Debugging a DLL injection issue: a breakpoint on code that supposedly executes is never hit

I wrote a program (.DLL) that needs to be injected into process.exe.

DLL injector code:

#include <windows.h>
#include <string.h>

BOOL InjectDll(DWORD pID, const char* dllPath) {
    HANDLE Proc = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pID);
    if (!Proc)
    {
        return FALSE;
    }
    void* LoadLibAddr = (void*)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
    // Allocate room for the path including its terminating NUL byte
    SIZE_T len = strlen(dllPath) + 1;
    void* RemoteString = (void*)VirtualAllocEx(Proc, NULL, len, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    if (!RemoteString)
    {
        return FALSE;
    }
    WriteProcessMemory(Proc, (LPVOID)RemoteString, dllPath, len, NULL);
    // The thread starts suspended so a breakpoint can be set before it runs
    HANDLE ret = CreateRemoteThread(Proc, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddr, (LPVOID)RemoteString, CREATE_SUSPENDED, NULL);
    if (ret) {
        return TRUE;
    }
    return FALSE;
}


DllMain () function for .DLL for injection:

#include <Windows.h>

extern void vMain();

BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
    )
{
    switch (ul_reason_for_call) {
    case DLL_PROCESS_ATTACH: {
        // Run vMain on its own thread; the thread handle is not needed afterwards
        HANDLE hThread = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)&vMain, 0, 0, 0);
        if (hThread)
            CloseHandle(hThread);
        return TRUE;
    }
    }
    // The return value is only examined for DLL_PROCESS_ATTACH
    return TRUE;
}


vMain:

#include <iostream>

void CreateConsole();   // the author's own helper that opens a console window (not shown)

void vMain() {
    CreateConsole();
    std::cout << "vMain() has executed!\n";
}


The .DLL to be injected works fine when I compile it in Visual Studio, but when I compile it in Qt Creator, vMain() never gets executed. The injector, DLL, and target process are all 32-bit. So I tried to debug the target process by making the .DLL injector call CreateRemoteThread() with the CREATE_SUSPENDED flag, so that I can set a breakpoint on LoadLibraryA(), resume the thread, run to the breakpoint, and see the return value. However, my breakpoint on LoadLibraryA() is not hit.

So I debugged the .DLL injector application to make sure a remote thread was created. I confirmed this by calling GetThreadId() on the return value of CreateRemoteThread(), printing it, and looking for that thread in the target process's thread list:

[Screenshot: ThreadList]

Note that the thread is still suspended. On closer inspection, EIP points to the first instruction of _RtlUserThreadStart(). I have set a breakpoint on this instruction. Then I resume the suspended thread by calling ResumeThread() from my .DLL injector program. The breakpoint is not hit.

It should be noted that the target application does not have any breakpoint protection mechanism, and breakpoints worked fine for me apart from this instance.

So how can I figure out what the problem is? Is there any reason why my breakpoints weren't hit? Is there a better way to debug the problem?


1 answer


When doing console output from a DLL, you may need to redirect stdout to the console:

#include <Windows.h>
#include <cstdio>
#include <iostream>

void vMain() {
    // AllocConsole() instead of CreateConsole()
    AllocConsole();
    freopen("CONOUT$", "w", stdout); // <==== attach the C runtime's stdout to the new console
    std::cout << "vMain() has executed!\n";
}


Also, it is not recommended to create threads inside DllMain(), and here's why:

Similar questions:



I remember that I had problems with it in the past and stopped doing things like creating threads / windows inside DllMain(), as recommended.

However, there are times when it works, but I would not trust it.

If the above doesn't work, try calling vMain() directly, without a thread, and see what happens.
