Currently I am working on a personal project of testing Windows 11 for a DLL injection.
First of all allow me to share with you some general aspects / guidelines:
1. In order for a successful attack on a 64-bit architecture, your source code must be compiled in 'x64' mode.
2. I used Visual Studio 2019 and C++ for creating my test apps.
3. I use two methods for applying the DLL injection:
3.1. Method 1: Using the API function: CreateRemoteThread (https://learn.micros...ateremotethread)
3.2. Method 2: Using the API (undocumented) function: RtlCreateUserThread (http://undocumented....UserThread.html)
And, YES, I know, these methods are not new... but I just want to check/test them with the Windows 11 and share my findings...
The DLL source code (the one that will inject the target process) is the following:
Now, let's go to the DLL Injector source code, in CPP:
I also wrote the DLL Injector in C# (for .NET lovers):
As you can see, the code in C# is a bit more compact (OK, OK, YES, there is no error handling...).
BTW, C# will handle the errors at runtime in a decent way (in debug mode)...
Again, the compilation is for the x64 architecture.
My goal is to run 'DllInjectionTest.exe', which will try to inject a process (its ID is passed as a command line argument) using the above DLL (its full path is passed as a command line argument); when the injection succeeds, I must see a command prompt window as a result.
In addition, I pass as a command line parameter the method of injection I would like to use (1 or 2).
Let's see an example of a successful execution.
The target process is Microsoft Word.
Supposing that its process ID is 21076:
So, I run from command line:
DllInjectionTest.exe 1 "\work\DLLInjection\BadDLL\x64\Debug\BadDLL.dll" 21076
Thus, I see this successful result:
FINDINGS AND QUESTIONS
My test scenarios were:
1. Target on WINWORD (MS Word) process : Success
2. Target on MSEXCEL process: Success
3. Target on TOTALCMD64.EXE (the Total Commander app) process: Success
4. Target on explorer.exe process: Success
5. Target on notepad.exe (Windows Notepad) process: failed with no error!!
6. Target on notepad++.exe (Notepad++ editor) process: failed with no error!!
7. Target on CalculatorApp.exe (Windows Calculator) process: failed with no error!!
I repeated every test using:
a) The C++ injector using method #1: CreateRemoteThread
b) The C++ injector using method #2: RtlCreateUserThread
c) The C# injector (which is actually the same as (a)).
BUT, I see that my app ONLY CONDITIONALLY works!!
For (5, 6, 7) I am still investigating and researching to find a workaround, or to be more specific: to find the actual root cause of the failures...
The odd thing about it is that I am getting a "SUCCESSFUL" response from my app, but no DLL code is attached (is executed), thus, I see no command prompt window!
That's all for now...
If you have any suggestion about how to inject them, but more importantly why I cannot inject them, it will be more than welcome...!
Thank you!!
Edited by TCPFrame, 23 October 2022 - 07:06 PM.