code injection


ragdog

Posted

hi all

I am looking for a MASM32 example of code injection into a running process. The only one I found is the code below, and it crashes my target.

I have no idea why. Can you help me, or do you have a good example?

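; MASM32, 32-bit flat model, stdcall. The forum paste fused the .data and
; .data? directives onto the preceding lines; they are restored here so the
; listing assembles.
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szTarget     byte 'Notepad', 0          ; window class passed to FindWindow; also the MessageBox text
szUser32     byte 'USER32.DLL', 0       ; not referenced by this listing
szSharedData byte 261 dup (0)           ; receives our own path from GetModuleFileName; not used afterwards

.data?
hModule        dword ?                  ; our own image base (GetModuleHandle(0))
hNewModule     dword ?                  ; base returned by VirtualAllocEx in the target
hProcess       dword ?                  ; handle to the target process
dwSize         dword ?                  ; SizeOfImage read from our own PE header
dwPid          dword ?                  ; target process id
dwBytesWritten dword ?                  ; out-parameter of WriteProcessMemory
dwTid          dword ?                  ; id of the remote thread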
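.code

;-----------------------------------------------------------------------
; HijackedThread - start routine of the thread created in the target.
; Shows a MessageBox (szTarget as both text and caption) and then ends
; the thread with ExitThread.
; The copy that runs in the target is a verbatim image of this executable
; (see _entrypoint), so both `invoke`s here go through our import table at
; its absolute address and `addr szTarget` is an absolute address in our
; .data. That only works if the target received the image at exactly the
; same base and has user32/kernel32 mapped at the same addresses as the
; injector - which ASLR (Vista and later) does not guarantee.
; The paste had fused ".code" and "endp"/"_entrypoint:" onto these lines.
;-----------------------------------------------------------------------
HijackedThread proc
    invoke MessageBox, 0, addr szTarget, addr szTarget, 0
    invoke ExitThread, 0
    ret                                 ; not reached: ExitThread does not return
HijackedThread endp

_entrypoint: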
invoke GetModuleHandle, 0
mov hModule, eax
mov edi, eax
assume edi:ptr IMAGE_DOS_HEADER
add edi, [edi].e_lfanew
add edi, sizeof dword
add edi, sizeof IMAGE_FILE_HEADER
assume edi:ptr IMAGE_OPTIONAL_HEADER32
mov eax, [edi].SizeOfImage
mov dwSize, eax
assume edi:NOTHING
invoke GetModuleFileName, 0, addr szSharedData, 261
invoke FindWindow, addr szTarget, 0
invoke GetWindowThreadProcessId, eax, addr dwPid
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, dwPid
mov hProcess, eax
invoke VirtualFreeEx, hProcess, hModule, 0, MEM_RELEASE
invoke VirtualAllocEx, hProcess, hModule, dwSize, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
mov hNewModule, eax
invoke WriteProcessMemory, hProcess, hNewModule, hModule, dwSize, addr dwBytesWritten
invoke CreateRemoteThread, hProcess, 0, 0, addr HijackedThread, hModule, 0, addr dwTid
invoke ExitProcess, 0
end _entrypoint
Posted

Don't bother with code injection; it is small but an ugly way to do it. DLL injection is better: there is no need to resolve API addresses and embed them in the injected code. The code above will also probably fail on Vista, because DLL base addresses shift there, so the copied import table no longer points at the right functions.

Posted

thanks

I have an example with DLL injection, but I don't want a DLL injector or a DLL; I only want to use a code injector.

Posted
thanks

I have an example with DLL injection, but I don't want a DLL injector or a DLL; I only want to use a code injector.

Just go with DLLs. It is really the same thing, only DLLs are much easier to manage.

Loading a DLL is very easy: allocate memory in the target for the DLL's path, write the path there, and create a remote thread with LoadLibrary as the start routine and the path as its parameter. Wait for that thread to finish, then free the memory holding the path, and you are done.

Posted
;Function injection (FWB+) example by shapeless

.386

.model flat, stdcall

option casemap: none

include c:\masm32\include\windows.inc

include c:\masm32\include\kernel32.inc

include c:\masm32\include\masm32.inc

includelib c:\masm32\lib\masm32.lib

includelib c:\masm32\lib\kernel32.lib

;-----------------------------------------------------------------------
; FuncSize L1, L2
;   eax = L2 - L1, the byte distance between two code labels.
;   Used to size the block of code that is copied into the target.
;   Clobbers: eax, flags.
;-----------------------------------------------------------------------
FuncSize MACRO L1, L2
    mov eax, offset L2
    sub eax, offset L1
ENDM

; TInjData - everything the injected code needs, shipped into the target
; as one block so the remote code reaches it through a single pointer
; (its iData argument) and never touches the injector's own addresses.
; Field sizes are fixed; __ep fills them with lstrcpy from the .data
; strings below.
TInjData struc

GetAddr dword ?        ; GetProcAddress, resolved in the injector; assumes kernel32 sits at the same base in the target - TODO confirm (breaks under ASLR)

LoadLib dword ?        ; LoadLibraryA, same assumption

szUser32 byte 16 dup(0)   ; "user32.dll"

szMsgBox byte 32 dup(0)   ; "MessageBoxA"

szMsgTitle byte 16 dup(0) ; caption shown by the remote MessageBox

szMsgText byte 16 dup(0)  ; text shown by the remote MessageBox

TInjData ends

.data

; Strings copied into InjData by __ep before the structure is injected.
szMsgTitle db 'Title', 0

szMsgText db 'Text', 0

; Program started by __ep. CreateProcess receives it as lpCommandLine,
; which may be modified by the API, so it lives in writable .data.
szApp db "notepad.exe",0

szUsr32 db "user32.dll",0

szKrnl32 db "kernel32.dll",0

; Export names resolved with GetProcAddress (locally, and remotely for MessageBoxA).
szMsgbox db "MessageBoxA",0

szLoadLib db "LoadLibraryA",0

szGetProcAddr db "GetProcAddress",0

.data

; Zero-initialised; __ep fills the fields, then Inject copies the whole
; structure into the target.
InjData TInjData <>

.data?

SInfo STARTUPINFO <>            ; zeroed by __ep before CreateProcess

PInfo PROCESS_INFORMATION <>    ; hProcess/hThread of the started target

pFunc dword ?                   ; remote address of the injected remotefunc copy

dwThreadID dword ?              ; id of the remote thread

hKernel dword ?                 ; local kernel32.dll module handle

.code

; Thanks to ksv for c++ example of this code :)

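;-----------------------------------------------------------------------
; Inject - copy dwSize bytes from Code (in this process) into a fresh
; allocation inside hProcess.
;   In : hProcess - target handle (needs PROCESS_VM_OPERATION|PROCESS_VM_WRITE)
;        dwSize   - number of bytes to copy
;        Code     - source address in the injector
;   Out: eax = remote base address, or 0 on failure
; Changes against the original: the region is committed read/write,
; filled, and only then switched to execute/read, so the target never
; holds a writable+executable page (the original allocated RWX and then
; re-protected it to RWX again); a short write is treated as failure;
; and on any failure after the allocation the remote region is released
; again instead of being leaked in the target.
;-----------------------------------------------------------------------
Inject proc uses esi hProcess:dword, dwSize:dword, Code:dword
    LOCAL dwOldProtect:dword
    LOCAL dwWritten:dword

    invoke VirtualAllocEx, hProcess, 0, dwSize, MEM_COMMIT+MEM_RESERVE, PAGE_READWRITE
    test eax, eax
    jz Inject_fail
    mov esi, eax                        ; esi = remote base, survives the calls below

    invoke WriteProcessMemory, hProcess, esi, Code, dwSize, addr dwWritten
    test eax, eax
    jz Inject_release
    mov eax, dwWritten
    cmp eax, dwSize
    jne Inject_release                  ; partial copy would run garbage in the target

    ; Flip to execute/read only after the bytes are in place.
    invoke VirtualProtectEx, hProcess, esi, dwSize, PAGE_EXECUTE_READ, addr dwOldProtect
    test eax, eax
    jz Inject_release

    mov eax, esi
    ret

Inject_release:
    invoke VirtualFreeEx, hProcess, esi, 0, MEM_RELEASE
Inject_fail:
    xor eax, eax
    ret
Inject endp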

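Label1:

;-----------------------------------------------------------------------
; remotefunc - the code that is copied into the target and started with
; CreateRemoteThread. It must be position independent: every address it
; needs (LoadLibraryA, GetProcAddress, the strings) is read from the
; TInjData block whose remote address arrives in iData, and every call
; goes through those stored pointers. Nothing here may refer to the
; injector's own data or import table.
; Does:  MessageBoxA(0, szMsgText, szMsgTitle, 0) with MessageBoxA taken
;        from GetProcAddress(LoadLibraryA(szUser32), szMsgBox).
; Changes against the original: a NULL from LoadLibraryA or
; GetProcAddress now ends the routine instead of `call eax` jumping to 0
; inside the target, and the title pointer is held in edx rather than
; ebx (ebx is callee-saved and was clobbered without being preserved).
;-----------------------------------------------------------------------
remotefunc PROC uses esi iData:DWORD
    mov esi, iData
    assume esi:ptr TInjData

    lea ecx, [esi].szUser32
    push ecx
    call [esi].LoadLib                  ; eax = LoadLibraryA("user32.dll")
    test eax, eax
    jz remotefunc_done

    lea ecx, [esi].szMsgBox
    push ecx
    push eax
    call [esi].GetAddr                  ; eax = GetProcAddress(hUser32, "MessageBoxA")
    test eax, eax
    jz remotefunc_done

    lea edx, [esi].szMsgTitle
    lea ecx, [esi].szMsgText
    push 0                              ; uType
    push edx                            ; lpCaption
    push ecx                            ; lpText
    push 0                              ; hWnd
    call eax                            ; MessageBoxA

remotefunc_done:
    assume esi:nothing
    ret
remotefunc endp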

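;-----------------------------------------------------------------------
; remotefunc2 - byte-for-byte twin of remotefunc. It is never started
; itself; it only sits between Label1 and Label2 so the copied range
; (FuncSize Label1, Label2) ends after a complete function. It is kept
; identical to remotefunc so the two cannot drift apart.
; Same changes as remotefunc: bail out on a NULL from LoadLibraryA or
; GetProcAddress, and use edx instead of the callee-saved ebx.
;-----------------------------------------------------------------------
remotefunc2 PROC uses esi iData:DWORD
    mov esi, iData
    assume esi:ptr TInjData

    lea ecx, [esi].szUser32
    push ecx
    call [esi].LoadLib                  ; eax = LoadLibraryA("user32.dll")
    test eax, eax
    jz remotefunc2_done

    lea ecx, [esi].szMsgBox
    push ecx
    push eax
    call [esi].GetAddr                  ; eax = GetProcAddress(hUser32, "MessageBoxA")
    test eax, eax
    jz remotefunc2_done

    lea edx, [esi].szMsgTitle
    lea ecx, [esi].szMsgText
    push 0                              ; uType
    push edx                            ; lpCaption
    push ecx                            ; lpText
    push 0                              ; hWnd
    call eax                            ; MessageBoxA

remotefunc2_done:
    assume esi:nothing
    ret
remotefunc2 endp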

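Label2:

;-----------------------------------------------------------------------
; Entry point: start notepad.exe, fill InjData, copy the code between
; Label1 and Label2 plus InjData into the new process, and run
; remotefunc there with the remote InjData address as its argument.
; Note: Label2 sits after remotefunc2, so the copied range carries both
; functions; only remotefunc (at the start of the range) is executed.
; Changes against the original: STARTUPINFO.cb is set as CreateProcess
; requires; CreateProcess and the two GetProcAddress results are checked;
; the Inject results are tested with `test eax,eax` instead of a bare
; `jz`, which only worked because no instruction between Inject's
; internal `cmp` and the jump happened to touch the flags; and the
; handles from CreateProcess/CreateRemoteThread are closed.
;-----------------------------------------------------------------------
__ep:
    ; create new process
    invoke RtlZeroMemory, addr SInfo, SizeOf STARTUPINFO
    mov SInfo.cb, SizeOf STARTUPINFO
    invoke CreateProcess, 0, addr szApp, 0, 0, FALSE, 0, 0, 0, addr SInfo, addr PInfo
    test eax, eax
    jz EOF                              ; no target: nothing to inject into

    ; prep the structure the remote code will read
    invoke lstrcpy, addr InjData.szUser32, addr szUsr32
    invoke lstrcpy, addr InjData.szMsgBox, addr szMsgbox
    invoke lstrcpy, addr InjData.szMsgTitle, addr szMsgTitle
    invoke lstrcpy, addr InjData.szMsgText, addr szMsgText

    ; Resolve LoadLibraryA/GetProcAddress locally; the remote code calls
    ; these addresses, which assumes kernel32 is at the same base in the
    ; target. Both must resolve, or the remote thread would call 0.
    invoke GetModuleHandle, addr szKrnl32
    mov hKernel, eax
    invoke GetProcAddress, hKernel, addr szLoadLib
    mov InjData.LoadLib, eax
    test eax, eax
    jz ep_cleanup
    invoke GetProcAddress, hKernel, addr szGetProcAddr
    mov InjData.GetAddr, eax
    test eax, eax
    jz ep_cleanup

    ; inject function
    FuncSize Label1, Label2             ; eax = size of the code range
    invoke Inject, PInfo.hProcess, eax, offset remotefunc
    test eax, eax
    jz ep_cleanup
    mov pFunc, eax

    ; inject the structure
    invoke Inject, PInfo.hProcess, sizeof TInjData, offset InjData
    test eax, eax
    jz ep_cleanup

    ; eax = remote InjData address, passed as remotefunc's iData
    invoke CreateRemoteThread, PInfo.hProcess, 0, 0, pFunc, eax, 0, addr dwThreadID
    test eax, eax
    jz ep_cleanup
    invoke CloseHandle, eax

ep_cleanup:
    invoke CloseHandle, PInfo.hThread
    invoke CloseHandle, PInfo.hProcess
EOF:
    invoke ExitProcess, 0
end __ep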
