.:: Bots United ::. - Developer's Farm - General Programming
CreateRemoteThread - Strange behaviour
(#1) Lazy - Member - Posts: 236 - Join Date: Jan 2004 - Location: Toronto, Ontario, Canada
CreateRemoteThread - Strange behaviour - 18-09-2004

Note: This has nothing to do with Half-Life at all.
BUGBUGBUG: Code sections are not accepting newlines? All my code appeared on a single line.

For some reason using CreateRemoteThread to inject a dll into a remote process causes it to either not load or behave strangely.

Notepad: Dll injected, DllMain Called and exits after DllMain returns
Solitaire: Dll injected, DllMain Called, loads but about menu doesn't work as well as the options menu refreshes the deck instead.

This is really strange, does anyone have an idea as to why this is happening?

Code:
#include <windows.h>
#include <string.h>

HMODULE RemoteLoadModule( HANDLE hProcess, LPCSTR lpModulepath ) {
    HANDLE hThread = NULL;
    FARPROC pfnLoadLibraryA = NULL;
    LPVOID lpMemory = NULL;
    DWORD dwResult = 0;
    SIZE_T dwBytes = 0;
    SIZE_T nPathlen = 0;

    // Include the terminating NUL: LoadLibraryA in the target reads a C string,
    // and strlen() alone would leave the remote copy unterminated.
    nPathlen = strlen( lpModulepath ) + 1;

    // The buffer only holds a path, so it does not need to be executable.
    lpMemory = VirtualAllocEx( hProcess, NULL, nPathlen, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE );
    // kernel32.dll is mapped at the same base in every process (for a given boot),
    // so the local address of LoadLibraryA is valid in the target as well.
    pfnLoadLibraryA = GetProcAddress( GetModuleHandleA( "kernel32.dll" ), "LoadLibraryA" );

    if ( lpMemory && pfnLoadLibraryA ) {
        if ( WriteProcessMemory( hProcess, lpMemory, lpModulepath, nPathlen, &dwBytes ) ) {
            hThread = CreateRemoteThread( hProcess, NULL, 0, ( LPTHREAD_START_ROUTINE ) pfnLoadLibraryA, lpMemory, 0, NULL );

            // CreateRemoteThread returns NULL on failure, not INVALID_HANDLE_VALUE.
            if ( hThread != NULL ) {
                WaitForSingleObject( hThread, INFINITE );
                // The thread exit code is LoadLibraryA's return value, i.e. the
                // remote HMODULE (32 bits, which is enough for a 32-bit target).
                GetExitCodeThread( hThread, &dwResult );

                CloseHandle( hThread );
            }
        }

        // With MEM_RELEASE the size argument must be 0.
        VirtualFreeEx( hProcess, lpMemory, 0, MEM_RELEASE );
    }

    return ( HMODULE ) dwResult;
}

// The injected path is passed to LoadLibraryA, so it is an ANSI string.
BOOL CreateWithInject( LPCTSTR lpApplicationpath, LPCTSTR lpCurrentdirectory, LPTSTR lpCommandline, LPCSTR lpInjectmodulepath, HMODULE* pRemoteModule ) {
    PROCESS_INFORMATION procInfo;
    STARTUPINFO startupInfo;
    HMODULE hRemote = NULL;
    BOOL bResult = FALSE;

    ZeroMemory( &procInfo, sizeof( PROCESS_INFORMATION ) );
    ZeroMemory( &startupInfo, sizeof( STARTUPINFO ) );
    // CreateProcess requires cb to be set.
    startupInfo.cb = sizeof( STARTUPINFO );

    if ( CreateProcess( lpApplicationpath, lpCommandline, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, lpCurrentdirectory, &startupInfo, &procInfo ) ) {
        hRemote = RemoteLoadModule( procInfo.hProcess, lpInjectmodulepath );

        if ( hRemote != NULL )
            bResult = TRUE;

        // Hand the remote module handle back to the caller.
        if ( pRemoteModule )
            *pRemoteModule = hRemote;

        // TODO:
        // The function exists, free the remote ya lazy bastard

        ResumeThread( procInfo.hThread );
        WaitForSingleObject( procInfo.hThread, INFINITE );

        CloseHandle( procInfo.hProcess );
        CloseHandle( procInfo.hThread );
    }

    return bResult;
}

(#2) koraX - Member - Posts: 145 - Join Date: Jan 2004 - Location: Slovak Republic
Re: CreateRemoteThread - Strange behaviour - 19-09-2004

a 'bit' more readable :

Code:
HMODULE RemoteLoadModule( HANDLE hProcess, LPSTR lpModulepath )
{
    HANDLE hThread = INVALID_HANDLE_VALUE;
    DWORD dwLoadLibraryA = 0;
    LPVOID lpMemory = NULL;
    DWORD dwResult = 0;
    DWORD dwBytes = 0;
    int nPathlen = 0;

    nPathlen = strlen( lpModulepath );

    lpMemory = VirtualAllocEx( hProcess, 0, nPathlen, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
    dwLoadLibraryA = ( DWORD ) GetProcAddress( GetModuleHandle( "kernel32.dll" ), "LoadLibraryA" );

    if ( lpMemory ) {
        if ( WriteProcessMemory( hProcess, lpMemory, lpModulepath, nPathlen, &dwBytes ) ) {
            hThread = CreateRemoteThread( hProcess, NULL, 0, ( LPTHREAD_START_ROUTINE ) dwLoadLibraryA, lpMemory, 0, NULL );

            if ( hThread != INVALID_HANDLE_VALUE ) {
                WaitForSingleObject( hThread, INFINITE );
                GetExitCodeThread( hThread, &dwResult );

                CloseHandle( hThread );
            }
        }

        VirtualFreeEx( hProcess, lpMemory, nPathlen, MEM_RELEASE );
    }

    return ( HMODULE ) dwResult;
}

BOOL CreateWithInject( LPCTSTR lpApplicationpath, LPCTSTR lpCurrentdirectory, LPTSTR lpCommandline, LPCTSTR lpInjectmodulepath, HMODULE* pRemoteModule ) {
    PROCESS_INFORMATION procInfo;
    STARTUPINFO startupInfo;
    HMODULE hRemote = NULL;
    DWORD dwEntrypoint = 0;
    BOOL bResult = FALSE;

    ZeroMemory( &procInfo, sizeof( PROCESS_INFORMATION ) );
    ZeroMemory( &startupInfo, sizeof( STARTUPINFO ) );

    if ( CreateProcess( lpApplicationpath, lpCommandline, NULL, NULL, TRUE, CREATE_SUSPENDED, NULL, lpCurrentdirectory, &startupInfo, &procInfo ) ) {
        hRemote = RemoteLoadModule( procInfo.hProcess, lpInjectmodulepath );

        if ( hRemote != NULL )
            bResult = TRUE;

        // TODO:
        // The function exists, free the remote ya lazy bastard :)

        ResumeThread( procInfo.hThread );
        WaitForSingleObject( procInfo.hThread, INFINITE );

        CloseHandle( procInfo.hProcess );
        CloseHandle( procInfo.hThread );
    }

    return bResult;
}


kXBot
koraX's utils
- see my homepage for other projects (OpenGL CSG Editor, FAT16 Sim, NNetwork Sim, ...)

(#3) koraX - Member - Posts: 145 - Join Date: Jan 2004 - Location: Slovak Republic
Re: CreateRemoteThread - Strange behaviour - 19-09-2004

Just a few notes, maybe it will help :

- perform only simple tasks in dllmain(). DO NOT load/free other libraries in dllmain(). (I know in most bots they call freelibrary to free game DLL file from dllmain(), but it is not good.) See here for more info.
Quote:
The entry-point function should perform only simple initialization or termination tasks. It must not call the LoadLibrary or LoadLibraryEx function (or a function that calls these functions), because this may create dependency loops in the DLL load order. This can result in a DLL being used before the system has executed its initialization code. Similarly, the entry-point function must not call the FreeLibrary function (or a function that calls FreeLibrary), because this can result in a DLL being used after the system has executed its termination code.
- http://weblogs.asp.net/oldnewthing/a.../27/63401.aspx
- http://weblogs.asp.net/oldnewthing/a.../28/63880.aspx
(#4) Lazy - Member - Posts: 236 - Join Date: Jan 2004 - Location: Toronto, Ontario, Canada
Re: CreateRemoteThread - Strange behaviour - 20-09-2004

It had the same result both times even when DllMain did nothing and just returned TRUE.
This also only happens when the process is created with the CREATE_SUSPENDED flag. But since that is the only time where IAT patching is useful, injection afterwards is basically useless.

I have had success with proxy dlls but they take a long time to make and do not work with kernel32.dll functions. There was also another method where you overwrote the entrypoint with your code, let it execute and restored the original. The problem with that was I tried writing 0xCD03 ( equal to __asm int 3 ) and the application would refuse to start.
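An added example for the entry-point overwrite method mentioned in the post above; it is not code from the thread or from any of the posters. It works on an in-memory copy of a PE32 file image so it runs anywhere: pe_entry_file_offset walks the COFF/optional/section headers to turn AddressOfEntryPoint into a file offset, patch_entry_int3 writes the two-byte int 3 encoding CD 03 there while saving the original bytes, and restore_entry puts them back. word_as_bytes shows what a 16-bit store of the value 0xCD03 actually leaves in memory on little-endian x86 (03 CD, not CD 03); the one-byte form CC avoids that trap entirely. The sample image, the section layout and the original entry bytes 55 8B EC are constructed for the example, and all function names are my own; in a real injector the same offsets would be applied to the suspended process with ReadProcessMemory/WriteProcessMemory instead of to a local buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: header offsets follow the PE/COFF format, read byte-wise so no
 * <windows.h> or struct packing is needed. The sample image is hand-built. */
#define IMG_SIZE 0x400

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Bytes left in memory by a little-endian 16-bit store of w: 0xCD03 -> 03 CD. */
void word_as_bytes(uint16_t w, uint8_t out[2]) { wr16(out, w); }

/* Resolve AddressOfEntryPoint to a file offset via the section table.
 * Returns 0 on success, -1 if the buffer is not a PE32 image we can walk. */
int pe_entry_file_offset(const uint8_t *img, size_t len, uint32_t *rva, uint32_t *off) {
    uint32_t pe, nsec, optsz, sec, i;
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    pe = rd32(img + 0x3C);                              /* e_lfanew */
    if (pe > len || len - pe < 24 + 224) return -1;     /* COFF + PE32 optional header */
    if (rd32(img + pe) != 0x00004550u) return -1;       /* "PE\0\0" */
    nsec  = rd16(img + pe + 6);                         /* NumberOfSections */
    optsz = rd16(img + pe + 20);                        /* SizeOfOptionalHeader */
    if (rd16(img + pe + 24) != 0x10B) return -1;        /* Magic: PE32 */
    *rva = rd32(img + pe + 24 + 16);                    /* AddressOfEntryPoint */
    sec = pe + 24 + optsz;                              /* first section header */
    for (i = 0; i < nsec; i++) {
        uint32_t h = sec + i * 40, va, rawsz, rawptr;
        if (h > len || len - h < 40) return -1;
        va = rd32(img + h + 12); rawsz = rd32(img + h + 16); rawptr = rd32(img + h + 20);
        if (*rva >= va && *rva < va + rawsz) {
            *off = rawptr + (*rva - va);
            return (*off < len && len - *off >= 2) ? 0 : -1;  /* room for 2 patch bytes */
        }
    }
    return -1;
}

/* Overwrite the entry point with int 3 (CD 03), saving the original bytes.
 * Returns the patched file offset, or -1 on failure. */
long patch_entry_int3(uint8_t *img, size_t len, uint8_t saved[2]) {
    uint32_t rva, off;
    if (pe_entry_file_offset(img, len, &rva, &off) != 0) return -1;
    saved[0] = img[off]; saved[1] = img[off + 1];
    img[off] = 0xCD; img[off + 1] = 0x03;
    return (long)off;
}

/* Put the saved bytes back once the trap has fired. */
long restore_entry(uint8_t *img, size_t len, const uint8_t saved[2]) {
    uint32_t rva, off;
    if (pe_entry_file_offset(img, len, &rva, &off) != 0) return -1;
    img[off] = saved[0]; img[off + 1] = saved[1];
    return (long)off;
}

/* Constructed sample: one .text section at RVA 0x1000 / file offset 0x200,
 * entry point at RVA 0x1010 holding 55 8B EC (push ebp; mov ebp, esp). */
void build_sample_image(uint8_t img[IMG_SIZE]) {
    uint32_t pe = 0x80, opt = pe + 24, sec;
    memset(img, 0, IMG_SIZE);
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3C, pe);
    wr32(img + pe, 0x00004550u);
    wr16(img + pe + 4, 0x14C);          /* Machine: i386 */
    wr16(img + pe + 6, 1);              /* NumberOfSections */
    wr16(img + pe + 20, 224);           /* SizeOfOptionalHeader (PE32) */
    wr16(img + opt, 0x10B);             /* Magic: PE32 */
    wr32(img + opt + 16, 0x1010);       /* AddressOfEntryPoint */
    wr32(img + opt + 28, 0x00400000);   /* ImageBase */
    sec = opt + 224;
    memcpy(img + sec, ".text", 5);
    wr32(img + sec + 8, 0x200);         /* VirtualSize */
    wr32(img + sec + 12, 0x1000);       /* VirtualAddress */
    wr32(img + sec + 16, 0x200);        /* SizeOfRawData */
    wr32(img + sec + 20, 0x200);        /* PointerToRawData */
    img[0x210] = 0x55; img[0x211] = 0x8B; img[0x212] = 0xEC;
}
```

Against a live target the file offset is replaced by ImageBase + AddressOfEntryPoint (the RVA is the same in both views), the two saved bytes are read with ReadProcessMemory before the trap is written, and the original bytes are restored from the debugger's breakpoint handler before the thread is resumed.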