
weird InjectDll >> purebasic

Posted: Tue Apr 05, 2016 4:17 pm
by callroot



/*
 * Hand-written prototype for the ntoskrnl export KeUserModeCallback.
 * NOTE(review): this routine is not part of the documented driver interface,
 * so the prototype and its behaviour should be confirmed per Windows build.
 *
 * ApiNumber    - index selecting which user-mode callback is run
 * InputBuffer  - argument block handed to that callback
 * InputLength  - size of the argument block in bytes
 * OutputBuffer - receives a pointer to whatever the callback returns
 * OutputLength - annotated IN here, but the caller below passes the address
 *                of an uninitialised ULONG, i.e. it is used as an output
 */
NTSYSAPI NTSTATUS NTAPI 
  KeUserModeCallback(
  IN ULONG ApiNumber,
  IN PVOID InputBuffer,
  IN ULONG InputLength,
  OUT PVOID *OutputBuffer,
  IN PULONG OutputLength
  );
/*
 * Argument block that InjectDll passes as InputBuffer to KeUserModeCallback.
 * The //+NN comments are the author's byte offsets for each field.
 * NOTE(review): the layout appears to be reverse-engineered and 32-bit
 * specific (both string "pointers" are DWORDs); nothing on this page shows
 * which Windows builds it matches -- confirm before relying on any offset.
 */
typedef struct _CLientLoadLibraryParam
{
  DWORD dwSize;//+0   InjectDll stores sizeof(CLientLoadLibraryParam) here
  DWORD dwStringLength; //+4   never written by InjectDll, so it stays 0
  DWORD ReservedZero1;//+8
  DWORD ReservedZero2;//+C
  DWORD ReservedZero3;//+10
  DWORD ReservedZero4;//+14   despite the name, InjectDll sets this to 1
  DWORD ReservedZero5;//+18 () +1A () // not needed!
  DWORD ptrDllString;//+1C   address of szDllName, truncated to 32 bits
  DWORD ReservedZero6;//+20
  DWORD ptrApiString;//+24   address of szApiName, truncated to 32 bits
  WCHAR szDllName[MAX_PATH];  // inline storage that ptrDllString points at
  WCHAR szApiName[MAX_PATH];  // inline storage that ptrApiString points at
}CLientLoadLibraryParam,*PCLientLoadLibraryParam;

/*
 * InjectDll - build a CLientLoadLibraryParam block in the current process and
 * hand it to user mode through KeUserModeCallback.
 *
 * lpszDll - wide string copied into szDllName
 * lpszApi - wide string copied into szApiName
 * Returns the ZwAllocateVirtualMemory status if the allocation fails,
 * otherwise the KeUserModeCallback status.
 *
 * Context: a reply further down the thread identifies this as kernel-driver
 * code. It depends on a loaded driver, so driver-load auditing and driver
 * signature enforcement are the upstream controls. Presumably (judging by the
 * structure name) the selected callback performs a library load in user mode;
 * if so, the resulting module load is visible to image-load telemetry on the
 * affected process -- TODO confirm.
 *
 * Review notes, all visible in this listing:
 *  - The callback index is a hard-coded magic number and the author's own
 *    comment gives a different value for Win7, so it is build-specific.
 *  - The region is committed writable and executable although only a
 *    parameter block and two strings are written into it.
 *  - The allocation is never released on any path.
 *  - wcsncpy writes no terminator when the source has MAX_PATH or more
 *    characters, and neither input pointer is checked for NULL.
 *  - The (DWORD) casts truncate pointers on a 64-bit build.
 *  - Return and RetLen are not examined after the call.
 */
NTSTATUS InjectDll(LPCWSTR lpszDll,LPCWSTR lpszApi)
{
  PVOID Return;
  ULONG RetLen;
  PVOID BaseAddress = NULL;
  SIZE_T size = sizeof(CLientLoadLibraryParam);
  NTSTATUS ns;
  /* NtCurrentProcess(): the memory lands in whichever process context this
     code happens to be running in. */
  ns = ZwAllocateVirtualMemory(NtCurrentProcess(),
    &BaseAddress,
    0,
    &size,
    MEM_COMMIT,
    PAGE_EXECUTE_READWRITE);
  if (NT_SUCCESS(ns))
  {
    PCLientLoadLibraryParam p = (PCLientLoadLibraryParam)BaseAddress;
    /* Clear the block first so every field not set below reads as zero. */
    RtlZeroMemory(p,sizeof(CLientLoadLibraryParam));
    p->dwSize = sizeof(CLientLoadLibraryParam);
    p->ReservedZero4 = 1;// only "reserved" field given a non-zero value; meaning not shown on this page
    wcsncpy(p->szApiName,lpszApi,MAX_PATH);
    wcsncpy(p->szDllName,lpszDll,MAX_PATH);
    /* The strings live inside the block itself; the ptr* fields carry their
       addresses as 32-bit values. */
    p->ptrApiString = (DWORD)p->szApiName;
    p->ptrDllString = (DWORD)p->szDllName;
    
    ns = KeUserModeCallback(0x42,//Win7  0x41
      BaseAddress,
      sizeof(CLientLoadLibraryParam),
      &Return,
      &RetLen
      );
  }
  return ns;
}


Re: weird InjectDll >> purebasic

Posted: Tue Apr 05, 2016 6:23 pm
by User_Russian
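This code is from a kernel driver (KeUserModeCallback is exported by ntoskrnl, so the routine has to be built and loaded as a driver).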

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 2:18 am
by callroot
User_Russian wrote:This code from kernel driver.

Can't this be done from Ring 3 (user mode)?

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 6:47 am
by Keya
User_Russian wrote:This code from kernel driver.
he's very lucky then that you've developed that package for writing kernel drivers in Purebasic! :) (hows the 64bit version coming along btw!?!? heehee)

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 7:43 am
by callroot
Keya wrote:
User_Russian wrote:This code from kernel driver.
he's very lucky then that you've developed that package for writing kernel drivers in Purebasic! :) (hows the 64bit version coming along btw!?!? heehee)

Could you translate it into PureBasic?

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 12:28 pm
by User_Russian


IncludePath #PB_Compiler_Home+"DDK\"
XIncludeFile "ntddk.pbi"
XIncludeFile "ntstatus.pbi"
XIncludeFile "ntfunct.pbi"

Import "ntoskrnl.lib"
  KeUserModeCallback(ApiNumber,*InputBuffer,InputLength,*OutputBuffer,OutputLength)
  RtlZeroMemory(*p,len)
EndImport

; Refuse to build in ASCII mode. Presumably this is so the fixed-length
; strings in CLientLoadLibraryParam use 2-byte characters like the WCHAR
; arrays of the C original.
CompilerIf #PB_Compiler_Unicode = 0
  CompilerError "Please enable unicode mode."
CompilerEndIf

; Argument block handed to KeUserModeCallback by InjectDll; a PureBasic port
; of the C CLientLoadLibraryParam struct posted at the top of the thread.
; Every scalar field is a .l (32-bit Long), so the two ptr* fields can hold
; only 32-bit addresses.
; NOTE(review): the offsets are the original author's; nothing on this page
; shows which Windows builds the layout matches.
Structure CLientLoadLibraryParam
  dwSize.l;//+0   InjectDll stores SizeOf(CLientLoadLibraryParam) here
  dwStringLength.l; //+4   never written by InjectDll, so it stays 0
  ReservedZero1.l;//+8
  ReservedZero2.l;//+C
  ReservedZero3.l;//+10
  ReservedZero4.l;//+14   despite the name, InjectDll sets this to 1
  ReservedZero5.l;//+18 () +1A () // not needed!
  ptrDllString.l;//+1C   address of szDllName
  ReservedZero6.l;//+20
  ptrApiString.l;//+24   address of szApiName
  szDllName.s{#MAX_PATH}; fixed-length string stored inline in the block
  szApiName.s{#MAX_PATH}; fixed-length string stored inline in the block
EndStructure

; Pseudo-handle value for "the current process", standing in for the C
; NtCurrentProcess() macro used in the original listing.
Macro NtCurrentProcess()
  -1
EndMacro

; InjectDll - PureBasic translation of the C routine at the top of the thread.
; Allocates a CLientLoadLibraryParam block in the current process, fills it in
; and passes it to user mode through KeUserModeCallback.
;
; lpszDll - string assigned to the szDllName field
; lpszApi - string assigned to the szApiName field
; Returns the ZwAllocateVirtualMemory status if allocation did not return
; #STATUS_SUCCESS, otherwise the KeUserModeCallback status.
;
; This is kernel-driver code (see the Import from ntoskrnl.lib above); the
; translator states later in the thread that he does not know what arguments
; it should be called with, so treat it as untested.
;
; Review notes, all visible in this listing:
;  - Success is tested with "ns = #STATUS_SUCCESS" where the C original used
;    NT_SUCCESS(ns); other non-failure statuses are treated as failure here.
;  - The callback index $42 is hard-coded and the inline comment gives a
;    different value for Win7, so it is build-specific.
;  - The region is committed writable and executable although only a
;    parameter block and two strings are written into it.
;  - The allocation is never released on any path.
;  - The ptr* fields are 32-bit Longs, so addresses are truncated on x64.
;  - *Ret and RetLen are not examined after the call.
Procedure InjectDll(lpszDll.s, lpszApi.s)
  *Ret=0; receives the callback's output buffer pointer
  RetLen.l; receives the callback's output length
  *BaseAddress = #Null; filled in by ZwAllocateVirtualMemory
  size = SizeOf(CLientLoadLibraryParam);
  ns.i=0;
  
  ns = ZwAllocateVirtualMemory(NtCurrentProcess(),
                               @*BaseAddress,
                               0,
                               @size,
                               #MEM_COMMIT,
                               #PAGE_EXECUTE_READWRITE);
  
  If ns = #STATUS_SUCCESS
    *p.CLientLoadLibraryParam = *BaseAddress
    RtlZeroMemory(*p,SizeOf(CLientLoadLibraryParam)); every field not set below reads as zero
    *p\dwSize = SizeOf(CLientLoadLibraryParam)      ;
    *p\ReservedZero4 = 1                            ;// only "reserved" field given a non-zero value
    *p\szApiName = lpszApi
    *p\szDllName = lpszDll;
    *p\ptrApiString = @*p\szApiName; address of the inline string, stored in a 32-bit field
    *p\ptrDllString = @*p\szDllName; address of the inline string, stored in a 32-bit field
    
    ns = KeUserModeCallback($42, ;//Win7  0x41
                            *BaseAddress,
                            SizeOf(CLientLoadLibraryParam),
                            @*Ret,
                            @RetLen);
  EndIf
  
    ProcedureReturn ns
EndProcedure
Compile in http://www.purebasic.fr/english/viewtop ... 34#p458334

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 1:26 pm
by callroot
User_Russian wrote:


IncludePath #PB_Compiler_Home+"DDK\"
XIncludeFile "ntddk.pbi"
XIncludeFile "ntstatus.pbi"
XIncludeFile "ntfunct.pbi"

Import "ntoskrnl.lib"
  KeUserModeCallback(ApiNumber,*InputBuffer,InputLength,*OutputBuffer,OutputLength)
  RtlZeroMemory(*p,len)
EndImport

; Refuse to build in ASCII mode. Presumably this is so the fixed-length
; strings in CLientLoadLibraryParam use 2-byte characters like the WCHAR
; arrays of the C original.
CompilerIf #PB_Compiler_Unicode = 0
  CompilerError "Please enable unicode mode."
CompilerEndIf

; Argument block handed to KeUserModeCallback by InjectDll; a PureBasic port
; of the C CLientLoadLibraryParam struct posted at the top of the thread.
; Every scalar field is a .l (32-bit Long), so the two ptr* fields can hold
; only 32-bit addresses.
; NOTE(review): the offsets are the original author's; nothing on this page
; shows which Windows builds the layout matches.
Structure CLientLoadLibraryParam
  dwSize.l;//+0   InjectDll stores SizeOf(CLientLoadLibraryParam) here
  dwStringLength.l; //+4   never written by InjectDll, so it stays 0
  ReservedZero1.l;//+8
  ReservedZero2.l;//+C
  ReservedZero3.l;//+10
  ReservedZero4.l;//+14   despite the name, InjectDll sets this to 1
  ReservedZero5.l;//+18 () +1A () // not needed!
  ptrDllString.l;//+1C   address of szDllName
  ReservedZero6.l;//+20
  ptrApiString.l;//+24   address of szApiName
  szDllName.s{#MAX_PATH}; fixed-length string stored inline in the block
  szApiName.s{#MAX_PATH}; fixed-length string stored inline in the block
EndStructure

; Pseudo-handle value for "the current process", standing in for the C
; NtCurrentProcess() macro used in the original listing.
Macro NtCurrentProcess()
  -1
EndMacro

; InjectDll - PureBasic translation of the C routine at the top of the thread
; (this copy is the quoted repost of the translation).
; Allocates a CLientLoadLibraryParam block in the current process, fills it in
; and passes it to user mode through KeUserModeCallback.
;
; lpszDll - string assigned to the szDllName field
; lpszApi - string assigned to the szApiName field
; Returns the ZwAllocateVirtualMemory status if allocation did not return
; #STATUS_SUCCESS, otherwise the KeUserModeCallback status.
;
; Review notes, all visible in this listing:
;  - Kernel-driver code: it imports KeUserModeCallback from ntoskrnl.lib.
;  - Success is tested with "ns = #STATUS_SUCCESS" where the C original used
;    NT_SUCCESS(ns); other non-failure statuses are treated as failure here.
;  - The callback index $42 is hard-coded and the inline comment gives a
;    different value for Win7, so it is build-specific.
;  - The region is committed writable and executable although only a
;    parameter block and two strings are written into it.
;  - The allocation is never released on any path.
;  - The ptr* fields are 32-bit Longs, so addresses are truncated on x64.
;  - *Ret and RetLen are not examined after the call.
Procedure InjectDll(lpszDll.s, lpszApi.s)
  *Ret=0; receives the callback's output buffer pointer
  RetLen.l; receives the callback's output length
  *BaseAddress = #Null; filled in by ZwAllocateVirtualMemory
  size = SizeOf(CLientLoadLibraryParam);
  ns.i=0;
  
  ns = ZwAllocateVirtualMemory(NtCurrentProcess(),
                               @*BaseAddress,
                               0,
                               @size,
                               #MEM_COMMIT,
                               #PAGE_EXECUTE_READWRITE);
  
  If ns = #STATUS_SUCCESS
    *p.CLientLoadLibraryParam = *BaseAddress
    RtlZeroMemory(*p,SizeOf(CLientLoadLibraryParam)); every field not set below reads as zero
    *p\dwSize = SizeOf(CLientLoadLibraryParam)      ;
    *p\ReservedZero4 = 1                            ;// only "reserved" field given a non-zero value
    *p\szApiName = lpszApi
    *p\szDllName = lpszDll;
    *p\ptrApiString = @*p\szApiName; address of the inline string, stored in a 32-bit field
    *p\ptrDllString = @*p\szDllName; address of the inline string, stored in a 32-bit field
    
    ns = KeUserModeCallback($42, ;//Win7  0x41
                            *BaseAddress,
                            SizeOf(CLientLoadLibraryParam),
                            @*Ret,
                            @RetLen);
  EndIf
  
    ProcedureReturn ns
EndProcedure
Compile in http://www.purebasic.fr/english/viewtop ... 34#p458334

I am looking for examples and the tools package.

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 1:38 pm
by User_Russian

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 2:00 pm
by callroot

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 2:42 pm
by callroot
Thank you very much.


InjectDll(lpszDll.s, lpszApi.s)


Can you see how to use this function?


Do you have time to write a call example?

InjectDll(lpszDll.s, lpszApi.s)

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 3:20 pm
by callroot
thank you

Do you have time to write a call example?

InjectDll(lpszDll.s, lpszApi.s)


How do I use this function?

Re: weird InjectDll >> purebasic

Posted: Wed Apr 06, 2016 6:49 pm
by User_Russian
callroot wrote:Have time to write a call example?
InjectDll(lpszDll.s, lpszApi.s)
I have translated the code from C++ to PB, but I do not know what parameters the procedure needs to be called with. See the C++ code for an example.

Re: weird InjectDll >> purebasic

Posted: Sun Apr 17, 2016 12:56 pm
by callroot
User_Russian wrote:
callroot wrote:Have time to write a call example?
InjectDll(lpszDll.s, lpszApi.s)
I have translated the code from C++ to PB. But I do not know with what parameters need to call the procedure. See the C++ code for an example.


https://github.com/rwfpl/rewolf-wow64ext


C++ code to be translated into PB


There is not much code; can anyone help translate the following?
http://www.purebasic.fr/english/viewto ... 13&t=65513