Injecting Procedure to another process

Share your advanced PureBasic knowledge/code with the community.
ricardo
Addict
Posts: 2402
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

One tip: Size Of the structure IMAGE_OPTIONAL_HEADER32 is your answer.

*Don't ask me how to do it :oops: I don't know
ARGENTINA WORLD CHAMPION
thefool
Always Here
Posts: 5881
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

nice code!
thefool
Always Here
Posts: 5881
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

And if someone wonders what to do with this, here is an example:

Inject hooking code that will shift out an API command. That way the command that gets the code can execute it. Very nice for copy and cracking protection if you are a little creative!


edit: of course this has bad uses too, but much does. I won't tell what the bad idea is, but it's a real nasty one :) of course I won't use it for that bad idea.. but again, every code has good and bad sides! This code can be VERY helpful for programmers wanting to avoid crackers. btw does it work on 9x too? Can anyone test?
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

:idea:
Aha. Starting to see.
@}--`--,-- A rose by any other name ..
FreeThought
User
Posts: 54
Joined: Mon Jul 18, 2005 10:28 am

Re: Injecting Procedure to another process

Post by FreeThought »

okasvi wrote: dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage; to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the filesize of the created executable you need to change that.
eg. I stopped using Droopylib and got the filesize from around 22,5kb to 7,5kb so injection didn't work any more, but it can be fixed with replacing "32768" with "32768/2"...

2. doesn't work with debugger for some reason I don't know :?
I hope this works for you:
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.
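FreeThought's one-liner reads SizeOfImage straight out of the PE headers: e_lfanew at offset $3c of the module base, then offset $50 into the NT headers. As an added example (not code from this thread), here is the same lookup in Python with the checks a parser should make before trusting those offsets; the header blob it reads is constructed for the test, not a real executable.

```python
import struct

def build_sample_image(size_of_image, pe32plus=False):
    """Constructed minimal PE header blob (MZ stub, 'PE\\0\\0', file header,
    optional header) for exercising the parser. Not a real executable."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew is a 4-byte field
    magic = 0x20B if pe32plus else 0x10B                 # PE32+ / PE32
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 0xF0 if pe32plus else 0xE0
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, 0x38, size_of_image)     # OptionalHeader.SizeOfImage
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)

def size_of_image(image):
    """Return OptionalHeader.SizeOfImage, raising ValueError on a malformed header.

    SizeOfImage sits at the same offset (0x38 into the optional header, i.e.
    NT headers + 0x50) in both PE32 and PE32+, so the lookup in the thread is
    architecture-independent. Note that e_lfanew is a 32-bit field; the PureBasic
    tip reads it with PeekW, which only works while the value fits in 16 bits.
    """
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if e_lfanew + 0x54 > len(image):
        raise ValueError("e_lfanew points outside the buffer")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    magic = struct.unpack_from("<H", image, e_lfanew + 0x18)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    return struct.unpack_from("<I", image, e_lfanew + 0x50)[0]
```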
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Re: Injecting Procedure to another process

Post by okasvi »

FreeThought wrote:
okasvi wrote: dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage; to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the filesize of the created executable you need to change that.
eg. I stopped using Droopylib and got the filesize from around 22,5kb to 7,5kb so injection didn't work any more, but it can be fixed with replacing "32768" with "32768/2"...

2. doesn't work with debugger for some reason I don't know :?
I hope this works for you:
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.
Thanks, it works :D

I would like to know if this works on 9x/2k

edit: updated code on first post
ricardo
Addict
Posts: 2402
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

The problem is that in the thread you can't run any kind of code.

I tested with msgbox and it works, but I can't make any other call work; I tried some API calls and PB functions and all fail.

This is the most I can make run atm from mspaint.exe:


Procedure RemoteThread() 
    ;MessageRequester("Success","Injection worked.")
    ;Delay(1500)
    Repeat
        Beep(1999,1) ;Just to know its running
        Delay(320)
        cont+1
        If cont = 20
            a$ = "hello world"
            MessageRequester("",a$)
            cont = 0
        EndIf
    ForEver
EndProcedure 
ARGENTINA WORLD CHAMPION
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

I'll try something more complex and post it when I get it ready...
FreeThought
User
Posts: 54
Joined: Mon Jul 18, 2005 10:28 am

Post by FreeThought »

deleted by freethought
Last edited by FreeThought on Mon Sep 05, 2005 12:47 pm, edited 1 time in total.
dracflamloc
Addict
Posts: 1648
Joined: Mon Sep 20, 2004 3:52 pm

Post by dracflamloc »

This has its legitimate uses. Very nice. Similar to what I did on my DesktopRightMenu program.
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

FreeThought wrote: please forgive me, but I still don't understand the code. GetModuleHandle_(0) should
return the handle to the calling process. Why VirtualAlloc a region that is already allocated? It is nice of you if you can clarify. Thanks,
regards
I'm not sure :? since I'm still learning this stuff myself...
Have you done this before?
Henrik
Enthusiast
Posts: 404
Joined: Sat Apr 26, 2003 5:08 pm
Location: Denmark

Post by Henrik »

@okasvi
It fails on Win98 :?


;RemoteProcedureInjection :D
;credits goes for D-oNe for original code in C++, for Pupil for pointing out that i should use long with pbModule, for FreeThought way to get dwSize dynamically... thanks :D
;okasvi
Procedure RemoteThread()
   MessageRequester("Success","Injection worked.")
EndProcedure
Procedure InjectCode(Process.s, *lpCodeToInject)
   RunProgram(Process)
   dwPID = GetPidProcess(GetFilePart(Process))
   Debug Hex(dwPID)
   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)   
   Debug hProcess
   dwWritten.l = #Null
   pbModule.l = GetModuleHandle_(#Null)
   Debug pbModule.l
   DwSize.l =PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
   Debug DwSize.l
   
   ;******************************
   TestRelease.l= VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE) ;<<-- *** TestRelease.l = 0
   
   Debug TestRelease.l ;<- ***  Fails here ** TestRelease.l is 0  ***
    
   lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE) ;<<-- ***  lpBuffer.l = 0

   Debug lpBuffer.l ; <- ***  And obviously here too NULL  ***

   ;******************************
   
    
   If lpBuffer = #Null :   ProcedureReturn #False : EndIf
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
      ProcedureReturn #False
   EndIf
   hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
   If hThread=#Null : ProcedureReturn #False : EndIf
   CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End
Best regards
Henrik
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

Yes, thefool noticed it too and he found out from msn that CreateRemoteThread doesn't work in Win9x :(
thefool
Always Here
Posts: 5881
Joined: Sat Aug 30, 2003 5:58 pm
Location: Denmark

Post by thefool »

True, we need another thingy than CreateRemoteThread!
DoubleDutch
Addict
Posts: 3219
Joined: Thu Aug 07, 2003 7:01 pm
Location: United Kingdom

Post by DoubleDutch »

I wonder what would happen if you injected into msn messenger and then started a server app: would a firewall trigger alarms, or would it assume that msn is creating the server and let it work okay...
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system
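The question above is really about whether a host-based control notices the CreateRemoteThread call rather than the network socket. Endpoint telemetry that records remote thread creation (Sysmon Event ID 8 reports the source image, target image, start address and the module backing that address) is what answers it: a thread started in notepad.exe from a different image, at an address inside a VirtualAllocEx'd copy of the injector rather than inside any loaded module, shows up with an empty StartModule. As an added example (not code from this thread), here is that check run over constructed sample records; the field names follow Sysmon's, the values are made up.

```python
# Constructed sample records modeled on the Sysmon Event ID 8 (CreateRemoteThread)
# fields. Made up for this example, not captured telemetry.
SAMPLE_EVENTS = [
    # Thread started in notepad.exe from another image, at an address that no
    # loaded module backs: the shape of the technique discussed in this thread.
    "SourceImage=C:\\Tools\\inject.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartAddress=0x00401234|StartModule=|StartFunction=",
    # Ordinary cross-process thread: the start address is backed by ntdll.dll.
    "SourceImage=C:\\Windows\\System32\\csrss.exe|TargetImage=C:\\Windows\\explorer.exe"
    "|StartAddress=0x77E12345|StartModule=C:\\Windows\\System32\\ntdll.dll"
    "|StartFunction=RtlExitUserThread",
    # Same-process thread creation: not remote injection at all.
    "SourceImage=C:\\Windows\\notepad.exe|TargetImage=C:\\Windows\\notepad.exe"
    "|StartAddress=0x01001000|StartModule=C:\\Windows\\notepad.exe|StartFunction=",
]

def parse_event(line):
    """Split a 'key=value|key=value' record into a dict (values may be empty)."""
    return dict(field.split("=", 1) for field in line.split("|"))

def is_suspicious(ev):
    """Flag a remote thread that crosses processes and starts in memory no module
    backs (StartModule empty or '-'). A thread started inside a VirtualAllocEx'd
    copy of another executable's image looks exactly like this; a thread started
    in ntdll.dll or in the target's own image does not."""
    cross_process = ev["SourceImage"].lower() != ev["TargetImage"].lower()
    unbacked = ev.get("StartModule", "").strip() in ("", "-")
    return cross_process and unbacked

def scan(lines):
    """Return (SourceImage, TargetImage, StartAddress) for every flagged record."""
    hits = []
    for ev in map(parse_event, lines):
        if is_suspicious(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"], ev["StartAddress"]))
    return hits
```

Real environments need an allowlist on top of this (some system services legitimately start threads in other processes), but the unbacked-start-address condition is the part that separates the technique in this thread from those.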