
Posted: Sun Sep 04, 2005 10:38 pm
by DoubleDutch
Also one to try is injecting IE and then try to send commands via port 80 to a remote server.... this little trick may be quite evil. ;)

Posted: Sun Sep 04, 2005 10:41 pm
by thefool
yup it would probably work.

Another idea:

If you are a guest on a Windows machine, or a normal user, you can use a program running as admin, like antivirus or a service, then inject your code into that program, and boom, your program can do whatever it wants.

Posted: Sun Sep 04, 2005 11:08 pm
by Henrik
Come on you 2, do you want this thread locked or what? :shock:
You can do a lot of bad things with a match and some shoelace too, but there is no reason to discuss it here, it could be very messy you know... :D

Best Regards
Henrik

Posted: Sun Sep 04, 2005 11:23 pm
by DoubleDutch
Sorry, I was getting carried away ;)

If you inject a looping process into notepad or something, then terminate the "injector", does the process keep running until notepad stops, or does it terminate with the injector? Is there any memory leakage or problem?

Posted: Sun Sep 04, 2005 11:43 pm
by xgp
I've tried and it fails.
WinXP SP2.

just for notice :wink:

xgp

Posted: Mon Sep 05, 2005 1:42 am
by Dreglor
I think most firewalls work by looking at what program is doing this. Well, if you're hooked, maybe it will think it's MSN instead of your program. Well, only one way to find out :\

btw

it fails on my machine XP SP2

Posted: Mon Sep 05, 2005 5:22 am
by Dreglor
I looked into why it wasn't working and I found it does work, but only rarely. It is always stopping at VirtualAllocEx_(); it's returning null, which MSDN says is an error, and says if you want more on the error, use GetLastError_(). Well, that returns zero, which I looked up, and that code means it worked. So either there was an error for which there was no code, or VirtualAllocEx_() is lying to me :?

I figured it was something with the code you wrote, converted the original C++ code you found,
and guess what, it did the same exact thing: rarely working, and when it didn't, it stopped on VirtualAllocEx_().

is anyone having the same problem?

Posted: Mon Sep 05, 2005 6:33 am
by okasvi
Hmm... weird, since I'm on XP SP2 and it works fine here...


DoubleDutch, do your ideas have something to do with your remote administration tool? :lol:

Posted: Mon Sep 05, 2005 1:12 pm
by thefool
No you need the allocations on my xp too! better put them back.

Henrik, can you tell me about that shoelace and matches?? :)

DoubleDutch, it should terminate with the app it's injected to. Not the one that injects it!

Posted: Mon Sep 05, 2005 2:52 pm
by okasvi
thefool wrote: No you need the allocations on my xp too! better put them back.

:oops: I forgot to edit the 1st post, anyway now it's there with DarkDragon's idea/code of creating the process as suspended...

Posted: Mon Sep 05, 2005 3:09 pm
by thefool
sorry, but why do you want to put it as suspended?

Posted: Mon Sep 05, 2005 3:29 pm
by okasvi
thefool wrote: sorry, but why do you want to put it as suspended?

:oops: It was because I thought my way didn't work for everyone... well, I guess it was just because I left copy-pasted broken code there and DarkDragon "fixed" it with another method and I thought it would be better :? Well, mistakes happen... now there are both methods on the 1st post.

Posted: Mon Sep 05, 2005 3:50 pm
by thefool
hehe :)

Posted: Mon Sep 05, 2005 4:01 pm
by ricardo
Can anybody show something that the injected code can do without crashing?

I was only able to use delays and msgboxes, but not anymore. Any API call (for example) crashes for me.

Posted: Mon Sep 05, 2005 6:17 pm
by LuCiFeR[SD]
interesting... very interesting :). Nice to see that Microsoft got something right with Windows XP SP2. I must remember to disable DEP for further testing :)

http://www.satanicdreams.com/error.jpg