Jump to content
Tuts 4 You

injecting calls?


high6

Recommended Posts

Posted

So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the api calls aren't to the same place in memory with the target and the compiled stub then it wont work.

Whats an easy way to compile a C++ stub and fix its api calls? I rather not make a 2d array of where the call is in the stub and what api it is, to fix it.

All I can think of is have an array that is pointers to the apis instead and have my stub call those. Then when I inject it I fix the pointers. If thats what I should do can someone give an example?

Posted
So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the api calls aren't to the same place in memory with the target and the compiled stub then it wont work.

I actually don't understand what your problem is.

Are you talking about NT systems?

Since you could have repeated handles in a IAT (it would work), I don't see the problem if any of the handles is in another section of memory. In fact, hooking a IAT involves moving the function handles to another area.

You should give your stub the PAGE_EXECUTE_READWRITE access, and unprotect for access using VirtualProtectEx the area of code where you want to inject your call.

Was your issue related to something of this?

Cheers

Nacho_dj

Posted
So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the api calls aren't to the same place in memory with the target and the compiled stub then it wont work.

Whats an easy way to compile a C++ stub and fix its api calls? I rather not make a 2d array of where the call is in the stub and what api it is, to fix it.

All I can think of is have an array that is pointers to the apis instead and have my stub call those. Then when I inject it I fix the pointers. If thats what I should do can someone give an example?

I think I know what you're talking about so here goes ;)

You're talking about injecting code into a process and calling it, rather than injecting a dll? (If so then perhaps reconsider doing it via dll injection).

Your solution is to get the injected code to use GetProcAddress (and perhaps LoadLibrary) to determine the correct location and call it that way. Read up on dll injection - the principles you are discussing are the same.

Posted

well what I was thinking was making an array of pointers to the calls I want and calling from that array instead, so when I build my stub and inject it all I need to do is fix all the pointers in the array.

Posted

Give it a try but it seems like a long way of doing it.

Be interested to know if you get it working though :)

Posted
Give it a try but it seems like a long way of doing it.

Be interested to know if you get it working though :)

Well I would make a dll but what I am doing is injecting a stub to load other dlls XD.

Just a pain to load dlls that you don't need to.

  • 3 weeks later...
Posted

I have a question, what is a relocation section used for? Would it be to relocate calls easily?

GamingMasteR
Posted

relocation is used to fix executable images when ImageBase changes (like in dll files) .

for example if a dll is based @ 0x01000000 , a simple "mov" or "push" instruction would be like that :

mov eax, 0x01003000
push 0x01001000

if the dll file is based @ 0x05000000 , the relocation tables tell the loader what RVAs need to be fixed :

mov eax, 0x01007000
push 0x01005000
ahmadmansoor
Posted
relocation is used to fix executable images when ImageBase changes (like in dll files) .

for example if a dll is based @ 0x01000000 , a simple "mov" or "push" instruction would be like that :

mov eax, 0x01003000
push 0x01001000

if the dll file is based @ 0x05000000 , the relocation tables tell the loader what RVAs need to be fixed :

mov eax, 0x01007000
push 0x01005000

Hi GamingMasteR : nice explain ..

بس عندك شرح عن كيفية تعديل الريلكويشين بعد ما نعمل دامب لملف الدي إل إل ....بحيث نجعل لودر الويندوز يصلح هي الريلكويشين خلال تحميل الدي إل إل ...

وشكرا كتير ألك

GamingMasteR
Posted

ساعطيك الخلاصة ومن ثم حاول توظيفها لمرادك :

One of the Data Directories is the "Relocation Directory" , it's RVA points to array of IMAGE_BASE_RELOCATION structures :

IMAGE_BASE_RELOCATION STRUCT

VirtualAddress dd ?

SizeOfBlock dd ?

IMAGE_BASE_RELOCATION ENDS

every structure is followed by n WORDs (the n is calculated from the SizeOfBlock member = ((SizeOfBlock -8)/2) ) .

the high 4-bit of the WORD describes how to fix an RVA and it's usually = 3(IMAGE_REL_BASED_HIGHLOW) .

the lower 12-bit + VirtualAddress gives you the RVA which need to be fixed .

I think i made it more complicated :bangin:

sorry

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...