Tutorial DLL Injection without WriteProcessMemory Source Code


timb3r

Jul 15, 2018
Introduction:

This is going to be a quick tutorial on an idea I had.

I'm sure by now most people are familiar with the standard DLL injection method:
  1. Allocate memory in the target process.
  2. Write the dll path to target process.
  3. Call CreateRemoteThread.
However, what if you don't want to, or cannot, write to the target process? How do we get our string into the process? The simplest way is by passing our DLL path as a command line argument to the process:

For example:
Terminator-Win64-Shipping.exe D:\Code\CommandLineInjection\x64\Debug\TestDLL.dll
Now that the string is in the process's memory we can search for it by using a simple pattern scan routine:

[?] Searching for pattern: "TestDLL.dll"
[+] Found pattern at: 1ce417e3ef7
[?] Correct address should be: 1ce417e3ed0
We need to do a calculation on the address to point to the start of the string, which we can easily do by subtracting the length of the DLL path.

Now we can call CreateRemoteThread like normal:

[Screenshot: Capture.PNG]


And that's it. No need to use VA or WPM at all.

Source:
```cpp
#define _CRT_SECURE_NO_WARNINGS
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <TlHelp32.h>

// Walks the committed, readable regions of hProc between begin and end and
// returns the address of the first occurrence of pattern, or 0 if not found.
// Simple scanner: assumes the pattern has no repeated prefix (true for a file name).
uintptr_t Scan(const char* pattern, SIZE_T len, uintptr_t begin, uintptr_t end, HANDLE hProc)
{
    MEMORY_BASIC_INFORMATION mbi = { 0 };
    uintptr_t curr = begin;

    while (curr < end)
    {
        if (!VirtualQueryEx(hProc, (LPCVOID)curr, &mbi, sizeof(mbi))) break;

        uintptr_t base = (uintptr_t)mbi.BaseAddress;
        uintptr_t next = base + mbi.RegionSize;
        if (next <= curr) break;            // never loop forever on a zero-sized region

        if (mbi.State != MEM_COMMIT || mbi.Protect == PAGE_NOACCESS) { curr = next; continue; }

        char* buffer = new char[mbi.RegionSize];
        SIZE_T bytesRead = 0;               // reset so a failed read cannot reuse a stale count

        if (ReadProcessMemory(hProc, mbi.BaseAddress, buffer, mbi.RegionSize, &bytesRead))
        {
            for (SIZE_T i = 0, j = 0; i < bytesRead; i++)
            {
                if (buffer[i] != pattern[j]) j = 0;       // mismatch: restart, re-testing this byte
                if (buffer[i] == pattern[j] && ++j == len)
                {
                    delete[] buffer;
                    return base + i + 1 - len;            // address of the first matched byte
                }
            }
        }

        delete[] buffer;                    // free every region's buffer, not just the last one
        curr = next;
    }
    return 0;
}

int main(void)
{
    char appPath[] = "E:\\Games\\Terminator Resistance\\Terminator\\Binaries\\Win64\\Terminator-Win64-Shipping.exe";
    char dllPath[] = "D:\\Code\\CommandLineInjection\\x64\\Debug\\";
    char dllModName[] = "TestDLL.dll";

    STARTUPINFO si = { 0 };
    PROCESS_INFORMATION pi = { 0 };

    si.cb = sizeof(STARTUPINFO);

    SIZE_T dllPathLen = lstrlen(dllPath);
    SIZE_T dllModLen = lstrlen(dllModName);

    // The full DLL path is the command line, so the target holds it in its own
    // memory without any WriteProcessMemory call.
    char* commandLine = (char*)calloc(1, dllPathLen + dllModLen + 3);
    sprintf(commandLine, "%s%s", dllPath, dllModName);

    printf("[+] Launching process %s\n[?] Cmdline: %s\n", appPath, commandLine);

    if (!CreateProcess(appPath, commandLine, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        printf("[-] Unable to start process.\n");
        free(commandLine);
        return -1;
    }

    printf("[+] Started process.\n[?] Waiting for initialisation to finish....\n");
    WaitForInputIdle(pi.hProcess, 5000);

    printf("[+] Starting scan\n[?] Searching for pattern: \"%s\"\n", dllModName);
    uintptr_t stringPtr = Scan(dllModName, dllModLen, 0x0, (uintptr_t)0x00007FFFFFFFFFFF, pi.hProcess);
    if (stringPtr == 0)
    {
        printf("[-] Unable to locate string in target process\n");

        TerminateProcess(pi.hProcess, (UINT)-1);
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);

        free(commandLine);
        return -2;
    }

    printf("[+] Found pattern at: %llx\n", (unsigned long long)stringPtr);
    printf("[?] Correct address should be: %llx\n", (unsigned long long)(stringPtr - dllPathLen));

    // The scan found the file name; step back over the directory part to reach the start of the full path.
    uintptr_t loc = stringPtr - dllPathLen;

    HANDLE hThread = CreateRemoteThread(pi.hProcess, 0, 0, (LPTHREAD_START_ROUTINE)LoadLibraryA, (void*)loc, 0, 0);
    if (hThread)
    {
        printf("[+] Injection OK.\n");
        CloseHandle(hThread);
    }
    else {
        printf("[-] Injection failed.\n");
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
    free(commandLine);
    return 0;
}
```
I borrowed some of this code from @Rake, creds to him.
 
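Added here as a defender-side example, not code from the post: the one artefact this technique cannot avoid is the DLL path sitting in the target's command line, which process-creation telemetry (Sysmon Event ID 1, or Security event 4688 with command-line auditing enabled) records. The check below tokenises a recorded command line using a simplified form of the CommandLineToArgvW quoting rules (assumption: double quotes group a token, backslash escapes are not handled) and returns any token that is an absolute path ending in .dll.

```cpp
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

// Split a Windows command line into arguments. Simplified CommandLineToArgvW
// rules (assumption): double quotes group a token, no backslash escapes,
// which covers the plain drive paths used in the post.
std::vector<std::string> SplitCommandLine(const std::string& cmd)
{
    std::vector<std::string> args;
    std::string cur;
    bool inQuotes = false, haveToken = false;
    for (char c : cmd) {
        if (c == '"') { inQuotes = !inQuotes; haveToken = true; }
        else if (!inQuotes && (c == ' ' || c == '\t')) {
            if (haveToken) { args.push_back(cur); cur.clear(); haveToken = false; }
        }
        else { cur += c; haveToken = true; }
    }
    if (haveToken) args.push_back(cur);
    return args;
}

static bool EndsWithNoCase(const std::string& s, const std::string& suffix)
{
    if (s.size() < suffix.size()) return false;
    return std::equal(suffix.rbegin(), suffix.rend(), s.rbegin(),
        [](char a, char b) { return std::tolower((unsigned char)a) == std::tolower((unsigned char)b); });
}

// Returns the first token that is an absolute path to a .dll, or "" if none.
// argv[0] is checked on purpose: with CreateProcess(appPath, commandLine, ...)
// as used in the post, the DLL path is the entire recorded command line.
std::string FindDllArgument(const std::string& cmdLine)
{
    for (const std::string& a : SplitCommandLine(cmdLine)) {
        bool absolute = a.size() > 3 && std::isalpha((unsigned char)a[0]) && a[1] == ':'
                        && (a[2] == '\\' || a[2] == '/');
        if (absolute && EndsWithNoCase(a, ".dll")) return a;
    }
    return "";
}
```

Run over the CommandLine field of each process-creation event and alert on a non-empty result; a program that legitimately takes a .dll path as an argument needs an allow-list entry.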

XdarionX

Mar 30, 2018
wow, pretty neat trick, seems more elegant than atom bombing if only dll injection is required
 