hacking contest

hacking exploits security forum
hacking
compliance articles
upgrade backup exec
information security consultant
Help - Search - Member List - Calendar
GovernmentSecurity.org > System Security > Windows Systems
x1`
Dec 9 2004, 06:19 PM
i am wanting to know how do you inject your code or exe so the firewall dosent popup and asked net access when its already accetped for iexplorer.exe . so the apps runs through port 80
nnxion
Dec 9 2004, 11:19 PM
well you cant inject a .exe as far as I know, you can inject a Dynamic Link Library (.dll) though, you need some way of making iexplorer.exe execute a command so your dll can take control
tibbar
Dec 9 2004, 11:51 PM
This is very easy to do. See my attached example which i released to the advanced forum a long time ago. It is only POC and I am not interested in comments on mistakes in the code, as it is a rough example.

Disclaimer: This is purely for educational purposes and must not be used for illegal activity. I accept no responsibility for what people do with this code.

QUOTE
Basically, there are two parts to this. The injection program, and the trojan dll which does the downloading (and execution etc if you want it to).

You will need to change the line: char dll[]="D:\\c backup\\cpp\\system hooks\\test dll\\Release\\test dll.dll";

to fit in with your local drive structure.

Thanks to vnet for his idea on using CreateToolhelp32Snapshot to retrieve the handle to the injected dll, to unload it at the end.

I'm currently working on a netcat shell which lives in a dll to inject via this method.
AdmiralB
Dec 10 2004, 01:22 AM
Its very difficult to inject
Unless u know what u doing
its best u practise in a localarea or some experiemental computer
theclarkkent
Dec 10 2004, 04:54 AM
tibbar, Thanks for the Code. biggrin.gif
Jumpi
Dec 10 2004, 09:13 AM
but you won't pass any firewall with injection, these times are over sad.gif

zonealarm asks if the dll should be allowd to access the net.
Borgon
Dec 10 2004, 09:28 AM
hey you gotta find processes or program which have access to use the internet, not all iexplorer process arent allowed
tibbar
Dec 10 2004, 09:33 AM
explorer.exe is another good target. also you can try actually injecting into the firewall, keep a list of firewall names, and find which one exists, then inject into that.
belgther
Dec 10 2004, 12:01 PM
well there's a program called zeroadd and it adds bytes to modify...
so you can inject your complete exe code (excluding header) and modify some bytes on the main code to execute this exe...
it even bypasses the firewall since it's a part of the main exe
have fun and be careful what you do with it...
blackP0ster
Dec 10 2004, 02:10 PM
ok..injection is on way..
but who to delete the injected file?

black
belgther
Dec 10 2004, 02:20 PM
QUOTE(blackP0ster @ Dec 10 2004, 03:10 PM)
ok..injection is on way..
but who to delete the injected file?

black
*



there is the point, it is hard to restore it, you have to update/reinstall IE... so that's why x1` asked for an exe code injection
cool_one
Dec 10 2004, 06:14 PM
injection is tuff and most ifrewalls simply compare the the list of dlls needed and the list of dlls actually used. my suggestion is to use FWB, FireWall Bypass, like optix FWB or bifrost FWB which actually drives code into the core of the exe without ruining it at all this technique requires awesome assembly skills as the brain of the code that ventures around the memory is very complex because it must place code some where safe and continually is moving from empty segment to empty segment.
tibbar
Dec 10 2004, 08:39 PM
QUOTE(cool_one @ Dec 10 2004, 06:14 PM)
injection is tuff and most ifrewalls simply compare the the list of dlls needed and the list of dlls actually used. my suggestion is to use FWB, FireWall Bypass, like optix FWB or bifrost FWB which actually drives code into the core of the exe without ruining it at all this technique requires awesome assembly skills as the brain of the code that ventures around the memory is very complex because it must place code some where safe and continually is moving from empty segment to empty segment.
*



It is actually not hard to do this. You can use WriteProcessMemory to write a function into the another process' memory space, and then CreateRemoteThread to execute this function. This requires no asm skills, only c programming + knowledge of winapi.

Here is an extract from one of my programs that uses this idea:

CODE
// here's the tricky bit.  when we inject the function into target process it will not have access to any
// functions via imports since it is not compiled with the process
// instead we must supply function pointer to it, which tell it where to look
// this method relies of the fact that ntdll.dll is loaded into the same place in all processes!

// pointer to RtlInitUnicodeString and LdrLoadDll
FARPROC fPointers[2];
fPointers[0] = GetProcAddress(LoadLibrary("ntdll.dll"), "RtlInitUnicodeString");
fPointers[1] = g_OriginalLdrLoadDll;//GetProcAddress(LoadLibrary("ntdll.dll"), "LdrLoadDll");


void* lpStartAddress = VirtualAllocEx(targetProcessHandle, NULL, functionSize, MEM_COMMIT|MEM_TOP_DOWN|MEM_RESERVE, PAGE_EXECUTE_READWRITE);
SIZE_T numBytesWritten = NULL;
BOOL didWork = WriteProcessMemory(targetProcessHandle, lpStartAddress, &InjectedDllLoader, functionSize, &numBytesWritten);

HANDLE hHandle = CreateRemoteThread(targetProcessHandle, NULL, 0,(LPTHREAD_START_ROUTINE)lpStartAddress, fPointers, 0, &ThreadID);

....
....

void WINAPI InjectedDllLoader(FARPROC functionPointers[2])
{

wchar_t temp[] = L"Secure API Library.dll";
int totalSize = wcslen(temp)*sizeof(wchar_t) + 2*sizeof(USHORT) + 1;
void* dllName = malloc(totalSize);

((RTLINITUNICODESTRING)functionPointers[0])((PUNICODE_STRING)dllName, temp);

DWORD dllHandle = 0;
((LDRLOADDLL)functionPointers[1])(NULL, NULL, (PUNICODE_STRING)dllName, (PVOID*)&dllHandle);

delete pdllName;
}


This is using this concept to write the function InjectedDllLoader into the process space of another process, and then uses CreateRemoteThread to execute it.
aapje
Dec 15 2004, 02:57 PM
search for the dll injection example i posted some time ago, its not picked up by anti virus, you just create a dll file with your code in it and inject it.

Here is some example injection methods:

http://www.codeproject.com/threads/winspy.asp
darkt3ch
Dec 16 2004, 04:16 PM
uhh check out http://iamaphex.com he has released heaps of great shit
fwb fwb++ fwb# and yes you can inject an entire exe it isnt that hard all the hard work has been done
simply-me
Dec 26 2004, 04:56 AM
Exe injection cant bypass a firewall either. Sygate Personal Firewall prompts me if any file has changed and wants to access the internet. Whenever i upgrade my internet software this happens. Even when i patched MSN Messenger with polgamy it prompt me and showed where exactly was the file changed. I hope most of the other firewall have this feature aswell.
CarTmanKILL
Dec 27 2004, 09:37 AM
this injection tools work very hard.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
 
Invision Power Board © 2001-2005 Invision Power Services, Inc.