high6 Posted June 15, 2008
So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the API calls aren't at the same place in memory in the target and the compiled stub, then it won't work. What's an easy way to compile a C++ stub and fix its API calls? I'd rather not make a 2D array of where the call is in the stub and what API it is, to fix it. All I can think of is to have an array of pointers to the APIs instead and have my stub call those. Then when I inject it I fix the pointers. If that's what I should do, can someone give an example?
Nacho_dj Posted June 15, 2008
high6 wrote: So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the API calls aren't at the same place in memory in the target and the compiled stub, then it won't work.

I actually don't understand what your problem is. Are you talking about NT systems? Since you could have repeated handles in an IAT (it would work), I don't see the problem if any of the handles is in another section of memory. In fact, hooking an IAT involves moving the function handles to another area. You should give your stub PAGE_EXECUTE_READWRITE access, and unprotect for access using VirtualProtectEx the area of code where you want to inject your call. Was your issue related to something like this?
Cheers
Nacho_dj
Loki Posted June 15, 2008
high6 wrote: So I want to inject a call into a remote process that I can call with CreateRemoteThread. Problem is that if a few of the API calls aren't at the same place in memory in the target and the compiled stub, then it won't work. What's an easy way to compile a C++ stub and fix its API calls? I'd rather not make a 2D array of where the call is in the stub and what API it is, to fix it. All I can think of is to have an array of pointers to the APIs instead and have my stub call those. Then when I inject it I fix the pointers. If that's what I should do, can someone give an example?

I think I know what you're talking about, so here goes. You're talking about injecting code into a process and calling it, rather than injecting a DLL? (If so then perhaps reconsider doing it via DLL injection.) Your solution is to get the injected code to use GetProcAddress (and perhaps LoadLibrary) to determine the correct location and call it that way. Read up on DLL injection; the principles you are discussing are the same.
high6 Posted June 15, 2008 Author
Well, what I was thinking was making an array of pointers to the calls I want and calling from that array instead, so when I build my stub and inject it, all I need to do is fix all the pointers in the array.
Loki Posted June 16, 2008
Give it a try, but it seems like a long way of doing it. I'd be interested to know if you get it working though.
high6 Posted June 16, 2008 Author
Loki wrote: Give it a try, but it seems like a long way of doing it. I'd be interested to know if you get it working though.

Well, I would make a DLL, but what I am doing is injecting a stub to load other DLLs XD. Just a pain to load DLLs that you don't need to.
high6 Posted July 2, 2008 Author
I have a question: what is a relocation section used for? Would it be to relocate calls easily?
GamingMasteR Posted July 2, 2008
Relocation is used to fix executable images when the ImageBase changes (like in DLL files). For example, if a DLL is based at 0x01000000, a simple "mov" or "push" instruction would look like this:
    mov eax, 0x01003000
    push 0x01001000
If the DLL file is based at 0x05000000, the relocation tables tell the loader what RVAs need to be fixed:
    mov eax, 0x01007000
    push 0x01005000
ahmadmansoor Posted July 3, 2008
GamingMasteR wrote: Relocation is used to fix executable images when the ImageBase changes (like in DLL files). For example, if a DLL is based at 0x01000000, a simple "mov" or "push" instruction would look like this:
    mov eax, 0x01003000
    push 0x01001000
If the DLL file is based at 0x05000000, the relocation tables tell the loader what RVAs need to be fixed:
    mov eax, 0x01007000
    push 0x01005000

Hi GamingMasteR: nice explanation. But do you have an explanation of how to fix the relocations after we dump a DLL file, so that the Windows loader repairs these relocations while loading the DLL? Thanks a lot.
GamingMasteR Posted July 3, 2008
I'll give you the summary, then try to apply it to what you need: One of the Data Directories is the "Relocation Directory"; its RVA points to an array of IMAGE_BASE_RELOCATION structures:
    IMAGE_BASE_RELOCATION STRUCT
        VirtualAddress dd ?
        SizeOfBlock    dd ?
    IMAGE_BASE_RELOCATION ENDS
Every structure is followed by n WORDs (n is calculated from the SizeOfBlock member: n = (SizeOfBlock - 8) / 2). The high 4 bits of each WORD describe how to fix an RVA and are usually = 3 (IMAGE_REL_BASED_HIGHLOW). The lower 12 bits + VirtualAddress give you the RVA which needs to be fixed. I think I made it more complicated, sorry.
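As an added example (not code from anyone in this thread), this is the walk over the relocation directory that GamingMasteR describes, written as the loader or a dump-repair tool would do it: per block, split each WORD into its high 4-bit type and low 12-bit offset, and add the base delta to every HIGHLOW target. The struct is redeclared so it builds without windows.h, the sample image and relocation block are constructed to match the two instructions in the earlier post, and a little-endian host is assumed (PE is little-endian); malformed tables or fixups pointing outside the image are rejected rather than applied.

```c
#include <stdint.h>
#include <string.h>
/* Same layout as winnt.h's IMAGE_BASE_RELOCATION, redeclared to avoid windows.h. */
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } image_base_relocation;

/* Add delta (= actual base - preferred base) to every 32-bit address the table names.
   Returns the number of fixups applied, or -1 if the table is malformed or a fixup
   falls outside the image (the check a loader or dump-repair tool must make). */
int apply_relocations(uint8_t *image, size_t image_size,
                      const uint8_t *reloc, size_t reloc_size, uint32_t delta)
{
    size_t off = 0;
    int applied = 0;
    while (off + 8 <= reloc_size) {
        image_base_relocation hdr;
        memcpy(&hdr, reloc + off, 8);
        if (hdr.SizeOfBlock == 0) break;                            /* empty header ends the table */
        if (hdr.SizeOfBlock < 8 || hdr.SizeOfBlock > reloc_size - off) return -1;
        size_t n = (hdr.SizeOfBlock - 8) / 2;                       /* WORD entries after the header */
        for (size_t i = 0; i < n; i++) {
            uint16_t e; memcpy(&e, reloc + off + 8 + i * 2, 2);
            unsigned type = e >> 12;                                /* high 4 bits: fixup kind */
            uint32_t rva = hdr.VirtualAddress + (e & 0x0FFF);       /* low 12 bits + page RVA */
            if (type == 0) continue;                                /* IMAGE_REL_BASED_ABSOLUTE: padding */
            if (type != 3 || (size_t)rva + 4 > image_size) return -1; /* only HIGHLOW; bounds check */
            uint32_t v; memcpy(&v, image + rva, 4);
            v += delta; memcpy(image + rva, &v, 4);
            applied++;
        }
        off += hdr.SizeOfBlock;
    }
    return applied;
}

/* Constructed sample: a tiny image compiled for base 0x01000000 holding the two
   instructions from the post at RVA 0x1000 and 0x1005, plus its relocation block. */
uint32_t demo_rebase(uint32_t new_base, int *fixups)
{
    static uint8_t image[0x1010];
    const uint8_t code[] = { 0xB8, 0x00, 0x30, 0x00, 0x01,     /* mov eax, 0x01003000 */
                             0x68, 0x00, 0x10, 0x00, 0x01 };   /* push 0x01001000 */
    const uint8_t reloc[] = { 0x00, 0x10, 0x00, 0x00,          /* VirtualAddress = 0x1000 */
                              0x10, 0x00, 0x00, 0x00,          /* SizeOfBlock = 16 */
                              0x01, 0x30, 0x06, 0x30,          /* HIGHLOW at +1 and +6 (the imm32s) */
                              0x00, 0x00, 0x00, 0x00 };        /* two ABSOLUTE padding entries */
    memset(image, 0, sizeof image);
    memcpy(image + 0x1000, code, sizeof code);
    *fixups = apply_relocations(image, sizeof image, reloc, sizeof reloc, new_base - 0x01000000u);
    uint32_t imm; memcpy(&imm, image + 0x1001, 4);              /* mov operand after fixing */
    return imm;
}
```

Rebasing the sample to 0x05000000 turns the mov operand into 0x05003000 (delta added, not replaced), which is the arithmetic the loader performs for every listed entry.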