Goal

I am trying to inject an x64 DLL into the w3wp.exe process (IIS worker process) in order to debug my DLL with Visual Studio.

What I have done

I am using Extreme Injector V3 to do this. After selecting the debug build of my DLL and the w3wp.exe process from the process list in Extreme Injector, I click on Inject and am greeted with a MessageBox telling me that the injection completed successfully.

What I expect

I should see a MessageBoxA(0, "injected", 0, 0) from the DllMain. However, I don't see any such thing!

The code of the DLL

```cpp
int __stdcall DllMain(HMODULE base, unsigned long reason, void* args)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        return 1;
    }
    return 0;
}
```

random9453
  • `MessageBox()` (and any other function from `user32.dll`) is not safe to call from `DllMain()`. See [Dynamic-Link Library Best Practices](https://learn.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-best-practices). – Remy Lebeau Jan 22 '20 at 02:34
  • You can use `OutputDebugString()` and dbgview.exe if you want confirmation that your injection was successful. – Jonathan Potter Jan 22 '20 at 04:39
  • Why would you expect to see a message box? The code posted doesn't call `MessageBox` (ignoring that you cannot safely do this anyway). – IInspectable Jan 22 '20 at 07:00
  • @JonathanPotter I replaced `MessageBox` with `OutputDebugStringA("test")` and opened `DbgView.exe` as admin. I don't see "test" in the DbgView.exe output. Why is this? – random9453 Jan 23 '20 at 00:22
  • I guess your injection is failing. – Jonathan Potter Jan 23 '20 at 00:33
  • I can see the output by using `OutputDebugString` + `dbgview.exe`. Can you confirm that your injection succeeded? – Drake Wu Jan 23 '20 at 10:04
  • Does this answer your question? [Howto call MessageBox in dllmain](https://stackoverflow.com/questions/8377569/howto-call-messagebox-in-dllmain) – rustyx Apr 25 '20 at 13:33

1 Answer

> What I expect
>
> I should see a MessageBoxA(0, "injected", 0, 0) from the DllMain. However, I don't see any such thing!

Your code doesn't call MessageBox(), it just returns 1 on injection.

Despite this not being recommended, if you're just doing it for experimental purposes, the code should look like:

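```cpp
#include <windows.h>

int __stdcall DllMain(HMODULE base, unsigned long reason, void* args)
{
    if (reason == DLL_PROCESS_ATTACH)
    {
        MessageBoxA(0, "injected", 0, 0);
    }
    // Return nonzero: returning 0 on DLL_PROCESS_ATTACH makes the load fail.
    return 1;
}
```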

If that doesn't work, you need to try a different injector; make sure your injector is running as administrator.

If w3wp.exe is running as NT AUTHORITY\SYSTEM, you may need higher permissions.

GuidedHacking
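The comments keep returning to whether the DLL was actually loaded into w3wp.exe; one way to check is to list the worker process's loaded modules. This is an added example, not code from the question or the answer: `MyDebug.dll` is a placeholder name, and the script assumes an elevated 64-bit PowerShell session.

```powershell
# Added example: confirm whether a DLL is mapped into the IIS worker process.
# 'MyDebug.dll' is a placeholder (assumption); pass the file name of your DLL.
# Run from an elevated PowerShell of the same bitness as w3wp.exe (x64 here).
param([string]$DllName = 'MyDebug.dll')

$workers = Get-Process -Name w3wp -ErrorAction SilentlyContinue
if (-not $workers) {
    Write-Warning 'No w3wp.exe process is running (the app pool may be idle).'
    return
}

foreach ($p in $workers) {
    try {
        # Reading the module list fails when the caller lacks rights to the
        # process (non-elevated shell) or runs as a 32-bit host.
        $hit = $p.Modules | Where-Object { $_.ModuleName -ieq $DllName }
    } catch {
        Write-Warning "PID $($p.Id): cannot read module list: $($_.Exception.Message)"
        continue
    }

    # One row per worker: was the DLL found, and from which path was it loaded?
    [pscustomobject]@{
        ProcessId = $p.Id
        Loaded    = [bool]$hit
        Path      = ($hit | Select-Object -First 1).FileName
    }
}
```

A DLL loaded through the normal Windows loader appears in this list with its full path, independent of whether `DllMain` produced any visible output.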