.386
.model flat,stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
includelib \masm32\lib\kernel32.lib
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib
include \masm32\include\masm32.inc
includelib \masm32\lib\masm32.lib
GetPid PROTO :DWORD
injected_thread PROTO
CTEXT MACRO y:VARARG
LOCAL sym, dummy
dummy EQU $;; MASM error fix
CONST segment
IFIDNI <y>,<>
sym db 0
ELSE
sym db y,0
ENDIF
CONST ends
EXITM <OFFSET sym>
ENDM
.data?
Buffer db 256 dup(?)
ThePID dd ?
lpProcess dd ?
lpModule dd ?
lpNewModule dd ?
dwSize dd ?
lpPID dd ?
nBytesWritten dd ?
.code
start:
invoke GetModuleHandle,0
mov [lpModule], eax
mov edi,eax
add edi,[edi+3Ch]
add edi,4
add edi,14h
mov eax,[edi+38h]
mov [dwSize],eax
;next thing to do is to get the Process ID (PID)
;we can do this 2 ways either CreateToolhelp32Snapshot
;Invoke GetPid,CTEXT ('iexplore.exe')
;or...
invoke FindWindow,CTEXT ('IEFrame'),0 ;find iexplorer.exe window class
invoke GetWindowThreadProcessId, eax, addr ThePID ;get the PID :)
invoke OpenProcess,PROCESS_ALL_ACCESS, FALSE, ThePID ;open the process
mov [lpProcess],eax
invoke VirtualFreeEx, [lpProcess], [lpModule], 0, MEM_RELEASE
invoke VirtualAllocEx, [lpProcess], [lpModule], dwSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
invoke WriteProcessMemory, [lpProcess], eax, [lpModule], [dwSize], addr nBytesWritten
invoke CreateRemoteThread, [lpProcess], 0, 0, offset injected_thread, [lpModule], 0, ebx
invoke ExitProcess,0
injected_thread proc
invoke LoadLibrary,CTEXT ('user32.dll')
invoke MessageBox,0,CTEXT ('Success!!!'),CTEXT ('Hello From iexplorer'),0
invoke ExitThread,0
ret
injected_thread endp
GetPid proc szFile:dword
LOCAL Process:PROCESSENTRY32
mov Process.dwSize, sizeof Process
invoke CreateToolhelp32Snapshot, 2, 0
mov esi, eax
invoke Process32First, esi, addr Process
@@loop:
invoke lstrcmpiA,szFile, addr Process.szExeFile
test eax, eax
jnz @@continue
;if we are here then we got the pid (Process.th32ProcessID}
push Process.th32ProcessID
pop ThePID
jmp @@done
@@continue:
invoke Process32Next, esi, addr Process
test eax, eax
jz @@done
jmp @@loop
@@done:
invoke CloseHandle, esi
ret
GetPid endp
end start
Sponsored by: █ Sparkhost - Hosting Without Compromises! █ Hybrid Performance Web Hosting █ Spark Host Stream Hosting █ Hybrid IRC & IRCd Server Shell Accounts
Injecting Into Another Process
Started by
illwill
, Sep 22 2005 03:21 PM
18 replies to this topic
#1
illwill
-
- Sergeant Major
-
- 569 posts
Specialist
Posted 22 September 2005 - 03:21 PM
#2
No Dice
-
- Sergeant Major
-
- 723 posts
Retired GSO Second Lieutenant
Posted 22 September 2005 - 03:44 PM
Man I gotta learn code... What the hell do you do w/ this stuff? I see so much code posted and it looks interesting... Why is everything code? Why can't ppl just post the program? You ppl may see a blonde, brunette and a redhead.... But all I see is green lines... Being that there is so much code posted to this group, couldn't someone just give a detailed explanation for us newbies so that we can enjoy this stuff too???
Thx, NoDice
Thx, NoDice
#3
nolimit
-
- Members
-
- 387 posts
Staff Sergeant
Posted 22 September 2005 - 09:59 PM
Learn C, It's all downhill from there.
He has commented well enough (the ; lines) for you to understand what is going on. He's injecting raw code into remote applications, in this instance, iexplore.exe.
He has commented well enough (the ; lines) for you to understand what is going on. He's injecting raw code into remote applications, in this instance, iexplore.exe.
#4
setthesun
-
- Sergeant Major
-
- 574 posts
Sergeant First Class
Posted 22 September 2005 - 11:40 PM
I'm not good at Assembly but it seems easier than C for process injection.
setthesun me = new setthesun();
#5
hottzo
-
- Members
-
- 78 posts
Private First Class
Posted 23 September 2005 - 02:28 AM
very nice illwill.
it's the first time i see code that works that is a mix-up in c/assembly for process injection..
just for the record here is another way for process injection in c only:
http://www.codeguru....ticle.php/c5767
it's the first time i see code that works that is a mix-up in c/assembly for process injection..
just for the record here is another way for process injection in c only:
http://www.codeguru....ticle.php/c5767
#6
No Dice
-
- Sergeant Major
-
- 723 posts
Retired GSO Second Lieutenant
Posted 23 September 2005 - 10:05 AM
Learn C, It's all downhill from there.
He has commented well enough (the ; lines) for you to understand what is going on. He's injecting raw code into remote applications, in this instance, iexplore.exe.
Ok raw codes??.... So I can compile this w/ Dev C++ and then what? I'm not try'n to sound like a complete dumb a$$ but I'm just die'n to know exactly what to do w/ this code.
#7
illwill
-
- Sergeant Major
-
- 569 posts
Specialist
#8
nolimit
-
- Members
-
- 387 posts
Staff Sergeant
Posted 23 September 2005 - 12:42 PM
I'm not good at Assembly but it seems easier than C for process injection.
not necessarily. It depends on the person, but C is generally thought of as easier then assembly. I guess you could say it requires less instructions, and can be more efficient.
#9
dmh
-
- Members
-
- 20 posts
Private First Class
Posted 27 October 2005 - 06:32 AM
I'm not good at Assembly but it seems easier than C for process injection.
not necessarily. It depends on the person, but C is generally thought of as easier then assembly. I guess you could say it requires less instructions, and can be more efficient.
There isn't going to be much of a difference in the actual process, because it's done with windows API.
Why is everything code? Why can't ppl just post the program?
Wow, just wow. Ever heard of learning? Some peoples true intentions really do shine through.
#10
Dulcise
-
- Members
-
- 14 posts
Private
Posted 08 November 2005 - 11:54 AM
compiled this, but all it did was crash internet explorer (without the little popup 
), has anyone got this working?
), has anyone got this working?
#11
mas0
-
- Members
-
- 20 posts
Private First Class
Posted 08 November 2005 - 08:15 PM
Hey illwill... i know nothing abt asm coding thats for sure, but well i used injection in c ++ and delphi. And for all i know if you do not set debug priv to your injecting application it will cause the host application to crash. Im not sure if it works the same for asm but... i got many of my apps to crash because my injecting server didnt have the token privileges set. can you explain if i mis interpreted something?
#12
netcomm
-
- Members
-
- 121 posts
Specialist
Posted 08 November 2005 - 10:10 PM
Very nice, but there is a sample i have seen somwhere that looks very much like your post....
Wish i knew where it was...
Btw, if you guys want to learn asm tey debuging with ollydbg or such, get a feel for the workings of ASM it will set you on the right path..
and get MASM to TASM and just play its really quite simple once you get past all the BS.
Peace.
Wish i knew where it was...
Btw, if you guys want to learn asm tey debuging with ollydbg or such, get a feel for the workings of ASM it will set you on the right path..
and get MASM to TASM and just play its really quite simple once you get past all the BS.
Peace.
#13
Jeffrey
-
- Sergeant Major
-
- 1,109 posts
Specialist
Posted 03 February 2006 - 09:33 PM
Hey everyone, i posted an example of process injection on pscode.com written in C. Oh yeah by the way mas0, the processes didnt crash because you didnt have the debug token, if you do not have the debug token for a process that is not a relative of the injector(meaning that it was created by the same process ex. explorer.exe) then all attempts to open,write,createremotethread will fail.
Now the reason that the process kept crashing was most definitely because you were injecting it at an address that was not the original ImageBase. I conquered this by compiling the injector with relocations(.reloc section) and whenever i wanted to inject it into a process i would VirtualAllocEx memory at a random available address and then copying the injector process image to the new random available address in memory and updating the addresses with the new ImageBase.
So what was happening when your target process was crashing is that your injected process was trying to jump to the original unmodified injectors address instead of compensating for the new ImageBase.
And another thing, don't ask for the actual program, learn the code and understand it. If you don't understand the code, then you havn't earned the right to use the program. So get learning...after all, is'nt that what we are all here for?
Sincerely,
Anubis
Now the reason that the process kept crashing was most definitely because you were injecting it at an address that was not the original ImageBase. I conquered this by compiling the injector with relocations(.reloc section) and whenever i wanted to inject it into a process i would VirtualAllocEx memory at a random available address and then copying the injector process image to the new random available address in memory and updating the addresses with the new ImageBase.
So what was happening when your target process was crashing is that your injected process was trying to jump to the original unmodified injectors address instead of compensating for the new ImageBase.
And another thing, don't ask for the actual program, learn the code and understand it. If you don't understand the code, then you havn't earned the right to use the program. So get learning...after all, is'nt that what we are all here for?
Sincerely,
Anubis
#14
basixs
-
- Members
-
- 4 posts
Private
Posted 02 June 2008 - 05:35 AM
invoke GetModuleHandle,0 mov [lpModule], eax mov edi,eax add edi,[edi+3Ch] add edi,4 add edi,14h mov eax,[edi+38h] mov [dwSize],eax
I don't get this part.. it calculates the size of the injected function right? , but how? would u guys explain it?
#15
underpiksna
-
- Members
-
- 8 posts
Private
Posted 08 June 2008 - 02:36 AM
@basixs:
well, not really.
If you wanna understand this you should look up PE headers abit..
This part gets SizeOfImage from IMAGE_OPTIONAL_HEADER.
add edi,[edi+3Ch] ; <-- go to dosHdr->e_lfanew (sizeof(IMAGE_DOS_HEADER)=0x40 ; and LONG e_lfanew; is 4 bytes, dos 0x40-0x4 =>> 0x3C --> which will point us to IMAGE_NT_HEADERS
add edi,0x4 ; <-- mov 4 bytes up (DWORD Signature; from IMAGE_NT_HEADERS ; aka. "PE\0\0")
add edi, 0x14 ; <-- mov 0x14 bytes up (14 = sizeof(IMAGE_FILE_HEADER)) to get to IMAGE_OPTIONAL_HEADER32
mov eax,[edi+38h] ; <-- make eax point to IMAGE_OPTIONAL_HEADER.SizeOfImage
Why 38h?
Look at IMAGE_OPTIONAL_HEADER:
(WORD=2bytes ; BYTE = 1 byte; DWORD=4bytes;)
Hope this clears it up.
Enjoy,
_FIL73R_
well, not really.
If you wanna understand this you should look up PE headers abit..
This part gets SizeOfImage from IMAGE_OPTIONAL_HEADER.
add edi,[edi+3Ch] ; <-- go to dosHdr->e_lfanew (sizeof(IMAGE_DOS_HEADER)=0x40 ; and LONG e_lfanew; is 4 bytes, dos 0x40-0x4 =>> 0x3C --> which will point us to IMAGE_NT_HEADERS
add edi,0x4 ; <-- mov 4 bytes up (DWORD Signature; from IMAGE_NT_HEADERS ; aka. "PE\0\0")
add edi, 0x14 ; <-- mov 0x14 bytes up (14 = sizeof(IMAGE_FILE_HEADER)) to get to IMAGE_OPTIONAL_HEADER32
mov eax,[edi+38h] ; <-- make eax point to IMAGE_OPTIONAL_HEADER.SizeOfImage
Why 38h?
Look at IMAGE_OPTIONAL_HEADER:
(WORD=2bytes ; BYTE = 1 byte; DWORD=4bytes;)
WORD Magic; // 0
BYTE MajorLinkerVersion; // 1
BYTE MinorLinkerVersion; // 2
DWORD SizeOfCode; // 4
DWORD SizeOfInitializedData; // 8
DWORD SizeOfUninitializedData; // 12
DWORD AddressOfEntryPoint; // 16
DWORD BaseOfCode; // 20
DWORD BaseOfData; // 24
DWORD ImageBase; // 28
DWORD SectionAlignment; // 32
DWORD FileAlignment; // 36
WORD MajorOperatingSystemVersion; // 40
WORD MinorOperatingSystemVersion; // 42
WORD MajorImageVersion; // 44
WORD MinorImageVersion; // 46
WORD MajorSubsystemVersion; // 48
WORD MinorSubsystemVersion; // 50
DWORD Win32VersionValue; // 52
DWORD SizeOfImage; // 56 ; and in hex this is 0x38
Hope this clears it up.
Enjoy,
_FIL73R_
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
