Dll Ejection

[Sel3n]

Hi,

I'm trying to write a dll injector/ejector.

My inject code work fully but my eject code notify my dll is ejected but isn't ejected...

It is my eject code

Code:

private static bool EjectModule()
        {
            IntPtr hProcess = new IntPtr(0);
            IntPtr hModule = new IntPtr(0);
            int LenWrite = DllName.Length + 1;

            hProcess = OpenProcess(PROCESS_ALL_ACCESS, false, (uint)loadedPID);

            try
            {
                IntPtr ModDll32 = GetModuleHandle("kernel32.dll");
                IntPtr MyModDll = GetModuleHandle(nameofdll);
                if (ModDll32 != null)
                {
                    hModule = VirtualAllocEx(hProcess, IntPtr.Zero, (UIntPtr)LenWrite, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
                    if (MyModDll != null && hModule != null)
                    {
                        IntPtr hDllThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary"), hModule, 0, 0);
                        if (hDllThread != null)
                        {
                            if (WaitForSingleObject(hDllThread, INFINITE) != WAIT_FAILED)
                            {
                                CloseHandle(hDllThread);
                                CloseHandle(hProcess);
                                Console.WriteLine("Dll ejected succesfully!");
                                //loadedPID = 0;
                                Console.WriteLine("Press any key to continue...");
                                Console.ReadKey();
                                return true;
                            }
                            else
                            {
                                CloseHandle(hDllThread);
                                throw new Exception("unknow error =S");
                            }
                        }
                        else throw new Exception("CreateRemoteThread failed"); 
                    }
                    else throw new Exception("Can't found injected dll, or can't allocate memory");
                }
                else throw new Exception("Can't found kernel32.dll");
            }
            catch (Exception e)
            {
                Console.WriteLine("Failure on trying eject module");
                Console.WriteLine("Exception :");
                Console.WriteLine(e.ToString());
                Console.WriteLine("Press any key to continue...");
                Console.ReadKey();
                return false;
            }

            CloseHandle(hProcess);
        }

I thinks this code fail at

Code:

IntPtr hDllThread = CreateRemoteThread(hProcess, IntPtr.Zero, 0, GetProcAddress(GetModuleHandle("kernel32.dll"), "FreeLibrary"), hModule, 0, 0);

Thanks in advance.

[insignia96]

wtf is dll ejection?

[Sel3n]

The opposite of dll injection, no?

[Cypher]

Your code makes no sense.

You can't just call GetModuleHandle in your loader with the name of the DLL you've injected and expect it to return a valid handle...

You need to enumerate the modules REMOTELY with ToolHelp32Snapshot, or, save the value returned by LoadLibrary in your injection code. Though, that only works on x86 because thread exit codes are stored as DWORDs and on x64 you need a 64-bit address, so the top half may be truncated.

Hence, if you want to do it properly you must enumerate the modules remotely to get the address, then call FreeLibrary on the base of the module once you've found it.

[Sel3n]

Thanks Cypher, I didn't know "ToolHelp32Snapshot", but it's very usefull (MSDN pawaa =)


Thanks!