In a 64-bit process, if I want to inject code into a 32-bit process:

Do I simply export the function from a 32-bit dll and perform my standard 64-bit injection function with the 32-bit code? If not, then how does this work?

#include <Windows.h>
#include <string.h>
#include <stdio.h>
#include <tchar.h>
#include "mem_map.h"

HMODULE load_dll(const char *dll_name)
{
	HMODULE module;

	module = GetModuleHandle(dll_name);
	if (!module)
		module = LoadLibrary(dll_name);
	return module;
}

void *get_proc_address(HMODULE module, const char *proc_name)
{
	char *modb = (char *)module;

	IMAGE_DOS_HEADER *dos_header = (IMAGE_DOS_HEADER *)modb;
	IMAGE_NT_HEADERS *nt_headers = (IMAGE_NT_HEADERS *)(modb + dos_header->e_lfanew);
	IMAGE_OPTIONAL_HEADER *opt_header = &nt_headers->OptionalHeader;
	IMAGE_DATA_DIRECTORY *exp_entry = (IMAGE_DATA_DIRECTORY *)
		(&opt_header->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]);
	IMAGE_EXPORT_DIRECTORY *exp_dir = (IMAGE_EXPORT_DIRECTORY *)(modb + exp_entry->VirtualAddress);

	void **func_table = (void **)(modb + exp_dir->AddressOfFunctions);
	WORD *ord_table = (WORD *)(modb + exp_dir->AddressOfNameOrdinals);
	char **name_table = (char **)(modb + exp_dir->AddressOfNames);
	void *address = NULL;

	DWORD i;

	/* is ordinal? */
	if (((DWORD)proc_name >> 16) == 0) {
		WORD ordinal = LOWORD(proc_name);
		DWORD ord_base = exp_dir->Base;
		/* is valid ordinal? */
		if (ordinal < ord_base || ordinal > ord_base + exp_dir->NumberOfFunctions)
			return NULL;
		
		/* taking ordinal base into consideration */
		address = (void *)(modb + (DWORD)func_table[ordinal - ord_base]);
	} else {
		/* import by name */
		for (i = 0; i < exp_dir->NumberOfNames; i++) {
			/* name table pointers are rvas */
			if (strcmp(proc_name, modb + (DWORD)name_table[i]) == 0)
				address = (void *)(modb + (DWORD)func_table[ord_table[i]]);
		}
	}

	/* is forwarded? */
	if ((char *)address >= (char *)exp_dir &&
		(char *)address < (char *)exp_dir + exp_entry->Size) {
		char *dll_name, *func_name;
		HMODULE frwd_module;

		dll_name = strdup((char *)address);
		if (!dll_name)
			return NULL;
		address = NULL;
		func_name = strchr(dll_name, '.');
		*func_name++ = 0;

		if (frwd_module = load_dll(dll_name))
			address = get_proc_address(frwd_module, func_name);

		free(dll_name);
	}

	return address;
}

#define MAKE_ORDINAL(val) (val & 0xffff)
int load_imports(IMAGE_IMPORT_DESCRIPTOR *imp_desc, void *load_address)
{
	while (imp_desc->Name || imp_desc->TimeDateStamp) {
		IMAGE_THUNK_DATA *name_table, *address_table, *thunk;
		char *dll_name = (char *)load_address + imp_desc->Name;
		HMODULE module;

		module = load_dll(dll_name);
		if (!module) {
			printf("error loading %s\n", dll_name);
			return 0;
		}

		name_table = (IMAGE_THUNK_DATA *)((char *)load_address + imp_desc->OriginalFirstThunk);
		address_table = (IMAGE_THUNK_DATA *)((char *)load_address + imp_desc->FirstThunk);

		/* if there is no name table, use address table */
		thunk = name_table == load_address ? address_table : name_table;
		if (thunk == load_address)
			return 0;

		while (thunk->u1.AddressOfData) {
			unsigned char *func_name;
			/* is ordinal? */
			if (thunk->u1.Ordinal & IMAGE_ORDINAL_FLAG)
				func_name = (unsigned char *)MAKE_ORDINAL(thunk->u1.Ordinal);
			else
				func_name = ((IMAGE_IMPORT_BY_NAME *)((char *)load_address + thunk->u1.AddressOfData))->Name;

			/* address_table->u1.Function = (DWORD)GetProcAddress(module, (char *)func_name); */
			address_table->u1.Function = (DWORD)get_proc_address(module, (char *)func_name);

			thunk++;
			address_table++;
		}
		imp_desc++;
	}
	return 1;
}

void fix_relocations(IMAGE_BASE_RELOCATION *base_reloc, DWORD dir_size,
		DWORD new_imgbase, DWORD old_imgbase)
{
	IMAGE_BASE_RELOCATION *cur_reloc = base_reloc, *reloc_end;
	DWORD delta = new_imgbase - old_imgbase;	

	reloc_end = (IMAGE_BASE_RELOCATION *)((char *)base_reloc + dir_size);
	while (cur_reloc < reloc_end && cur_reloc->VirtualAddress) {
		int count = (cur_reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
		WORD *cur_entry = (WORD *)(cur_reloc + 1);
		void *page_va = (void *)((char *)new_imgbase + cur_reloc->VirtualAddress);

		while (count--) {
			/* is valid x86 relocation? */
			if (*cur_entry >> 12 == IMAGE_REL_BASED_HIGHLOW)
				*(DWORD *)((char *)page_va + (*cur_entry & 0x0fff)) += delta;
			cur_entry++;
		}
		/* advance to the next one */
		cur_reloc = (IMAGE_BASE_RELOCATION *)((char *)cur_reloc + cur_reloc->SizeOfBlock);
	}
}

IMAGE_NT_HEADERS *get_nthdrs(void *map)
{
	IMAGE_DOS_HEADER *dos_hdr;
	dos_hdr = (IMAGE_DOS_HEADER *)map;
	return (IMAGE_NT_HEADERS *)((char *)map + dos_hdr->e_lfanew);
}

/* returns EP mem address on success
* NULL on failure
*/
void *load_pe(void *fmap)
{
	IMAGE_NT_HEADERS *nthdrs;
	IMAGE_DATA_DIRECTORY *reloc_entry, *imp_entry;
	void *vmap;
	WORD nsections, i;
	IMAGE_SECTION_HEADER *sec_hdr;
	size_t hdrs_size;
	IMAGE_BASE_RELOCATION *base_reloc;

	nthdrs = get_nthdrs(fmap);
	reloc_entry = &nthdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
	/* no reloc info? */
	if (!reloc_entry->VirtualAddress)
		return NULL;
	/* allocate executable mem (.SizeOfImage) */
	vmap = VirtualAlloc(NULL, nthdrs->OptionalHeader.SizeOfImage,
		MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	if (!vmap)
		return NULL;

	/* copy the Image + Sec hdrs */
	nsections = nthdrs->FileHeader.NumberOfSections;
	sec_hdr = IMAGE_FIRST_SECTION(nthdrs);
	hdrs_size = (char *)(sec_hdr + nsections) - (char *)fmap;
	memcpy(vmap, fmap, hdrs_size);
	/* copy the sections */
	for (i = 0; i < nsections; i++) {
		size_t sec_size;
		sec_size = sec_hdr[i].SizeOfRawData;
		memcpy((char *)vmap + sec_hdr[i].VirtualAddress,
			(char *)fmap + sec_hdr[i].PointerToRawData, sec_size);
	}

	/* load dlls */
	imp_entry = &nthdrs->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT];
	if (!load_imports((IMAGE_IMPORT_DESCRIPTOR *)
		((char *)vmap + imp_entry->VirtualAddress), vmap))
		goto cleanup;
	/* fix relocations */
	base_reloc = (IMAGE_BASE_RELOCATION *)((char *)vmap + reloc_entry->VirtualAddress);
	fix_relocations(base_reloc, reloc_entry->Size,
		(DWORD)vmap, nthdrs->OptionalHeader.ImageBase);
	return (void *)((char *)vmap + nthdrs->OptionalHeader.AddressOfEntryPoint);
cleanup:
	VirtualFree(vmap, 0, MEM_RELEASE);
	return NULL;
}

int vmem_exec(void *fmap)
{
	void *ep;

	ep = load_pe(fmap);
	if (!ep)
	    return 0;

	__asm {
	mov	ebx, fs:[0x30]
	mov	eax, ep
	call	eax
	}

	return 1;
}

i am trying to execute a cmd.exe tasklist command and get the output but it doesn't work

#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[]) {
	SECURITY_ATTRIBUTES sa = {0};
	sa.nLength = sizeof(sa);
	sa.lpSecurityDescriptor = NULL;
	sa.bInheritHandle = TRUE;

	HANDLE hStdOutRd, hStdOutWr;
	HANDLE hStdErrRd, hStdErrWr;

	if (!CreatePipe(&hStdOutRd, &hStdOutWr, &sa, 0))
	{
		// error handling...
	}

	if (!CreatePipe(&hStdErrRd, &hStdErrWr, &sa, 0))
	{
		// error handling...
	}

	SetHandleInformation(hStdOutRd, HANDLE_FLAG_INHERIT, 0);
	SetHandleInformation(hStdErrRd, HANDLE_FLAG_INHERIT, 0);

	STARTUPINFOA si = {sizeof(si)};
	si.dwFlags = STARTF_USESTDHANDLES;
	si.hStdInput = GetStdHandle(STD_INPUT_HANDLE);
	si.hStdOutput = hStdOutWr;
	si.hStdError = hStdErrWr;

	PROCESS_INFORMATION pi;

	if (!CreateProcessA(NULL, "cmd.exe", NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
	{
		// error handling...
	}
	else
	{
		// read from hStdOutRd and hStdErrRd as needed until the process is terminated...

		char buff[512] = "";
		DWORD dwRead;

		ReadFile(hStdOutRd, buff, 512, &dwRead, NULL);
		printf(buff);

		DWORD b;
		char cmd[] = "tasklist\r\n";
		WriteFile(hStdOutWr, cmd, sizeof(cmd), &b, NULL);

		ReadFile(hStdOutRd, buff, 512, &dwRead, NULL);
		printf(buff);

		CloseHandle(pi.hThread);
		CloseHandle(pi.hProcess);
	}

	CloseHandle(hStdOutRd);
	CloseHandle(hStdOutWr);
	CloseHandle(hStdErrRd);
	CloseHandle(hStdErrWr);

	return 0;
}

I am not too much familiar with executables compiled throught c++ win32 atl mfc pure c or whatever that can create an executable and also i am total newbie when it comes to hacking stuff so i would like to ask for anyone that knows how to protect cause he knows how to brake this simple question.

How protected is an exe file while running as internal function processes variables conmmunications internals and externals

and what can a hacker that would like to mess around with an exe application can get out of it ?

Just lounge informative infos to get me straight into the point of some kind of protection in applications.

#include <winternl.h>
#include <windows.h>
#include <stdio.h>
#define SE_DEBUG_PRIVILEGE 20
NTSTATUS NTAPI RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled);

LONG CALLBACK VectoredHandler(PEXCEPTION_POINTERS ExceptionInfo){
	if(ExceptionInfo->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT){
		MessageBox(NULL, "DebugBreakProcess!", NULL, MB_OK);
		return EXCEPTION_CONTINUE_EXECUTION;
	}
}

VOID WinMainCRTStartup(VOID){
	DWORD ProcessId;
	scanf("%d", &ProcessId);
	BOOLEAN Enabled;
	if(NT_SUCCESS(RtlAdjustPrivilege(SE_DEBUG_PRIVILEGE, TRUE, FALSE, &Enabled))){
		if(Enabled){
			puts("What!");
		} else {
			HANDLE Handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessId);
			if(Handle){
				if(AddVectoredExceptionHandler(TRUE, VectoredHandler)){
					if(DebugBreakProcess(Handle)){ // Return Ok but doesnt trigger VEH !
						puts("Ok");
					}
					// DebugBreak(); Work fine !
				}
			}
		}
	}
	ExitProcess(0);
}

Why DebugBreakProcess doesnt trigger when OpenProcess open the current process ?

Is it possible to catch exceptions from other process since it's implementation require peb (see http://www.codereversing.com/blog/archives/207) ?

Th

is is a little lame I know, but I made this a while ago and I got a couple of crashes, but it is really hard on the cpu, gets REALLY hot!

#Coded by Mist


#include <Windows.h>
#include<stdio.h>

#define MAX_OPCODE_SIZE 16 //16-bytes

struct OPCODE_BLOB
{
	unsigned long long op_byte8;
	unsigned long long op_byte16;
};

HANDLE g_proc;
HANDLE g_thread;
HANDLE g_watcherThread;
HANDLE g_hfile;
unsigned long g_pid;
bool g_bp1_done;
bool  g_oep_set;
bool g_bp_setup;
bool g_shutdown_debugger;
bool g_restart_debugger;
char* g_lpmem;
LPVOID g_oep_entry;
CONTEXT g_snap_context;
LPVOID g_op_write_address;
OPCODE_BLOB g_OP_BLOB;
unsigned long long g_last_val;

unsigned long long GetNewRegValue(bool is_address);
bool StartDebugging(char* debuggee_name);
void ProcessDebugEvent(DEBUG_EVENT* lpDebugEvent);
OPCODE_BLOB BuildOpcode();
bool WriteMem(HANDLE hProc, LPVOID write_address, LPCVOID buffer, SIZE_T size);
void TimeoutCheck();
void ChangeRegisters();

unsigned long long GetNewRegValue(bool is_address)
{
	return 0;
}

void ChangeRegisters()
{
	////mutate the regs before we reset a new opcode into memory
	//CONTEXT mutant_context;
	////apply more kmode possible addresses
	//mutant_context.Rax = GetNewRegValue(false);
	//mutant_context.



}

void TimeoutCheck()
{
	//set the time out max at 0.2sec after which we launch a new debuggee
	g_last_val = 0;
	for (;;) {
		Sleep(100);
		if (g_OP_BLOB.op_byte8 == 0)
			Sleep(1500); //have a bigger sleep 
		if (g_last_val == g_OP_BLOB.op_byte8) {
			//its been sitting on this blob too long
			g_last_val = g_OP_BLOB.op_byte8;
			printf_s("possible tight loop @ 0x%I64x\n", g_last_val);
			//shutdown the debugger
			TerminateProcess(g_proc, 0);
			//cleanup
			CloseHandle(g_thread);
			CloseHandle(g_proc);
			CloseHandle(g_hfile);
		}
		else {
			g_last_val = g_OP_BLOB.op_byte8;
		}
	}
}

//add fuzzable inputs in this function
OPCODE_BLOB BuildOpcode()
{
	if (g_OP_BLOB.op_byte8 < 0xFFFFFFFFFFFFFFFF) {
		g_OP_BLOB.op_byte8++;
	} else {
		g_OP_BLOB.op_byte8++;
		g_OP_BLOB.op_byte16++;
	}
	return g_OP_BLOB;
}

bool WriteMem(HANDLE hProc, LPVOID write_address, LPCVOID buffer, SIZE_T size)
{
	DWORD oldProtect = 0;
	SIZE_T bytes_written = 0;
	if (VirtualProtectEx(hProc, write_address, MAX_OPCODE_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect)) {
		if (WriteProcessMemory(hProc, write_address, buffer, MAX_OPCODE_SIZE, &bytes_written)) {
			if (FlushInstructionCache(hProc, write_address, MAX_OPCODE_SIZE)) {
				if (VirtualProtectEx(hProc, write_address, MAX_OPCODE_SIZE, oldProtect, &oldProtect)) {
					return true;
				}
			}
		}
	}
	return false;
}

void ProcessDebugEvent(DEBUG_EVENT* lpDebugEvent)
{
	if ((lpDebugEvent->dwDebugEventCode) == CREATE_PROCESS_DEBUG_EVENT) {
		g_oep_entry = (LPVOID)lpDebugEvent->u.CreateProcessInfo.lpStartAddress;
		g_hfile = lpDebugEvent->u.CreateProcessInfo.hFile;
	}

	//close the loaded module handles for fuzzing applications to prevent resource leaks
	if ((lpDebugEvent->dwDebugEventCode) == LOAD_DLL_DEBUG_EVENT) {
		CloseHandle((LPVOID)lpDebugEvent->u.LoadDll.hFile);
	}

	if ((lpDebugEvent->dwDebugEventCode) == EXIT_PROCESS_DEBUG_EVENT) {
		//restart the debugger and debuggee
		g_restart_debugger = true;
		return;
	}

	if ((lpDebugEvent->dwDebugEventCode) == EXCEPTION_DEBUG_EVENT) {
		DWORD PID = lpDebugEvent->dwProcessId;
		DWORD TID = lpDebugEvent->dwThreadId;
		if (lpDebugEvent->u.Exception.ExceptionRecord.ExceptionCode == EXCEPTION_BREAKPOINT && g_bp_setup == false) {
			if (g_bp1_done == true && g_oep_set == false) {
				g_op_write_address = lpDebugEvent->u.Exception.ExceptionRecord.ExceptionAddress;

				//SNAP CONTEXT HERE
				g_snap_context.ContextFlags = CONTEXT_ALL;
				GetThreadContext(g_thread, &g_snap_context);
				DWORD ec = GetLastError();
				WriteMem(g_proc, g_oep_entry, "\x00\x00\x00\x00", 4); //overwrite the instructions at the entry point to decrease tight loops executing

				g_oep_set = true;
				g_bp_setup = true;
			}
			else {

				if (g_bp1_done == false) {
					g_bp1_done = true;
					return;
				}
			}
		} else {
				//got an exception so  write a new opcode_blob and restore the context
				OPCODE_BLOB ob = BuildOpcode();

				if (ob.op_byte8 == 0xFFFFFFFFFFFFFFFF && ob.op_byte16 == 0xFFFFFFFFFFFFFFFF) {
					DebugActiveProcessStop(PID);
					//stop the watcher thread
					TerminateThread(g_watcherThread, 0);
					TerminateProcess(g_proc, 0);
					g_shutdown_debugger = true;
					return;
				}

				if((ob.op_byte8 % 0x100) == 0)
					printf_s("0x%I64x %I64x\n", ob.op_byte8, ob.op_byte16);				

				CopyMemory(g_lpmem, (const void*)&ob.op_byte8, sizeof(ob.op_byte8));
				CopyMemory(&(g_lpmem[sizeof(ob.op_byte8)]), (const void*)&ob.op_byte16, sizeof(ob.op_byte16));
				WriteMem(g_proc, g_op_write_address, g_lpmem, MAX_OPCODE_SIZE);

			    //RESTORE CONTEXT
				SetThreadContext(g_thread, &g_snap_context);
		}
	}
	return;
}

bool StartDebugging(char* debuggee_name)
{
	STARTUPINFOA si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(si));
	si.cb = sizeof(si);
	ZeroMemory(&pi, sizeof(pi));

	CreateProcessA(debuggee_name, NULL, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS, NULL, NULL, &si, &pi);

	g_pid = pi.dwProcessId;
	g_proc = pi.hProcess;
	g_thread = pi.hThread;
	g_shutdown_debugger = false;
	g_restart_debugger = false;

	DEBUG_EVENT debug_event = { 0 };
	for (;;)
	{
		if (!WaitForDebugEvent(&debug_event, INFINITE))
			return false;
		ProcessDebugEvent(&debug_event); 
		if (g_shutdown_debugger)
			return true;
		if (g_restart_debugger) {
			ContinueDebugEvent(debug_event.dwProcessId, debug_event.dwThreadId, DBG_EXCEPTION_NOT_HANDLED);
			return false;
		}
		ContinueDebugEvent(debug_event.dwProcessId,
			debug_event.dwThreadId,
			DBG_CONTINUE);
	}
	return true;
}

int main(int argc, char *argv[])
{
	if (argc != 2)
	{
		printf_s("usage: %s [start value in hex]\n", argv[0]);
		return 0;
	} 

	if (sscanf_s(argv[1], "%I64x", &g_OP_BLOB.op_byte8) == EOF) {
		printf_s("buffer value is out of type range\n");
		return 0;
	}

	g_OP_BLOB.op_byte16 = 0;

	__try
	{
		g_watcherThread = CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)TimeoutCheck, NULL, 0, NULL);
		g_lpmem = (char*)malloc(20);

		printf_s("Starting Fuzz for fuzzoptesthost.exe\n");
		StartDebugging("C:\\fuzzoptesthost.exe");	

		while (g_restart_debugger) {
			if (g_restart_debugger && (g_OP_BLOB.op_byte8 < 0xFFFFFFFFFFFFFFFF && g_OP_BLOB.op_byte16 < 0xFFFFFFFFFFFFFFFF)) {
				g_restart_debugger = false;
				StartDebugging("C:\\fuzzoptesthost.exe");
			}
		}
		printf_s("Done \n");
	}
	__except (1) {
		printf_s("Exception hit\n");
	}
	free(g_lpmem);
	getchar();
	return 0;
}

I am trying to run maltego over tor connection but it never finishes loading. Is it an authentication problem because I am using tor? I know they have a captcha when you first sign up. Would like to hear anyones thoughts on the matter.

KUSER_SHARED_DATA is a data structure that contains a lot of Windows system information. It is always located in user mode at 0x7ffe0000, even on 64-bit Windows. At 0x7ffe0030, the full path of the Windows directory is stored there. The Windows version number is stored at 0x7ffe026c and 0x7ffe0270. 0x7ffe026c is the major version number, and 0x7ffe0270 is the minor version number.

The format of KUSER_SHARED_DATA is shown below.

typedef struct _KUSER_SHARED_DATA
{
     ULONG TickCountLowDeprecated;
     ULONG TickCountMultiplier;
     KSYSTEM_TIME InterruptTime;
     KSYSTEM_TIME SystemTime;
     KSYSTEM_TIME TimeZoneBias;
     WORD ImageNumberLow;
     WORD ImageNumberHigh;
     WCHAR NtSystemRoot[260];
     ULONG MaxStackTraceDepth;
     ULONG CryptoExponent;
     ULONG TimeZoneId;
     ULONG LargePageMinimum;
     ULONG Reserved2[7];
     NT_PRODUCT_TYPE NtProductType;
     UCHAR ProductTypeIsValid;
     ULONG NtMajorVersion;
     ULONG NtMinorVersion;
     UCHAR ProcessorFeatures[64];
     ULONG Reserved1;
     ULONG Reserved3;
     ULONG TimeSlip;
     ALTERNATIVE_ARCHITECTURE_TYPE AlternativeArchitecture;
     LARGE_INTEGER SystemExpirationDate;
     ULONG SuiteMask;
     UCHAR KdDebuggerEnabled;
     UCHAR NXSupportPolicy;
     ULONG ActiveConsoleId;
     ULONG DismountCount;
     ULONG ComPlusPackage;
     ULONG LastSystemRITEventTickCount;
     ULONG NumberOfPhysicalPages;
     UCHAR SafeBootMode;
     ULONG SharedDataFlags;
     ULONG DbgErrorPortPresent: 1;
     ULONG DbgElevationEnabled: 1;
     ULONG DbgVirtEnabled: 1;
     ULONG DbgInstallerDetectEnabled: 1;
     ULONG SystemDllRelocated: 1;
     ULONG SpareBits: 27;
     UINT64 TestRetInstruction;
     ULONG SystemCall;
     ULONG SystemCallReturn;
     UINT64 SystemCallPad[3];
     union
     {
          KSYSTEM_TIME TickCount;
          UINT64 TickCountQuad;
     };
     ULONG Cookie;
     INT64 ConsoleSessionForegroundProcessId;
     ULONG Wow64SharedInformation[16];
     WORD UserModeGlobalLogger[8];
     ULONG HeapTracingPid[2];
     ULONG CritSecTracingPid[2];
     ULONG ImageFileExecutionOptions;
     union
     {
          UINT64 AffinityPad;
          ULONG ActiveProcessorAffinity;
     };
     UINT64 InterruptTimeBias;
} KUSER_SHARED_DATA, *PKUSER_SHARED_DATA;

Reference:

http://www.nirsoft.net/kernel_struct/vista/KUSER_SHARED_DATA.html

DLL_PROCESS_DETACH and PROCESS_THREAD_DETACH notifications are sent with the LdrShutdownProcess and LdrShutdownThread function. These functions are called when processes or threads terminates themselves by calling the ExitProcess or ExitThread function.

The function prototype of LdrShutdownProcess and LdrShutdownThread is shown below.

void NTAPI LdrShutdownProcess()

void NTAPI LdrShutdownThread()

Hi This is Jenifar.Now i work in Indian visa online system.indian visa servar is now start a system.When i select appoinment Date i also give a captcha code.But this time not show captch cuz servar are so busy,That's why can't get appoinment.So i want how to vaypas captcha code in indian visa servar?If anyone want see sarvar plz notice me Thanks.I also Attach code on this page.

http://blog.eset.ie/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/

Thought some of you guys would be interested in this one. Some of the techniques used are interesting.  

How win32 Application such Google Chrome or Firefox has to design while Creating basic 

win32 application is not like that well designed. 

Thanks 

int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}

DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}

#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>

typedef int (WINAPI* MsgBoxParam)(HWND, LPCSTR, LPCSTR, UINT);
using namespace std;

struct PARAMETERS{
		  DWORD MessageBoxInj;
		  char text[50];		
		  char caption[25];
		  int buttons;
//		  HWND handle;
};

DWORD getPid(string procName);
int privileges();
DWORD myFunc(PARAMETERS * myparam); //(if you use Dev-C++ put static before DWORD)
DWORD Useless(); ////(if you use Dev-C++ put static before DWORD)

int main()
{
  privileges();  

  DWORD pid = getPid("notepad.exe");
  if (pid==0) return 1; //error

   HANDLE p;
   p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
   if (p==NULL) return 1; //error

   char * mytext = "Hello by CodeCave!";
   char * mycaption = "Injection result";

   PARAMETERS data;	  //let's fill in a PARAMETERS struct
   HMODULE user32 = LoadLibrary("User32.dll");
   data.MessageBoxInj = (DWORD)GetProcAddress(user32, "MessageBoxA");
   strcpy(data.text, mytext);
   strcpy(data.caption, mycaption);
   data.buttons = MB_OKCANCEL | MB_ICONQUESTION;


   DWORD size_myFunc = (PBYTE)Useless - (PBYTE)myFunc;  //this gets myFunc's size


   //--------now we are ready to inject


   LPVOID MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE);

   WriteProcessMemory(p, MyFuncAddress, (void*)myFunc,size_myFunc, NULL);

	
   LPVOID DataAddress = VirtualAllocEx(p,NULL,sizeof(PARAMETERS),MEM_RESERVE|MEM_COMMIT,PAGE_READWRITE);

   WriteProcessMemory(p, DataAddress, &data, sizeof(PARAMETERS), NULL);

   HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress, 0, NULL);
	
	if (thread!=0){
		//injection completed, not we can wait it to end and free the memory
		WaitForSingleObject(thread, INFINITE);   //this waits untill thread thread has finished
		VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
		VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
		CloseHandle(thread);
		CloseHandle(p);  //don't wait for the thread to finish, just close the handle to the process
		cout<<"Injection completed!"<<endl;
	 }else{
   				   cout<<"Error!"<<endl;
	 }

	
	system("PAUSE");
	return EXIT_SUCCESS;
}

DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}

static DWORD myFunc(PARAMETERS * myparam){
			 MsgBoxParam MsgBox = (MsgBoxParam)myparam->MessageBoxInj;
			 int result = MsgBox(0, myparam->text, myparam->caption, myparam->buttons);
			 switch(result){
		   		  case IDOK:
		   		  //your code		  
		   		  break;			
		   		  case IDCANCEL:
		   		  //your code
		   		  break;
			 }
			 return 0;
}

static DWORD Useless(){  
  return 0;
}

//this function is needed to get some extra privileges so your code will be able to work without conflicts with the system
int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}

//Note the use of 'static': VisualC++ in debug mode put Useless() before of myFunc() because of
//name order from Z to A, so when we try to calculate the size of my func with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' to those functions (adpted to your compiler)

#include "ntdef.h" //--> it has the definition of NTSTATUS


HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);

typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
(
  OUT PHANDLE hThread,
  IN ACCESS_MASK DesiredAccess,
  IN LPVOID ObjectAttributes,
  IN HANDLE ProcessHandle,
  IN LPTHREAD_START_ROUTINE lpStartAddress,
  IN LPVOID lpParameter,
  IN BOOL CreateSuspended,
  IN DWORD StackZeroBits,
  IN DWORD SizeOfStackCommit,
  IN DWORD SizeOfStackReserve,
  OUT LPVOID lpBytesBuffer
);

struct NtCreateThreadExBuffer
{
  ULONG Size;
  ULONG Unknown1;
  ULONG Unknown2;
  PULONG Unknown3;
  ULONG Unknown4;
  ULONG Unknown5;
  ULONG Unknown6;
  PULONG Unknown7;
  ULONG Unknown8;
};

HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){
	
	HMODULE modNtDll = LoadLibrary("ntdll.dll");

	if(!modNtDll){
	   cout<<"Error loading ntdll.dll"<<endl;
	   return 0;
	}

	LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");

	if(!funNtCreateThreadEx){
	   cout<<"Error loading NtCreateThreadEx()"<<endl;
	   return 0;
	}
	NtCreateThreadExBuffer ntbuffer;

	memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer));
	DWORD temp1 = 0;
	DWORD temp2 = 0;

	ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
	ntbuffer.Unknown1 = 0x10003;
	ntbuffer.Unknown2 = 0x8;
	ntbuffer.Unknown3 = &temp2;
	ntbuffer.Unknown4 = 0;
	ntbuffer.Unknown5 = 0x10004;
	ntbuffer.Unknown6 = 4;
	ntbuffer.Unknown7 = &temp1;
   // ntbuffer.Unknown8 = 0;

	HANDLE hThread;  
	NTSTATUS status = funNtCreateThreadEx(
						&hThread,
						0x1FFFFF,
						NULL,
						process,
						(LPTHREAD_START_ROUTINE) Start,
						lpParameter,
						FALSE, //start instantly
						0, //null
						0, //null
						0, //null
						&ntbuffer
						);
						
	  
	return hThread;

}


//so to use in the above code like this:

HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)MyFuncAddress, DataAddress);
//
//

#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include "ntdef.h"
#include <tlhelp32.h>

//For Vista/Win7:
HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter);

using namespace std;

DWORD getPid(string procName);
int privileges();

int main()
{
   privileges();  //don't mind of the result, because maybe it fails because you already have that privilege

   DWORD pid = getPid("notepad.exe");
   if (pid==0) return 1; //error

   HANDLE p;
   p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
   if (p==NULL) return 1; //error

   char * dll = "C:\\mydll.dll";

   //--------now we are ready to inject

   unsigned long LoadLib = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

   LPVOID DataAddress = VirtualAllocEx(p, NULL, strlen(dll) + 1, MEM_RESERVE|MEM_COMMIT, PAGE_READWRITE);

   WriteProcessMemory(p, DataAddress, dll, strlen(dll), NULL);


   HANDLE thread = CreateRemoteThread(p, NULL, 0, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress, 0, NULL);
  //For Vista/Win7
  //HANDLE thread = NtCreateThreadEx(p, (LPTHREAD_START_ROUTINE)LoadLib, DataAddress);
	
	if (thread!=0){
			   //injection completed
			   WaitForSingleObject(thread, INFINITE);   //this waits untill thread thread has finished
			   VirtualFree(MyFuncAddress, 0, MEM_RELEASE); //free myFunc memory
			   VirtualFree(DataAddress, 0, MEM_RELEASE); //free data memory
	   		CloseHandle(thread);
			   CloseHandle(p);  //don't wait for the thread to finish, just close the handle to the process
			   cout<<"Injection completed!"<<endl;
	 }else{
			   cout<<"Error!"<<endl;
	 }

	
	system("PAUSE");
	return EXIT_SUCCESS;
}

DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}

int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}


//for VISTA/WIN7


typedef NTSTATUS (WINAPI *LPFUN_NtCreateThreadEx)
(
  OUT PHANDLE hThread,
  IN ACCESS_MASK DesiredAccess,
  IN LPVOID ObjectAttributes,
  IN HANDLE ProcessHandle,
  IN LPTHREAD_START_ROUTINE lpStartAddress,
  IN LPVOID lpParameter,
  IN BOOL CreateSuspended,
  IN DWORD StackZeroBits,
  IN DWORD SizeOfStackCommit,
  IN DWORD SizeOfStackReserve,
  OUT LPVOID lpBytesBuffer
);

struct NtCreateThreadExBuffer
{
  ULONG Size;
  ULONG Unknown1;
  ULONG Unknown2;
  PULONG Unknown3;
  ULONG Unknown4;
  ULONG Unknown5;
  ULONG Unknown6;
  PULONG Unknown7;
  ULONG Unknown8;
};

HANDLE NtCreateThreadEx(HANDLE process, LPTHREAD_START_ROUTINE Start, LPVOID lpParameter){
	
	HMODULE modNtDll = LoadLibrary("ntdll.dll");

	if(!modNtDll){
	   cout<<"Error loading ntdll.dll"<<endl;
	   return 0;
	}

	LPFUN_NtCreateThreadEx funNtCreateThreadEx = (LPFUN_NtCreateThreadEx) GetProcAddress(modNtDll, "NtCreateThreadEx");

	if(!funNtCreateThreadEx){
	   cout<<"Error loading NtCreateThreadEx()"<<endl;
	   return 0;
	}
	NtCreateThreadExBuffer ntbuffer;

	memset (&ntbuffer,0,sizeof(NtCreateThreadExBuffer));
	DWORD temp1 = 0;
	DWORD temp2 = 0;

	ntbuffer.Size = sizeof(NtCreateThreadExBuffer);
	ntbuffer.Unknown1 = 0x10003;
	ntbuffer.Unknown2 = 0x8;
	ntbuffer.Unknown3 = &temp2;
	ntbuffer.Unknown4 = 0;
	ntbuffer.Unknown5 = 0x10004;
	ntbuffer.Unknown6 = 4;
	ntbuffer.Unknown7 = &temp1;
   // ntbuffer.Unknown8 = 0;

	HANDLE hThread;  
	NTSTATUS status = funNtCreateThreadEx(
						&hThread,
						0x1FFFFF,
						NULL,
						process,
						(LPTHREAD_START_ROUTINE) Start,
						lpParameter,
						FALSE, //start instantly
						0, //null
						0, //null
						0, //null
						&ntbuffer
						);
						
	  
	return hThread;

}

int CheckOSVersion()
{
/*
* Windows XP = 1 (NT 5.0)
* Windows Vista = 2 (NT 6.0)
* Windows 7 = 3 (NT 6.1)
* Windows 8 = 4 (NT 6.2)	 --> on Windows 8 CreateRemoteThread works perfectly!!
*/
OSVERSIONINFO osver;
osver.dwOSVersionInfoSize = sizeof(osver);
if (GetVersionEx(&osver))
{
  if (!(osver.dwPlatformId == VER_PLATFORM_WIN32_NT))  
   return 0;
  if (osver.dwMajorVersion == 5)
   return 1;
  if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 0)
   return 2;
  if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 1)	
   return 3;  
  if (osver.dwMajorVersion == 6 && osver.dwMinorVersion == 2)	
   return 4;
}
else
  return 0;
}

	char type[50];
	
	int os = CheckOSVersion();
	if (os == 0) return 0;
	if (os==1) strcpy(type, "Windows XP");
	if (os==2) strcpy(type, "Windows Vista");
	if (os==3) strcpy(type, "Windows 7");
	if (os==4) strcpy(type, "Windows 8");

//the size of void* is the answer
if (sizeof(void*) == 4) //is 32bit
if (sizeof(void*) == 8) //is 64bit

typedef struct ID{
	PVOID UniqueProcess;
	PVOID UniqueThread;
} CLIENT_ID, *PCLIENT_ID;

typedef long (*myRtlCreateUserThread)
(HANDLE, PSECURITY_DESCRIPTOR, BOOLEAN, ULONG, PULONG, PULONG, PVOID, PVOID, PHANDLE, PCLIENT_ID);

myRtlCreateUserThread RtlCreateUserThread;

RtlCreateUserThread=(myRtlCreateUserThread)GetProcAddress(GetModuleHandle("ntdll.dll"),"RtlCreateUserThread");

DWORD GetThreadID(DWORD pid){
	  HANDLE hsnap;
	  THREADENTRY32 pt;
	  hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	  pt.dwSize = sizeof(THREADENTRY32);
	  while (Thread32Next(hsnap, &pt)){
		   if(pt.th32OwnerProcessID == pid){
			 DWORD Thpid = pt.th32ThreadID;
			 CloseHandle(hsnap);
			 return Thpid;
		   }
	  };
	  CloseHandle(hsnap);
	  return 0;		  
}

#include <cstdlib>
#include <iostream>
#include "windows.h"
#include "tlhelp32.h"

using namespace std;

DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);


int main(int argc, char *argv[])
{
	HHOOK hproc;
	HOOKPROC cbt;
	HMODULE dll = LoadLibrary("DllHook.dll");	//the dll tha we will inject that contains the hook procedure
	cbt = (HOOKPROC)GetProcAddress(dll, "MyProcedure");	  //get the address of our Procedure
	DWORD id = GetThreadID(getPid("notepad.exe"));	 //in this example we want to set the hook in a specific target
	
	if (id == 0) return 0; //if id == 0 means that the process isn't running
	hproc = SetWindowsHookEx(WH_KEYBOARD, cbt, dll, id);   //if we wanted to set the hook in every process we could replace 'id' with 0

	cin.get();
	UnhookWindowsHookEx(hproc); //When we want to remove the hook
	return EXIT_SUCCESS;
}

DWORD GetThreadID(DWORD pid){
	  HANDLE hsnap;
	  THREADENTRY32 pt;
	  hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	  pt.dwSize = sizeof(THREADENTRY32);
	  while (Thread32Next(hsnap, &pt)){
		   if(pt.th32OwnerProcessID == pid){
			 DWORD Thpid = pt.th32ThreadID;
			 CloseHandle(hsnap);
			 return Thpid;
		   }
	  };
	  CloseHandle(hsnap);
	  return 0;		  
}

DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>


__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp);

__declspec(dllexport) LRESULT WINAPI MyProcedure(int code, WPARAM wp, LPARAM lp){
			
		//here goes our code
		
		return CallNextHookEx(NULL, code, wp, lp);  //this is needed to let other applications set other hooks on this target
}


BOOL APIENTRY DllMain (HINSTANCE hInst,
					   DWORD reason,
					   LPVOID reserved)
{
	switch (reason)
	{
	  case DLL_PROCESS_ATTACH:
		  
		break;

	  case DLL_PROCESS_DETACH:
		break;

	  case DLL_THREAD_ATTACH:
		break;

	  case DLL_THREAD_DETACH:
		break;
	}

	/* Returns TRUE on success, FALSE on failure */
	return TRUE;
}

	   push 0xACEACEAC ;-> placeholder for the address of our old EIP
	   pushfd ;->save all flags registers
	   pushad ;-> save all registers
	  
	   push 0xACEACEAC ;->placeholder for the address of the string 'User32.dll'
	   mov ecx, 0xACEACEAC ;->placeholder for the address of LoadLibraryA
	   call ecx ;-> traslated in c++: LoadLibrary("User32.dll")

	   ;now the address of the LOADED LIBRARY User32.dll is in eax register

	   push 0xACEACEAC ;->placeholder for the address of the string MessageBoxA
	   push eax ;->push User32.dll into the stack
	   mov edx,0xACEACEAC ;->placeholder for the address of GetProcAddress
	   call edx ;translated in c++: GetProcAddress(LoadLibrary("User32.dll"), "MessageBoxA")

	   ;now the address of MessageBoxA is in eax register

	   push 0 ;push the fourth parameter of MessageBoxA (MB_OK)
	   push 0xACEACEAC ;->placeholder for the address of the text (3 parameter)
	   push 0xACEACEAC ;->placeholder for the address of the caption (2 parameter)
	   push 0 ;push the first parameter into the stack (don't bother)
	   call eax ;translated in c++: MessageBox(0, "caption", "text", MB_OK)

	   popad ;restore all the registers
	   popfd ;restore all the flags
	   ret ;get back to right execution

char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb9\xac\xce\xea\xac\xff\xd1\x68\xac\xce\xea\xac\x50\xba\xac\xce\xea\xac\xff\xd2\x6a\x00\x68\xac\xce\xea\xac\x68\xac\xce\xea\xac\x6a\x00\xff\xd0\x61\x9d\xc3";

#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#pragma comment(lib, "shlwapi.lib")

using namespace std;

int privileges();
DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);
__declspec() void myFunc();  //if you use Dev-C++ put static before __declspec()
__declspec() void Useless();   //if you use Dev-C++ put static before __declspec()

int _tmain()
{
	privileges();
	unsigned long oldIP;


	DWORD pid = getPid("notepad.exe");
	if (pid==0) return 1;
	cout<<pid<<endl;

	HANDLE p;
	p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
	if (p==NULL) return 1; //error
	
	char * user32 = "User32.dll";
	char * MsgBox = "MessageBoxA";
	char * testo = "REPORT";
	char * mex = "INJECTION THREAD: SUCCESS!";

	unsigned long size_myFunc = (unsigned long)Useless - (unsigned long)myFunc;
	unsigned long GetProcAdr = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "GetProcAddress");
	unsigned long Load = (unsigned long)GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA");

	void * mexAddress  = VirtualAllocEx(p, NULL, strlen(mex)+1, MEM_COMMIT, PAGE_READWRITE);
	void * testoAddress  = VirtualAllocEx(p, NULL, strlen(testo)+1, MEM_COMMIT, PAGE_READWRITE);
	void * MsgboxAddress = VirtualAllocEx(p, NULL, strlen(MsgBox)+1, MEM_COMMIT, PAGE_READWRITE);
	void * DataAddress   = VirtualAllocEx(p, NULL, strlen(user32)+1, MEM_COMMIT, PAGE_READWRITE);
	void * MyFuncAddress = VirtualAllocEx(p, NULL, size_myFunc, MEM_COMMIT, PAGE_EXECUTE_READWRITE);



	WriteProcessMemory(p, DataAddress, user32, strlen(user32), NULL); //string user32.dll
	WriteProcessMemory(p, MsgboxAddress, MsgBox, strlen(MsgBox), NULL); //string MessageBoxA
	WriteProcessMemory(p, testoAddress, testo, strlen(testo), NULL); //string for caption
	WriteProcessMemory(p, mexAddress, mex, strlen(mex), NULL); //string for text
	
	DWORD thID = GetThreadID(pid);
	HANDLE hThread = OpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
  
	SuspendThread(hThread);
	
	
	CONTEXT ctx;
	ctx.ContextFlags = CONTEXT_CONTROL;
	GetThreadContext(hThread, &ctx);
	oldIP = ctx.Eip;
  
	ctx.Eip =  (DWORD)MyFuncAddress;
	ctx.ContextFlags = CONTEXT_CONTROL;

  
	WriteProcessMemory(p, MyFuncAddress, myFunc, size_myFunc, NULL);
	//After writing the function we patch it with the right addresses
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL); //Old EIP
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DataAddress, 4, NULL); //USER32.DLL
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load, 4, NULL);  //LoadLibraryA
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 20), &MsgboxAddress, 4, NULL); //MessageBoxA
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 26), &GetProcAdr, 4, NULL); //GetProcAddress
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 35), &testoAddress, 4, NULL); //caption
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 40), &mexAddress, 4, NULL); //text
	
	SetThreadContext(hThread, &ctx);
	ResumeThread(hThread);

	Sleep(1000); //wait a second!

	//if we want to free the used memory and the injected code that will take a short time of execution,
	//we can of course wait for it for a certain period with Sleep();
	//but if the code will keep running with no ending we cannot free the memory otherwise it will crash the target application
	//VirtualFreeEx(p, MyFuncAddress, size_myFunc, MEM_DECOMMIT);
	//VirtualFreeEx(p, DataAddress, strlen(mytext)+1, MEM_DECOMMIT);
	CloseHandle(p);
	CloseHandle(hThread);

	system("PAUSE");
	return EXIT_SUCCESS;
}


DWORD GetThreadID(DWORD pid){
	  HANDLE hsnap;
	  THREADENTRY32 pt;
	  hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	  pt.dwSize = sizeof(THREADENTRY32);
	  while (Thread32Next(hsnap, &pt)){
		   if(pt.th32OwnerProcessID == pid){
			 DWORD Thpid = pt.th32ThreadID;
			 CloseHandle(hsnap);
			 return Thpid;
		   }
	  };
	  CloseHandle(hsnap);
	  return 0;		  
}

DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			DWORD pid = pt.th32ProcessID;
			CloseHandle(hsnap);
			return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}


static __declspec(naked) void myFunc(){
	_asm {
	  push 0xACEACEAC
	  pushfd
	  pushad
	  
	  push 0xACEACEAC
	  mov ecx, 0xACEACEAC	  
	  call ecx

	  push 0xACEACEAC
	  push eax
	  mov edx,0xACEACEAC
	  call edx  

	  push 0
	  push 0xACEACEAC
	  push 0xACEACEAC
	  push 0
	  call eax

	  popad
	  popfd
	  ret
	}
			
}


static __declspec(naked) void Useless(){  //this let's us calculate the address of MyFunc
	_asm ret;
}



int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}

//Note the use of 'static': VisualC++ in debug mode put Useless() before of myFunc() because of
//name order from Z to A, so when we try to calculate the size of my func with
//DWORD size_myFunc = (PBYTE)Useless - (PBYTE) myFunc;
//the result is negative and so when we try the injection the target app crashes.
//So to avoid any problem remember to put 'static' to those functions (adpted to your compiler)

// . 0 . 1 . 2 . 3 . 4 . 5 . 6 .   ...
//"\x68\xac\xce\xea\xac\x9c\x60...

(void*)((unsigned long) MyFuncAddress + each_offset)

#include <windows.h>
#include <iostream>
#include <fstream>
#include <stdlib.h>
#include <tlhelp32.h>
#include <shlwapi.h>

#pragma comment(lib, "shlwapi.lib")
using namespace std;

char shellcode[] = "\x68\xac\xce\xea\xac\x9c\x60\x68\xac\xce\xea\xac\xb8\xac\xce\xea\xac\xff\xd0\x61\x9d\xc3";

typedef HANDLE (WINAPI* OpenThreadfunc)(DWORD dwDesiredAccess, BOOL bInheritHandle,  DWORD dwThreadId);
OpenThreadfunc myOpenThread;

void setOpenThread();
int privileges();
DWORD getPid(string procName);
DWORD GetThreadID(DWORD pid);
int injectLibrary(char * process, char * dll);

HMODULE kernel;

int main(int argc, char *argv[])
{

	injectLibrary("notepad.exe", "C:\\fullpath\\myDll.dll");	
	
	system("PAUSE");
	return EXIT_SUCCESS;
}

int injectLibrary(char * process, char * dll){
	
	setOpenThread();
	if (myOpenThread == NULL){
					 cout<<"Error with OpenThread()"<<endl;				
					 return 1;
	}
	
	unsigned long oldIP;
	
	if (privileges()==1){  //if you want to check privileges you can, but some times if you are administrator you can perform injection without setting them
					 cout<<"Error couldn't get privileges..."<<endl;					
	}

	DWORD pid = getPid("notepad.exe");
	if (pid==0) return 1;


	HANDLE p;
	p = OpenProcess(PROCESS_ALL_ACCESS,false,pid);
	if (p==NULL) return 1; //error
	
	
	char * dllName = dll;
	
	unsigned long shsize = strlen(shellcode);
	unsigned long Load = (unsigned long)GetProcAddress(kernel, "LoadLibraryA");
	
	void * DllAddress  = VirtualAllocEx(p, NULL, strlen(dllName)+ 1, MEM_COMMIT,PAGE_READWRITE);
	void * MyFuncAddress = VirtualAllocEx(p, NULL, shsize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
	
	WriteProcessMemory(p, DllAddress, dllName, strlen(dllName), NULL);
	
	DWORD thID = GetThreadID(pid);
	HANDLE hThread = myOpenThread((THREAD_GET_CONTEXT | THREAD_SET_CONTEXT | THREAD_SUSPEND_RESUME), false, thID);
	
	SuspendThread(hThread);
	CONTEXT ctx;
	ctx.ContextFlags = CONTEXT_CONTROL;
	GetThreadContext(hThread, &ctx);
	oldIP = ctx.Eip;
	ctx.Eip =  (DWORD)MyFuncAddress;
	ctx.ContextFlags = CONTEXT_CONTROL;
	
	WriteProcessMemory(p, MyFuncAddress, &shellcode, shsize, NULL);
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 1), &oldIP, 4, NULL);
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 8), &DllAddress, 4, NULL);
	WriteProcessMemory(p, (void*)((unsigned long)MyFuncAddress + 13), &Load, 4, NULL);
	
	SetThreadContext(hThread, &ctx);
	ResumeThread(hThread);
	
	CloseHandle(p);
	CloseHandle(hThread);
	FreeLibrary(kernel);
	return 0;
}


void setOpenThread(){
	kernel = LoadLibrary("kernel32.dll");
	if (kernel != NULL) myOpenThread = (OpenThreadfunc)GetProcAddress(kernel, "OpenThread");
}


DWORD getPid(string procName){
   HANDLE hsnap;
   PROCESSENTRY32 pt;
   hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
   pt.dwSize = sizeof(PROCESSENTRY32);
   do{
		  if(!strcmp(pt.szExeFile, procName.c_str())){
			 DWORD pid = pt.th32ProcessID;
			 CloseHandle(hsnap);
			 return pid;
		  }
   } while(Process32Next(hsnap, &pt));
   CloseHandle(hsnap);
   return 0;		  
}


DWORD GetThreadID(DWORD pid){
	  HANDLE hsnap;
	  THREADENTRY32 pt;
	  hsnap = CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0);
	  pt.dwSize = sizeof(THREADENTRY32);
	  while (Thread32Next(hsnap, &pt)){
		   if(pt.th32OwnerProcessID == pid){
				DWORD Thpid = pt.th32ThreadID;
				CloseHandle(hsnap);
				return Thpid;
		   }
	  };
	  CloseHandle(hsnap);
	  return 0;		  
}

int privileges(){
  HANDLE Token;
  TOKEN_PRIVILEGES tp;
  if(OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY,&Token))
  {
	LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
	tp.PrivilegeCount = 1;
	tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
		if (AdjustTokenPrivileges(Token, 0, &tp, sizeof(tp), NULL, NULL)==0){
   		 return 1; //FAIL
		}else{
   		 return 0; //SUCCESS
		}
   }	  
   return 1;
}

//(Thanks to Napalm that let me correct the errors)

They looks funny!

I am working on a patch for some an old game's dedicated server.  I have created the windows version patch but am puzzled at how to go about creating/porting the patch to the linux executable.

As far as i can tell from a weeks worth of googleing, hooking in windows and linux seems to be very similar.

Problem is I cannot seem to find anything about mid-function hooking for linux (both x86 and x64).

Here is an example of what i want to port to linux (this is the windows code..should be obvious)

Basically I have a dll that is hooked via p.e. editing. When it loads it replaces a code Mid-Function with a jump to my hook function(Original function is hooked in the middle, The issue is I do not want to replace the entire function, and i cannot trampoline from my hook to the original function because there is data that gets put into a message buffer that is newly created at the beginning of the original function)

So i figured my only viable and relativly simple way of hooking is in the middle of the function.

To get the target dll's base address i use:

static DWORD base_address = (DWORD)GetModuleHandle("dynamiclib.dll");

The main function inserts the jumps to my hooked functions like so(Note: dlurl_fix would be my relativeadress (function + base_address) and dl_urltoken would be my hooked function:

	placeJMP((BYTE*)dlurl_fix, (DWORD)dlurl_token, 6); 

This is what i have for placing jumps to a specific address (it was taken from some coding forum awhile back):

void placeJMP(BYTE *pAddress, DWORD dwJumpTo, DWORD dwLen){
	DWORD dwOldProtect, dwBkup, dwRelAddr;
	
	// Basic VirtualProtect... y'all should know this
	VirtualProtect(pAddress, dwLen, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    
	// Calculate the "distance" we're gonna have to jump - the size of the JMP instruction
	dwRelAddr = (DWORD) (dwJumpTo - (DWORD) pAddress) - 5;    
	
	// Write the JMP opcode @ our jump position...
	*pAddress = 0xE9;
	
	// Write the offset to where we're gonna jump
	*((DWORD *)(pAddress + 0x1)) = dwRelAddr; 
	
	// Overwrite the rest of the bytes with NOPs
	for(DWORD x = 0x5; x < dwLen; x++)
		*(pAddress + x) = 0x90; 
	
	// Restore the default permissions
	VirtualProtect(pAddress, dwLen, dwOldProtect, &dwBkup);
	
}

The function that gets called in the middle of the targets function looks similar to this (Note: The original code that was replaced with a jmp is either replaced at the beggining of my function or at the end of the my function. I also pusha/pushf before and after my operations take place)

__declspec(naked) void Host_frame_fix()
 {
	__asm
	{
		pushad
	}
		CL_DownloadUpdate();
	__asm
	{
		popad
		call Host_CheckConnectionFailure
		call ClientDLL_CAM_Think
		jmp [hostframe_ret]
	}
 }

1st Question.)

Now to convert this to linux I am aware i need to use mprotect instead of VirtualProtect. Is that all I would need to do for this to work on linux?

2nd Question.)How do i change that to work with a 64-bit processor?

3rd Question.) How do i get a shared library's base_address in linux with my library preloaded?

Hello.

I see a few coders lately who have added a so called "anti-memory" scanner in their crypters. This, according to them, helps bypass memory scans from various antivirus software, especially NOD32.

My question is: How are they doing it?

I see a lot of C# crypters incorporating this and using the old RunPE method to run their files. We all know NOD32 hates that stuff. Anybody got any idea or a code snippet that I might find helpful? I am quite interested in this case.

Thank you.

I am having some issues with a small piece of code,

.data

XCreateFileMappingA dd 0h

XCreateFileA dd 0h

....

.code

call dword ptr [ebp+XCreateFileMappingA]

call dword ptr [ebp+XCreateFileA]

The point here is saving API OFFSETS of api calls however I do not understand how it works.

Also how exactly is this better than just simple calling the API function as is

What does ebp have to be set in order for this convention to work?

How does this calling convention even actually work? Where does the actual [call] to CreateFile get mapped to XCreateFileA etc. 

I'm just reading through some code and the writer is employing this technique but I have been puzzled over how it works because I do not find other references to CreateFile or XCreateFile other than described above, and yet he is able to call the actual CreateFile api call?

Rats are expert swimmers!