Page 2 of 5

Posted: Sun Sep 04, 2005 7:19 am
by ricardo
One tip: the size of the structure IMAGE_OPTIONAL_HEADER32 is your answer.

*Don't ask me how to do it :oops: I don't know.

Posted: Sun Sep 04, 2005 3:41 pm
by thefool
Nice code!

Posted: Sun Sep 04, 2005 3:46 pm
by thefool
And if someone wonders what to do with this, here is an example:

Inject hooking code that will shift out an API command. That way the command that gets the code can execute it. Very nice for copy and cracking protection if you are a little creative!


Edit: of course this has bad uses too, but much does. I won't tell what the bad idea is, but it's a real nasty one :) Of course I won't use it for that bad idea.. but again, every code has good and bad sides! This code can be VERY helpful for programmers wanting to avoid crackers. BTW, does it work on 9x too? Can anyone test?

Posted: Sun Sep 04, 2005 4:45 pm
by Dare2
:idea:
Aha. Starting to see.

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 5:51 pm
by FreeThought
okasvi wrote:
dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the file size of the created executable, you need to change that.
e.g. I stopped using Droopylib and got the file size from around 22.5 KB to 7.5 KB, so injection didn't work any more, but it can be fixed with replacing "32768" with "32768/2"...

2. Doesn't work with debugger for some reason I don't know :?

I hope this works for you:
DwSize.l = PeekL(pbModule + PeekW(pbModule + $3c) + $50)
regards.

Re: Injecting Procedure to another process

Posted: Sun Sep 04, 2005 6:36 pm
by okasvi
FreeThought wrote:
okasvi wrote:
dwSize = ((PIMAGE_NT_HEADERS)(pbModule+((PIMAGE_DOS_HEADER)pbModule)->e_lfanew))->OptionalHeader.SizeOfImage;
to get dwSize I am using just "32768" which works with this example. Anyway, depending (this is how I see it) on the file size of the created executable, you need to change that.
e.g. I stopped using Droopylib and got the file size from around 22.5 KB to 7.5 KB, so injection didn't work any more, but it can be fixed with replacing "32768" with "32768/2"...

2. Doesn't work with debugger for some reason I don't know :?

I hope this works for you:
DwSize.l = PeekL(pbModule + PeekW(pbModule + $3c) + $50)
regards.

Thanks, it works :D

I would like to know if this works on 9x/2k.

Edit: updated code on first post.
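The one-liner accepted above reads IMAGE_OPTIONAL_HEADER.SizeOfImage: $3C is e_lfanew in the DOS header, and $50 is $18 (the "PE\0\0" signature plus IMAGE_FILE_HEADER) plus $38, the offset of SizeOfImage inside the optional header. SizeOfImage is the size of the mapped image rounded up to SectionAlignment, which is why it does not track the file size on disk and why a hard-coded 32768 stopped working when the executable shrank. The C program below is added here as an example; it is not code from any post in this thread. It parses the same fields from raw bytes with bounds checks, accepts both PE32 (magic 0x10B) and PE32+ (magic 0x20B, where SizeOfImage sits at the same offset), and reads e_lfanew as the 32-bit LONG it is rather than as a 16-bit word. It builds on any platform because it does not use windows.h; the header it parses is a constructed minimal one produced by build_sample_pe(), not a real executable, and the names pe_size_of_image, build_sample_pe and demo are this example's own.

```c
/* Added example: read IMAGE_OPTIONAL_HEADER.SizeOfImage from a PE header.
 * Parses raw bytes rather than using <windows.h>, so the PE layout constants are
 * explicit and the program builds anywhere. The sample header is constructed, not a real EXE. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOS_MAGIC        0x5A4D      /* "MZ" at offset 0 of IMAGE_DOS_HEADER */
#define DOS_E_LFANEW     0x3C        /* IMAGE_DOS_HEADER.e_lfanew (a 32-bit LONG) */
#define NT_SIGNATURE     0x00004550u /* "PE\0\0" */
#define OPT_HDR_OFFSET   0x18        /* 4-byte signature + 20-byte IMAGE_FILE_HEADER */
#define OPT_MAGIC_PE32   0x10B
#define OPT_MAGIC_PE32P  0x20B
#define OPT_SIZEOFIMAGE  0x38        /* same offset in IMAGE_OPTIONAL_HEADER32 and 64 */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Returns SizeOfImage, or 0 if the buffer is not a well-formed PE header.
 * Every read is bounded by len, so a truncated or hostile header cannot read past the buffer. */
uint32_t pe_size_of_image(const uint8_t *image, size_t len)
{
    if (len < DOS_E_LFANEW + 4 || rd16(image) != DOS_MAGIC)
        return 0;
    uint32_t nt = rd32(image + DOS_E_LFANEW);   /* a 16-bit read here would drop the high half */
    if (nt > len - 4 || rd32(image + nt) != NT_SIGNATURE)
        return 0;
    size_t opt = (size_t)nt + OPT_HDR_OFFSET;
    if (opt + OPT_SIZEOFIMAGE + 4 > len)
        return 0;
    uint16_t magic = rd16(image + opt);
    if (magic != OPT_MAGIC_PE32 && magic != OPT_MAGIC_PE32P)
        return 0;
    return rd32(image + opt + OPT_SIZEOFIMAGE);
}

/* Constructed minimal header: MZ, e_lfanew, "PE\0\0", optional-header magic and SizeOfImage.
 * Everything else is zero. Returns the number of bytes written, or 0 if cap is too small. */
size_t build_sample_pe(uint8_t *buf, size_t cap, uint16_t opt_magic, uint32_t size_of_image)
{
    const uint32_t e_lfanew = 0x80;
    size_t need = e_lfanew + OPT_HDR_OFFSET + OPT_SIZEOFIMAGE + 4;
    if (cap < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + DOS_E_LFANEW, e_lfanew);
    wr32(buf + e_lfanew, NT_SIGNATURE);
    wr16(buf + e_lfanew + OPT_HDR_OFFSET, opt_magic);
    wr32(buf + e_lfanew + OPT_HDR_OFFSET + OPT_SIZEOFIMAGE, size_of_image);
    return need;
}

/* Build a sample header and parse it, optionally corrupting the MZ signature or
 * truncating the buffer by truncate_by bytes, to exercise the parser's failure paths. */
uint32_t demo(uint16_t opt_magic, uint32_t size_of_image, int corrupt_mz, size_t truncate_by)
{
    uint8_t buf[256];
    size_t n = build_sample_pe(buf, sizeof buf, opt_magic, size_of_image);
    if (n == 0 || truncate_by > n)
        return 0;
    if (corrupt_mz)
        buf[0] = 'X';
    return pe_size_of_image(buf, n - truncate_by);
}

int main(void)
{
    printf("PE32,  SizeOfImage 32768  : %u\n",   demo(OPT_MAGIC_PE32,  32768,   0, 0));
    printf("PE32+, SizeOfImage 0x1A000: 0x%X\n", demo(OPT_MAGIC_PE32P, 0x1A000, 0, 0));
    printf("bad MZ signature          : %u\n",   demo(OPT_MAGIC_PE32,  32768,   1, 0));
    printf("truncated by one byte     : %u\n",   demo(OPT_MAGIC_PE32,  32768,   0, 1));
    return 0;
}
```

For a real process, the headers are mapped unchanged at the image base, so the same function works on the bytes at GetModuleHandle(NULL) (with a len that covers at least the headers) as well as on a file read from disk; the two differ only in what follows the headers, not in where SizeOfImage lives.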

Posted: Sun Sep 04, 2005 7:44 pm
by ricardo
The problem is that in the thread you can't run any kind of code.

I tested with msgbox and it works, but I can't make any other call work; I tried some API calls or PB functions and all fail.

This is the most I can make run atm from mspaint.exe:

Code:

Procedure RemoteThread() 
    ;MessageRequester("Success","Injection worked.")
    ;Delay(1500)
    Repeat
        Beep(1999,1) ;Just to know it's running
        Delay(320)
        cont+1
        If cont = 20
            a$ = "hello world"
            MessageRequester("",a$)
            cont = 0
        EndIf
    ForEver
EndProcedure 

Posted: Sun Sep 04, 2005 7:49 pm
by okasvi
I'll try something more complex and post it when I get it ready...

Posted: Sun Sep 04, 2005 8:26 pm
by FreeThought
deleted by freethought

Posted: Sun Sep 04, 2005 8:45 pm
by dracflamloc
This has its legitimate uses. Very nice. Similar to what I did on my DesktopRightMenu program.

Posted: Sun Sep 04, 2005 8:59 pm
by okasvi
FreeThought wrote: Please forgive me, but I still don't understand the code. GetModuleHandle_(0) should
return the handle to the calling process. Why VirtualAlloc a region that is already allocated? It is nice of you if you can clarify. Thanks,
regards
I'm not sure :? since I'm still learning this stuff myself...
Have you done this before?

Posted: Sun Sep 04, 2005 9:41 pm
by Henrik
@okasvi
It fails on Win98 :?

Code:

;RemoteProcedureInjection :D
;Credits go to D-oNe for the original code in C++, to Pupil for pointing out that I should use long with pbModule, and to FreeThought for the way to get dwSize dynamically... thanks :D
;okasvi
Procedure RemoteThread()
   MessageRequester("Success","Injection worked.")
EndProcedure

Procedure InjectCode(Process.s, *lpCodeToInject)
   RunProgram(Process)
   ; GetPidProcess() is not part of this snippet; it looks up the PID of the started process by its file name.
   dwPID = GetPidProcess(GetFilePart(Process))
   Debug Hex(dwPID)
   hProcess = OpenProcess_(#PROCESS_ALL_ACCESS, #False, dwPID)
   Debug hProcess
   If hProcess = #Null : ProcedureReturn #False : EndIf
   dwWritten.l = #Null
   ; Base address of our own image. The whole image is copied to the same address in the
   ; target, so the address of RemoteThread() stays valid over there.
   pbModule.l = GetModuleHandle_(#Null)
   Debug pbModule.l
   ; SizeOfImage: e_lfanew at $3C, then $18 (PE signature + file header) + $38 into the optional header.
   DwSize.l = PeekL(pbModule + PeekW(pbModule + $3c) + $50)
   Debug DwSize.l
   
   ;******************************
   ; Try to free the target's memory at our base address so the image can be placed there.
   TestRelease.l = VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE) ;<<-- *** TestRelease.l = 0
   
   Debug TestRelease.l ;<- ***  Fails here ** TestRelease.l is 0  ***
    
   lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE) ;<<-- ***  lpBuffer.l = 0
  
   Debug lpBuffer.l ; <- ***  And obviously here too NULL  ***
   ;******************************
   
   If lpBuffer = #Null : CloseHandle_(hProcess) : ProcedureReturn #False : EndIf
   ; Copy our entire image into the target at the same base address.
   If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, @dwWritten) = 0
      CloseHandle_(hProcess) : ProcedureReturn #False
   EndIf
   ; Start RemoteThread() inside the target; pbModule is passed as the thread parameter.
   hThread.l = CreateRemoteThread_(hProcess, #Null, 0, *lpCodeToInject, pbModule, #Null, #Null)
   If hThread = #Null : CloseHandle_(hProcess) : ProcedureReturn #False : EndIf
   CloseHandle_(hThread) : CloseHandle_(hProcess) : ProcedureReturn #True
EndProcedure

If InjectCode("notepad.exe", @RemoteThread()) = #False
   MessageRequester("Error!", "Injection failed!")
EndIf
End
Best regards
Henrik

Posted: Sun Sep 04, 2005 9:53 pm
by okasvi
Yes, thefool noticed it too, and he found out from MSN that CreateRemoteThread doesn't work in Win9x :(

Posted: Sun Sep 04, 2005 9:53 pm
by thefool
True, we need another thingy than CreateRemoteThread!

Posted: Sun Sep 04, 2005 10:36 pm
by DoubleDutch
I wonder what would happen if you injected into MSN Messenger and then started a server app: will a firewall trigger alarms, or will it assume that MSN is creating the server and let it work okay...