Tuts 4 You

What is the problem with this injection code?


Pushad




00412148 . 73 68 65 6C 6C 33 32 2E 64>ASCII "shell32.dll",0
00412154 00 DB 00
00412155 . 53 68 65 6C 6C 45 78 65 63>ASCII "ShellExecuteA",0
00412163 00 DB 00
00412164 . 6F 70 65 6E 00 ASCII "open",0
00412169 00 DB 00
0041216A . 73 61 61 64 69 2E 65 78 65>ASCII "test1.exe",0
00412174 00 DB 00
00412175 > 68 48214100 PUSH KeyGEn6.00412148 ; /FileName = "shell32.dll"
0041217A . E8 FCFB3E7C CALL kernel32.LoadLibraryA ; \LoadLibraryA
0041217F . A3 B07F4100 MOV DWORD PTR DS:[417FB0],EAX ' Crash Here ; shell32.7C9C0000
00412184 . 68 55214100 PUSH KeyGEn6.00412155 ; /ProcNameOrOrdinal = "ShellExecuteA"
00412189 . FF35 B07F4100 PUSH DWORD PTR DS:[417FB0] ; |hModule = NULL
0041218F . E8 AC8C3F7C CALL kernel32.GetProcAddress ; \GetProcAddress
00412194 . A3 AD214100 MOV DWORD PTR DS:[4121AD],EAX ; shell32.7C9C0000
00412199 . 68 6A214100 PUSH KeyGEn6.0041216A ; ASCII "test1.exe"
0041219E . 68 64214100 PUSH KeyGEn6.00412164 ; ASCII "open"
004121A3 . 6A 00 PUSH 0
004121A5 . FF15 AD214100 CALL DWORD PTR DS:[4121AD]
004121AB . E8 CE8A3F7C CALL kernel32.FreeLibrary ; |\FreeLibrary
004121B0 . E8 439F3F7C CALL kernel32.ExitThread ; \ExitThread
004121B5 . 53 PUSH EBX ' Restore Original Code
004121B6 . 56 PUSH ESI
004121B7 . 57 PUSH EDI
004121B8 . 83CB FF OR EBX,FFFFFFFF
004121BB .^ E9 3CD0FFFF JMP KeyGEn6.0040F1FC ' Return to code

You don't have access rights to write to 417FB0; at least, that is the most likely problem.

Use VirtualProtect to gain access rights.

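A quick way to check the reply's diagnosis before patching is to map the faulting address onto the image's section table and look at the section's protection flags. This added example (not from the thread) parses IMAGE_SECTION_HEADER entries and reports, for an address, which section it lands in and whether that section is writable or executable; the image base, section layout and SectionAlignment below are constructed assumptions, not values from the poster's binary.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_ALIGNMENT = 0x1000  # assumed; a real image states it in the optional header


def parse_sections(table):
    """Return (name, rva, virtual_size, characteristics) per section header."""
    out = []
    for off in range(0, len(table), SECTION_HDR.size):
        name, vsize, rva, _, _, _, _, _, _, chars = SECTION_HDR.unpack_from(table, off)
        out.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, chars))
    return out


def align_up(n, a):
    return (n + a - 1) & ~(a - 1)


def classify(image_base, table, addr):
    """Return (section_name, writable, executable); name is None if unmapped.
    The loader maps each section up to the next SectionAlignment boundary,
    so an address just past VirtualSize but inside the last page still counts."""
    rva = addr - image_base
    for name, sec_rva, vsize, chars in parse_sections(table):
        end = sec_rva + align_up(vsize, SECTION_ALIGNMENT)
        if sec_rva <= rva < end:
            return name, bool(chars & IMAGE_SCN_MEM_WRITE), bool(chars & IMAGE_SCN_MEM_EXECUTE)
    return None, False, False


def make_hdr(name, rva, vsize, chars):
    return SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, vsize, 0, 0, 0, 0, 0, chars)


# Constructed section table for a hypothetical image based at 0x400000:
# .text is CODE|EXECUTE|READ, .rdata is READ only, .data is READ|WRITE.
IMAGE_BASE = 0x400000
TABLE = (make_hdr(b".text", 0x1000, 0x12000, 0x60000020)
         + make_hdr(b".rdata", 0x13000, 0x2000, 0x40000040)
         + make_hdr(b".data", 0x15000, 0x2000, 0xC0000040))

if __name__ == "__main__":
    for a in (0x4121AD, 0x417FB0, 0x416000):
        print(hex(a), classify(IMAGE_BASE, TABLE, a))
```

In this layout the self-patching write into the code cave at 4121AD hits a non-writable section, and 417FB0 falls past the end of .data, so both writes would fault until the page is made writable with VirtualProtect or a writable address is chosen.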

You try to get the address of ShellExecuteA with GetProcAddress, but that's pointless when you hardcoded the calls to LoadLibrary and GetProcAddress. This will pretty much explode on another machine.

You will need to find the addresses of LoadLibrary and GetProcAddress dynamically, too. Either you can find the two APIs in the IAT of the injected process (this should be easy since you're already accessing the process's image base at 417FB0), or, if they're not in the IAT, you will have to pull some tricks like finding the kernel32 base through the PEB and manually parsing the export table. There's a full-blown example for x64 here: http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#api-lookup-overview

But you might want to Google for better-suited ones yourself.

N1ghtm4r3

Clearly the address where you want to save the DLL handle is protected or invalid.

This is working for me:


00401006 68 20304000 PUSH console.00403020 ; ASCII "shell32.dll"
0040100B E8 6B0D407C CALL kernel32.LoadLibraryA
00401010 A3 2C304000 MOV DWORD PTR DS:[40302C],EAX ; shell32.#599
00403020  73 68 65 6C 6C 33 32 2E 64 6C 6C 00 00 00 9C 7C  shell32.dll...œ|