C++ Intermediate Lessons: EP 5: DLL Injection

Welcome back, to the 5th ( ? ) episode of our intermediate C++ series.

Today we're going to talk about a very popular topic: DLL Injection

One of the first things you notice when coming into the roblox exploiting community is "Injection". What is an injection? What is a DLL? We're going to get in all of that now.

So, what's a DLL? A DLL is a dynamically linked library. This means that it's a library which is linked with our process at runtime ( while it's already executing ).

Dynamically linked libraries go by the extension ( on windows ) .dll. How are they used?

A process can dynamically link/load a library through the winapi function: LoadLibrary/LoadLibraryA ( there are other versions of this function but I'm going to keep it simple for this thread ): 

https://learn.microsoft.com/en-us/windows/win32/api/libloaderapi/nf-libloaderapi-loadlibrarya

So what does LoadLibrary do? It loads / links / maps a module into our process and returns a handle to it, this allows it to run on our process and we can even get functions from it using GetProcAddress ( it will return a  function pointer and allows us to call it and use it as normal )

So now that we know what LoadLibrary and what a DLL is, what is DLL Injection?

Let's say you want to execute your code within a process, you can do this externally( by allocating a buffer in a process and writing code to it then starting a thread on that buffer to execute its code ) or internally, but doing it internally has its advantages such as speed and ease ( also has its disadvantages because of detection ).

The way to do this internally is by injecting our DLL the target process, allowing our code inside the DLL to be executed.

So how do you inject a DLL? There's 2 main ways, manual mapping, and using LoadLibrary ( but exprssn, how are we going to use LoadLibrary in another process which isn't ours?!!??! We'll get to that in a second ).

Manual mapping is much harder and requires you to understand the format of native binaries, so for this tutorial I won't touch it and we'll be instead using LoadLibrary.

So, how do we use LoadLibrary in order to inject our DLL into another process? It's quite simple if you know some C++:

#include <Windows.h>
#include <iostream>
constexpr auto sleep_time = 250;


int main( )
{
	
	HWND window_handle{ nullptr }; // handle to the window of the target process
	DWORD proc_id{ 0 }; // process id of the target process

	constexpr auto dll_path = "DLL Path"; // path to the DLL that we have previously made. If you haven't made a DLL how would you inject it?!?
	const auto dll_path_len = strlen( dll_path ) + 1;
	std::cout << "Waiting for target window.\n";

	do // In this loop we are calling FindWindow to find the window of our target process and get a handle to it.
	{
		window_handle = FindWindowA( nullptr, "target_window" );
		Sleep( sleep_time ); // wait for 250 seconds. this is purely for performance as while loops with no pause are expensive.
	} while ( !window_handle );

	std::cout << "Found target window.\n";
	GetWindowThreadProcessId( window_handle, &proc_id ); // from our thread handle, we can call GetWindowThreadProcessId and return its process id
        // which we can use to gain permissions to write into the process.

	const auto proc_handle = OpenProcess( PROCESS_VM_OPERATION | PROCESS_VM_WRITE, false, proc_id ); // we are calling openprocess with permissions that
       // that will allow us to write into the target process, and we provide the process id that we retrieved.
	if( !proc_handle )
	{
		std::cout << "Failed to open process object.\n";
		return 0;
	}
	const auto dll_path_mem = VirtualAllocEx( proc_handle, nullptr, dll_path_len, MEM_COMMIT, PAGE_EXECUTE_READWRITE ); // remember how LoadLibrary
       // takes in a path to modules to be loaded into the process? Since we are going to be calling LoadLibrary within the process, we can't just pass in a string that is coming from another process, we need to give it a string which it can actually access. here we're allocating the memory for that string
	if( !dll_path_mem )
	{
		std::cout << "Failed to allocate memory for DLL path string\n";
		CloseHandle( proc_handle );
		return 0;
	}
	WriteProcessMemory( proc_handle, dll_path_mem, dll_path, dll_path_len, nullptr ); // writing the path to our dll into the memory we allocated for it
	CreateRemoteThread( proc_handle, nullptr, 0, reinterpret_cast< PTHREAD_START_ROUTINE >( &LoadLibraryA ), dll_path_mem, 0, nullptr ); // creating a thread to call LoadLibrary, and passing in the memory we allocated for our string ( this is equivalent to calling LoadLibraryA from within our process with our own path to the DLL, here we're just doing it in another process )

	VirtualFreeEx( proc_handle, dll_path_mem, 0, MEM_RELEASE ); // releasing the memory for the DLL path that we allocated.
	CloseHandle( proc_handle ); // closing the handle to the process since we no longer need it
	std::cout << "Injected into process id: " << proc_id;
	std::cin.get();
	return 0;
}

We do this by replicating a call to LoadLibraryA in the target process.

We gain permissions to the process and then allocate memory for our dll path string within it ( since obviously If we pass in a string of our own, it won't be able to access that string since it's in entirely different process ).

In the allocated memory for the string, we write the actual string into that allocated memory and boom - we have the path to our dll within the target process

Then we create a thread that calls LoadLibraryA with the memory we allocated for our string as the parameter.