How do I get a programs windows from an injected DLL?
https://stackoverflow.com/questions/11124079
-
15-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I've injected a DLL into a program to implement a chat UI over the applications main window. I figured I can get the applications main window handle, then get it's DC, and draw onto it. The window has a predictable title, which means I can use FindWindow to get the handle. The only problem is, the DLL is injected when the process starts. At that time, the window hasn't been created. Which means FindWindow finds nothing!
What are some solutions to this? Could I create a thread in the DLL and sleep for a while until I know the window is created? This seems very unstable so I'd rather not do it.
What I tried to do was use SetWindowsHookEx in the DLL to hook the global WndProc. I could scan the messages until I find one from my window (which means it was created). Then I could save the handle and go on with my program. I'm not too worried about there being multiple windows with the same name at the time. The only problem is that my hook never gets called.
I create the hook like this:
m_hWndProcHook = SetWindowsHookEx(WH_CALLWNDPROC, (HOOKPROC)WndProc, m_hModule, 0);
if(!m_hWndProcHook)
{
oss << "Failed to set wndproc hook. Error code: " << GetLastError();
Log(oss.str().c_str());
return false;
}
Which returns a valid hook. The WndProc look like this:
LRESULT CALLBACK CChatLibrary::WndProc(int code, WPARAM wParam, LPARAM lParam)
{
CWPSTRUCT* pData;
ostringstream oss;
char wndName[256];
gChatLib->Log("WNDPROC");
if(code < 0)
return CallNextHookEx(gChatLib->GetWndProcHookHandle(), code, wParam, lParam);
else
{
//Get the data for the wndproc
pData = (CWPSTRUCT*)lParam;
//Log the message
GetWindowText(pData->hwnd, wndName, 256);
oss << "Message from window \"" << wndName << "\"";
gChatLib->Log(oss.str().c_str());
return CallNextHookEx(gChatLib->GetWndProcHookHandle(), code, wParam, lParam);
}
}
But no "WNDPROC" messages are logged into my log file... Earlier, I had a MessageBox instead of a log to see if it worked, which turned out to be a terrible idea. All the programs froze because they were waiting for me to click "OK", and I had to do a hard reset... When I turned my computer back on and replaced the MessageBox with a log command, it didn't work. I know my log works, though, because it works everywhere else. I'm extremely confused with whats happening with this.
Are there any other methods of obtaining the main window (preferably when it is created)? Or is my hook method good, but just executed wrong? Thank you for any feedback.
Solution
You can always inject the DLL when application has already started. It's quite complicated nowadays because of ASLR in Windows Vista/7, but not impossible. You would have to write a short application which would inject selected DLL into the process with given PID. Here is what should be done in order to inject DLL into the running process:
Write a shellcode which would find address of the kernel32.dll library. Here is my old code in NASM:
[BITS 32]
_main:
xor eax, eax
mov esi, [FS:eax+0x30] ; ESI points at PEB
mov esi, [esi+0x0C] ; ESI points at PEB->Ldr
mov esi, [esi+0x1C] ; ESI points at PEB->Ldr.InInitOrder
mov edx, -1 ; EDX is now the current letter pointer
check_dll:
mov ebp, [esi+0x08] ; EBP points at base address InInitOrder[i]
mov edi, [esi+0x20] ; EDI points at InInitOrder[X] name
mov esi, [esi] ; ESI points at flink
mov edx, -1 ; set letter pointer at InInitOrder name
mov ebx, 0 ; set pattern letter pointer to null
check_small_name:
inc edx ; go to the next letter in InInitOrder name
cmp ebx, 0x7 ; check if we have checked all letters
je library_found ; if so and no error kernel32.dll found
mov al, BYTE[edi+edx] ; load byte to EAX from InInitOrder name
cmp al, 0x0 ; check if unicode complement
je check_small_name ; ignore if so
jmp s_kernel32
back1:
pop ecx
cmp BYTE[ecx+ebx], al ; compare characters
jne check_big_name ; if not equal check upper size
inc ebx ; if equal then go to the next letter in pattern
jmp check_small_name ; loop
check_big_name:
jmp b_kernel32
back2:
pop ecx
cmp BYTE[ecx+ebx], al ; check characters
jne check_dll ; if not equal then go to the next module
inc ebx ; if equal go increment the pattern pointer
jmp check_small_name ; loop
library_found:
mov eax, ebp ; move kernel32 base address into ECX
loop:
jmp loop
s_kernel32:
call back1
db "kernel32",10,0
b_kernel32:
call back2
db "KERNEL32",10,0
- Load compiled shellcode into memory from file.
- Attach to the target process as a debugger. Stop all threads in application. Allocate some memory and set 'read, write, execute' permissions and inject shellcode there.
- Get main thread handle. Open thread, create thread context backup and then set new context with EIP register modified (set to the allocated memory - shellcode - address).
- Resume threads for some time (e.g. 5 s). Make sure that the process was activated and our shellcode had a chance to execute.
- Again attach as a debugger to the target process. Read the EAX register which should now store
kernel32.dllbase address in target process (thanks to the ASLR it might be not the same as in your injector process). - Check the offset of
LoadLibraryAfunction inkernel32.dllfrom your process. - The offset should be the same in target process so you have to add remote
kernel32.dllbase address to the offset in order to compute base address ofLoadLibraryAfunction in the remote process. - Call
CreateRemoteThreadfunction giving the computed address ofLoadLibraryAas a function to call and DLL path as it's parameter.
I had to figure this all on my own some time ago (I couldn't find any description), but recently I found something similiar: http://syprog.blogspot.com/2012/05/createremotethread-bypass-windows.html
Happy hacking!
