
Hi guys,
We inject a DLL via a hook. The code is pretty simple and largely self-explanatory. Our DLL needs an exported function to set the hook to; mine looks something like this:
#include <windows.h>   // LRESULT, CALLBACK, WPARAM, LPARAM, MessageBoxA, CallNextHookEx
extern "C" DLLINJECTIONTEST_API LRESULT CALLBACK DLLInjectionTestFunction(int nCode, WPARAM wParam, LPARAM lParam)
{
    // Runs inside the hooked thread on every keyboard event; the box is our proof of injection
    MessageBoxA(NULL, "TEST", "TEST", MB_OK);
    // Always hand the event on to the next hook in the chain
    return CallNextHookEx(0, nCode, wParam, lParam);
}
My DLL function name got mangled, but I loaded it in IDA and just read the real name.
I couldn't get the .def file to work properly.
My function that sets the hook looks like this:
static HHOOK hHook = NULL;   // kept global so the hook can be removed later with UnhookWindowsHookEx

int SetHook(char* dllName, char* funcName, DWORD threadId)
{
    HMODULE hDll;
    FARPROC dllFunction;
    hDll = LoadLibraryA(dllName);                 // load our DLL into this process first
    if (hDll == NULL)
        return GetLastError();
    dllFunction = GetProcAddress(hDll, funcName); // look up the (decorated) export name
    if (dllFunction == NULL)
        return GetLastError();                    // typically ERROR_PROC_NOT_FOUND: the name does not match the export
    printf("DLL %p Func %p\n", (void*) hDll, (void*) dllFunction); // handles are pointers, so %p rather than %d
    hHook = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC) dllFunction, hDll, threadId);
    if (hHook == NULL)
    {
        return GetLastError();
    }
    return 0;
}
And a call looks like this:
int err = SetHook("C:\\DLLInjectionTest.dll", "_DLLInjectionTestFunction@12", (DWORD) pi.dwThreadId);
if (err != 0)
{
    printf("Error Hook! %d", err); // use the code SetHook returned instead of calling GetLastError() again
    return 0;
}
We use dwThreadId instead of the hThread handle. I don't know why, but now Windows wants the id and not the handle. The rest is pretty much the same as in DLL Injection Method 1: execute an exe and get its thread id (there are other ways to do that, for example if you want to hook into an already running process). Loading the DLL into the target calls its DllMain attach and detach functions, and when a key is pressed our MessageBox is shown (you could create a hotkey for something).
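As an added example (my code, not the post's), the block below ties together two points the post touches on: where the decorated name "_DLLInjectionTestFunction@12" comes from, and how the SetHook function looks once every failure is reported and the hook is removed again. The "@12" is the stdcall decoration that 32-bit MSVC applies to an extern "C" __stdcall function: a leading underscore plus the byte count of the parameters, here three 4-byte values (int, WPARAM, LPARAM). 64-bit builds do not decorate at all, which is why the same GetProcAddress call would fail there. The Windows-specific SetHook/RemoveHook pair is guarded by _WIN32 so the name helper, which uses nothing from the Windows API, compiles and runs anywhere; the x64 flag and the argument byte count are supplied by the caller, nothing is read from a DLL.

```c
/* Added example, not the original post's code. Derives the decorated
 * export name used in the post and shows a SetHook/RemoveHook pair with
 * the error checks and the UnhookWindowsHookEx cleanup the post omits. */
#include <stdio.h>
#include <string.h>

/* Build the name the linker gives an extern "C" __stdcall function.
 * 32-bit MSVC: leading underscore, '@', then the byte count of the
 * arguments. 64-bit builds use no decoration at all. is_x64 is chosen
 * by the caller; nothing here inspects a real DLL. */
int stdcall_export_name(const char *base, int arg_bytes, int is_x64,
                        char *out, size_t out_len)
{
    int n;
    if (is_x64)
        n = snprintf(out, out_len, "%s", base);
    else
        n = snprintf(out, out_len, "_%s@%d", base, arg_bytes);
    return (n >= 0 && (size_t)n < out_len) ? 0 : -1;  /* -1: buffer too small */
}

/* Parameter bytes of a hook procedure (int, WPARAM, LPARAM) on 32-bit
 * Windows: three 4-byte values, hence the "@12" in the post. */
enum { HOOKPROC_ARG_BYTES_X86 = 3 * 4 };

#ifdef _WIN32
#include <windows.h>

static HHOOK   g_hook = NULL;
static HMODULE g_dll  = NULL;

/* Same idea as the post's SetHook: every failure is returned as the
 * Win32 error code and the module handle is kept for later unloading. */
DWORD SetHook(const char *dll_path, const char *export_name, DWORD thread_id)
{
    g_dll = LoadLibraryA(dll_path);
    if (g_dll == NULL)
        return GetLastError();

    HOOKPROC proc = (HOOKPROC)GetProcAddress(g_dll, export_name);
    if (proc == NULL) {
        DWORD err = GetLastError();     /* ERROR_PROC_NOT_FOUND: wrong (un)decorated name */
        FreeLibrary(g_dll); g_dll = NULL;
        return err;
    }

    g_hook = SetWindowsHookExA(WH_KEYBOARD, proc, g_dll, thread_id);
    if (g_hook == NULL) {
        DWORD err = GetLastError();
        FreeLibrary(g_dll); g_dll = NULL;
        return err;
    }
    return 0;
}

/* Remove the hook and drop our reference to the DLL. */
void RemoveHook(void)
{
    if (g_hook) { UnhookWindowsHookEx(g_hook); g_hook = NULL; }
    if (g_dll)  { FreeLibrary(g_dll); g_dll = NULL; }
}
#endif

int main(void)
{
    char name[128];
    stdcall_export_name("DLLInjectionTestFunction", HOOKPROC_ARG_BYTES_X86, 0, name, sizeof name);
    printf("x86 export name: %s\n", name);   /* _DLLInjectionTestFunction@12 */
    stdcall_export_name("DLLInjectionTestFunction", HOOKPROC_ARG_BYTES_X86, 1, name, sizeof name);
    printf("x64 export name: %s\n", name);   /* DLLInjectionTestFunction */
    return 0;
}
```

If you would rather not hard-code the decorated name, a module-definition file that lists `DLLInjectionTestFunction` under `EXPORTS` makes the linker export the undecorated name, so GetProcAddress can be called with the plain name on both 32-bit and 64-bit builds. Whatever name is used, the thread in `thread_id` must belong to a process of the same bitness as the DLL; SetWindowsHookEx cannot load a 32-bit DLL into a 64-bit process or vice versa.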
The code should be pretty much self-explanatory. A good comment on Method 1 showed another way, so now you have three ways to inject DLLs.
Stay tuned,
KDSBest