Pushad Posted May 9, 2011

What is the problem with this injection code?

00412148 . 73 68 65 6C 6C 33 32 2E 64>ASCII "shell32.dll",0
00412154 00 DB 00
00412155 . 53 68 65 6C 6C 45 78 65 63>ASCII "ShellExecuteA",0
00412163 00 DB 00
00412164 . 6F 70 65 6E 00 ASCII "open",0
00412169 00 DB 00
0041216A . 73 61 61 64 69 2E 65 78 65>ASCII "test1.exe",0
00412174 00 DB 00
00412175 > 68 48214100 PUSH KeyGEn6.00412148 ; /FileName = "shell32.dll"
0041217A . E8 FCFB3E7C CALL kernel32.LoadLibraryA ; \LoadLibraryA
0041217F . A3 B07F4100 MOV DWORD PTR DS:[417FB0],EAX ' Crash Here ; shell32.7C9C0000
00412184 . 68 55214100 PUSH KeyGEn6.00412155 ; /ProcNameOrOrdinal = "ShellExecuteA"
00412189 . FF35 B07F4100 PUSH DWORD PTR DS:[417FB0] ; |hModule = NULL
0041218F . E8 AC8C3F7C CALL kernel32.GetProcAddress ; \GetProcAddress
00412194 . A3 AD214100 MOV DWORD PTR DS:[4121AD],EAX ; shell32.7C9C0000
00412199 . 68 6A214100 PUSH KeyGEn6.0041216A ; ASCII "test1.exe"
0041219E . 68 64214100 PUSH KeyGEn6.00412164 ; ASCII "open"
004121A3 . 6A 00 PUSH 0
004121A5 . FF15 AD214100 CALL DWORD PTR DS:[4121AD]
004121AB . E8 CE8A3F7C CALL kernel32.FreeLibrary ; |\FreeLibrary
004121B0 . E8 439F3F7C CALL kernel32.ExitThread ; \ExitThread
004121B5 . 53 PUSH EBX ' Restore Original Code
004121B6 . 56 PUSH ESI
004121B7 . 57 PUSH EDI
004121B8 . 83CB FF OR EBX,FFFFFFFF
004121BB .^ E9 3CD0FFFF JMP KeyGEn6.0040F1FC ' Return to code
quosego Posted May 9, 2011

You don't have access rights to write to 417FB0. At least that will be the most likely problem. Use VirtualProtect to gain access rights.
Killboy Posted May 9, 2011

You try to get the address of ShellExecuteA with GetProcAddress, but that's pointless when you hardcoded the calls to LoadLibrary and GetProcAddress. This will pretty much explode on another machine. You will need to find the addresses of LoadLibrary and GetProcAddress dynamically, too. Either you can find the two APIs in the IAT of the injected process (this should be easy since you're already accessing the process's imagebase at 417FB0). If they're not in the IAT you will have to pull some tricks like finding the kernel32 base through the PEB and manually parsing the export table. There's a full blown example for x64 here: http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#api-lookup-overview

But you might wanna google yourself for better suited ones.
N1ghtm4r3 Posted May 9, 2011 (edited)

Clearly the address where you want to save the DLL handle is protected or invalid. This is working for me:

00401006 68 20304000 PUSH console.00403020 ; ASCII "shell32.dll"
0040100B E8 6B0D407C CALL kernel32.LoadLibraryA
00401010 A3 2C304000 MOV DWORD PTR DS:[40302C],EAX ; shell32.#599
00403020 73 68 65 6C 6C 33 32 2E 64 6C 6C 00 00 00 9C 7C shell32.dll...œ|

Edited May 9, 2011 by N1ghtm4r3
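As an added example (not code from anyone in this thread), a small Python checker run over a constructed excerpt of the first post's OllyDbg listing: it resolves every E8 call to its absolute target and flags the calls that land outside the injected image, plus the writes and the call that go through absolute addresses, which are exactly the two things quosego and Killboy point at. The image range 0x00400000-0x00420000 and the excerpt lines are assumptions.

```python
import re
from typing import List, Tuple

# Constructed excerpt of the OllyDbg listing from the first post, one instruction per line.
LISTING = """\
0041217A . E8 FCFB3E7C CALL kernel32.LoadLibraryA
0041217F . A3 B07F4100 MOV DWORD PTR DS:[417FB0],EAX
0041218F . E8 AC8C3F7C CALL kernel32.GetProcAddress
00412194 . A3 AD214100 MOV DWORD PTR DS:[4121AD],EAX
004121A5 . FF15 AD214100 CALL DWORD PTR DS:[4121AD]
004121AB . E8 CE8A3F7C CALL kernel32.FreeLibrary
004121B0 . E8 439F3F7C CALL kernel32.ExitThread
"""

# E8 rel32 direct call, absolute MOV to [imm32], and CALL through a [imm32] pointer.
CALL_REL = re.compile(r"^(?P<addr>[0-9A-F]{8})\s+\S+\s+E8 (?P<rel>[0-9A-F]{8})\s+CALL (?P<sym>\S+)")
MEM_WRITE = re.compile(r"^(?P<addr>[0-9A-F]{8}).*\bMOV DWORD PTR DS:\[(?P<dst>[0-9A-F]+)\],")
MEM_CALL = re.compile(r"^(?P<addr>[0-9A-F]{8}).*\bCALL DWORD PTR DS:\[(?P<dst>[0-9A-F]+)\]")


def rel32_target(insn_addr: int, rel_le_hex: str) -> int:
    """Target of a 5-byte E8 call: next instruction address plus sign-extended rel32."""
    rel = int.from_bytes(bytes.fromhex(rel_le_hex), "little", signed=True)
    return (insn_addr + 5 + rel) & 0xFFFFFFFF


def analyse(listing: str, image_lo: int, image_hi: int) -> List[Tuple[str, int, str]]:
    """Return (kind, instruction address, detail) for every machine-specific dependency."""
    findings = []
    for line in listing.splitlines():
        if m := CALL_REL.match(line):
            target = rel32_target(int(m["addr"], 16), m["rel"])
            if not image_lo <= target < image_hi:  # resolves outside the injected image
                findings.append(("hardcoded-call", int(m["addr"], 16), f"{m['sym']} -> {target:08X}"))
        elif m := MEM_WRITE.match(line):
            # Only valid if that page is writable at run time (check it with VirtualQuery first).
            findings.append(("absolute-write", int(m["addr"], 16), f"[{int(m['dst'], 16):08X}]"))
        elif m := MEM_CALL.match(line):
            findings.append(("call-via-absolute-ptr", int(m["addr"], 16), f"[{int(m['dst'], 16):08X}]"))
    return findings


if __name__ == "__main__":
    # Assumed image range of the target module (KeyGEn6 sits around 0x00400000 in the listing).
    for kind, at, detail in analyse(LISTING, 0x00400000, 0x00420000):
        print(f"{at:08X}  {kind:22s} {detail}")
```

The four resolved call targets all fall in the 0x7C80xxxx range, i.e. inside the kernel32 of the poster's machine only, which is why Killboy expects the code to break elsewhere.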