DLL Injection works under conditions on Windows 11



#1

TCPFrame

Currently I am working on a personal project of testing Windows 11 for a DLL injection.
First of all allow me to share with you some general aspects / guidelines:
1. In order for a successful attack on a 64-bit architecture, your source code must be compiled in 'x64' mode.
2. I used Visual Studio 2019 and C++ for creating my test apps.
3. I use two methods for applying the DLL injection:
3.1. Method 1: Using the API function: CreateRemoteThread (https://learn.micros...ateremotethread)
3.2. Method 2: Using the API (undocumented) function: RtlCreateUserThread (http://undocumented....UserThread.html)

And, YES, I know, these methods are not new... but I just want to check/test them with Windows 11 and share my findings...

The DLL source code (the one that will inject the target process) is the following:

Hidden Content


Now, let's go to the DLL Injector source code, in CPP:
Hidden Content

 

I also wrote the DLL injector in C# (for .NET lovers):

Hidden Content

As you can see, the code in C# is a bit more compact (OK, OK, YES, there is no error handling...).

btw,... C# will handle the errors at runtime in a decent way (in debug mode)...

Again, the compilation is for the x64 architecture.

My goal is to run 'DllInjectionTest.exe', which will try to inject a process (its ID is passed as a command line argument) using the above DLL (its full path is passed as a command line argument), and when the injection succeeds I must see a command prompt window as a result.

In addition, I pass as a command line parameter the method of injection I would like to use (1 or 2).
Let's see an example of a successful execution.
The target process is Microsoft Word.
Supposing that its process ID is 21076:

[screenshot]

So, I run from the command line:

DllInjectionTest.exe 1 "\work\DLLInjection\BadDLL\x64\Debug\BadDLL.dll" 21076

Thus, I see this successful result:

[screenshot]

FINDINGS AND QUESTIONS

My test scenarios were:

1. Target on WINWORD (MS Word) process: Success

2. Target on MSEXCEL process: Success

3. Target on TOTALCMD64.EXE (the Total Commander app) process: Success

4. Target on explorer.exe process: Success

5. Target on notepad.exe (Windows Notepad) process: failed with no error!!

6. Target on notepad++.exe (Notepad++ editor) process: failed with no error!!

7. Target on CalculatorApp.exe (Windows Calculator) process: failed with no error!!

I repeated every test using:

a) The C++ injector using method #1: CreateRemoteThread
b) The C++ injector using method #2: RtlCreateUserThread
c) The C# injector (which is actually the same as (a)).

BUT, I see that my app ONLY CONDITIONALLY works!!

For (5, 6, 7) I am still investigating and researching to find a workaround, or, to be more specific, to find the actual root cause of the failures...

The odd thing about it is that I am getting a "SUCCESSFUL" response from my app, but no DLL code is attached (executed); thus, I see no command prompt window!

That's all for now...

If you have any suggestion about how to inject them, but more importantly why I cannot inject them, it will be more than welcome...!

Thank you!!


Edited by TCPFrame, 23 October 2022 - 07:06 PM.


KATA TON DAIMONA EAYTOY
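Both methods the post tests (CreateRemoteThread and the undocumented RtlCreateUserThread) end in the same kernel thread-creation notification, so Sysmon Event ID 8 (CreateRemoteThread) records the attempt whether or not LoadLibrary later succeeded, which is exactly the "SUCCESSFUL response but no window" case above: the injector only learns that the thread was created. The following Python triage is an added detection example, not code from this thread; the Event ID 8 records, paths and process IDs in it are constructed for illustration.

```python
import re

# Sysmon resolves a remote thread's start address to an exported symbol when it can;
# a start function of LoadLibrary* in kernel32 is the classic DLL-injector pattern.
LOADER_ENTRYPOINTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
PACKAGED_APP_DIR = re.compile(r"^C:\\Program Files\\WindowsApps\\", re.IGNORECASE)

# Constructed sample records using Sysmon Event ID 8 field names (values are made up).
SAMPLE_EVENTS = [
    {"UtcTime": "2022-10-23 16:01:02.100", "SourceProcessId": "4120", "TargetProcessId": "21076",
     "SourceImage": r"C:\work\DLLInjection\DllInjectionTest.exe",
     "TargetImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    {"UtcTime": "2022-10-23 16:05:40.512", "SourceProcessId": "4120", "TargetProcessId": "7312",
     "SourceImage": r"C:\work\DLLInjection\DllInjectionTest.exe",
     "TargetImage": r"C:\Program Files\WindowsApps\Notepad-package-placeholder\Notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryA"},
    # A debugger attaching also creates a remote thread, but it starts at DbgUiRemoteBreakin.
    {"UtcTime": "2022-10-23 16:10:11.004", "SourceProcessId": "5588", "TargetProcessId": "4120",
     "SourceImage": r"C:\Program Files\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "TargetImage": r"C:\work\DLLInjection\x64\Debug\DllInjectionTest.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "DbgUiRemoteBreakin"},
]

def triage_remote_threads(events):
    """Return one finding per cross-process thread whose entry point is a DLL loader.
    Thread creation is logged whether or not LoadLibrary later succeeded, so the finding
    fires even when the injected DLL never ran: the defender sees the attempt, not its outcome."""
    findings = []
    for ev in events:
        if ev["SourceProcessId"] == ev["TargetProcessId"]:
            continue  # a thread created in the caller's own process is not injection
        if ev["StartFunction"] not in LOADER_ENTRYPOINTS:
            continue
        findings.append({
            "time": ev["UtcTime"],
            "source": ev["SourceImage"],
            "target": ev["TargetImage"],
            "entry": ev["StartModule"].rsplit("\\", 1)[-1] + "!" + ev["StartFunction"],
            # Packaged (Store/UWP) apps run in an AppContainer, where the loader may fail to load
            # a DLL the package cannot read; the remote-thread creation is still the evidence.
            "packaged_app_target": bool(PACKAGED_APP_DIR.match(ev["TargetImage"])),
            "severity": "high",
        })
    return findings

if __name__ == "__main__":
    for f in triage_remote_threads(SAMPLE_EVENTS):
        flag = " (packaged app target)" if f["packaged_app_target"] else ""
        print(f"{f['time']} {f['severity']}: {f['source']} -> {f['target']} via {f['entry']}{flag}")
```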


#2

astrax64

You can use RemoteDLL to inject into a running process, or use CFF Explorer to inject DLL files or EXEs.

https://securityxplo...m/remotedll.php

But in some cases the app tells you that the injection is done but your external code can't launch; even AV will detect external code if it is malicious.


Edited by astrax64, 23 October 2022 - 01:37 PM.


#3

TCPFrame


> You can use RemoteDLL to inject into a running process, or use CFF Explorer to inject DLL files or EXEs.
>
> https://securityxplo...m/remotedll.php
>
> But in some cases the app tells you that the injection is done but your external code can't launch; even AV will detect external code if it is malicious.

Thanks for your note...

I tested RemoteDLL and I must say that I am not very happy with the results. Nevertheless, this app pushed me to find an explanation of the failures...

First of all, RemoteDLL returns a "fail" on a successful run. As you can see in the image below, the command window was opened even though RemoteDLL indicates a fail...

[screenshot]

But, in general, RemoteDLL has exactly the same behavior as my application.

Another drawback is that RemoteDLL does not work correctly (it actually freezes) when I run it as Admin and try to test it with my DLL.

BUT,... I saw that both apps (my app and RemoteDLL) cannot inject applications that are UWP (Universal Windows Platform) apps!!

They run from the "C:\Program Files\WindowsApps" path, instead of the others that run from "C:\Windows\System32\", "C:\Windows\", etc...



KATA TON DAIMONA EAYTOY


#4

astrax64

I tested this in the FF browser and it seems to work successfully

[screenshot]

Without ffhook.dll it will give an error like this; then, after adding ffhook.dll to the FF browser folder, it will launch successfully (injected)

[screenshot]

I also tried with cmd and some sys files

[screenshot]

then ..

[screenshot]

here is the ffhook.dll

[screenshot]

And for Win 11/10 the same thing

[screenshot]

successfully injected:

[screenshot]

and here is ffhook.dll

[screenshot]

Bypassing UAC is also needed here to make sure that the injection is done successfully.


Edited by astrax64, 24 October 2022 - 10:12 AM.


#5

TCPFrame

@astrax64

Can you try it please in:

  • windows 11 for: Calculator & Notepad and
  • windows10 for: Calculator

In my case, there was a problem because these apps are UWP (Universal Windows Platform) apps and maybe we'll need some mod/s on the actual code of the injector... B)


Edited by TCPFrame, 24 October 2022 - 01:40 PM.


KATA TON DAIMONA EAYTOY


#6

astrax64

For Calculator in Win11:

[screenshot]

successfully injected; without ffhook.dll it can't launch

[screenshot]

now, after copying ffhook.dll inside the sys files, here is the result (injected)

[screenshot]

[screenshot]

For Notepad the same thing happened

Notice: make sure that your baddll is compatible with notepad.exe (64 bit)

[screenshot]

now it's successfully injected

[screenshot]

now, after copying hookdll inside the sys files, here is the result

[screenshot]

For Win 10 the same thing happened.

You can't edit sys files without bypassing UAC.

You can change the file security manually: just remove TrustedInstaller and add some users, not the admin.

Even if you change the path of these files (notepad and calculator), copying them outside the sys files, this will not work.


Edited by astrax64, 24 October 2022 - 03:47 PM.


#7

idaproking

I'll check this file :)



#8

TCPFrame

@astrax64, I think we are checking different things:

1. What is 'ffhook.dll'? Is it part of the RemoteDLL application? I just use my own DLL...

2. What are the parameters that you pass to the RemoteDLL application?

3. Please check that the processes you try to inject run from the "C:\Program Files\WindowsApps" directory and not from system32 etc...

[Check the "IMAGE PATH NAME" at run time, not the path where the executable is located...]

[screenshot]

Also check the difference between UWP (Universal Windows Platform) applications and conventional applications... ;)


Edited by TCPFrame, 25 October 2022 - 06:09 PM.


KATA TON DAIMONA EAYTOY


#9

astrax64

> @astrax64, I think we are checking different things:
>
> 1. What is 'ffhook.dll'? Is it part of the RemoteDLL application? I just use my own DLL...
> 2. What are the parameters that you pass to the RemoteDLL application?
> 3. Please check that the processes you try to inject run from the "C:\Program Files\WindowsApps" directory and not from system32 etc...
> [Check the "IMAGE PATH NAME" at run time, not the path where the executable is located...]
>
> [screenshot]
>
> Also check the difference between UWP (Universal Windows Platform) applications and conventional applications... ;)

Hi

ffhook is my own DLL, not part of the remote app; it has one external func, init.

I am using CFF Explorer to rebuild the tables with my new imported functions, as you see in my last reply, then use RemoteDLL to inject that process.

Now I have just updated Win11 because the WindowsApps folder was empty and all my apps started from sys32.
I can see the WindowsApps folder full of apps. I have noticed that Microsoft disables permissions inside this folder; you can bypass this manually from the security tab. But when I try to inject notepad :) ...

I deleted notepad from its folder; when I tried to replace it with my injectable one... no good result :)
But I am sure that some of these Windows apps are using some resources that are inside sys32... so you can inject one of them.


Edited by astrax64, 26 October 2022 - 04:02 PM.


#10

TCPFrame

> Hi
>
> ffhook is my own DLL, not part of the remote app; it has one external func, init.
>
> I am using CFF Explorer to rebuild the tables with my new imported functions, as you see in my last reply, then use RemoteDLL to inject that process.
>
> Now I have just updated Win11 because the WindowsApps folder was empty and all my apps started from sys32.
> I can see the WindowsApps folder full of apps. I have noticed that Microsoft disables permissions inside this folder; you can bypass this manually from the security tab. But when I try to inject notepad :) ...
>
> I deleted notepad from its folder; when I tried to replace it with my injectable one... no good result :)
> But I am sure that some of these Windows apps are using some resources that are inside sys32... so you can inject one of them.

Well... OOook my friend! I understand now, and I see your point...

Just one more thing to clarify:

You can see a program (an executable) in System32 on your disk, but when you execute it you will see a different image path in the Task Manager, as you can see in the following image (for the Calculator app) on my Windows 10 box. :)

[screenshot]



KATA TON DAIMONA EAYTOY


