Dave Kukfa Security bub

DLL Injection with an Old MMO Client

On and off over the past few months, I’ve been working on reversing the client of an old, out-of-service MMO I used to play. This post goes over basic DLL injection; I hope to update it as I move into more advanced techniques and demonstrate a possible use case.

To start off, we’re going to need a few tools. Process Explorer from the Sysinternals suite is used to inspect each running process and the DLLs it has loaded. I used Visual Studio to build the DLL and NCLoader to inject it, although there are other tools that can be substituted if preferred.

Use your program of choice to write the DLL and build it. Here’s the code I used:

#include <windows.h>

/*
 * DLL entry point. Windows calls this under the loader lock, so it should do
 * as little as possible. MessageBoxW is used here purely so we can see when
 * each notification fires; the W variant is called explicitly because the
 * strings are wide literals (plain MessageBox maps to MessageBoxA unless
 * UNICODE is defined, and the old casts would have hidden that mismatch).
 */
BOOL APIENTRY DllMain(HINSTANCE hInst     /* Library instance handle. */,
                      DWORD reason        /* Reason this function is being called. */,
                      LPVOID reserved     /* Not used. */)
{
    (void)hInst;
    (void)reserved;

    switch (reason)
    {
    case DLL_PROCESS_ATTACH:
        /* The target process has just mapped the DLL (e.g. via LoadLibrary). */
        MessageBoxW(0, L"From DLL\n", L"Process loading DLL", MB_ICONINFORMATION);
        break;

    case DLL_PROCESS_DETACH:
        /* The DLL is being unmapped, or the process is exiting. */
        MessageBoxW(0, L"From DLL\n", L"Process unloading DLL", MB_ICONINFORMATION);
        break;

    case DLL_THREAD_ATTACH:
        /* A thread was created in a process that already has the DLL loaded. */
        MessageBoxW(0, L"From DLL\n", L"Creating new thread", MB_ICONINFORMATION);
        break;

    case DLL_THREAD_DETACH:
        /* A thread is exiting cleanly. */
        MessageBoxW(0, L"From DLL\n", L"Thread exiting", MB_ICONINFORMATION);
        break;
    }

    return TRUE;
}

The code defines the DLL entry point function, which runs when a process loads or unloads the DLL, and again whenever a process that already has the DLL loaded creates or terminates a thread. In our case, we just throw up a message box letting us know what happened (not the best way of doing things, since DllMain runs under the loader lock and should avoid anything beyond minimal initialization, but for our test purposes it works). For more information, TutorialsPoint and MSDN have great pages on the topic.

Once we have the DLL built, open the target program (the MMO, in my case) and find it in Process Explorer. We’ll need the process ID (PID) of the target for the DLL injector.

Finding the PID using Process Explorer

Next, open the DLL injector and inject the DLL into the process. Using NCLoader:

Injecting using NCLoader

Notice that we can see the DLL loaded in the target process (the purple DLL in Process Explorer's lower pane), and that the DLL_PROCESS_ATTACH case triggered its message box when the process loaded the DLL.
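The same check Process Explorer gives us visually can be scripted, which is also how you would spot an unexpected DLL in a process you did not inject into yourself. The script below is an added example, not code from the original post or from NCLoader; it takes the PID found in Process Explorer, lists every module the process has loaded, and flags modules that sit outside the assumed-trusted directories (Windows, Program Files and the target's own install directory) or that lack a valid Authenticode signature. A freshly built test DLL like the one above will show up with both flags set.

```powershell
# Added example: enumerate the modules loaded in a process and flag the ones
# that look out of place. Run from an elevated PowerShell of the same bitness
# as the target (a 32-bit PowerShell cannot read a 64-bit process's modules).
param(
    [Parameter(Mandatory = $true)][int]$ProcessId
)

$proc = Get-Process -Id $ProcessId -ErrorAction Stop

# Directories from which a loaded module is considered expected. This is an
# assumption for the example; tighten or extend it for your own environment.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
if ($proc.Path) {
    $trustedRoots += (Split-Path -Parent $proc.Path)   # the target's own directory
}
$trustedRoots = $trustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }

foreach ($m in $proc.Modules) {
    $path = $m.FileName
    $flags = @()

    # Flag 1: module loaded from somewhere other than the trusted roots.
    $inTrustedRoot = $false
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inTrustedRoot = $true
            break
        }
    }
    if (-not $inTrustedRoot) { $flags += 'unexpected-path' }

    # Flag 2: module file is unsigned or its signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $flags += "sig:$($sig.Status)" }

    [pscustomobject]@{
        Module = $m.ModuleName
        Path   = $path
        Flags  = ($flags -join ',')
    }
}
```

Pipe the output through `Where-Object { $_.Flags }` to see only the flagged modules; an injected test DLL built in your own project directory typically shows `unexpected-path,sig:NotSigned`.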

The next step is to modify the DLL to include useful functionality for reversing the client. More to come soon!