Creating the Project

First create a new dll project in the visual studio environment.

The Code

This project will help to understand how a DLL actually works.

// dllmain.cpp : Defines the entry point for the DLL application.

#include "pch.h"   // precompiled header; pulls in <windows.h>
// Mark a function for export with C linkage (no C++ name mangling).
#define EXTERN_DLL_EXPORT extern "C" __declspec(dllexport)

// Exported function that any program can resolve by the plain name "fun".
EXTERN_DLL_EXPORT void fun() {
    // Call the wide-character variant explicitly so the L"..." literals
    // match regardless of the project's character-set setting.
    MessageBoxW(
        NULL,
        L"I'm from DLL!",
        L"Hello",
        MB_OK
    );
}

// Entry point the loader calls on process/thread attach and detach.
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}


In the above code the #define EXTERN_DLL_EXPORT extern "C" __declspec(dllexport) line defines a macro named EXTERN_DLL_EXPORT. The __declspec(dllexport) part specifies that the following function will be exported from the DLL so that it can be accessed from outside the DLL. The extern "C" part ensures that the function uses C-style linkage to prevent name mangling, which can be important when linking with code written in other languages.

EXTERN_DLL_EXPORT void fun() {
    MessageBoxW(
        NULL,
        L"I'm from DLL!",
        L"Hello",
        MB_OK
    );
}


This is the definition of the exported fun function. It is marked as exported using the EXTERN_DLL_EXPORT macro. The MessageBox function is called to display a message box with the text “I’m from DLL!” and the title “Hello”. MB_OK is a flag indicating that the message box should contain an “OK” button.

BOOL APIENTRY DllMain(HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 

This is the definition of the DllMain function, which is the entry point for the DLL. It is called by the system when various events occur, such as when the DLL is loaded or unloaded, or when a thread is created or terminated. In this case, the function does nothing except return TRUE in all cases.

TL;DR

In summary, this code defines a DLL with two main parts: the fun function that displays a message box when the DLL is called, and the DllMain function that serves as the entry point for the DLL and handles various events related to its lifecycle.

Executing the Code

  • Build the DLL.

  • Run the DLL with rundll32, which loads it and calls the exported function by name:

rundll32.exe .\DllDemo.dll,fun

Note that rundll32 calls the named export as void CALLBACK fun(HWND, HINSTANCE, LPSTR, int); the argument-less fun still runs here because the caller supplies and discards those arguments, but an export written for rundll32 should declare that signature.

In short, with this DLL file we have declared a function fun, marked for export via a macro, which can be called by other programs. This is how Windows gives programs access to its APIs from DLLs. Some of the famous ones are kernel32.dll and ntdll.dll.

Creating another C++ Console App

The Code

// fun_execute.cpp : This file contains the 'main' function. Program execution begins and ends there.

#include <windows.h>
#include <iostream>

// Signature of the exported function: no arguments, no return value.
typedef void (*FunPtr)();

int main()
{
    // Load DllDemo.dll using the default DLL search order
    // (application directory first, then system directories, then PATH).
    HMODULE dllDemo = LoadLibraryA("DllDemo.dll");
    if (!dllDemo) {
        std::cout << "Can't find DLL!";
        return -1;
    }
    // Resolve the export by name; GetProcAddress returns NULL if "fun" is not exported.
    FunPtr dllfun = reinterpret_cast<FunPtr>(GetProcAddress(dllDemo, "fun"));
    if (!dllfun) {
        std::cout << "Can't find function!";
        FreeLibrary(dllDemo);
        return -1;
    }
    dllfun();
    FreeLibrary(dllDemo);
    return 0;
}

The provided C++ code snippet performs the following tasks:

  1. Includes the necessary header files:

    • windows.h: Declares the Windows API functions and types.
    • iostream: Provides the standard input/output stream objects.
  2. Defines the main function, which serves as the entry point of the program.

  3. Calls the LoadLibraryA function to load a dynamic-link library (DLL) named “DllDemo.dll” into the address space of the calling process.

    • If the DLL is not found or cannot be loaded, it prints an error message and returns -1.
  4. Calls the GetProcAddress function to retrieve the address of the function named “fun” from the loaded DLL.

    • If the function is found, it returns a pointer to that function.
  5. Invokes the function obtained from the DLL by calling dllfun().

  6. Returns 0 to indicate successful execution of the program.

TL;DR: This code loads a DLL named “DllDemo.dll”, retrieves a function named “fun” from it, and calls that function. If the DLL or function cannot be found, it prints an error message.

Executing the Code

Move the DLL file into the same folder as the console application, then run the executable.
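Because the loader above resolves DllDemo.dll by bare name, the copy that actually gets loaded is whichever one comes first in the default search order. The following PowerShell check is an added example, not part of the original post: it walks that order for a given DLL name and lists every copy it finds with its hash and signature status, so you can confirm the console app will pick up the DLL you just built. The application directory is assumed to be the current directory.

```powershell
# Added example: enumerate every copy of a DLL along the default
# LoadLibrary search order (SafeDllSearchMode enabled), in the order
# the loader would try them. Defaults below are assumptions.
param(
    [string]$DllName = 'DllDemo.dll',
    # Folder holding fun_execute.exe; assumed to be the current directory.
    [string]$AppDir  = (Get-Location).Path
)

# Application dir, System32, 16-bit system dir, Windows dir,
# current dir, then each PATH entry.
$searchOrder = @(
    $AppDir,
    [Environment]::SystemDirectory,
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:PATH -split ';' | Where-Object { $_ -ne '' })

$rank = 0
$hits = foreach ($dir in $searchOrder) {
    $rank++
    $candidate = Join-Path $dir $DllName
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        [pscustomobject]@{
            Rank      = $rank
            Path      = $candidate
            SHA256    = (Get-FileHash -Algorithm SHA256 -LiteralPath $candidate).Hash
            Signature = $sig.Status
        }
    }
}

if (-not $hits) {
    Write-Warning "$DllName not found on the search path; LoadLibraryA would fail."
} else {
    $hits | Format-Table -AutoSize
    $first = @($hits)[0]
    if ($first.Path -ne (Join-Path $AppDir $DllName)) {
        Write-Warning "First match is outside the application directory: $($first.Path)"
    }
    if (@($hits).Count -gt 1) {
        Write-Warning "Multiple copies of $DllName found; only the first one is loaded."
    }
}
```

Run it from the folder containing fun_execute.exe; a first match outside that folder, or an unsigned copy ahead of your own, is the condition to investigate before trusting what the loader calls.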

Hunting for COM Hijacks

This will be helpful once we have our DLL: it gives us ways to exploit it.