Injecting Procedure to another process

Posted: Sun Sep 04, 2005 1:17 am
by okasvi
Code updated for 5.20+

Injects a Procedure (RemoteThread()) into another process (notepad.exe)...
a lot of the code is now coded by DarkDragon, so I hope he is fine with me putting it here

CreateRemoteThread is not supported on Windows 9x
uses the latest droopylib

Method without create process as suspended

Code:

;thanks for everyone who have helped with this
DisableDebugger ;DISABLES DEBUGGER! This is needed.
Procedure RemoteThread()
	MessageRequester("Success","Injection worked.")
EndProcedure

Procedure InjectCode(Process.s, *lpCodeToInject)
	RunProgram(Process)
	dwPID = GetPidProcess(GetFilePart(Process))
	hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)
	dwWritten.l = #Null 
	pbModule.l = GetModuleHandle_(#Null)
	DwSize.l = PeekL(pbModule + PeekW(pbModule + $3c) + $50)
	VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE)
	lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
	If lpBuffer = #Null :   ProcedureReturn #False : EndIf
	If WriteProcessMemory_(hProcess, pbModule, pbModule, dwSize, dwWritten) = 0
		ProcedureReturn #False
	EndIf
	hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
	If hThread=#Null : ProcedureReturn #False : EndIf
	CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End

alternative method:

Code:

;whole idea to use create process as suspended is by DarkDragon
;thanks for everyone who have helped with this
DisableDebugger ;DISABLES DEBUGGER! This is needed.
Procedure RemoteThread()
   MessageRequester("Success", "Injection succeeded!")
EndProcedure
Procedure InjectCode(Process.s, *lpCodeToInject)
   CreateProcess_(0,Process.s,0,0,0,#CREATE_SUSPENDED,0,0,@sinfo.STARTUPINFO,@pinfo.PROCESS_INFORMATION)
   dwPID = pinfo\dwProcessId
   hProcess = pinfo\hProcess
   dwWritten = #Null : pbModule = GetModuleHandle_(0) : DwSize = PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
   VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE)
   lpBuffer = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
   If lpBuffer = #Null : While ResumeThread_(pinfo\hThread)>1 : Wend : CloseHandle_(hProcess)  :   ProcedureReturn #False : EndIf
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
      While ResumeThread_(pinfo\hThread)>1 : Wend : CloseHandle_(hProcess)
      ProcedureReturn #False
   EndIf
   hThread = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
 
   If hThread=#Null : CloseHandle_(hProcess) : ProcedureReturn #False : EndIf
   While ResumeThread_(pinfo\hThread)>1 : Wend
   CloseHandle_(hThread)
   ProcedureReturn #True
EndProcedure
 
If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End
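As an added, defender-side example that is not part of the original post: the technique above is visible to endpoint telemetry as a thread created by one process inside another. The Python below runs a simple rule over constructed Sysmon Event ID 8 (CreateRemoteThread) style records and flags cross-process thread creation, with extra weight when the thread's start address is not backed by any module loaded in the target (the copied image above lives in freshly allocated memory, so StartModule would be empty). The record format, the baseline list of known legitimate injectors, and the sample lines are all assumptions made for this example.

```python
"""Flag cross-process thread creation in Sysmon Event ID 8 style records."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records in a flattened key=value form (not real telemetry).
SAMPLE_EVENTS = [
    "EventID=8|SourceImage=C:\\Users\\dev\\inject.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartAddress=0x00401000|StartModule=",
    "EventID=8|SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartAddress=0x77E0B2F0|StartModule=C:\\Windows\\System32\\ntdll.dll",
    "EventID=8|SourceImage=C:\\Windows\\notepad.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartAddress=0x00403000|StartModule=C:\\Windows\\notepad.exe",
    "EventID=1|Image=C:\\Windows\\notepad.exe|ParentImage=C:\\Users\\dev\\inject.exe",
]

# Assumed baseline: system processes that legitimately create threads in other processes.
KNOWN_INJECTORS = {"c:\\windows\\system32\\csrss.exe"}


@dataclass
class Finding:
    source: str
    target: str
    start_address: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' record into a dict (empty values allowed)."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def detect_remote_threads(lines: List[str]) -> List[Finding]:
    """Return one Finding per Event ID 8 whose source and target process differ."""
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "8":
            continue
        src, tgt = ev.get("SourceImage", ""), ev.get("TargetImage", "")
        if src.lower() == tgt.lower():
            continue  # a process starting a thread in itself is normal
        if src.lower() in KNOWN_INJECTORS:
            continue  # baselined system behaviour
        reason = "cross-process thread creation"
        if not ev.get("StartModule"):
            reason += "; start address not backed by a loaded module"
        findings.append(Finding(src, tgt, ev.get("StartAddress", ""), reason))
    return findings
```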

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 1:59 am
by PB
> for Pupil being only one who replied my thread

:roll:

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 2:01 am
by okasvi
PB wrote:
> for Pupil being only one who replied my thread
> :roll:

well, he was the only one who replied and even posted something that was useful to me...

anyway, do you mind posting some comments about this?

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 2:18 am
by PB
> he was only one who replied and even posted something that was useful for me

So what? He was obviously the only person who knew how to help. I'm sick
of people bitching here about "no help" as though we're expected to jump at
a moment's notice; as if we're personal tech support for people on call 24
hours a day. If nobody replies, too bad. Don't post evil faces and make
smart-ass comments that insult the rest of us. If I could have helped, then
I would have. I don't need to come here and be directly insulted with a
comment of "being only one who replied". Think about it!

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 2:21 am
by okasvi
PB wrote:
> he was only one who replied and even posted something that was useful for me
>
> So what? He was obviously the only person who knew how to help. I'm sick
> of people bitching here about "no help" as though we're expected to jump at
> a moment's notice; as if we're personal tech support for people on call 24
> hours a day. If nobody replies, too bad. Don't post evil faces and make
> smart-ass comments that insult the rest of us. If I could have helped, then
> I would have. I don't need to come here and be directly insulted with a
> comment of "being only one who replied". Think about it!

sorry :roll:

Posted: Sun Sep 04, 2005 2:31 am
by Dare2
Hi okasvi.

What exactly does it do? :?

BTW:

I installed droopylib.
Ran in debug mode with JaPBe - PB v3.94 on XP.
Got the Microsoft message "Notepad encountered an error ...." [send] [don't send]

Posted: Sun Sep 04, 2005 2:53 am
by okasvi
try running without debug... works fine here and I'm on XP SP2 + latest updates... to tell you the truth I haven't tried it with debugging, but it works when I create an executable out of it (I tried calc.exe too and it worked)...

I'll test some things with it...

Posted: Sun Sep 04, 2005 3:28 am
by Dare2
Okay, will try that a bit later on (uninstalled droopylib and too lazy to find/reinstall just at mo).

Still clueless about what it does. What is the purpose/functionality of this? :)

Posted: Sun Sep 04, 2005 3:36 am
by okasvi
well, this example only injects the RemoteThread procedure into notepad :D
so it opens up notepad and then injects the MessageRequester into it...

I'll edit this so it won't need droopylib soon...

Posted: Sun Sep 04, 2005 4:48 am
by Rescator
Actually, this is like a process/function hook,
only it discards notepad's own code
and replaces it with your own procedure.

I don't see much use for this though, other than preventing certain programs from functioning, and *Ugh* viruses or spyware etc.

Unless I'm mistaken, what actually happens is that notepad's memory is dumped (or enough memory to "fit" the current program).
Then around 32KB is allocated to replace the freed memory.
Yeah, not the prettiest allocations, but.

Basically it's the same as taking a car, ripping out the insides,
replacing it with something else, and then turning on the radio.
It looks like the same car, but now the radio will automatically turn on
and it's no longer a radio. *laughs*

I'm surprised doing something like this is so easy though!
(no wonder Windows is full of so many holes)

I'm curious about the allocation though, I kinda half guess that it only works
with administrator privileges, so on a Guest or non-admin privilege user
this may fail.

Posted: Sun Sep 04, 2005 5:10 am
by Dare2
Okay, created an exe and ran it.
Notepad opened.
A message requester showed success.

So I guess it worked. :)

However I am still not sure how this could be useful, or used. Even after reading Rescator's post, none the wiser. Not saying it isn't ...

The change is not permanent (is it?) so it needs to have a prog running to do this sort of thing. The "resident virus" or "admin tool", as it were. :)

So .. what would be a practical use for injecting something into something else?

Posted: Sun Sep 04, 2005 5:29 am
by okasvi
The change is not permanent, and in fact it doesn't affect the process it is injected into at all (If I'm wrong here please correct me :D).

And for uses of this, you could e.g.:
- inject a procedure to hook anything within another executable.
- inject a procedure into any running process just to remove/modify your own exe (useful with autoupdates).
- etc. :D be creative

Posted: Sun Sep 04, 2005 5:44 am
by ricardo
okasvi wrote:
> The change is not permanent, and in fact it doesn't affect the process it is injected into at all (If I'm wrong here please correct me :D).
>
> And for uses of this, you could e.g.:
> - inject a procedure to hook anything within another executable.
> - inject a procedure into any running process just to remove/modify your own exe (useful with autoupdates).
> - etc. :D be creative

Can you give us an example with notepad.exe (the one you are using) of some useful usage, just to understand what you are doing.

If your exe closes... does the code you injected still run in the injected app?

Show us an example.

Thanks

Posted: Sun Sep 04, 2005 6:39 am
by okasvi
yes, the injected code will stay there and, as you can see from my code, right after it has successfully injected it will quit:

Code:

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End

and I don't have any examples since I just got this working today...

Posted: Sun Sep 04, 2005 7:04 am
by ricardo
dwSize is the size of the procedure you are going to inject.
As far as I can understand, it is the size of memory you need to allocate for injecting your code.
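An added note and example, not from the thread: the expression `PeekL(pbModule + PeekW(pbModule + $3c) + $50)` in the posted code does not measure one procedure. It reads the PE header of the injector's own module: `$3c` is `e_lfanew` (the offset of the `PE\0\0` signature), and `$50` past that signature is the `SizeOfImage` field of the PE32 optional header (4 bytes of signature + 20 bytes of file header + offset `$38` into the optional header). So dwSize is the whole in-memory size of the calling executable, which is why the entire image, not just `RemoteThread()`, is copied. The Python below reproduces that lookup on a constructed, header-only PE32 blob (the function names and the blob are assumptions made for this example).

```python
"""Read SizeOfImage from a PE32 header the way the forum code's Peek chain does."""
import struct

PE_SIGNATURE = b"PE\0\0"
OPT_MAGIC_PE32 = 0x10B


def size_of_image(image: bytes) -> int:
    """Return SizeOfImage, i.e. PeekL(base + PeekW(base + 0x3C) + 0x50) in PureBasic terms.

    e_lfanew is read as the 32-bit field the PE format defines; the posted code
    reads only 16 bits, which works because real headers keep it well below 64K.
    """
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    # Optional header starts 0x18 past the signature; its Magic tells PE32 from PE32+.
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic != OPT_MAGIC_PE32:
        raise ValueError("only the PE32 layout used by the forum code is handled")
    # SizeOfImage sits at optional-header offset 0x38, i.e. 0x18 + 0x38 = 0x50.
    return struct.unpack_from("<I", image, e_lfanew + 0x50)[0]


def build_minimal_pe32(size_of_image_value: int) -> bytes:
    """Construct a header-only PE32 blob for demonstration (not a runnable executable)."""
    e_lfanew = 0x80
    buf = bytearray(e_lfanew + 4 + 20 + 0xE0)  # signature + file header + PE32 optional header
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    struct.pack_into("<H", buf, e_lfanew + 4, 0x14C)              # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", buf, e_lfanew + 0x18, OPT_MAGIC_PE32)  # optional header Magic
    struct.pack_into("<I", buf, e_lfanew + 0x50, size_of_image_value)
    return bytes(buf)
```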