Injecting Procedure to another process

okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

Code updated for 5.20+

Injects Procedure (RemoteThread()) into another process (notepad.exe)...
A lot of the code is now coded by DarkDragon, so I hope he is fine with me putting it here.

CreateRemoteThread is not supported within Windows 9x.
Uses latest droopylib.

Method without create process as suspended

Code: Select all

;thanks for everyone who have helped with this
DisableDebugger ;DISABLES DEBUGGER! This is needed.
Procedure RemoteThread()
	MessageRequester("Success","Injection worked.")
EndProcedure

Procedure InjectCode(Process.s, *lpCodeToInject)
	RunProgram(Process)
	dwPID = GetPidProcess(GetFilePart(Process))
	hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)	
	dwWritten.l = #Null 
	pbModule.l = GetModuleHandle_(#Null)
	DwSize.l = PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
	VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE)
	lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
	If lpBuffer = #Null :   ProcedureReturn #False : EndIf
	If WriteProcessMemory_(hProcess, pbModule, pbModule, dwSize, dwWritten) = 0
		ProcedureReturn #False
	EndIf
	hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
	If hThread=#Null : ProcedureReturn #False : EndIf
	CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End

Alternative method:

Code: Select all

;whole idea to use create process as suspended is by DarkDragon
;thanks for everyone who have helped with this
DisableDebugger ;DISABLES DEBUGGER! This is needed.
Procedure RemoteThread()
   MessageRequester("Success", "Injection successed!")
EndProcedure
Procedure InjectCode(Process.s, *lpCodeToInject)
   CreateProcess_(0,Process.s,0,0,0,#CREATE_SUSPENDED,0,0,@sinfo.STARTUPINFO,@pinfo.PROCESS_INFORMATION)
   dwPID = pinfo\dwProcessId
   hProcess = pinfo\hProcess
   dwWritten = #Null : pbModule = GetModuleHandle_(0) : DwSize = PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
   VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE)
   lpBuffer = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
   If lpBuffer = #Null : While ResumeThread_(pinfo\hThread)>1 : Wend : CloseHandle_(hProcess)  :   ProcedureReturn #False : EndIf
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
      While ResumeThread_(pinfo\hThread)>1 : Wend : CloseHandle_(hProcess)
      ProcedureReturn #False
   EndIf
   hThread = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
 
   If hThread=#Null : CloseHandle_(hProcess) : ProcedureReturn #False : EndIf
   While ResumeThread_(pinfo\hThread)>1 : Wend
   CloseHandle_(hThread)
   ProcedureReturn #True
EndProcedure
 
If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End
Last edited by okasvi on Tue Sep 06, 2005 8:07 pm, edited 11 times in total.
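
Seen from the monitoring side, both listings above leave the same trail: a process starts notepad.exe, holds a handle with memory-write and thread-creation rights, and creates a thread whose start address lies outside any loaded module. The following is an added example, not part of the original post: it correlates constructed Sysmon-style records (Event IDs 1, 10 and 8); the sample events, paths, PIDs, the 5-second window and the score threshold are assumptions.

```python
# Constructed Sysmon-style records (not real telemetry). Event ID 1 = ProcessCreate,
# 10 = ProcessAccess, 8 = CreateRemoteThread; paths and PIDs are made up.
SRC = r"C:\Users\lab\inject_demo.exe"
NOTEPAD = r"C:\Windows\notepad.exe"
EVENTS = [
    {"id": 10, "time": 50.0, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "TargetProcessId": 900,
     "GrantedAccess": "0x1410"},
    {"id": 8, "time": 60.0, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\cmd.exe", "TargetProcessId": 700,
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
    {"id": 1, "time": 100.0, "Image": NOTEPAD, "ProcessId": 4120, "ParentImage": SRC},
    {"id": 10, "time": 100.2, "SourceImage": SRC, "TargetImage": NOTEPAD,
     "TargetProcessId": 4120, "GrantedAccess": "0x1F0FFF"},
    {"id": 8, "time": 100.3, "SourceImage": SRC, "TargetImage": NOTEPAD,
     "TargetProcessId": 4120, "StartModule": "-"},
]

# PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
INJECT_MASK = 0x0002 | 0x0008 | 0x0020

def find_remote_thread_injection(events, window=5.0, threshold=3):
    """Score each cross-process CreateRemoteThread event by corroborating records."""
    findings = []
    for ev in (e for e in events if e["id"] == 8):
        src, pid = ev["SourceImage"], ev["TargetProcessId"]
        if src.lower() == ev["TargetImage"].lower():
            continue  # a process creating threads in itself is not remote
        reasons = {"remote thread created in another process"}
        if ev.get("StartModule", "-") in ("", "-"):
            reasons.add("thread start address is not inside a loaded module")
        for prior in events:
            if not 0 <= ev["time"] - prior["time"] <= window:
                continue  # only look at records shortly before the thread event
            if (prior["id"] == 10 and prior["SourceImage"] == src
                    and prior["TargetProcessId"] == pid
                    and int(prior["GrantedAccess"], 16) & INJECT_MASK == INJECT_MASK):
                reasons.add("handle granted thread-create and memory-write rights")
            if (prior["id"] == 1 and prior["ProcessId"] == pid
                    and prior["ParentImage"] == src):
                reasons.add("target was started by the source moments earlier")
        if len(reasons) >= threshold:
            findings.append({"source": src, "target_pid": pid,
                             "score": len(reasons), "reasons": sorted(reasons)})
    return findings

if __name__ == "__main__":
    for f in find_remote_thread_injection(EVENTS):
        print(f["source"], "->", f["target_pid"], f["score"], f["reasons"])
```

The csrss.exe record scores 1 because its thread starts inside kernel32.dll and nothing else corroborates it, so it stays below the threshold.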
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: Injecting Procedure to another process

Post by PB »

> for Pupil being only one who replied my thread

:roll:
I compile using 5.31 (x86) on Win 7 Ultimate (64-bit).
"PureBasic won't be object oriented, period" - Fred.
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Re: Injecting Procedure to another process

Post by okasvi »

PB wrote:
> > for Pupil being only one who replied my thread
>
> :roll:

well he was only one who replied and even posted something that was useful for me...

anyway you mind posting some comments about this?
PB
PureBasic Expert
Posts: 7581
Joined: Fri Apr 25, 2003 5:24 pm

Re: Injecting Procedure to another process

Post by PB »

> he was only one who replied and even posted something that was useful for me

So what? He was obviously the only person who knew how to help. I'm sick
of people bitching here about "no help" as though we're expected to jump at
a moment's notice; as if we're personal tech support for people on call 24
hours a day. If nobody replies, too bad. Don't post evil faces and make
smart-ass comments that insult the rest of us. If I could have helped, then
I would have. I don't need to come here and be directly insulted with a
comment of "being only one who replied". Think about it!
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Re: Injecting Procedure to another process

Post by okasvi »

PB wrote:
> > he was only one who replied and even posted something that was useful for me
>
> So what? He was obviously the only person who knew how to help. I'm sick
> of people bitching here about "no help" as though we're expected to jump at
> a moment's notice; as if we're personal tech support for people on call 24
> hours a day. If nobody replies, too bad. Don't post evil faces and make
> smart-ass comments that insult the rest of us. If I could have helped, then
> I would have. I don't need to come here and be directly insulted with a
> comment of "being only one who replied". Think about it!

sorry :roll:
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Hi okasvi.

What exactly does it do? :?



BTW:

I installed droopylib.
Ran in debug mode with JaPBe - PB v3.94 on XP.
Got the Microsoft message "Notepad encountered an error .... [send] [don't send]"
@}--`--,-- A rose by any other name ..
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

try running without debug... works fine here and I'm on XP SP2 + latest updates... to tell you the truth I haven't tried it with debugging but it works when I create an executable out of it (I tried calc.exe too and it worked)...

I'll test some things with it...
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Okay, will try that a bit later on (uninstalled droopylib and too lazy to find/reinstall just at mo).

Still clueless about what it does. What is the purpose/functionality of this? :)
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

well this example only injects the RemoteThread procedure into notepad :D
so it opens up notepad and then injects a MessageRequester into it...


I'll edit this so it won't need droopylib soon...
Rescator
Addict
Posts: 1769
Joined: Sat Feb 19, 2005 5:05 pm
Location: Norway

Post by Rescator »

Actually, this is like a process/function hook,
only it discards notepad's own code
and replaces it with your own procedure.

I don't see much use for this though, other than preventing certain programs from functioning, and *Ugh* viruses or spyware etc.

Unless I'm mistaken, what actually happens is that notepad's memory is dumped (or enough memory to "fit" the current program).
Then around 32KB is allocated to replace the freed memory.
Yeah not the prettiest allocations but.

Basically it's the same as taking a car, ripping out the insides,
replacing it with something else, and then turning on the radio.
It looks like the same car, but now the radio will automatically turn on
and it's no longer a radio. *laughs*

I'm surprised doing something like this is so easy though!
(no wonder Windows is full of so many holes)

I'm curious on the allocation though, I kinda half guess that it only works
with administrator privileges, so on a Guest or non admin privilege user
this may fail.
Dare2
Moderator
Posts: 3321
Joined: Sat Dec 27, 2003 3:55 am
Location: Great Southern Land

Post by Dare2 »

Okay, created an exe and ran it.
Notepad opened.
A message requester showed success.

So I guess it worked. :)

However I am still not sure how this could be useful, or used. Even after reading Rescator's post, none the wiser. Not saying it isn't ...

The change is not permanent (is it?) so it needs to have a prog running to do this sort of thing. The "resident virus" or "admin tool", as it were. :)

So .. what would be a practical use for injecting something into something else?
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

Change is not permanent and in fact it doesn't affect the process it is injected into at all (If I'm wrong here please correct me :D).

And for use of this, you could eg.:
- inject procedure to hook any thing within another executable.
- inject procedure to any running process just to remove/modify your own exe (useful with autoupdates).
- etc. :D be creative
ricardo
Addict
Posts: 2402
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

okasvi wrote:
> Change is not permanent and in fact it doesn't affect the process it is injected into at all (If I'm wrong here please correct me :D).
>
> And for use of this, you could eg.:
> - inject procedure to hook any thing within another executable.
> - inject procedure to any running process just to remove/modify your own exe (useful with autoupdates).
> - etc. :D be creative

Can you give us an example with notepad.exe (the one you are using) of some useful usage, just to understand what you are doing.

If your exe closes... the code you injected still runs in the injected app?

Show us an example.

Thanks
ARGENTINA WORLD CHAMPION
okasvi
Enthusiast
Posts: 150
Joined: Wed Apr 27, 2005 9:41 pm
Location: Finland

Post by okasvi »

yes, the injected code will stay there, and as you can see from my code, right after it has successfully injected it will quit:

If InjectCode("notepad.exe", @RemoteThread()) = #False
MessageRequester("Error!", "Injection failed!")
EndIf
End

and I don't have any examples since I just got this working today...
ricardo
Addict
Posts: 2402
Joined: Fri Apr 25, 2003 7:06 pm
Location: Argentina

Post by ricardo »

dwSize is the size of the procedure you are going to inject.
As far as I can understand, it is the size of memory you need to allocate for injecting your code.
ARGENTINA WORLD CHAMPION
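
Both listings in the first post compute DwSize with PeekL(pbmodule+PeekW(pbmodule+$3c)+$50), which reads the SizeOfImage field from the PE header of the running program's own module. The following is an added example, not code from the thread: it parses that field from a constructed header and reports how many pages an allocation of that size spans, which is the size of the PAGE_EXECUTE_READWRITE region a memory scan of the target would show. The helper names, sample header values and 4 KiB page size are assumptions.

```python
import struct

PAGE = 4096  # assumed page size (default on x86/x64 Windows)

def size_of_image(image: bytes) -> int:
    """Return SizeOfImage, the 32-bit field at e_lfanew + 0x50."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew (file offset of the PE signature) is stored at 0x3C
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 0x54 > len(image):
        raise ValueError("truncated PE header")
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 0x50 = 4 (signature) + 20 (IMAGE_FILE_HEADER) + 56 (SizeOfImage offset
    # inside the optional header; the same for PE32 and PE32+)
    (size,) = struct.unpack_from("<I", image, e_lfanew + 0x50)
    return size

def rwx_pages(image: bytes) -> int:
    """Pages covered by an allocation of SizeOfImage bytes (rounded up)."""
    return -(-size_of_image(image) // PAGE)

def build_sample_header(e_lfanew: int = 0x80, size: int = 0x9000) -> bytes:
    """Constructed minimal header holding only the fields parsed above."""
    buf = bytearray(e_lfanew + 0x100)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<I", buf, e_lfanew + 0x50, size)
    return bytes(buf)

if __name__ == "__main__":
    sample = build_sample_header()
    print(hex(size_of_image(sample)), rwx_pages(sample))
```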