
Dll Code:

```c
#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    MessageBoxW(NULL, L"Hello world!", L"Test DLL", MB_OK);

    return TRUE;
}
```

LoadLibrary Code:

```c
#include <windows.h>

int main()
{
    LoadLibrary("dll.dll");
    return 0;
}
```

When I load the dll with the above code the message box pops up as expected.

When I instead try to inject the dll with any injector I was able to find, DllMain never gets called.

The target process and dll architecture are both x64. The target process has the required library for MessageBoxW() already loaded. If needed, this is how I compile the dll (mingw): `gcc.exe main.cpp -shared -fPIC -o dll.dll`

Maybe I'm unlucky with the 5 injectors I already tried, any recommendations?

What else could cause the message box to not pop up?

Cu29p
  • The family of things to consider fair-game for DllMain is [substantially limited](https://stackoverflow.com/questions/5834508/usage-limitations-during-the-dllmain-attach-and-detach-process). Two guesses as to which side of that fence MessageBox lays. You're just asking for a loader lock. – WhozCraig Apr 04 '20 at 13:26
  • @WhozCraig From your link: _It is legal to do the following: Create and initialize synchronization objects. Open, read from, and write to files._ I tried to write to a file with ofstream, which didn't work. Do you know anything else that could make the injection apparent without causing a loader lock? – Cu29p Apr 04 '20 at 13:50
  • OutputDebugString and use DebugView to monitor. That's what I always use. Of course, I've yet to come across a reason in my business for DLL injection, but so it goes. GL. – WhozCraig Apr 04 '20 at 13:52
  • The debug monitor is very nice, thanks. Though the string only appears when I load the dll myself. It seems there is an issue with the injectors. I will try to find a working one. – Cu29p Apr 04 '20 at 14:07
  • You may also want to get a cheat sheet and do some spelunking with WinDbg (aka wind-bag, as it is commonly called). It's a dreadfully archaic, but nonetheless *remarkable* debugging tool for all kinds of things, including kernel-level debugging. It's worth spending a day to get familiar with that tool, believe me. Best of luck. – WhozCraig Apr 04 '20 at 14:10

1 Answer

Looks like the injectors weren't working. Finally found one called "Remote DLL" from securityxploded.com, making strings show up on DebugView. Thanks to @WhozCraig.

Cu29p
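A logging-only DllMain along the lines the comments suggest, as an added example that is not code from the question or its answer: it acts only on process attach and detach and emits a single line through OutputDebugString, which DebugView displays, instead of opening a message box under the loader lock. The helper names `reason_name` and `format_trace` and the `[testdll]` prefix are assumptions made here; the Windows part is guarded so the helpers also compile elsewhere.

```c
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Map the fdwReason values DllMain receives (Windows SDK constants) to names. */
static const char *reason_name(unsigned long reason)
{
    switch (reason) {
    case 0:  return "DLL_PROCESS_DETACH";
    case 1:  return "DLL_PROCESS_ATTACH";
    case 2:  return "DLL_THREAD_ATTACH";
    case 3:  return "DLL_THREAD_DETACH";
    default: return "UNKNOWN";
    }
}

/* Build one trace line in a caller-supplied buffer.
 * Returns the number of characters written, or -1 if it would not fit. */
static int format_trace(char *buf, size_t len, unsigned long pid,
                        unsigned long reason)
{
    int n = snprintf(buf, len, "[testdll] pid=%lu reason=%s\n",
                     pid, reason_name(reason));
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

#ifdef _WIN32
BOOL APIENTRY DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    char line[96];
    (void)lpvReserved;

    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
        /* No per-thread work is needed, so skip thread notifications. */
        DisableThreadLibraryCalls(hinstDLL);
        /* fall through */
    case DLL_PROCESS_DETACH:
        /* OutputDebugStringA lives in kernel32, which is always loaded;
         * no window, no message loop, no wait on other threads. */
        if (format_trace(line, sizeof line, GetCurrentProcessId(), fdwReason) > 0)
            OutputDebugStringA(line);
        break;
    }
    return TRUE;
}
#endif
```

The process ID in the trace line shows in DebugView which process actually ran DllMain, which separates "the DLL never loaded in the target" from "it loaded somewhere else".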