_NativeInjectionEntryPoint@4

Dec 18, 2008 at 12:39 AM
Hi Chris,

I know how pressed for time you must be. Thanks for reading this.

First: excellent product, very well documented, source included - truly very good. Not easy to do at all. Might be EasyHook but NotTooEasy to publish.

Alright, I will sound like a total novice, but I cannot get my TestDLL to register with the remote calling. It states that the native entry point cannot be found.

The first problem may be that creating a function named "_NativeInjectionEntryPoint@4()" will not compile. As such, I resorted to DEF files to export that name equated to another process.

/// DEF file
LIBRARY    TestDLL
EXPORTS
    _NativeInjectionEntryPoint@4=DllStart
    DllStart
/// end DEF file

/// TestDLL
#include <windows.h>
#include "EasyHook.h"

// Runs on process attach/detach; the beeps make the load itself audible.
BOOL APIENTRY DllMain( HMODULE hModule, DWORD  ul_reason_for_call, LPVOID lpReserved )
    {
    int beepctr = 4;
    while(beepctr--)
        {
        MessageBeep(321);
        Sleep(100);
        }

    return TRUE;
    }


/*
// Does not compile: '@' is not a legal character in a C/C++ identifier.
void __stdcall _NativeInjectionEntryPoint@4()
    {
    }
*/

// Exported under the alias given in the DEF file above; EasyHook calls it
// after the DLL has been loaded in the target process.
void __stdcall DllStart(REMOTE_ENTRY_INFO* InRemoteInfo)
    {
    int beepctr = 10;
    while(beepctr--)
        {
        MessageBeep(123);
        Sleep(1000);
        }
    return;
    }
/// end TestDLL


I lifted your source code from the remote loader module into my test load program (modifications to your Unmanaged.cpp file) as below. The DLL loads, beeps in the DllMain section, and does get the error trying to load the entry point. I have tried different variants of specifying the _NativeInjectionEntryPoint@4 declaration, but they all seem to fail.

    LPCWSTR p_c = L"TestDLL.dll";
    ULONG                    ErrorCode = 0;
    HMODULE                 hUserLib = LoadLibraryW(p_c);
    if( hUserLib == NULL )
        {
        ErrorCode = GetLastError();   // the library itself failed to load
        }
    REMOTE_ENTRY_INFO       EntryInfo;
    // Same lookup EasyHook's loader performs: the decorated __stdcall name
    // on x86, the undecorated name on x64.
    REMOTE_ENTRY_POINT*     EntryProc = (REMOTE_ENTRY_POINT*)GetProcAddress(
                                hUserLib,
#ifdef _M_X64
                                "NativeInjectionEntryPoint");
#else
                                "_NativeInjectionEntryPoint@4");
#endif
    if( EntryProc == NULL )
        {
        ErrorCode = GetLastError();   // this is the "entry point cannot be found" case
        }

// This works
    LPCSTR p_cs = "DllStart";
    REMOTE_ENTRY_POINT* p_fwin = (REMOTE_ENTRY_POINT*)GetProcAddress(hUserLib,p_cs);
    if( p_fwin != NULL )
        {
        p_fwin(NULL);   // DllStart does not dereference its argument, so NULL is safe here
        }

I hope this is very simple!

VCC version is 2003; I do not have access to your versions (tried opening projects and get version errors).

Thank you again for your time,

Thomas


Dec 18, 2008 at 2:04 AM
Thomas,

Just declare your function as:

void __stdcall NativeInjectionEntryPoint(REMOTE_ENTRY_INFO* InRemoteInfo);

VCC adds the preceding underscore and the @4 automatically and invisibly.

Hope that helps,
Daniel

Dec 18, 2008 at 5:16 AM
Daniel,

Tonight you can go to bed knowing you are a God. Thank you!

I suppose I could have just turned on the /MAP option to determine the output. Forgot those lessons from so many years ago.

Output from my debug file of the DLL attached to a remote process :

-----------------------
HostPID[776]
CurrentPID[3904]
-----------------------

The HostPID is from the REMOTE_ENTRY_INFO* InRemoteInfo->HostPID field. So that is actually the PID of the process [776] that injected the DLL into the target [3904].

The Eagle has Landed - in someone else's backyard!

Take care,
Thomas

Oct 29, 2013 at 7:11 PM
I had an issue with my compiler not decorating NativeInjectionEntryPoint as expected for 32-bit. I fixed it by recompiling the source to look for the undecorated name and then exporting that exact name with a linker def file.
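As an added illustration of the name decoration Daniel describes and of the undecorated-name workaround in the last reply (this is example code written for this page, not EasyHook's code and not code posted by anyone in the thread): on x86, MSVC exports an `extern "C"` `__stdcall` function as `_Name@N`, where N is the total size of the arguments in bytes (one pointer is 4 bytes, hence `_NativeInjectionEntryPoint@4`); on x64 there is a single calling convention and the name is left undecorated. One caveat that follows from the same rule: in a `.cpp` file the function must be declared `extern "C"`, otherwise the compiler applies C++ name mangling instead of the `_Name@N` form. The export tables below are constructed stand-ins for a DLL's export directory, and the helper names (`stdcall_decorated_name`, `find_export`, `resolve_entry_point`) are invented for the example; the code is portable C so it can be run anywhere.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Build the export name MSVC produces for a __stdcall function with C linkage.
 * x86: leading underscore, then '@' and the total size of the arguments in bytes;
 *      one pointer argument is 4 bytes, hence "_NativeInjectionEntryPoint@4".
 * x64: one calling convention for everything, so the name is left undecorated.
 * Returns the length written, or -1 if the buffer is too small. */
int stdcall_decorated_name(const char *name, unsigned arg_bytes, int is_x64,
                           char *out, size_t outlen)
{
    int n = is_x64 ? snprintf(out, outlen, "%s", name)
                   : snprintf(out, outlen, "_%s@%u", name, arg_bytes);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Constructed stand-in for a DLL's export directory: just the exported names.
 * GetProcAddress compares these byte for byte, which is why decoration matters. */
struct export_table {
    const char **names;
    size_t count;
};

/* Index of the export whose name matches exactly, or -1 if absent. */
int find_export(const struct export_table *t, const char *name)
{
    for (size_t i = 0; i < t->count; i++)
        if (strcmp(t->names[i], name) == 0)
            return (int)i;
    return -1;
}

/* Resolve an entry point the way the loader snippet in the thread does (the
 * platform-decorated name), with the fallback the 2013 reply relies on: if the
 * decorated name is absent, accept the plain name exported through a .def file.
 * Returns the export index, or -1 for "entry point cannot be found". */
int resolve_entry_point(const struct export_table *t, const char *base,
                        unsigned arg_bytes, int is_x64)
{
    char decorated[256];
    if (stdcall_decorated_name(base, arg_bytes, is_x64, decorated, sizeof decorated) < 0)
        return -1;
    int idx = find_export(t, decorated);
    return idx >= 0 ? idx : find_export(t, base);
}

int main(void)
{
    const char *entry = "NativeInjectionEntryPoint";

    /* Case 1 (constructed): x86 DLL built from the declaration in Daniel's reply, C linkage. */
    const char *built_x86[] = { "_NativeInjectionEntryPoint@4", "_DllStart@4" };
    struct export_table t1 = { built_x86, 2 };

    /* Case 2 (constructed): DLL whose .def file exports the exact undecorated name. */
    const char *def_plain[] = { "NativeInjectionEntryPoint" };
    struct export_table t2 = { def_plain, 1 };

    /* Case 3 (constructed): DLL that only exports DllStart, so the EasyHook name is absent. */
    const char *only_dllstart[] = { "DllStart" };
    struct export_table t3 = { only_dllstart, 1 };

    printf("x86, compiler-decorated export : index %d\n", resolve_entry_point(&t1, entry, 4, 0));
    printf("x86, .def undecorated export   : index %d\n", resolve_entry_point(&t2, entry, 4, 0));
    printf("x64, .def undecorated export   : index %d\n", resolve_entry_point(&t2, entry, 8, 1));
    printf("x86, DllStart only             : index %d\n", resolve_entry_point(&t3, entry, 4, 0));
    return 0;
}
```

Case 3 reproduces the original symptom: the DLL loads and `DllStart` is present, but the name the loader asks for is not in the export table, so the lookup fails regardless of which name the function has inside the source file. The same check is useful from the other direction, when inspecting a DLL's export list to confirm which decoration a build actually emitted before assuming the compiler did what the source suggests.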