Injecting Procedure to another process
and if someone wonders what to do with this here is an example:
Inject hooking code, that will shift out an api command. That way the command that gets the code can execute it. Very nice for copy and cracking protection if you are a little creative!
edit: of course this has bad uses too, but much does. I won't tell what the bad idea is, but it's a real nasty one. Of course I won't use it for that bad idea... but again, every code has good and bad sides! This code can be VERY helpful for programmers wanting to avoid crackers. Btw, does it work on 9x too? Can anyone test?
-
- User
- Posts: 54
- Joined: Mon Jul 18, 2005 10:28 am
Re: Injecting Procedure to another process
okasvi wrote:
> dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
> to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the filesize of the created executable you need to change that.
> eg. I stopped using Droopylib and got filesize from around 22,5kb to 7,5kb so injection didn't work any more but it can be fixed with replacing "32768" with "32768/2"...
> 2. doesn't work with debugger for some reason I don't know

I hope this works for you

DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.
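What the one-liner in the post above reads, shown as an added example that is not part of the original thread: it follows `e_lfanew` at offset `$3c` of the DOS header to the NT headers and takes the 32-bit `SizeOfImage` field at offset `$50` from there. The function names and the sample bytes are constructed for illustration, and the parser adds the signature and bounds checks the one-liner omits.

```python
import struct

def build_sample_header(e_lfanew=0x80, size=0x8000):
    """Constructed header bytes for the demo (not a loadable executable)."""
    buf = bytearray(e_lfanew + 0x58)
    buf[0:2] = b"MZ"                                      # IMAGE_DOS_HEADER.e_magic
    struct.pack_into("<I", buf, 0x3C, e_lfanew)           # IMAGE_DOS_HEADER.e_lfanew
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"                # IMAGE_NT_HEADERS.Signature
    struct.pack_into("<H", buf, e_lfanew + 0x18, 0x10B)   # OptionalHeader.Magic (PE32)
    struct.pack_into("<I", buf, e_lfanew + 0x50, size)    # OptionalHeader.SizeOfImage
    return bytes(buf)

def size_of_image(image: bytes) -> int:
    """Return OptionalHeader.SizeOfImage after validating the headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    # e_lfanew is a 32-bit field; the PeekW in the post reads only 16 bits of it.
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 0x54 > len(image):
        raise ValueError("e_lfanew points outside the buffer")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The optional header starts 0x18 bytes into the NT headers.
    (magic,) = struct.unpack_from("<H", image, e_lfanew + 0x18)
    if magic not in (0x10B, 0x20B):                       # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # SizeOfImage sits 0x38 bytes into the optional header in both
    # PE32 and PE32+, hence the constant $50 (0x18 + 0x38).
    (size,) = struct.unpack_from("<I", image, e_lfanew + 0x50)
    return size

if __name__ == "__main__":
    print(size_of_image(build_sample_header()))
```
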
Re: Injecting Procedure to another process
FreeThought wrote:
> okasvi wrote:
> > dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
> > to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the filesize of the created executable you need to change that.
> > eg. I stopped using Droopylib and got filesize from around 22,5kb to 7,5kb so injection didn't work any more but it can be fixed with replacing "32768" with "32768/2"...
> > 2. doesn't work with debugger for some reason I don't know
>
> I hope this works for you
> DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
> regards.

Thanks, it works
I would like to know if this works on 9x/2k
edit: updated code on first post
The problem is that in the thread you can't run any kind of code.
I test with msgbox and works, but can make any other call to make it work, tried some API calls or PB functions and all fails.
This is the most I can make run atm from mspaint.exe:
Code: Select all
Procedure RemoteThread()
  ;MessageRequester("Success","Injection worked.")
  ;Delay(1500)
  Repeat
    Beep(1999,1) ;Just to know its running
    Delay(320)
    cont+1
    If cont = 20
      a$ = "hello world"
      MessageRequester("",a$)
      cont = 0
    EndIf
  ForEver
EndProcedure
ARGENTINA WORLD CHAMPION
-
- User
- Posts: 54
- Joined: Mon Jul 18, 2005 10:28 am
deleted by freethought
Last edited by FreeThought on Mon Sep 05, 2005 12:47 pm, edited 1 time in total.
-
- Addict
- Posts: 1648
- Joined: Mon Sep 20, 2004 3:52 pm
- Contact:
FreeThought wrote:
> please forgive me, but I still don't understand the code. GetModuleHandle_(0) should return the handle to the calling process. Why VirtualAlloc a region that is already allocated? It is nice of you if you can clarify. Thanks
> regards

I'm not sure since I'm still learning this stuff myself...
have you done this before?
@okasvi
it fails on win98
Best regards
Henrik
Code: Select all
;RemoteProcedureInjection :D
;credits goes for D-oNe for original code in C++, for Pupil for pointing out that i should use long with pbModule, for FreeThought way to get dwSize dynamically... thanks :D
;okasvi
Procedure RemoteThread()
  MessageRequester("Success","Injection worked.")
EndProcedure

Procedure InjectCode(Process.s, *lpCodeToInject)
  RunProgram(Process)
  dwPID = GetPidProcess(GetFilePart(Process))
  Debug Hex(dwPID)
  hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)
  Debug hProcess
  dwWritten.l = #Null
  pbModule.l = GetModuleHandle_(#Null)
  Debug pbModule.l
  DwSize.l = PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
  Debug DwSize.l
  ;******************************
  TestRelease.l = VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE) ;<<-- *** TestRelease.l = 0
  Debug TestRelease.l ;<- *** Fails here ** TestRelease.l is 0 ***
  lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE) ;<<-- *** lpBuffer.l = 0
  Debug lpBuffer.l ; <- *** And obviously here too NULL ***
  ;******************************
  If lpBuffer = #Null : ProcedureReturn #False : EndIf
  If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
    ProcedureReturn #False
  EndIf
  hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
  If hThread=#Null : ProcedureReturn #False : EndIf
  CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
  MessageRequester("Error!", "Injection failed!")
EndIf
End
- DoubleDutch
- Addict
- Posts: 3219
- Joined: Thu Aug 07, 2003 7:01 pm
- Location: United Kingdom
- Contact:
I wonder what would happen if you injected into msn messenger then start a server app, will a firewall trigger alarms - or will it assume that msn is creating the server and let it work okay...
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system