Injector

Library for injecting a shared library into a Linux or Windows process

Linux

Note: Don't use this library in production environments. This may stop processes forever. See Caveats.

I was inspired by linux-inject and the basic idea came from it. However the way to call __libc_dlopen_mode in libc.so.6 is thoroughly different.

• linux-inject writes about 80 bytes of code to the target process on x86_64. This writes only four or eight bytes.
• linux-inject writes code at the firstly found executable region of memory, which may be referred by other threads. This writes it at the entry point of libc.so.6, which will be referred by nobody unless the libc itself is executed as a program.

This was tested only on Ubuntu 16.04 x86_64 and Debian 8 arm64. It may not work on other distributions.

Windows

Windows version is also here. It uses well-known CreateRemoteThread+LoadLibrary technique to load a DLL into another process with some improvements.

1. It gets Win32 error messages when LoadLibrary fails by copying assembly code into the target process.
2. It can inject a 32-bit dll into a 32-bit process from x64 processes by checking the export entries in 32-bit kernel32.dll.

Note: It may work on Windows on ARM though I have not tested it because I have no ARM machines. Let me know if it really works.

Compilation

Linux

$ git clone https://github.com/kubo/injector.git
$ cd injector
$ make

The make command creates:

Windows

Open a Visual Studio command prompt and run the following commands:

$ git clone https://github.com/kubo/injector.git # Or use any other tool
$ cd injector
$ nmake -f Makefile.win32

The nmake command creates:

Usage

C API

#include <injector.h>

...

    injector_t *injector;
    void *handle;

    /* attach to a process whose process id is 1234. */
    if (injector_attach(&injector, 1234) != 0) {
        printf("ATTACH ERROR: %s\n", injector_error());
        return;
    }
    /* inject a shared library into the process. */
    if (injector_inject(injector, "/path/to/shared/library", NULL) != 0) {
        printf("INJECT ERROR: %s\n", injector_error());
    }
    /* inject another shared library. */
    if (injector_inject(injector, "/path/to/another/shared/library", &handle) != 0) {
        printf("INJECT ERROR: %s\n", injector_error());
    }

...

    /* uninject the second shared library. */
    if (injector_uninject(injector, handle) != 0) {
        printf("UNINJECT ERROR: %s\n", injector_error());
    }

    /* cleanup */
    injector_detach(injector);

Command line program

See Usage section and Sample section in linux-inject and substitute inject with injector in the page.

Tested Architectures

Linux

*1: x32 ABI
*2: failure with 64-bit target process isn't supported by 32-bit process.
*3: failure with x32-ABI target process is supported only by x86_64.
*4: tested on github actions

Windows

*1: failure with x64 target process isn't supported by x86 process.
*2: tested on github actions
*3: It may work though I have not tested it. Let me know if it really works.

Caveats

Caveat about ptrace() is same with linux-inject.

__libc_dlopen_mode internally calls malloc() and free(). If the target process is allocating or freeing memory and malloc() or free() holds a lock, this may stop the process forever. Same caveat is in linux-inject also.

License

Files under include and src are licensed under LGPL 2.1 or later.
Files under cmd are licensed under GPL 2 or later.
Files under util are licensed under 2-clause BSD.