Inyeccion Dll básica

[dapz]

Como hacer una inyección básica de una dll en C

Código dll

Código (c) [Seleccionar] Expandir

#include <Windows.h>

BOOL APIENTRY DllMain(HMODULE hMod, DWORD callback, LPVOID Param)
{
switch(callback)
{
case DLL_PROCESS_ATTACH:
aqui ponemos el codigo que queremos que se ejecute en la dll
MessageBoxW(NULL, TEXT("Hola desde proceso injectado !"), TEXT("Test"), MB_ICONINFORMATION);
case DLL_PROCESS_DETACH:
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
default:
break;
}
return TRUE;
}

codigo de la aplicacion externa

Código (c) [Seleccionar] Expandir

#include <Windows.h>
#include <stdio.h>
#include <winternl.h>

#pragma comment(lib, "ntdll.lib")

typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

extern "C" NTSTATUS NTAPI ZwOpenProcess(PHANDLE ProcessHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PCLIENT_ID ClientID);


int main(int argc, char *argv[]) {

char *ruta_dll = "C:\\Dlltest.dll";
ULONG pid;
OBJECT_ATTRIBUTES oa;
HANDLE hproc;
CLIENT_ID cid;
NTSTATUS status;


printf("\n pid -> ");
scanf("%d", &pid);


cid.UniqueProcess = (HANDLE)pid;
cid.UniqueThread = 0;
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
if(NT_SUCCESS(ZwOpenProcess(&hproc, PROCESS_ALL_ACCESS, &oa, &cid))) {
if(NT_SUCCESS(status)) {
HMODULE dll = GetModuleHandle(L"kernel32");
if(dll != NULL) {
FARPROC load = GetProcAddress(dll, "LoadLibraryA");
if(load != ERROR) {
LPVOID base = VirtualAllocEx(hproc, NULL, 256, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
if(base != ERROR) {
BOOL exito = WriteProcessMemory(hproc, base, ruta_dll, strlen(ruta_dll) + 1, NULL);
if(exito != 0) {
HANDLE thread = CreateRemoteThread(hproc, NULL, NULL, (LPTHREAD_START_ROUTINE)load, base, NULL, NULL);
if(thread != ERROR) {
printf("\n dll inyectada en proceso id: %d", pid);
}
}
}
}
}
}
}
return 0;

}

http://imgur.com/DsEoTz4
http://imgur.com/6HoVbVR
http://imgur.com/jD3CYTH