality. In abuse cases it is used to hide malicious activity inside another process and, in some cases, to bypass antivirus detection.

Each one has its pros and cons.

Here we have implemented 5 of 7 techniques.

CreateRemoteThread

This is probably the first Google search result for DLL injection. The API maps to the NtCreateThread native API. It is very well documented and easy to code!

Pros:
- Easy to implement (maybe just 5 lines of code)
- Well documented on the internet

Cons:
- Easy to detect
- Not possible on all processes (especially Windows NT native processes)

NtCreateThread

Actually not as easy as the CreateRemoteThread method. It needs some header definitions and function-pointer casting to get the address of NtCreateThread in ntdll.dll. A little harder to implement, but very effective against Windows native system processes.

Pros:
- Can be used on Windows native NT processes (like svchost, smss, ...)
- Harder to detect

Cons:
- A little hard to implement and debug
- No official documentation

QueueUserAPC

This method hijacks and uses an existing thread in the target process. As documented on MSDN, the QueueUserAPC() call adds a user-mode asynchronous procedure call (APC) object to the APC queue of the specified thread. We do not create our own thread; we use the target process's existing threads to load our DLL into its address space. Notice that for this method to work, the target thread must be in a suspended state with the alertable flag set (see the SleepEx() call in TargetProgram.cpp for an example).

Pros:
- No need to create new threads
- Adds some stealth to the injection (because no new thread is created)

Cons:
- Not possible on all threads (only suspended threads with the alertable flag)

SetWindowsHookEx

This API is really for setting a Windows hook for specific events such as keyboard or mouse events. But since the hook procedure must be an exported function in a DLL that gets loaded into the target process, it can also be used as a DLL injection method. This one is somewhat different because neither a thread nor an APC is created; instead, a hook is set in the target process for a specific thread.

Pros:
- No need to create new threads or APC calls
- Easy to use, especially with a thread ID equal to 0 :)

Cons:
- Too suspicious for antivirus detection because it uses hooks

RtlCreateUserThread

Same as NtCreateThread, with some wrapping around it.

Pros:
- Can be used on Windows native NT processes (like svchost, smss, ...)
- Harder to detect

Cons:
- A little hard to implement and debug
- No official documentation
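The three thread-creation techniques (CreateRemoteThread, NtCreateThread and RtlCreateUserThread) all end with a new thread appearing in the target process, and kernel-side telemetry such as Sysmon Event ID 8 records that remote thread whichever user-mode API was called. The following Python is an added detection example, not code from this repository: it scans constructed Event ID 8 records and flags the LoadLibrary start-function pattern as well as thread starts that no loaded module backs. The field names are Sysmon's; the `|`-separated record layout and the sample paths are assumptions.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like
LoadLibrary-based DLL injection. Records below are constructed samples;
the field names are Sysmon's, the '|'-separated layout is an assumption."""
from typing import Dict, List, Optional, Tuple

LOADLIBRARY_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
LOADER_MODULES = {"kernel32.dll", "kernelbase.dll"}

# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    "SourceImage=C:\\Tools\\injector.exe|TargetImage=C:\\Windows\\System32\\notepad.exe|"
    "StartModule=C:\\Windows\\System32\\KERNEL32.DLL|StartFunction=LoadLibraryA",
    "SourceImage=C:\\Tools\\injector.exe|TargetImage=C:\\Windows\\System32\\svchost.exe|"
    "StartModule=|StartFunction=",
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Program Files\\app\\app.exe|"
    "StartModule=C:\\Windows\\System32\\ntdll.dll|StartFunction=RtlUserThreadStart",
]


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'Key=Value|Key=Value' record into a dict."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding label, or None when the remote thread looks benign."""
    module = event.get("StartModule", "").rsplit("\\", 1)[-1].lower()
    function = event.get("StartFunction", "")
    if function in LOADLIBRARY_EXPORTS and module in LOADER_MODULES:
        return "remote thread starts at LoadLibrary: classic DLL injection"
    if not module:
        # Sysmon leaves StartModule empty when the start address is not
        # inside any loaded image (e.g. shellcode in allocated memory).
        return "remote thread starts at address not backed by a module"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every record; keep (source, target, finding)."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        label = classify(ev)
        if label:
            findings.append((ev["SourceImage"], ev["TargetImage"], label))
    return findings


if __name__ == "__main__":
    for src, dst, why in scan(SAMPLE_EVENTS):
        print(f"{src} -> {dst}: {why}")
```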



Credit

Many thanks to fdiskyou and his InjectAllTheThings (nice name) repository.
His repo: https://github.com/fdiskyou/injectAllTheThings
His website: http://deniable.org