[Introduction]This tutorial is for every level, from beginners to advanced (so to review some aspects or instructions)
I will use as much as i can C++ in this tutorial.
It is divided in 3 parts:
A -
Codecave Injection using CreateRemoteThread (with a part dedicated to Vista/Win7 users and RtlCreateUserThread)
B -
Code injection using SetWindowsHookExC -
Code Injection modifying the Main Thread (though an assembly function and shellcode)
We're going through the 3 kinds of injection.
Before any type of injection we need to get the right privileges, in particular SE_DEBUG_NAME, this is the function to get it:
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
after we need the PID of the target application, it can be got so:
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
now let's get started.
[A - CODECAVE INJECTION USING CreateRemoteThread]This method has been treated a lot on internet so i won't go through the code step by step, if you want to see the documented functions go to msdn.
steps:
- Open the target Process through the PID (Api used: OpenProcess())
- Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx())
- Write our function and parameters in the remote process (Api used: WriteProcessMemory())
- Execute the remote code and optionally free the remote memory (Api used: CreateRemoteThread() and VirtualFree())
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);
using namespace std;
struct PARAMETERS{
DWORD MessageBoxInj;
char text[50];
char caption[25];
int buttons;
// HWND handle;
};
DWORD getPid(string procName);
int privileges();
DWORD myFunc(PARAMETERS * myparam); //(if you use Dev-C++ put static before DWORD)
DWORD Useless(); ////(if you use Dev-C++ put static before DWORD)
int main()
{
privileges();
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1; //error
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
char * mytext = "Hello by CodeCave!";
char * mycaption = "Injection result";
PARAMETERS data; //let's fill in a PARAMETERS struct
HMODULE user32 = LoadLibrary("User32.dll");
data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA");
strcpy(data.text, mytext);
strcpy(data.caption, mycaption);
data.buttons = MB_OKCANCEL | MB_ICONQUESTION;
DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc; //this gets myFunc's size
//--------now we are ready to inject
LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL);
LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
if (thread!=0){
//injection completed, not we can wait it to end and free the memory
WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished
VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
CloseHandle(thread);
CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process
cout<<"Injection completed!"<<endl;
}else{
cout<<"Error!"<<endl;
}
system("PAUSE");
return EXIT_SUCCESS;
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
static DWORD myFunc(PARAMETERS * myparam){
MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj;
int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons);
switch(result){
case IDOK:
//your code
break;
case IDCANCEL:
//your code
break;
}
return 0;
}
static DWORD Useless(){
return 0;
}
//this function is needed to get some extra privileges so your code will be able to work without conflicts with the system
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
//Note the use of 'static': VisualC++ in debug mode put Useless() before of myFunc() because of
//name order from Z to A, so when we try to calculate the size of my func with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' to those functions (adpted to your compiler)
This code shows that we cannot pass more than 1 parameter to CreateRemoteThread so we need to create a struct (PARAMETERS) and pass it to the remote function
I did a tutorial in past for this, check out:
http://www.rohitab.c...ion-tutorial-c/[NOTE FOR VISTA/WIN7]CreateRemoteThread() for windows Vista and Windows 7 isn't working because of boundaries (msdn reference:
http://msdn.microsof...v=vs.85%29.aspx [end of the page]), the solution is the undocumented function NtCreateThreadEx(), we can get it from ntdll.dll, and replace CreateRemoteThread() with it in the above code (and remember to adjust the parameters)
I don't know why but some users found CreateRemoteThread working on Win7 x64, well, you're lucky... i think is just because of an update or different patch; by the way, from a result of searching on google "CreateRemoteThread Windows7", most of the Win7 users say it isn't working
#include "ntdef.h" //--> it has the definition of NTSTATUS
HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);
typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN LPTHREAD_START_ROUTINE lpStartAddress,
IN LPVOID lpParameter,
IN BOOL CreateSuspended,
IN DWORD StackZeroBits,
IN DWORD SizeOfStackCommit,
IN DWORD SizeOfStackReserve,
OUT LPVOID lpBytesBuffer
);
struct NtCreateThreadExBuffer
{
ULONG Size;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
};
HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){
HMODULE modNtDll = LoadLibrary("ntdll.dll");
if(!modNtDll){
cout<<"Error loading ntdll.dll"<<endl;
return 0;
}
LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");
if(!funNtCreateThreadEx){
cout<<"Error loading NtCreateThreadEx()"<<endl;
return 0;
}
NtCreateThreadExBuffer ntbuffer;
memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer));
DWORD temp1 = 0;
DWORD temp2 = 0;
ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
ntbuffer.Unknown1 = 0x10003;
ntbuffer.Unknown2 = 0x8;
ntbuffer.Unknown3 = &temp2;
ntbuffer.Unknown4 = 0;
ntbuffer.Unknown5 = 0x10004;
ntbuffer.Unknown6 = 4;
ntbuffer.Unknown7 = &temp1;
// ntbuffer.Unknown8 = 0;
HANDLE hThread;
NTSTATUS status = funNtCreateThreadEx(
&hThread,
0x1FFFFF,
NULL,
process,
(LPTHREAD_START_ROUTINE) Start,
lpParameter,
FALSE, //start instantly
0, //null
0, //null
0, //null
&ntbuffer
);
return hThread;
}
//so to use in the above code like this:
HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress);
//
//
[UNSING BOTH CreateRemoteThread AND NtCreateThreadEx]Performing Dll injection is much more easier, we don't have to create a struct of parameters beacause LoadLibraryA has only 1 parameter
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include "ntdef.h"
#include <tlhelp32.h>
//For Vista/Win7:
HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);
using namespace std;
DWORD getPid(string procName);
int privileges();
int main()
{
privileges(); //don't mind of the result, because maybe it fails because you already have that privilege
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1; //error
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
char * dll = "C:\\mydll.dll";
//--------now we are ready to inject
unsigned long LoadLib = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
LPVOID DataAddress = VirtualAllocEx(p, NULL, strlen(dll) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(p, DataAddress, dll, strlen(dll), NULL);
HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress, 0, NULL);
//For Vista/Win7
//HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress);
if (thread!=0){
//injection completed
WaitForSingleObject(thread, INFINITE); //this waits untill thread thread has finished
VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
CloseHandle(thread);
CloseHandle(p); //don't wait for the thread to finish, just close the handle to the process
cout<<"Injection completed!"<<endl;
}else{
cout<<"Error!"<<endl;
}
system("PAUSE");
return EXIT_SUCCESS;
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
//for VISTA/WIN7
typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
(
OUT PHANDLE hThread,
IN ACCESS_MASK DesiredAccess,
IN LPVOID ObjectAttributes,
IN HANDLE ProcessHandle,
IN LPTHREAD_START_ROUTINE lpStartAddress,
IN LPVOID lpParameter,
IN BOOL CreateSuspended,
IN DWORD StackZeroBits,
IN DWORD SizeOfStackCommit,
IN DWORD SizeOfStackReserve,
OUT LPVOID lpBytesBuffer
);
struct NtCreateThreadExBuffer
{
ULONG Size;
ULONG Unknown1;
ULONG Unknown2;
PULONG Unknown3;
ULONG Unknown4;
ULONG Unknown5;
ULONG Unknown6;
PULONG Unknown7;
ULONG Unknown8;
};
HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){
HMODULE modNtDll = LoadLibrary("ntdll.dll");
if(!modNtDll){
cout<<"Error loading ntdll.dll"<<endl;
return 0;
}
LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");
if(!funNtCreateThreadEx){
cout<<"Error loading NtCreateThreadEx()"<<endl;
return 0;
}
NtCreateThreadExBuffer ntbuffer;
memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer));
DWORD temp1 = 0;
DWORD temp2 = 0;
ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
ntbuffer.Unknown1 = 0x10003;
ntbuffer.Unknown2 = 0x8;
ntbuffer.Unknown3 = &temp2;
ntbuffer.Unknown4 = 0;
ntbuffer.Unknown5 = 0x10004;
ntbuffer.Unknown6 = 4;
ntbuffer.Unknown7 = &temp1;
// ntbuffer.Unknown8 = 0;
HANDLE hThread;
NTSTATUS status = funNtCreateThreadEx(
&hThread,
0x1FFFFF,
NULL,
process,
(LPTHREAD_START_ROUTINE) Start,
lpParameter,
FALSE, //start instantly
0, //null
0, //null
0, //null
&ntbuffer
);
return hThread;
}
so if we want to check which OS are we running so to use CreateRemoteThread and NtCreateThreadEx:
int CheckOSVersion()
{
/*
* Windows XP = 1 (NT 5.0)
* Windows Vista = 2 (NT 6.0)
* Windows 7 = 3 (NT 6.1)
* Windows 8 = 4 (NT 6.2) --> on Windows 8 CreateRemoteThread works perfectly!!
*/
OSVERSIONINFO osver;
osver.dwOSVersionInfoSize = sizeof(osver);
if (GetVersionEx(&osver))
{
if (!(osver.dwPlatformId == VER_PLATFORM_WIN32_NT))
return 0;
if (osver.dwMajorVersion == 5)
return 1;
if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0)
return 2;
if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1)
return 3;
if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2)
return 4;
}
else
return 0;
}
char type[50];
int os = CheckOSVersion();
if (os == 0) return 0;
if (os==1) strcpy(type, "Windows XP");
if (os==2) strcpy(type, "Windows Vista");
if (os==3) strcpy(type, "Windows 7");
if (os==4) strcpy(type, "Windows 8");
if you want to check if your application is a 64bit or 32bit by code:
//the size of void* is the answer
if (sizeof(void*) == 4) //is 32bit
if (sizeof(void*) == 8) //is 64bit
[IMPORTANT: 32-BIT / 64-BIT]This is a portability table:
- 32bit program inject 32bit dll in a 32bit target
- 32bit program inject 64bit dll in a 64bit target
- 64bit program inject 32bit dll in a 32bit target
- 64bit program inject 64bit dll in a 64bit target
the first type and the fourth type are easy to code, but if you dare getting in troubles with the second and the third take a look at this paper:
http://www.corsix.or...ction-and-wow64[RtlCreateUserThread - PROS AND CONS]I found many people talking about RtlCreateUserThread(), well it can be implemented easily (it is in ntdll.dll), but has a flaw, if you inject a dll with this function you cannot use CreateThread() inside it but you need to implement RtlCreateUserThread() in the dll too; i don't know why but it is so.
The implementation is:
typedef struct ID{
PVOID UniqueProcess;
PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
typedef long (*myRtlCreateUserThread)
(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID);
myRtlCreateUserThread RtlCreateUserThread;
RtlCreateUserThread=(myRtlCreateUserThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlCreateUserThread");
This function is much more different from the others (
http://waleedassar.b...ethread-vs.html) and requires different other functions (NT functions) to check the result thread, like: NtSetInformationThread, NT_ERROR, NtTerminateThread, NtResumeThread, NtWaitForSingleObject, NtClose...
[B - CODE INJECTION USING SetWindowsHookEx]Setting hooks is a tipical action of keyloggers over WH_KEYBOARD hook type.
This method makes them perfect in capturing key strokes BUT if we inject a dll using hooks the program that set the hook must keep running otherwise the dll is suddenly unloaded.
To perform this type of injection we don't need directly the PID of the process but the Thread ID of it.
We obtain the Thread ID from the PID:
DWORD GetThreadID(DWORD pid){
HANDLE hsnap;
THREADENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
pt.dwSize = sizeof(THREADENTRY32);
while (Thread32Next(hsnap, &pt)){
if(pt.th32OwnerProcessID == pid){
DWORD Thpid = pt.th32ThreadID;
CloseHandle(hsnap);
return Thpid;
}
};
CloseHandle(hsnap);
return 0;
}
Now let's jot down some code about SetWindowsHookEx()
#include <cstdlib>
#include <iostream>
#include "windows.h"
#include "tlhelp32.h"
using namespace std;
DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);
int main(int argc, char *argv[])
{
HHOOK hproc;
HOOKPROC cbt;
HMODULE dll = LoadLibrary("DllHook.dll"); //the dll tha we will inject that contains the hook procedure
cbt = (HOOKPROC)GetProcAddress(dll, "MyProcedure"); //get the address of our Procedure
DWORD id = GetThreadID(getPid("notepad.exe")); //in this example we want to set the hook in a specific target
if (id == 0) return 0; //if id == 0 means that the process isn't running
hproc = SetWindowsHookEx(WH_KEYBOARD, cbt, dll, id); //if we wanted to set the hook in every process we could replace 'id' with 0
cin.get();
UnhookWindowsHookEx(hproc); //When we want to remove the hook
return EXIT_SUCCESS;
}
DWORD GetThreadID(DWORD pid){
HANDLE hsnap;
THREADENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
pt.dwSize = sizeof(THREADENTRY32);
while (Thread32Next(hsnap, &pt)){
if(pt.th32OwnerProcessID == pid){
DWORD Thpid = pt.th32ThreadID;
CloseHandle(hsnap);
return Thpid;
}
};
CloseHandle(hsnap);
return 0;
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
Now the our Dll that contains the hook procedure (in this case is named DllHook.dll)
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp);
__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp){
//here goes our code
return CallNextHookEx(NULL, code, wp, lp); //this is needed to let other applications set other hooks on this target
}
BOOL APIENTRY DllMain (HINSTANCE hInst,
DWORD reason,
LPVOID reserved)
{
switch (reason)
{
case DLL_PROCESS_ATTACH:
break;
case DLL_PROCESS_DETACH:
break;
case DLL_THREAD_ATTACH:
break;
case DLL_THREAD_DETACH:
break;
}
/* Returns TRUE on success, FALSE on failure */
return TRUE;
}
[C - CODE INJECTION MODIFYING THE MAIN THREAD]This part is a bit more complicated, but works on any version of WINDOWS and doesn't need to keep the injector running
steps:
- Open the target Process through the PID (Api used: OpenProcess())
- Allocate space in the remote process for our function and parameters (Api used: VirtualAllocEx())
- Get the target process's thread ID
- Open the remote thread and suspend it (Api used: OpenThread() and SupendThread())
- Get the remote thread context (Api used: GetThreadContext())
- Saving the current Eip and setting it to the address of our injected function
- Write our function and parameters in the remote process (Api used: WriteProcessMemory())
- PATCH IN RUNTIME the injected function with the addresses of our parameters (Api used: WriteProcessMemory())
- Set the new remote thread context (Api used: SetThreadContext())
- Resume the remote thread and optionally free the memory (Api used: ResumeThread())
- Close the Handles (Api used: CloseHandle())
Before seeing the code i want to explain what our function will be.
It is an assembly code (or shellcode) that performs our operation, while coding we can't know the addresses of our parameters so we put placeholders, in other words, we put a label that will be replaced during execution with the right addresses.
the assembly function is:
push 0xACEACEAC ;-> placeholder for the address of our old EIP
pushfd ;->save all flags registers
pushad ;-> save all registers
push 0xACEACEAC ;->placeholder for the address of the string 'User32.dll'
mov ecx, 0xACEACEAC ;->placeholder for the address of LoadLibraryA
call ecx ;-> traslated in c++: LoadLibrary("User32.dll")
;now the address of the LOADED LIBRARY User32.dll is in eax register
push 0xACEACEAC ;->placeholder for the address of the string MessageBoxA
push eax ;->push User32.dll into the stack
mov edx,0xACEACEAC ;->placeholder for the address of GetProcAddress
call edx ;translated in c++: GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA")
;now the address of MessageBoxA is in eax register
push 0 ;push the fourth parameter of MessageBoxA (MB_OK)
push 0xACEACEAC ;->placeholder for the address of the text (3 parameter)
push 0xACEACEAC ;->placeholder for the address of the caption (2 parameter)
push 0 ;push the first parameter into the stack (don't bother)
call eax ;translated in c++: MessageBox(0, "caption", "text", MB_OK)
popad ;restore all the registers
popfd ;restore all the flags
ret ;get back to right execution
as i said before we can inject an assembly code or shellcode (they behave in the same way), so that assembly code converted in shellcode is:
char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3";
now lets see the real full code:
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
using namespace std;
int privileges();
DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);
__declspec() void myFunc(); //if you use Dev-C++ put static before __declspec()
__declspec() void Useless(); //if you use Dev-C++ put static before __declspec()
int _tmain()
{
privileges();
unsigned long oldIP;
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1;
cout<<pid<<endl;
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
char * user32 = "User32.dll";
char * MsgBox = "MessageBoxA";
char * testo = "REPORT";
char * mex = "INJECTION THREAD: SUCCESS!";
unsigned long size_myFunc = (unsigned long)Useless - (unsigned long)myFunc;
unsigned long GetProcAdr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress");
unsigned long Load = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");
void * mexAddress = VirtualAllocEx(p, NULL, strlen(mex)+1, MEM_COMMIT, PAGE_READWRITE);
void * testoAddress = VirtualAllocEx(p, NULL, strlen(testo)+1, MEM_COMMIT, PAGE_READWRITE);
void * MsgboxAddress = VirtualAllocEx(p, NULL, strlen(MsgBox)+1, MEM_COMMIT, PAGE_READWRITE);
void * DataAddress = VirtualAllocEx(p, NULL, strlen(user32)+1, MEM_COMMIT, PAGE_READWRITE);
void * MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, DataAddress, user32, strlen(user32), NULL); //string user32.dll
WriteProcessMemory(p, MsgboxAddress, MsgBox, strlen(MsgBox), NULL); //string MessageBoxA
WriteProcessMemory(p, testoAddress, testo, strlen(testo), NULL); //string for caption
WriteProcessMemory(p, mexAddress, mex, strlen(mex), NULL); //string for text
DWORD thID = GetThreadID(pid);
HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
SuspendThread(hThread);
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &ctx);
oldIP = ctx.Eip;
ctx.Eip = (DWORD)MyFuncAddress;
ctx.ContextFlags = CONTEXT_CONTROL;
WriteProcessMemory(p, MyFuncAddress, myFunc, size_myFunc, NULL);
//After writing the function we patch it with the right addresses
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); //Old EIP
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DataAddress, 4, NULL); //USER32.DLL
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load, 4, NULL); //LoadLibraryA
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 20), &MsgboxAddress, 4, NULL); //MessageBoxA
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 26), &GetProcAdr, 4, NULL); //GetProcAddress
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 35), &testoAddress, 4, NULL); //caption
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 40), &mexAddress, 4, NULL); //text
SetThreadContext(hThread, &ctx);
ResumeThread(hThread);
Sleep(1000); //wait a second!
//if we want to free the used memory and the injected code that will take a short time of execution,
//we can of course wait for it for a certain period with Sleep();
//but if the code will keep running with no ending we cannot free the memory otherwise it will crash the target application
//VirtualFreeEx(p, MyFuncAddress, size_myFunc, MEM_DECOMMIT);
//VirtualFreeEx(p, DataAddress, strlen(mytext)+1, MEM_DECOMMIT);
CloseHandle(p);
CloseHandle(hThread);
system("PAUSE");
return EXIT_SUCCESS;
}
DWORD GetThreadID(DWORD pid){
HANDLE hsnap;
THREADENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
pt.dwSize = sizeof(THREADENTRY32);
while (Thread32Next(hsnap, &pt)){
if(pt.th32OwnerProcessID == pid){
DWORD Thpid = pt.th32ThreadID;
CloseHandle(hsnap);
return Thpid;
}
};
CloseHandle(hsnap);
return 0;
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
static __declspec(naked) void myFunc(){
_asm {
push 0xACEACEAC
pushfd
pushad
push 0xACEACEAC
mov ecx, 0xACEACEAC
call ecx
push 0xACEACEAC
push eax
mov edx,0xACEACEAC
call edx
push 0
push 0xACEACEAC
push 0xACEACEAC
push 0
call eax
popad
popfd
ret
}
}
static __declspec(naked) void Useless(){ //this let's us calculate the address of MyFunc
_asm ret;
}
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
//Note the use of 'static': VisualC++ in debug mode put Useless() before of myFunc() because of
//name order from Z to A, so when we try to calculate the size of my func with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' to those functions (adpted to your compiler)
Now i want to explain a bit for who didn't understand how to patch the function.Before i stated that i put placeholders that will be replaced with the right addresses, to help you i posted the shellcode that come handy when looking for the offset(position) of the placeholders.
take a look at it, we want to patch the first item (oldIP), the placeholder is 0xACEACEAC that translated in hex is "\xac\xce\xea\xac".
Now, you need to know that "\xXX" you see is a traslated value, and the first time we meet "\xac\xce\xea\xac" is after 1 "\xXX"...
you have to consider any "\xXX" a posistion, so:
// . 0 . 1 . 2 . 3 . 4 . 5 . 6 . ...
//"\x68\xac\xce\xea\xac\x9c\x60...
so, the beginning address of MyFuncAddress corrisponds to . 0 . ( = \x68 ), and the beginning of the placeholder to . 1 . ( = \xac), so at MyFuncAddress + 1 we write the right address that will replace the first "\xac\xce\xea\xac"
if we look for the second we find it in the eighth position so MyFuncAddress + 8... so on until we patch them all.
we convent MyFuncAddress from void* to unsigned long so to do an aritmethic sum, then we convert the result back to void*
(void*)((unsigned long) MyFuncAddress + each_offset)
I noticed that people that use Dev-C++ get an error because it doesn't find OpenThread() and an error with asm tags, well i suggest you to get VisualC++...
By the way now i show you in a DLL INJECTION how you can get dinamically OpenThread() from kernel32.dll and use the shellcode instead of an asm tags:
#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
#include <shlwapi.h>
#pragma comment(lib, "shlwapi.lib")
using namespace std;
char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb8\xac\xce\xea\xac\xff\xd0\x61\x9d\xc3";
typedef HANDLE (WINAPI* OpenThreadfunc)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwThreadId);
OpenThreadfunc myOpenThread;
void setOpenThread();
int privileges();
DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);
int injectLibrary(char * process, char * dll);
HMODULE kernel;
int main(int argc, char *argv[])
{
injectLibrary("notepad.exe", "C:\\fullpath\\myDll.dll");
system("PAUSE");
return EXIT_SUCCESS;
}
int injectLibrary(char * process, char * dll){
setOpenThread();
if (myOpenThread == NULL){
cout<<"Error with OpenThread()"<<endl;
return 1;
}
unsigned long oldIP;
if (privileges()==1){ //if you want to check privileges you can, but some times if you are administrator you can perform injection without setting them
cout<<"Error couldn't get privileges..."<<endl;
}
DWORD pid = getPid("notepad.exe");
if (pid==0) return 1;
HANDLE p;
p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
if (p==NULL) return 1; //error
char * dllName = dll;
unsigned long shsize = strlen(shellcode);
unsigned long Load = (unsigned long)GetProcAddress(kernel, "LoadLibraryA");
void * DllAddress = VirtualAllocEx(p, NULL, strlen(dllName)+ 1, MEM_COMMIT,PAGE_READWRITE);
void * MyFuncAddress = VirtualAllocEx(p, NULL, shsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(p, DllAddress, dllName, strlen(dllName), NULL);
DWORD thID = GetThreadID(pid);
HANDLE hThread = myOpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
SuspendThread(hThread);
CONTEXT ctx;
ctx.ContextFlags = CONTEXT_CONTROL;
GetThreadContext(hThread, &ctx);
oldIP = ctx.Eip;
ctx.Eip = (DWORD)MyFuncAddress;
ctx.ContextFlags = CONTEXT_CONTROL;
WriteProcessMemory(p, MyFuncAddress, &shellcode, shsize, NULL);
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL);
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DllAddress, 4, NULL);
WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load, 4, NULL);
SetThreadContext(hThread, &ctx);
ResumeThread(hThread);
CloseHandle(p);
CloseHandle(hThread);
FreeLibrary(kernel);
return 0;
}
void setOpenThread(){
kernel = LoadLibrary("kernel32.dll");
if (kernel != NULL) myOpenThread = (OpenThreadfunc)GetProcAddress(kernel, "OpenThread");
}
DWORD getPid(string procName){
HANDLE hsnap;
PROCESSENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
pt.dwSize = sizeof(PROCESSENTRY32);
do{
if(!strcmp(pt.szExeFile, procName.c_str())){
DWORD pid = pt.th32ProcessID;
CloseHandle(hsnap);
return pid;
}
} while(Process32Next(hsnap, &pt));
CloseHandle(hsnap);
return 0;
}
DWORD GetThreadID(DWORD pid){
HANDLE hsnap;
THREADENTRY32 pt;
hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
pt.dwSize = sizeof(THREADENTRY32);
while (Thread32Next(hsnap, &pt)){
if(pt.th32OwnerProcessID == pid){
DWORD Thpid = pt.th32ThreadID;
CloseHandle(hsnap);
return Thpid;
}
};
CloseHandle(hsnap);
return 0;
}
int privileges(){
HANDLE Token;
TOKEN_PRIVILEGES tp;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
{
LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
tp.PrivilegeCount = 1;
tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
return 1; //FAIL
}else{
return 0; //SUCCESS
}
}
return 1;
}
ENJOY CODING! I hope it will come handy somehow!
![:)]()
//(Thanks to Napalm that let me correct the errors)
