Nytro Posted January 3, 2013 Report Posted January 3, 2013 [h=1]Code Injections [beginner and advanced][/h]Author: [h=3]RosDevil[/h]This tutorial is for every level, from beginners to advanced (so to review some aspects or istructions)I will use as much as i can C++ in this tutorial.We're going through all kinds of injection.Before any type of injection we need to get the right privileges, SE_DEBUG_NAME, this is the function to get it:int privileges(){HANDLE Token;TOKEN_PRIVILEGES tp;if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)){ LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS }} return 1;}after we need the PID of the target application, it can be got so:DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; }now let's get started with injections:1) Codecave Injection with CreateRemoteThread()This method has been treated a lot on internet so i won't go through the code step by step, if you want to see the documented functions go to msdn.steps:- Open the target Process through the PID (Api used: OpenProcess())- Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx())- Write our function and parameters in the remote process (Api used: WriteProcessMemory())- Execute the remote code and optionally free the remote memory (Api used: CreateRemoteThread() and VirtualFree())#include <windows.h>#include <iostream>#include <fstream>#include <stdlib.h>#include "ntdef.h"#include <tlhelp32.h>typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);using namespace std;struct PARAMETERS{ DWORD MessageBoxInj; char text[50]; char caption[25]; int buttons;// HWND handle;};DWORD getPid(string procName);int privileges();DWORD myFunc(PARAMETERS * myparam);DWORD Useless();int main(){ privileges(); DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * mytext = "Hello by CodeCave!"; char * mycaption = "Injection result"; PARAMETERS data; //let's fill in a PARAMETERS struct HMODULE user32 = LoadLibrary("User32.dll"); data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA"); strcpy(data.text, mytext); strcpy(data.caption, mycaption); data.buttons = MB_OKCANCEL | MB_ICONQUESTION; DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size //--------now we are ready to inject LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL); LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE); WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL); if (thread!=0){ //injection completed, not we can wait it to end and free the memory WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS;}DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap);return 0; }DWORD myFunc(PARAMETERS * myparam){ MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj; int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons); switch(result){ case IDOK: //your code break; case IDCANCEL: //your code break; } return 0;}DWORD Useless(){return 0;}//this function is needed to get some extra privileges so your code will be able to work without conflicts with the systemint privileges(){HANDLE Token;TOKEN_PRIVILEGES tp;if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)){ LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS }} return 1;}This code shows that we cannot pass more than 1 parameter to CreateRemoteThread so we need to create a struct (PARAMETERS) and pass it to the remote functionI did a tutorial in past for this, check out:http://www.rohitab.c...ion-tutorial-c/NOTE FOR VISTA/WIN7CreateRemoteThread() for windows Vista and Windows 7 isn't working because of boundaries, the solution is the undocumented function NtCreateThreadEx(), we can get it from ntdll.dll, and replace CreateRemoteThread() with it in the above code (and remember to adjust the parameters)HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer);struct NtCreateThreadExBuffer{ ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8;};HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread;}//so to use in the above code like this:HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress);////DLL INJECTIONPerforming Dll injection is much more easier, we don't have to create a struct of parameters beacause LoadLibraryA has only 1 parameter#include <windows.h>#include <iostream>#include <fstream>#include <stdlib.h>#include "ntdef.h"#include <tlhelp32.h>//For Vista/Win7:HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);using namespace std;DWORD getPid(string procName);int privileges();int main(){ privileges(); //don't mind of the result, because maybe it fails because you already have that privilege DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; //error HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * dll = "C:\\mydll.dll" //--------now we are ready to inject unsigned long LoadLib = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); LPVOID DataAddress = VirtualAllocEx(p, NULL, strlen(dll) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE); WriteProcessMemory(p, DataAddress, dll, strlen(dll), NULL); HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress, 0, NULL); //For Vista/Win7 //HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress); if (thread!=0){ //injection completed WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory CloseHandle(thread); CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process cout<<"Injection completed!"<<endl; }else{ cout<<"Error!"<<endl; } system("PAUSE"); return EXIT_SUCCESS;}DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(pt.szExeFile == procName){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap);return 0; }int privileges(){HANDLE Token;TOKEN_PRIVILEGES tp;if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)){ LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS }} return 1;}//for VISTA/WIN7typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)( OUT PHANDLE hThread, IN ACCESS_MASK DesiredAccess, IN LPVOID ObjectAttributes, IN HANDLE ProcessHandle, IN LPTHREAD_START_ROUTINE lpStartAddress, IN LPVOID lpParameter, IN BOOL CreateSuspended, IN DWORD StackZeroBits, IN DWORD SizeOfStackCommit, IN DWORD SizeOfStackReserve, OUT LPVOID lpBytesBuffer);struct NtCreateThreadExBuffer{ ULONG Size; ULONG Unknown1; ULONG Unknown2; PULONG Unknown3; ULONG Unknown4; ULONG Unknown5; ULONG Unknown6; PULONG Unknown7; ULONG Unknown8;};HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){ HMODULE modNtDll = LoadLibrary("ntdll.dll"); if(!modNtDll){ cout<<"Error loading ntdll.dll"<<endl; return 0; } LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx"); if(!funNtCreateThreadEx){ cout<<"Error loading NtCreateThreadEx()"<<endl; return 0; } NtCreateThreadExBuffer ntbuffer; memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer)); DWORD temp1 = 0; DWORD temp2 = 0; ntbuffer.Size = sizeof(NtCreateThreadExBuffer); ntbuffer.Unknown1 = 0x10003; ntbuffer.Unknown2 = 0x8; ntbuffer.Unknown3 = &temp2; ntbuffer.Unknown4 = 0; ntbuffer.Unknown5 = 0x10004; ntbuffer.Unknown6 = 4; ntbuffer.Unknown7 = &temp1; // ntbuffer.Unknown8 = 0; HANDLE hThread; NTSTATUS status = funNtCreateThreadEx( &hThread, 0x1FFFFF, NULL, process, (LPTHREAD_START_ROUTINE) Start, lpParameter, FALSE, //start instantly 0, //null 0, //null 0, //null &ntbuffer ); return hThread;}so if we want to check which OS are we running so to use CreateRemoteThread and NtCreateThreadEx:int CheckOSVersion(){/** Windows XP = 1 (NT 5.0)* Windows Vista = 2 (NT 6.0)* Windows 7 = 3 (NT 6.1)* Windows 8 = 4 (NT 6.2) --> on Windows 8 CreateRemoteThread works perfectly!!*/OSVERSIONINFO osver;osver.dwOSVersionInfoSize = sizeof(osver);if (GetVersionEx(&osver)){ if (!(osver.dwPlatformId == VER_PLATFORM_WIN32_NT)) return 0; if (osver.dwMajorVersion == 5) return 1; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0) return 2; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1) return 3; if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2) return 4;}else return 0;}//use: char type[50]; int os = CheckOSVersion(); if (os == 0) return 0; if (os==1) strcpy(type, "Windows XP"); if (os==2) strcpy(type, "Windows Vista"); if (os==3) strcpy(type, "Windows 7"); if (os==4) strcpy(type, "Windows 8");if you want to check if you are on a 64bit or 32bit OS by code://the size of void* is the answerif (sizeof(void*) == 4) //is 32bitif (sizeof(void*) == 8) //is 64bitOther wayI found many people talking about RtlCreateUserThread(), well it can be implemented easily (it is in ntdll.dll), but has a flaw, if you inject a dll with this function you cannot use CreateThread() inside it but you need to implement RtlCreateUserThread() in the dll too; i don't know why but it is.The implementation is:typedef struct ID{ PVOID UniqueProcess; PVOID UniqueThread;} CLIENT_ID, *PCLIENT_ID;typedef long (*myRtlCreateUserThread) (HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID);myRtlCreateUserThread RtlCreateUserThread;RtlCreateUserThread=(myRtlCreateUserThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlCreateUserThread");IMPORTANT: 32-BIT / 64-BITThis is a portability-injection table:- 32bit program inject 32bit dll in a 32bit target- 32bit program inject 64bit dll in a 64bit target- 64bit program inject 32bit dll in a 32bit target- 64bit program inject 64bit dll in a 64bit targetthe first type and the fourth type are easy to code, but if you dare getting in troubles with the second and the third take a look at this paper:http://www.corsix.or...ction-and-wow642) Code injection with SetWindowsHookExSetting hooks is a tipical action of keyloggers over WH_KEYBOARD hook type.This method makes them perfect in capturing key strokes BUT if we inject a dll using hooks the program that set the hook must keep running otherwise the dll is suddenly unloaded.To perform this type of injection we don't need directly the PID of the process but the Thread ID of it.We obtain the Thread ID from the PID:DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; }Now let's jot down some code about SetWindowsHookEx()#include <cstdlib>#include <iostream>#include "windows.h"#include "tlhelp32.h"using namespace std;DWORD getPid(string procName);DWORD GetThreadID(DWORD pid);int main(int argc, char *argv[]){ HHOOK hproc; HOOKPROC cbt; HMODULE dll = LoadLibrary("DllHook.dll"); //the dll tha we will inject that contains the hook procedure cbt = (HOOKPROC)GetProcAddress(dll, "MyProcedure"); //get the address of our Procedure DWORD id = GetThreadID(getPid("notepad.exe")); //in this example we want to set the hook in a specific target if (id == 0) return 0; //if id == 0 means that the process isn't running hproc = SetWindowsHookEx(WH_KEYBOARD, cbt, dll, id); //if we wanted to set the hook in every process we could replace 'id' with 0 cin.get(); UnhookWindowsHookEx(hproc); //When we want to remove the hook return EXIT_SUCCESS;}DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; }DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; }Now the our Dll that contains the hook procedure (in this case is named DllHook.dll)#include <windows.h>#include <stdio.h>#include <stdlib.h>__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp);__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp){ //here goes our code return CallNextHookEx(NULL, code, wp, lp); //this is needed to let other applications set other hooks on this target }BOOL APIENTRY DllMain (HINSTANCE hInst, DWORD reason, LPVOID reserved){ switch (reason) { case DLL_PROCESS_ATTACH: break; case DLL_PROCESS_DETACH: break; case DLL_THREAD_ATTACH: break; case DLL_THREAD_DETACH: break; } /* Returns TRUE on success, FALSE on failure */ return TRUE;}3) Code Injection modifying the Main ThreadThis part is a bit more complicated, but works on any version of WINDOWS and doesn't need to keep the injector runningsteps:- Open the target Process through the PID (Api used: OpenProcess())- Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx())- Get the target process's thread ID- Open the remote thread and suspend it (Api used: OpenThread() and SupendThread())- Get the remote thread context (Api used: GetThreadContext())- Saving the current Eip and setting it to the address of our injected function- Write our function and parameters in the remote process (Api used: WriteProcessMemory())- PATCH IN RUNTIME the injected function with the addresses of our parameters (Api used: WriteProcessMemory())- Set the new remote thread context (Api used: SetThreadContext())- Resume the remote thread and optionally free the memory (Api used: ResumeThread())Before seeing the code i want to explain what our function will be.It is an assembly code (or shellcode) that performs our operation, but while coding we can't know the addresses of our parameters so we put placeholders, in other words, we put a label that will be replaced during execution with the right addresses.the assembly function is:push 0xACEACEAC ;-> placeholder for the address of our old EIPpushfd ;->save all flags registerspushad ;-> save all registerspush 0xACEACEAC ;->placeholder for the address of the string 'User32.dll'mov ecx, 0xACEACEAC ;->placeholder for the address of LoadLibraryAcall ecx ;-> traslated in c++: LoadLibrary("User32.dll");now the address of the LOADED LIBRARY User32.dll is in eax registerpush 0xACEACEAC ;->placeholder for the address of the string MessageBoxApush eax ;->push User32.dll into the stackmov edx,0xACEACEAC ;->placeholder for the address of GetProcAddresscall edx ;translated in c++: GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA");now the address of MessageBoxA is in eax registerpush 0 ;push the fourth parameter of MessageBoxA (MB_OK)push 0xACEACEAC ;->placeholder for the address of the text (3 parameter)push 0xACEACEAC ;->placeholder for the address of the caption (2 parameter)push 0 ;push the first parameter into the stack (don't bother)call eax ;translated in c++: MessageBox(0, "caption", "text", MB_OK)popad ;restore all the registerspopfd ;restore all the flagsret ;get back to right executionas i said before we can inject an assembly code or shellcode (they behave in the same way), so that assembly code converted in shellcode is:char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3";now lets see the real full code:#include <windows.h>#include <iostream>#include <fstream>#include <stdlib.h>#include <tlhelp32.h>#include <shlwapi.h>#pragma comment(lib, "shlwapi.lib")using namespace std;int privileges();DWORD getPid(string procName);DWORD GetThreadID(DWORD pid);__declspec() void myFunc();__declspec() void Useless();int _tmain(){ privileges(); unsigned long oldIP; DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; cout<<pid<<endl; HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * user32 = "User32.dll"; char * MsgBox = "MessageBoxA"; char * testo = "REPORT"; char * mex = "INJECTION THREAD: SUCCESS!"; unsigned long size_myFunc = (unsigned long)Useless - (unsigned long)myFunc; unsigned long GetProcAdr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress"); unsigned long Load32 = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA"); void * mexAddress = VirtualAllocEx(p, NULL, strlen(mex)+1, MEM_COMMIT, PAGE_READWRITE); void * testoAddress = VirtualAllocEx(p, NULL, strlen(testo)+1, MEM_COMMIT, PAGE_READWRITE); void * MsgboxAddress = VirtualAllocEx(p, NULL, strlen(MsgBox)+1, MEM_COMMIT, PAGE_READWRITE); void * DataAddress = VirtualAllocEx(p, NULL, strlen(user32)+1, MEM_COMMIT, PAGE_READWRITE); void * MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, DataAddress, user32, strlen(user32), NULL); //string user32.dll WriteProcessMemory(p, MsgboxAddress, MsgBox, strlen(MsgBox), NULL); //string MessageBoxA WriteProcessMemory(p, testoAddress, testo, strlen(testo), NULL); //string for caption WriteProcessMemory(p, mexAddress, mex, strlen(mex), NULL); //string for text DWORD thID = GetThreadID(pid); HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID); SuspendThread(hThread); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; ctx.Eip = (DWORD)MyFuncAddress; ctx.ContextFlags = CONTEXT_CONTROL; WriteProcessMemory(p, MyFuncAddress, myFunc,size_myFunc, NULL); //After writing the function we patch it with the right addresses WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DataAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL); //CARICATO USER32.DLL WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 20), &MsgboxAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 26), &GetProcAdr, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 35), &testoAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 40), &mexAddress, 4, NULL); SetThreadContext(hThread, &ctx); ResumeThread(hThread); Sleep(1000); //wait a second! //if we want to free the used memory and the injected code that will take a short time of execution, //we can of course wait for it for a certain period with Sleep(); //but if the code will keep running with no ending we cannot free the memory otherwise it will crash the target application //VirtualFreeEx(p, MyFuncAddress, size_myFunc, MEM_DECOMMIT); //VirtualFreeEx(p, DataAddress, strlen(mytext)+1, MEM_DECOMMIT); CloseHandle(p); CloseHandle(hThread); system("PAUSE"); return EXIT_SUCCESS;}DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; }DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; }__declspec(naked) void myFunc(){ _asm { push 0xACEACEAC pushfd pushad push 0xACEACEAC mov ecx, 0xACEACEAC call ecx push 0xACEACEAC push eax mov edx,0xACEACEAC call edx push 0 push 0xACEACEAC push 0xACEACEAC push 0 call eax popad popfd ret }}__declspec(naked) void Useless(){ //this let's us calculate the address of MyFunc _asm ret;}int privileges(){HANDLE Token;TOKEN_PRIVILEGES tp;if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)){ LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS }} return 1;}Now i want to explain a bit for who didn't understand how to patch the function.Before i stated that i put placeholders that will be replaced with the right addresses, to help you i posted the shellcode that come handy when looking for the offset(position) of the placeholders.take a look at it, we want to patch the first item (oldIP), the placeholder is 0xACEACEAC that translated in hex is "\xac\xce\xea\xac".Now, you need to know that "\xXX" you see is a traslated value, and the first time we meet "\xac\xce\xea\xac" is after 1 "\xXX"...we can consider any "\xXX" such as a posistion, so:. 0 . 1 . 2 . 3 . 4 . 5 . 6 . ..."\x68\xac\xce\xea\xac\x9c\x60 ...so, the beginning address of MyFuncAddress corrisponds to . 0 . ( = \x68 ), and the beginning of the placeholder to . 1 ., so MyFuncAddress + 1... here we write the right address that will replace the first "\xac\xce\xea\xac"if we look for the second we find it in the eighth position so MyFuncAddress + 8... so on until we patch them all.we convent MyFuncAddress from void* to unsigned long so to do an aritmethic sum, then we convert the result back to void*(void*)((unsigned long) MyFuncAddress + each_offset)I noticed that people that use Dev-C++ get an error because it doesn't find OpenThread() and an error with asm tags, well i suggest you to get VisualC++...btw now i show you in a DLL INJECTION how you can get dinamically OpenThread() from kernel32.dll and use the shellcode instead of an asm tags:#include <windows.h>#include <iostream>#include <fstream>#include <stdlib.h>#include <tlhelp32.h>#include <shlwapi.h>#pragma comment(lib, "shlwapi.lib")using namespace std;char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb8\xac\xce\xea\xac\xff\xd0\x61\x9d\xc3";typedef HANDLE (WINAPI* OpenThreadfunc)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);OpenThreadfunc myOpenThread;void setOpenThread();int privileges();DWORD getPid(string procName);DWORD GetThreadID(DWORD pid);int injectLibrary(char * process, char * dll);HMODULE kernel;int main(int argc, char *argv[]){ injectLibrary("notepad.exe", "C:\\fullpath\\myDll"); system("PAUSE"); return EXIT_SUCCESS;}int injectLibrary(char * process, char * dll){ setOpenThread(); if (myOpenThread == NULL){ cout<<"Error with OpenThread()"<<endl; return 1; } unsigned long oldIP; if (privileges()==1){ //we if you want to check privileges you can, but some times if you are administrator you can perform injection without them cout<<"Error couldn't get privileges..."<<endl; } DWORD pid = getPid("notepad.exe"); if (pid==0) return 1; HANDLE p; p = OpenProcess(PROCESS_ALL_ACCESS,false,pid); if (p==NULL) return 1; //error char * dllName = dll; unsigned long shsize = sizeof(shellcode); unsigned long Load32 = (unsigned long)GetProcAddress(kernel, "LoadLibraryA"); void * DllAddress = VirtualAllocEx(p, NULL, strlen(dllName)+ 1, MEM_COMMIT,PAGE_READWRITE); void * MyFuncAddress = VirtualAllocEx(p, NULL, shsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE); WriteProcessMemory(p, DllAddress, dllName, strlen(dllName), NULL); DWORD thID = GetThreadID(pid); HANDLE hThread = myOpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID); SuspendThread(hThread); CONTEXT ctx; ctx.ContextFlags = CONTEXT_CONTROL; GetThreadContext(hThread, &ctx); oldIP = ctx.Eip; ctx.Eip = (DWORD)MyFuncAddress; ctx.ContextFlags = CONTEXT_CONTROL; WriteProcessMemory(p, MyFuncAddress, &shellcode, shsize, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DllAddress, 4, NULL); WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load32, 4, NULL); SetThreadContext(hThread, &ctx); ResumeThread(hThread); CloseHandle(p); CloseHandle(hThread); FreeLibrary(kernel); return 0;}void setOpenThread(){ kernel = LoadLibrary("kernel32.dll"); if (kernel != NULL) myOpenThread = (OpenThreadfunc)GetProcAddress(kernel, "OpenThread");}DWORD getPid(string procName){ HANDLE hsnap; PROCESSENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); pt.dwSize = sizeof(PROCESSENTRY32); do{ if(!strcmp(pt.szExeFile, procName.c_str())){ DWORD pid = pt.th32ProcessID; CloseHandle(hsnap); return pid; } } while(Process32Next(hsnap, &pt)); CloseHandle(hsnap); return 0; }DWORD GetThreadID(DWORD pid){ HANDLE hsnap; THREADENTRY32 pt; hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0); pt.dwSize = sizeof(THREADENTRY32); while (Thread32Next(hsnap, &pt)){ if(pt.th32OwnerProcessID == pid){ DWORD Thpid = pt.th32ThreadID; CloseHandle(hsnap); return Thpid; } }; CloseHandle(hsnap); return 0; }int privileges(){HANDLE Token;TOKEN_PRIVILEGES tp;if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token)){ LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid); tp.PrivilegeCount = 1; tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){ return 1; //FAIL }else{ return 0; //SUCCESS }} return 1;}WELL, FINISH!! I hope this tutorial will help you!ENJOY CODING! RosDevil Sursa: Code Injections [beginner and advanced] - rohitab.com - Forums Quote
ppdcas Posted January 3, 2013 Report Posted January 3, 2013 Destul de interesant, bookmarked pe mai tarziu.Totusi am o intrebare, in coduri de ce e folosit memset in loc de ZeroMemory ?Nu sunt foarte avansat in injectii si ma intrebam care e avantajul folosirii unuia fata de celalalt? Quote
Nytro Posted January 3, 2013 Author Report Posted January 3, 2013 Destul de interesant, bookmarked pe mai tarziu.Totusi am o intrebare, in coduri de ce e folosit memset in loc de ZeroMemory ?Nu sunt foarte avansat in injectii si ma intrebam care e avantajul folosirii unuia fata de celalalt?Stiam ca e un macro, dar nu stiam cum e definit si dupa mici cautari:WinBase.h#define ZeroMemory RtlZeroMemoryRtlZeroMemory e definit in WDH.h:#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))Aparent e acelasi lucru. E probabil insa sa fie mici diferente la apel, "memset" probabil va apela wrapper-ul din runtime-ul de la Visual C iar apelul ZeroMemory e posibil sa fie executat direct in kernel (RtlZeroMemory routine (Windows Drivers)).O sa fac putin research sa vad. Quote
ppdcas Posted January 4, 2013 Report Posted January 4, 2013 @Nytro Multumesc de informatii, am sa mai caut si eu . Quote