All times are UTC + 1 hour

PostPosted: Sun Sep 04, 2005 7:19 am 
Addict

Joined: Fri Apr 25, 2003 7:06 pm
Posts: 2244
Location: Argentina
One tip: Size Of the structure IMAGE_OPTIONAL_HEADER32 is your answer.

*Don't ask me how to do it :oops: I don't know


PostPosted: Sun Sep 04, 2005 3:41 pm 
Always Here

Joined: Sat Aug 30, 2003 5:58 pm
Posts: 5883
Location: Denmark
nice code!


PostPosted: Sun Sep 04, 2005 3:46 pm 
Always Here

Joined: Sat Aug 30, 2003 5:58 pm
Posts: 5883
Location: Denmark
And if someone wonders what to do with this, here is an example:

Inject hooking code, that will shift out an API command. That way the command that gets the code can execute it. Very nice for copy and cracking protection if you are a little creative!


Edit: of course this has bad uses too, but much does. I won't tell what the bad idea is, but it's a real nasty one :) Of course I won't use it for that bad idea... but again, all code has good and bad sides! This code can be VERY helpful for programmers wanting to avoid crackers. BTW, does it work on 9x too? Can anyone test?


PostPosted: Sun Sep 04, 2005 4:45 pm 
Moderator

Joined: Sat Dec 27, 2003 3:55 am
Posts: 3321
Location: Great Southern Land
:idea:
Aha. Starting to see.

_________________
@}--`--,-- A rose by any other name ..


 Post subject: Re: Injecting Procedure to another process
PostPosted: Sun Sep 04, 2005 5:51 pm 
User

Joined: Mon Jul 18, 2005 10:28 am
Posts: 54
okasvi wrote:
dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
To get dwSize I am using just "32768", which works with this example. Anyway, depending (this is how I see it) on the file size of the created executable, you need to change that.
E.g. I stopped using Droopylib and got the file size from around 22,5kb to 7,5kb, so injection didn't work any more, but it can be fixed by replacing "32768" with "32768/2"...

2. Doesn't work with the debugger for some reason, I don't know :?

I hope this works for you
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.
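
Added example (not code from any poster in this thread): the PeekL one-liner above reads the 32-bit SizeOfImage field at e_lfanew + $50, which is 4 bytes of PE signature, 20 bytes of IMAGE_FILE_HEADER and 56 bytes into the optional header. The Python sketch below does the same lookup on a byte buffer with bounds and signature checks; build_sample and its header-only buffers are constructed for illustration.

```python
import struct

E_LFANEW_OFF = 0x3C      # IMAGE_DOS_HEADER.e_lfanew, a 32-bit LONG
OPT_HEADER_OFF = 4 + 20  # PE signature + IMAGE_FILE_HEADER
SIZEOFIMAGE_OFF = OPT_HEADER_OFF + 56   # = 0x50, same for PE32 and PE32+


def size_of_image(image: bytes) -> int:
    """Return OptionalHeader.SizeOfImage, validating each step."""
    if len(image) < E_LFANEW_OFF + 4 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # Read all four bytes of e_lfanew; a 16-bit read would truncate
    # offsets of 0x10000 and above.
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFF)
    if e_lfanew + SIZEOFIMAGE_OFF + 4 > len(image):
        raise ValueError("e_lfanew points outside the buffer")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (magic,) = struct.unpack_from("<H", image, e_lfanew + OPT_HEADER_OFF)
    if magic not in (0x10B, 0x20B):     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    return struct.unpack_from("<I", image, e_lfanew + SIZEOFIMAGE_OFF)[0]


def build_sample(e_lfanew: int, size: int, magic: int = 0x10B) -> bytes:
    """Constructed header-only sample (hypothetical, not a loadable file)."""
    buf = bytearray(e_lfanew + 0x60)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFF, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + OPT_HEADER_OFF, magic)
    struct.pack_into("<I", buf, e_lfanew + SIZEOFIMAGE_OFF, size)
    return bytes(buf)


if __name__ == "__main__":
    # 0x8000 is the 32768 that was hard-coded earlier in the thread.
    print(size_of_image(build_sample(0x80, 0x8000)))
```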


 Post subject: Re: Injecting Procedure to another process
PostPosted: Sun Sep 04, 2005 6:36 pm 
Enthusiast

Joined: Wed Apr 27, 2005 9:41 pm
Posts: 150
Location: Finland
FreeThought wrote:
okasvi wrote:
dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
To get dwSize I am using just "32768", which works with this example. Anyway, depending (this is how I see it) on the file size of the created executable, you need to change that.
E.g. I stopped using Droopylib and got the file size from around 22,5kb to 7,5kb, so injection didn't work any more, but it can be fixed by replacing "32768" with "32768/2"...

2. Doesn't work with the debugger for some reason, I don't know :?

I hope this works for you
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.


Thanks, it works :D

I would like to know if this works on 9x/2k

edit: updated code on first post


PostPosted: Sun Sep 04, 2005 7:44 pm 
Addict

Joined: Fri Apr 25, 2003 7:06 pm
Posts: 2244
Location: Argentina
The problem is that in the Thread you can't run any kind of code.

I tested with msgbox and it works, but can make any other call to make it work, tried some API calls or PB functions and all fail.

This is the most I can make run atm from mspaint.exe:

Code:
Procedure RemoteThread()
    ;MessageRequester("Success","Injection worked.")
    ;Delay(1500)
    Repeat
        Beep(1999,1) ;Just to know its running
        Delay(320)
        cont+1
        If cont = 20
            a$ = "hello world"
            MessageRequester("",a$)
            cont = 0
        EndIf
    ForEver
EndProcedure


PostPosted: Sun Sep 04, 2005 7:49 pm 
Enthusiast

Joined: Wed Apr 27, 2005 9:41 pm
Posts: 150
Location: Finland
I'll try something more complex and post it when I get it ready...


PostPosted: Sun Sep 04, 2005 8:26 pm 
User

Joined: Mon Jul 18, 2005 10:28 am
Posts: 54
deleted by freethought


Last edited by FreeThought on Mon Sep 05, 2005 12:47 pm, edited 1 time in total.

PostPosted: Sun Sep 04, 2005 8:45 pm 
Addict

Joined: Mon Sep 20, 2004 3:52 pm
Posts: 1648
This has its legitimate uses. Very nice. Similar to what I did on my DesktopRightMenu program.


PostPosted: Sun Sep 04, 2005 8:59 pm 
Enthusiast

Joined: Wed Apr 27, 2005 9:41 pm
Posts: 150
Location: Finland
FreeThought wrote:
Please forgive me, but I still don't understand the code. GetModuleHandle_(0) should return the handle to the calling process. Why VirtualAlloc a region that is already allocated? It is nice of you if you can clarify. Thanks.
Regards


I'm not sure :? since I'm still learning this stuff myself...
Have you done this before?


PostPosted: Sun Sep 04, 2005 9:41 pm 
Enthusiast

Joined: Sat Apr 26, 2003 5:08 pm
Posts: 404
Location: Denmark
@okasvi
It fails on win98 :?

Code:
;RemoteProcedureInjection :D
;credits goes for D-oNe for original code in C++, for Pupil for pointing out that i should use long with pbModule, for FreeThought way to get dwSize dynamically... thanks :D
;okasvi
Procedure RemoteThread()
   MessageRequester("Success","Injection worked.")
EndProcedure
Procedure InjectCode(Process.s, *lpCodeToInject)
   RunProgram(Process)
   dwPID = GetPidProcess(GetFilePart(Process))
   Debug Hex(dwPID)
   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)   
   Debug hProcess
   dwWritten.l = #Null :
   pbModule.l = GetModuleHandle_(#Null)
   Debug pbModule.l
   DwSize.l =PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
   Debug DwSize.l
   
   ;******************************
   TestRelease.l= VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE) ;<<-- *** TestRelease.l = 0
   
   Debug TestRelease.l ;<- ***  Fails here ** TestRelease.l is 0  ***
   
   lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE) ;<<-- ***  lpBuffer.l = 0
 
   Debug lpBuffer.l ; <- ***  And obviously here too NULL  ***

   ;******************************
   
   
   If lpBuffer = #Null :   ProcedureReturn #False : EndIf
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
      ProcedureReturn #False
   EndIf
   hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
   If hThread=#Null : ProcedureReturn #False : EndIf
   CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End


Best regards
Henrik
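
Added example (not code from any poster in this thread): a minimal detector for the call order used by the InjectCode procedure above, i.e. OpenProcess, VirtualAllocEx, WriteProcessMemory and CreateRemoteThread issued by one process against a different one. The trace and its tuple layout are constructed and hypothetical; real telemetry would have to be mapped onto these fields.

```python
# Constructed API-call trace. The layout (caller_pid, api, target_pid, detail)
# is a hypothetical format, not the output of any real tool.
TRACE = [
    (4120, "OpenProcess", 5300, "PROCESS_ALL_ACCESS"),
    (4120, "VirtualFreeEx", 5300, "MEM_RELEASE"),
    (4120, "VirtualAllocEx", 5300, "PAGE_EXECUTE_READWRITE"),
    (7001, "OpenProcess", 5300, "PROCESS_QUERY_INFORMATION"),
    (4120, "WriteProcessMemory", 5300, "size=32768"),
    (6010, "VirtualAllocEx", 6010, "PAGE_READWRITE"),
    (4120, "CreateRemoteThread", 5300, ""),
    (7001, "ReadProcessMemory", 5300, "size=64"),
]

# Ordered stages of the pattern shown in the thread's InjectCode procedure.
STAGES = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
          "CreateRemoteThread")


def find_remote_thread_injection(trace):
    """Return [(caller_pid, target_pid, executable_alloc)] for every pair
    that completed all STAGES in order against a different process."""
    progress = {}    # (caller, target) -> index of the next expected stage
    exec_alloc = {}  # (caller, target) -> True if the allocation was executable
    alerts = []
    for caller, api, target, detail in trace:
        if caller == target:
            continue                     # in-process calls are out of scope
        key = (caller, target)
        stage = progress.get(key, 0)
        if api != STAGES[stage]:
            continue                     # unrelated or out-of-order call
        if api == "VirtualAllocEx":
            exec_alloc[key] = "EXECUTE" in detail
        progress[key] = stage + 1
        if progress[key] == len(STAGES):
            alerts.append((caller, target, exec_alloc.get(key, False)))
            progress[key] = 0            # re-arm for a later sequence
    return alerts


if __name__ == "__main__":
    for caller, target, rwx in find_remote_thread_injection(TRACE):
        print(f"pid {caller} -> pid {target}, executable alloc: {rwx}")
```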


PostPosted: Sun Sep 04, 2005 9:53 pm 
Enthusiast

Joined: Wed Apr 27, 2005 9:41 pm
Posts: 150
Location: Finland
Yes, thefool noticed it too and he found out from msn that CreateRemoteThread doesn't work in win9x :(


PostPosted: Sun Sep 04, 2005 9:53 pm 
Always Here

Joined: Sat Aug 30, 2003 5:58 pm
Posts: 5883
Location: Denmark
True, we need another thingy than CreateRemoteThread!


PostPosted: Sun Sep 04, 2005 10:36 pm 
Addict

Joined: Thu Aug 07, 2003 7:01 pm
Posts: 3113
Location: United Kingdom
I wonder what would happen if you injected into MSN Messenger and then started a server app: will a firewall trigger alarms - or will it assume that MSN is creating the server and let it work okay...

_________________
https://deluxepixel.com <- My Business website
https://reportcomplete.com <- School end of term reports system

