I need to inject into explorer.exe. I have a dll with this code:

    #include "stdafx.h"
    #include <stdio.h>
    #include "windows.h"

    BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
    {
        MessageBox(NULL, "Hello injected to explorer.exe", "Info", MB_OK);
        return TRUE;   // DllMain must return a value; falling off the end is undefined behaviour
    }

I tried building both 32-bit and 64-bit. Windows 10 x64.

There is an injector with this code:

    // The question shows only the function body; the wrapper below assumes it receives the target pid.
    bool InjectDll(DWORD pID)
    {
        char *CDP = TEXT("C:\\ProgramData\\windows.dll");   // path of the dll to load in the target
        printf("Hi from inject\n");                         // debugging trace
        HANDLE proc_handle;
        LPVOID RemoteString;
        LPVOID LoadLibAddy;

        if (pID == 0) {
            printf("pID not found\n");
            return false;
        }

        proc_handle = OpenProcess(PROCESS_ALL_ACCESS, false, pID);
        printf("Hi from inject\n");
        if (proc_handle == 0) {
            printf("Cannot take file handle\n");
            return false;
        }

        // Address of LoadLibraryA in this process; relies on kernel32.dll being mapped at the same address in the target
        LoadLibAddy = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
        printf("Hi from inject\n");

        // Allocate room for the path in the target and copy it over (sized by strlen, see the answer below)
        RemoteString = (LPVOID)VirtualAllocEx(proc_handle, NULL, strlen(CDP), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
        printf("Hi from inject\n");
        WriteProcessMemory(proc_handle, RemoteString, CDP, strlen(CDP), NULL);
        printf("Hi from inject\n");

        // Start a thread in the target that calls LoadLibraryA(RemoteString)
        CreateRemoteThread(proc_handle, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLibAddy, RemoteString, 0, NULL);
        printf("Injection was successful\n");
        CloseHandle(proc_handle);
        return true;
    }

printf("Hi from inject\n") is used for debugging. I also built both 32-bit and 64-bit. Nothing gets injected at all. Into programs like torrent clients or browsers it injects without problems. What could the problem be?

  • It seems this method relies on kernel32.dll always being loaded at the same address. Couldn't explorer.exe be protected against such abuse, or is some ASLR enabled for it by default? - Lyth
  • Well, as far as I've read, there is no protection there, and if there is, where can it be seen / tracked? - Aleksei .C
  • In Process Explorer (English): select a process, click "show DLLs", right-click the columns in the lower panel and tick ASLR. In the DLL list you can double-click kernel32.dll and the load address will be shown. I clicked around out of curiosity: basically the same address, but occasionally different. - Lyth
  • That's all well and good, but is there at least some way to load my dll into explorer.exe's memory? - Aleksei .C
  • Why use a hack when there is an official way to load user extensions specifically for explorer? rsdn.org/article/winshell/shlext1.xml - Chorkov

1 answer

I tried building both 32-bit and 64-bit. Windows 10 x64.

You need exactly x64, because with this method the injector, the dll and the target process all have to be the same bitness.

So check that you really built both the injector and the dll as x64.

Now the small things:

    RemoteString = (LPVOID)VirtualAllocEx(proc_handle, NULL, strlen(CDP), MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
    WriteProcessMemory(proc_handle, RemoteString, CDP, strlen(CDP), NULL);

You have CDP = TEXT(...); if this is Unicode, then exactly half of the string is written, because in Unicode 1 character = 2 bytes and you size the allocation by the number of characters. In this case I'd advise you to be more explicit by removing TEXT and specifying the type CHAR *.

    printf("Hi from inject\n");

Well, this code makes no sense, because on an error execution is not interrupted but simply continues.

And check LoadLibraryA: if you pass Unicode, LoadLibraryA will already fail inside the target process.

Because an entry like:

    CHAR* a = TEXT(...)

does not guarantee at all that CHAR will point to an ANSI string rather than a UNICODE one; if the compiler settings prefer Unicode, then what gets written into this pointer is not at all what is expected.
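An added, portable C illustration of the sizing mistake the answer describes (example code, not from the question or the answer): strlen() run over a wide buffer stops at the first zero byte, so the allocation and the copy come out far too short, while sizing by the string's own element width (or by sizeof on the literal array) gives the full byte count including the terminator. The sample path is constructed for the example; wchar_t is 2 bytes on Windows and 4 on most Unix toolchains, so the wide results are expressed in multiples of sizeof(wchar_t).

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Bytes to allocate and copy for a narrow (ANSI) path, including the
   terminating NUL that LoadLibraryA expects to find in the buffer. */
size_t narrow_path_bytes(const char *s)
{
    return (strlen(s) + 1) * sizeof(char);
}

/* The same for a wide path (what TEXT() yields in a UNICODE build):
   wcslen() counts characters, so scale by the element width. */
size_t wide_path_bytes(const wchar_t *s)
{
    return (wcslen(s) + 1) * sizeof(wchar_t);
}

/* What the question's code effectively computes when TEXT() expands to a
   wide literal but the buffer is handed to strlen(): the count stops at
   the first zero byte, which for an ASCII path on a little-endian machine
   is the high byte of the very first character. */
size_t strlen_on_wide_buffer(const wchar_t *s)
{
    return strlen((const char *)s);
}

/* Character-type-agnostic alternative: size a string ARRAY (not a pointer)
   with sizeof, which already includes the terminator and the element width.
   Works for both "..." and L"..." literals without knowing which one it is. */
#define LITERAL_BYTES(arr) (sizeof(arr))

static const char    kNarrowPath[] = "C:\\ProgramData\\windows.dll";  /* constructed sample */
static const wchar_t kWidePath[]   = L"C:\\ProgramData\\windows.dll"; /* constructed sample */

size_t narrow_literal_bytes(void) { return LITERAL_BYTES(kNarrowPath); }
size_t wide_literal_bytes(void)   { return LITERAL_BYTES(kWidePath); }
```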