65.9K
CodeProject is changing. Read more.
Home

Subclassing using DLL Injection

Babu_Abdulsalam
starIconstarIconstarIconstarIcon
emptyStarIcon
starIcon

4.95/5 (11 votes)

Jan 15, 2013

CPOL

4 min read

viewsIcon

49493

downloadIcon

1419

Subclassing a window using the DLL Injection technique.

Introduction

There are several articles presented on DLL Injection. But still I wanted to do a simple example which will be easy for a novice programmer.

Background

As you know there are several uses of DLL injection like hot patching, logging, subclassing, etc. This article focuses on subclassing a window using DLL injection. Subclassing is redefining the behavior of the window by changing the window procedure. To change the window procedure, the window procedure should reside in the process which created the window. I planned to mimic the hacking by scrambling the window behavior without the knowledge of the process which created the window. There are three modules involved in this article.

  1. Injectee: This is a target process which created the window. I call this "Injectee" to which the DLL ("Injection" ) is being injected. This is a simple Win32 application which has a window and whenever the left mouse button is pressed, a circle is being drawn. That's all!!!!
  2. Injection: This is a DLL which has the new window procedure to be hooked to the window of the Injectee.
  3. Injector: This is the process which actually injects the injection into the injectee. This is a simple console application.

Using the code

As mentioned earlier, the source code has three modules.

  1. Make sure to build the Injection first so that the DLL is ready to be injected. Once the Injection module is built successfully, the resulting DLL is copied to the x86 directory.
  2. Then build the Injectee and launch it. Now when you do left click on the screen using mouse, circles are drawn on the click location and it will continue to work fine. When the injector is built, the DLL is copied from the x86 directory to the Debug/Release directory of the Injectee project.
  3. Build the Injector and launch it. The injector will inject the injection DLL into the injectee's process and terminates.
  4. Now if you left click on the screen, you won't see the circle, rather a bizarre message "UR HACKED".
  5. The source code for the Injetee is nothing special. It's just a plain vanilla code to create a window using the SDK.

Let's see the source code for the Injection. As we know, the Injection is a simple DLL and when DllMain is called with reason as DLL_PROCESS_ATTACH, I'm doing the hack.

//
case DLL_PROCESS_ATTACH:
{
   //Find the window of the Injectee using its title
   HWND hwnd = ::FindWindow(NULL,TEXT("Injectee") );
 
   //If the window found, then change it's window proc
   if( hwnd )
   {
    oldWindowProc = ::SetWindowLongPtr( hwnd, GWL_WNDPROC, (LONG_PTR) HackingWndProc );
   }
   break;
}

The new window procedure looks something like this:

LRESULT CALLBACK HackingWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
 switch( message ) 
 {
  case WM_LBUTTONDOWN:
   {
    int x = GET_X_LPARAM(lParam);
    int y = GET_Y_LPARAM(lParam);
    HDC hDC = ::GetDC( hWnd );
    //::Rectangle(  hDC,x,y,(x+50),(y+50) );
    DrawText( hDC,x,y);
    break;
   }
  case WM_RBUTTONDOWN:
   {
     int x = GET_X_LPARAM(lParam);
     int y = GET_Y_LPARAM(lParam);
     HDC hDC = ::GetDC( hWnd );
     ::Ellipse( hDC,x,y,(x+50),(y+50));
     break;
   }
  case WM_DESTROY:
   {
    PostQuitMessage(0);
    break;
   }
  default:
   return DefWindowProc(hWnd, message, wParam, lParam);
 }
 return 0;
}

Next let's see the source code for the Injector.

This code is simple. First we should know the name of the DLL (injection) to be injected in the target process (injectee).

  • This DLL name should be known by the target process. So this has to be written in the target process' address space.
  • Find out the window of the Injectee using its window title.
  • Next get the handle of the process which created the window using GetWindowThreadProcessId.
  • Open the injectee's process using its handle.
  • Then allocate memory in the injectee's address space to write the name of the DLL to be injected.
  • Write the name of the DLL to be injected.
  • Get the address of the LoadLibrary method. This is the method to be invoked by the thread which is going to be created in the the injectee's address space.
  • Then call CreateRemoteThread to create a thread inside the injectee's address space. This thread is going to execute the LoadLibrary function with the library name as the injection DLL.
  • As the thread calls the LoadLibrary method to load the DLL, DllMain is called with reason as DLL_PROCESS_ATTACH. Refer the Injection's code to see what happens when DllMain is called.
  • Wait for the remote thread to execute before calling the VirtualFree method, otherwise when the remote thread looks for the name of the DLL, the name of the address block which holds the DLL name is already freed by the injector process which may cause a crash!
int _tmain(int argc, _TCHAR* argv[])
{
 //Name of the dll to be injected into the target process [ hereafter "Injectee" ] 
 char* szInjectionDLLName  = TEXT("Injection.dll");

 DWORD dwProcessID;
 
 //Find the main window of the Injectee
 HWND hwnd = ::FindWindow(NULL,TEXT("Injectee") );

 //Get the process hanlde of injectee
 GetWindowThreadProcessId(hwnd, &dwProcessID ); 

 //Open the process
 HANDLE hProcess = ::OpenProcess(  PROCESS_ALL_ACCESS,false, dwProcessID);

 //Allocate the memory in the Injectee's address space
 void* baseAddress =  VirtualAllocEx( hProcess,NULL,
   strlen(szInjectionDLLName), MEM_COMMIT, PAGE_READWRITE );

 //Write the name of the dll to be injected into the Injectee
 SIZE_T nbBytesWritten = 0;
 WriteProcessMemory( hProcess,baseAddress,szInjectionDLLName,
   strlen(szInjectionDLLName),&nbBytesWritten );

 //Get the load libraries address
 FARPROC pLoadLib = GetProcAddress( GetModuleHandle(TEXT("kernel32.dll") ), "LoadLibraryA");

 //Create the remote thread in the target process
 DWORD dwThreadID = 0;
 HANDLE hRemoteThread = CreateRemoteThread(hProcess,NULL,0,
   (LPTHREAD_START_ROUTINE)pLoadLib, baseAddress,0, &dwThreadID );

 //Wait for the remote thread till it finish its job.
 //Otherwise, the next statement [ VirtualFreeEx ] will be called
 //which release the address in the target process
 //and when remote thread refers the address it leads to crashing!!!
 WaitForSingleObject( hRemoteThread,INFINITE );

 //Now free the memory allocated in the injectee's address space
 VirtualFreeEx( hProcess, baseAddress,0, MEM_RELEASE );

 //DONE!!!!!!!!!!!.
 return 0;
}

History

Version1: [ 02/13/2013 ]

This is the first version of the article. Will keep updated based on the viewer's comments.

Version2: [ 09/18/2015 ]

There was an issue/bug with the files uploaded in the first version. I have fixed the issues and uploading the files as version2.

Note: When you want to run in debug mode,make sure to build the Injection (dll)  in debug mode and run the Injector as well as the Injectee in debug mode. The same applies to release mode as well.