Injecting Procedure to another process

[ricardo]

One tip: Size Of the structure IMAGE_OPTIONAL_HEADER32 is your answer.

*Dont ask me how to do it I dont know

[thefool]

nice code!

[thefool]

and if someone wonders what to do with this here is an example:

Inject hooking code, that will shift out an api command. That way the command that gets the code can execute it. Very nice for copy and cracking protection if you are a little creative!


edit: of course this have bad uses too, but much have. I wont tell what the bad idea is, but its a real nasty one of course i wont use it for that bad idea.. but again, every code have good and bad sides! this code can be VERY helpfull for programmers wanting to avoid crackers. btw does it work on 9x too? Anyone can test?

[Dare2]

Aha. Starting to see.

[FreeThought]

dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;[/code] to get dwSize I am using just "32768" which works with this example. anyway depending (this is how I see it ) on filesize of created executable you need to change that.
eg. I stopped using Droopylib and got filesize from around 22,5kb to 7,5kb so injection didnt work any more but it can be fixed with replacing "32768" with "32768/2"...

2. doesnt work with debugger for some reason i dont know

I hope this works for you
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.

[okasvi]

dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;[/code] to get dwSize I am using just "32768" which works with this example. anyway depending (this is how I see it ) on filesize of created executable you need to change that.
eg. I stopped using Droopylib and got filesize from around 22,5kb to 7,5kb so injection didnt work any more but it can be fixed with replacing "32768" with "32768/2"...

2. doesnt work with debugger for some reason i dont know

I hope this works for you
DwSize.l=PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
regards.

Thanks, it works

I would like to know if this works on 9x/2k

edit: updated code on first post

[ricardo]

The problem is that in the Thread you cant run any kind of code.

I test with msgbox and works, but can make any other call to make it work, tried some API calls or PB functions and all fails.

This is the most i can make run atm from mspaint.exe:

Code: Select all

Procedure RemoteThread() 
    ;MessageRequester("Success","Injection worked.")
    ;Delay(1500)
    Repeat
        Beep(1999,1) ;Just to know its running
        Delay(320)
        cont+1
        If cont = 20
            a$ = "hello world"
            MessageRequester("",a$)
            cont = 0
        EndIf
    ForEver
EndProcedure 

[okasvi]

ill try something more complex and post it when i get it ready...

[FreeThought]

deleted by freethought

[dracflamloc]

This has its legitimate uses. Very nice. Similar to what I did on my DesktopRightMenu program.

[okasvi]

please forgive me, but I still don't understand the code, GetModuleHandle_(0) should
return the handle to the calling process.why virtualalloc a region that is already allocated. it is nice of you ,if you can clarify .thanks
regards

im not sure since im still learning this stuff myself...
have you done this before?

[Henrik]

@okasvi
it Fails on win98

Code: Select all

;RemoteProcedureInjection :D
;credits goes for D-oNe for original code in C++, for Pupil for pointing out that i should use long with pbModule, for FreeThought way to get dwSize dynamically... thanks :D
;okasvi
Procedure RemoteThread()
   MessageRequester("Success","Injection worked.")
EndProcedure
Procedure InjectCode(Process.s, *lpCodeToInject)
   RunProgram(Process)
   dwPID = GetPidProcess(GetFilePart(Process))
   Debug Hex(dwPID)
   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)   
   Debug hProcess
   dwWritten.l = #Null :
   pbModule.l = GetModuleHandle_(#Null)
   Debug pbModule.l
   DwSize.l =PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
   Debug DwSize.l
   
   ;******************************
   TestRelease.l= VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE) ;<<-- *** TestRelease.l = 0
   
   Debug TestRelease.l ;<- ***  Fails here ** TestRelease.l is 0  ***
    
   lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE) ;<<-- ***  lpBuffer.l = 0
  
 Debug lpBuffer.l ; <- ***  And obviously here too NULL  ***

   ;******************************
   
    
   If lpBuffer = #Null :   ProcedureReturn #False : EndIf
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
      ProcedureReturn #False
   EndIf
   hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
   If hThread=#Null : ProcedureReturn #False : EndIf
   CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End

Best regrads
Henrik

[okasvi]

yes, thefool noticed it too and he found out from msn that createremotethread doesnt work in win9x

[thefool]

true we need another thingy that CreateRemoteThread.!

[DoubleDutch]

I wonder if what would happen if you injected into msn messenger then start a server app, will a firewall trigger alarms - or will it assume that msn is creating the server and let it work okay...