DLL Injection with Delphi(转载)
I had recently spent some time playing around with the simple to use DelphiDetours package from Mahdi Safsafi
https://github.com/MahdiSafsafi/DDetours
One missing feature is the ability to inject a DLL into an external process. This is something that I wanted to do for a project that I am currently working on, so I started doing some reading. To me, the topic always seemed to be a Black Art, and something left for the assembly language developers to use, but it turns out to be much more widely accessible and fairly easy to do.
I added a few routines to my dxLib open source project on GitHub to assist with the DLL injection task:
https://github.com/darianmiller/dxLib
I also put a new repository online yesterday, initially containing Delphi projects to create an example custom DLL, a basic victim process, and an example DLL Injector. This repo can be found at:
https://github.com/darianmiller/dxInjectionDetours
The screen shot below demonstrates a successful detour of a simple MessageBox call utilizing the projects from the dxInjectionDetours repo:
Define which ProcessID to target
First, I wanted to offer a list of running processes, so the user can simply select a DLL injection target from a list. There's a new dxLib_ProcessList unit with a simple TdxProcessEntryList class which can be populated with a call to its SnapShotActiveProcesses method:
//https://docs.microsoft.com/en-us/windows/win32/toolhelp/taking-a-snapshot-and-viewing-processes
function TdxProcessEntryList.SnapshotActiveProcesses(const pLookupFullPathName:Boolean=False):Boolean;
The list is generated using the Kernel32.dll API method: CreateToolhelp32Snapshot and related helper routines. It's a quick snapshot of active processes (along with heaps, modules and threads used...which I may extend later.) You can use the related Process32First and Process32Next API methods to build a list of PROCESSENTRY32 items that contain interesting entries like ProcessID, ParentProcessID, and ExeFile name. One potential problem is the ExeFile provided is just the file name without the full path.
You actually do not need the full path name to inject a DLL, but I thought it was a nice feature to add to the demo so I added an optional parameter to utilize another Kernel32 API method QueryFullProcessImageName which returns the full path name of a given process. There are two versions of this method available, one ANSI and one Unicode.
Since I'm using this in a loop, to cache the calls to GetModuleHandle/GetProcAddress, there was a utility class created (TdxProcessNameToId) and a simple method to return the full path name for a given ProcessID:
//requires Vista or later
function TdxProcessNameToId.GetFileNameByProcessID(const pTargetProcessID:DWORD):string;
Note that this method calls OpenProcess with the PROCESS_QUERY_LIMITED_INFORMATION access right, which provides a subset of information. This reduced access grants further calls to QueryFullProcessImageName (along with GetExitCodeProcess, GetPriorityClass, and IsProcessInJob.)
Note: OpenProcess will fail on some system processes.
Since some system processes will generate errors, the SnapshotActiveProcesses method simply skips over them. There typically no good reasons to be sniffing into these system processes anyway. (If you need that, then you should get out of User Land and get yourself into Kernel mode.)
We now have a simple routine to easily get a full list of active processes for a user to select from, which will provide a specific ProcessID to target.
Create a custom DLL to inject
The interesting part of this task involves creating the DLL which contains our API hook, intercept, detour, or the terminology of your choice. Using the DelphiDetours package, it's really simple to do.
Remember to 'match your bitness' - create a 32-bit DLL to inject into a 32-bit process, and a 64-bit DLL for a 64-bit process.
There is a long history of DLL support in Delphi. Unfortunately, there's not a lot of documentation provided for some areas. For example, if you look up the DLLProc global variable, you likely won't find much. Fortunately, there is a succinct StackOverflow response by Sertac Akyuz which explains basic usage:
Unfortunately when begin is executed in your dll code, the OS has already called DllMain in your library. So
when your DllProc := DllMain; statement executes it is already too late.
The Delphi compiler does not allow user code to execute when the dll is attached to a process.
The suggested workaround (if you can call that a workaround) is to call your own DllMain
function yourself in a unit initalization section or in the library code:
We set this DLLProc system variable and call it ourselves with DLL_PROCESS_ATTACH. This is the .DPR source for an example DLL:
library dxDetours_InterceptAPI_MessageBox; uses
WinApi.Windows,
dxDetours_InterceptAPI_MessageBox_CustomImplementation in '..\..\Source\dxDetours_InterceptAPI_MessageBox_CustomImplementation.pas'; {$R *.RES} procedure DllEntry(pReason:DWORD);
begin
case pReason of
DLL_PROCESS_ATTACH: CreateIntercepts();
DLL_PROCESS_DETACH: RemoveIntercepts();
DLL_THREAD_ATTACH:;
DLL_THREAD_DETACH:;
end;
end; begin
DllProc:= @DllEntry;
DllEntry(DLL_PROCESS_ATTACH); end.
We then need to define CreateIntercepts() and RemoveIntercepts() in our custom implementation unit as in the example below. DelphiDetours does most of the heavy lifting. We just need to define which API calls to intercept and what to replace them with.
In this example, we're going to replace the two variations of MessageBox with our own custom implementation. For this very simple example, we will call the intercepted (original version) MessageBox with our custom message and caption whenever the target process calls MessageBox:
unit dxDetours_InterceptAPI_MessageBox_CustomImplementation; interface
uses
Windows,
DDetours; procedure CreateIntercepts();
procedure RemoveIntercepts(); var
//definitions of methods to be replaced - ensure exact match to target methods
InterceptMessageBoxA: function(hWnd: hWnd; lpText, lpCaption: LPCSTR; uType: UINT): Integer; stdcall = nil;
InterceptMessageBoxW: function(hWnd: hWnd; lpText, lpCaption: LPCWSTR; uType: UINT): Integer; stdcall = nil; implementation function MyCustomMessageBoxA(hWnd: hWnd; lpText, lpCaption: LPCWSTR; uType: UINT): Integer; stdcall;
begin
Result := InterceptMessageBoxA(hWnd, 'My custom message', 'ANSI Version Hooked', MB_OK or MB_ICONEXCLAMATION);
end; function MyCustomMessageBoxW(hWnd: hWnd; lpText, lpCaption: LPCWSTR; uType: UINT): Integer; stdcall;
begin
Result := InterceptMessageBoxW(hWnd, 'My custom message', 'UNICODE Version Hooked', MB_OK or MB_ICONEXCLAMATION);
end; procedure CreateIntercepts();
begin
BeginHooks;
@InterceptMessageBoxA := InterceptCreate(@MessageBoxA, @MyCustomMessageBoxA);
@InterceptMessageBoxW := InterceptCreate(@MessageBoxW, @MyCustomMessageBoxW);
EndHooks;
end; procedure RemoveIntercepts();
begin
if Assigned(InterceptMessageBoxA) then
begin
BeginUnHooks;
InterceptRemove(@InterceptMessageBoxA);
InterceptRemove(@InterceptMessageBoxW);
InterceptMessageBoxA := nil;
InterceptMessageBoxW := nil;
EndUnHooks;
end;
end; end.
Thanks to DelphiDetours, this isn't a Black Art at all (at least in our code...DelphiDetours is certainly full of magic.) The major caveat is to ensure that the API method definition exactly matches the original. It's best to utilize the Delphi-provided definitions whenever possible (like those found in the Windows.pas file.)
We now have a DLL ready to inject into a target process!
Inject your DLL into an active process
Now the fun part - actually injecting this custom DLL into a target process. (Note that there are ways to prep a process to load one or more DLLs automatically on startup which could be detailed in a future blog post.)
Unfortunately, the DelphiDetours package doesn't provide the injection capability. I've added a new unit to dxLib so handle this task: dxLib_WinInjection. This has a single utility method, InjectDLL as defined below:
function InjectDLL(const pTargetProcessID:DWORD; const pSourceDLLFullPathName:string; const pSuppressOSError:Boolean=True):Boolean;
You just need the ProcessID and the filename (including full path) of the DLL to inject and it returns success or failure.
This method calls OpenProcess with extended access rights (PROCESS_CREATE_THREAD or PROCESS_QUERY_INFORMATION or PROCESS_VM_OPERATION or PROCESS_VM_WRITE or PROCESS_VM_READ) It then allocates enough memory (via VirtualAllocEx which returns the memory location) to write the DLL full pathname (via WriteProcessMemory) to the process memory space. It then calls CreateRemoteThread with a function pointer to LoadLibrary (ANSI or Unicode variant, depending on your Delphi version) and the memory location of the DLL to be loaded. When this occurs, the interception(s) defined in the custom DLL get put into place.
Now, there is a bit of Black Art in this code, as the remote thread starts with a LoadLibrary call in Kernel32.dll. This will only work because LoadLibrary exists in every process at the same virtual memory address (otherwise we would have to look-up the location of LoadLibrary in the target process' memory space.) We start a new thread executing LoadLibrary with the DLL full filename. This nice blog post from Brandon Arvanaghi goes into more detail. As his post suggests, there is an alternative way of injecting a DLL and that is to write enough space to the external process to hold the entire contents of the DLL instead of just the filename. (Perhaps we'll attempt that task for fun in a future blog post.)
I confess to reading different pieces of sample code a few times before understanding what was going on. Most samples that I found were cryptic without any comments and it seemed odd to be writing the DLL filename to some random memory location - until it finally clicked. Perhaps one way to look at it is to compare it to a simple post-it note. We write the full pathname of the DLL to a post-it note and stick it inside the memory space of the target process. This note is only used by when calling the LoadLibrary routine in a new thread, and then it's discarded/ignored.
What's next?
Next up is to inject a custom DLL into every active process. In the ancient versions of Windows, it was much easier (and a very important reason why viruses were much more rampant back then!) These days, this is going to take a system driver and it's beyond the scope of our simple InjectDLL call. DelphiDetours is a nice package, but it's also missing this functionality. However, there is hope as we can fall back to a famous Delphi classic tool: madCodeHook from Mathias Rauen.
Mathias is no longer offering a freeware version of this package. It's also not available for sale without some sort of background check. Apparently, this powerful tool has been used in the past by malware authors. I've contacted the author directly and was provided a purchase link. (We also connected on LinkedIn. If you are interested in this sort of topic, feel free to reach out to me as well: https://www.linkedin.com/in/darianm/) I plan on purchasing madCodeHook soon and implementing a system wide hook using the driver-based approach. That fun will hopefully be documented in a future blog post. I wanted to get the current task working before tackling the much larger driver-based approach.
Further Information
When looking at intercepting Windows APIs, the industry reference is the Detours package directly from Microsoft. This was available historically as a fairly expensive commercial package but is now available on GitHub under a fee MIT open source license.
https://github.com/microsoft/Detours
There is also apparently some Injection code in the venerable JEDI Code Library for Delphi, which also may be looked at in a future blog post.
https://github.com/project-jedi/jcl
Finally, I used a few tools for composing this blog post. The first is a free source code beautifier available online called Hilite.me by Alexander Kojevnikov. Simply paste code into the Source Code box, pick the Language, optionally pick the Style (I selected vs) and click on the Highlight! button. It will generate the HTML in another edit box, as well as display a preview. It's super-easy and works great.
For the short-animated demo below, I used a free tool called ScreenToGif by Nicke Manarin.
https://github.com/NickeManarin/ScreenToGif
DLL Injection with Delphi(转载)的更多相关文章
- Windows Dll Injection、Process Injection、API Hook、DLL后门/恶意程序入侵技术
catalogue 1. 引言2. 使用注册表注入DLL3. 使用Windows挂钩来注入DLL4. 使用远程线程来注入DLL5. 使用木马DLL来注入DLL6. 把DLL作为调试器来注入7. 使用c ...
- DLL Injection and Hooking
DLL Injection and Hooking http://securityxploded.com/dll-injection-and-hooking.php Three Ways to Inj ...
- .net DLL 注册 regasm delphi调用
.net DLL 注册 regasm regasm regasm myTest.dll regasm.exe 打开vs2005自带的工具“Visual Studio 2005命令提示”,输入上述命令 ...
- C# 调用C++ DLL 的类型转换(转载版)
最近在做视频监控相关的demo开发,实现语言是C#,但视频监控的SDK是C++开发的,所以涉及到C#调用C++的dll库.很多结构体.参数在使用时都要先进行转换,由非托管类型转换成托管类型后才能使用. ...
- CommMonitor8.0 串口过滤驱动 SDK DLL版本 C#/Delphi调用DEMO
CommMonitor8.0 SDK DLL 版本,此版本是直接调用DLL. Delphi调用定义: constCommMOnitor8x = ‘CommMOnitor8x.dll’; typeTOn ...
- WPF使用Log4net.dll库的demo(转载加个人观点)
原文地址:http://blog.csdn.net/linraise/article/details/50547149 配置文件解析地址:http://blog.csdn.net/pfe_nova/a ...
- The current state of generics in Delphi( 转载)
The current state of generics in Delphi To avoid duplication of generated code, the compiler build ...
- Qt532_QWebView做成DLL供VC/Delphi使用_Bug
Qt5.3.2 vs2010 OpenGL ,VC6.0,Delphi7 1.自己继承 类QWebView,制作成DLL 供 VC6/Delphi7 使用 2.测试下来,DLL供VC6使用: 加载&q ...
- 【QTP专题】01_安装时报DLL无法注册(转载)
安装QTP过程中报很多DLL注册失败,全部忽略后安装完成,结果打开QTP录制的脚本无法保存,(点击保存按钮没反应) 1.问题分析: 问题a 使用精减版的操作系统 问题b 需要IE 6.0 及以上版本 ...
随机推荐
- PATB1021个数统计
参考代码: #include<cstdio> #include<cstring> #include<cstdlib> int main() { char str[1 ...
- concurrent(四)Condition
参考文档:Java多线程系列--“JUC锁”06之 Condition条件:http://www.cnblogs.com/skywang12345/p/3496716.html Condition介绍 ...
- 【2019年05月16日】A股最便宜的股票
查看更多A股最便宜的股票:androidinvest.com/CNValueTop/ 经典价值三因子选股: 市盈率PE.市净率PB 和 股息分红率,按照 1:1:1的权重,选择前10大最便宜的股票. ...
- laravel 可以做什么
laravel 可以做什么? Laravel是一套简洁.优雅的PHP Web开发框架(PHP Web Framework).它可以让你从面条一样杂乱的代码中解脱出来:它可以帮你构建一个完美的网络APP ...
- antdpro 打包部署后访问路由刷新后404
antdpro build 后访问路由刷新后 404? 解决方法有三种: 1. 改用 hashHistory,在 .umirc.js或者是config.js 里配 history: 'hash' 2. ...
- AngularJS 的全选、反选实现
目录 AngularJS 的全选.反选实现 一.需求 二.思路 三.实现 AngularJS 的全选.反选实现 一.需求 要使用 AngularJS 实现 checkbox 的全选.反选. 其中所有项 ...
- FastReport 程序员手册
一.使用TfrxReport 组件工作1.加载并存储报表默认情况下,报表窗体同项目窗体构存储在同一个DFM文件中.多数情况下,无须再操作,因而你就不必采用特殊方法加载报表.如果你决定在文件中存储报表窗 ...
- netcore3.0 webapi集成Swagger 5.0,Swagger使用
Swagger使用 1.描述 Swagger 是一个规范和完整的框架,用于生成.描述.调用和可视化 RESTful 风格的 Web 服务. 作用: 1.接口的文档在线自动生成. 2.功能测试 本文转自 ...
- pytest_全局变量的使用
这里重新阐述下PageObject设计模式: PageObject设计模式是selenium自动化最成熟,最受欢迎的一种模式,这里用pytest同样适用 这里直接提供代码: 全局变量 conftest ...
- [Atcoder AGC032C]Three Circuits
题目大意:有一张$n$个点$m$条边的无向连通图,判断是否可以从中分出$3$个环,满足三个环覆盖整张图并且没有重复的边.$n,m\leqslant10^5$ 题解:分类讨论.有度数为奇肯定不行,因为连 ...