Jump to content
Tuts 4 You

what the problem with this injection code


Pushad

Recommended Posts

Posted

what the problem with this injection code


00412148 . 73 68 65 6C 6C 33 32 2E 64>ASCII "shell32.dll",0
00412154 00 DB 00
00412155 . 53 68 65 6C 6C 45 78 65 63>ASCII "ShellExecuteA",0
00412163 00 DB 00
00412164 . 6F 70 65 6E 00 ASCII "open",0
00412169 00 DB 00
0041216A . 73 61 61 64 69 2E 65 78 65>ASCII "test1.exe",0
00412174 00 DB 00
00412175 > 68 48214100 PUSH KeyGEn6.00412148 ; /FileName = "shell32.dll"
0041217A . E8 FCFB3E7C CALL kernel32.LoadLibraryA ; \LoadLibraryA
0041217F . A3 B07F4100 MOV DWORD PTR DS:[417FB0],EAX ' Crash Here ; shell32.7C9C0000
00412184 . 68 55214100 PUSH KeyGEn6.00412155 ; /ProcNameOrOrdinal = "ShellExecuteA"
00412189 . FF35 B07F4100 PUSH DWORD PTR DS:[417FB0] ; |hModule = NULL
0041218F . E8 AC8C3F7C CALL kernel32.GetProcAddress ; \GetProcAddress
00412194 . A3 AD214100 MOV DWORD PTR DS:[4121AD],EAX ; shell32.7C9C0000
00412199 . 68 6A214100 PUSH KeyGEn6.0041216A ; ASCII "test1.exe"
0041219E . 68 64214100 PUSH KeyGEn6.00412164 ; ASCII "open"
004121A3 . 6A 00 PUSH 0
004121A5 . FF15 AD214100 CALL DWORD PTR DS:[4121AD]
004121AB . E8 CE8A3F7C CALL kernel32.FreeLibrary ; |\FreeLibrary
004121B0 . E8 439F3F7C CALL kernel32.ExitThread ; \ExitThread
004121B5 . 53 PUSH EBX ' Restore Original Code
004121B6 . 56 PUSH ESI
004121B7 . 57 PUSH EDI
004121B8 . 83CB FF OR EBX,FFFFFFFF
004121BB .^ E9 3CD0FFFF JMP KeyGEn6.0040F1FC ' Return to code
Posted

You don't have access right to write to 417FB0. At least that will be the most likely problem.

Use virtualprotect to gain access rights.

Posted

You try to get the address of ShellExecuteA with GetProcAddress, but that's pointless when you hardcoded the calls to LoadLibrary and GetProcAddress. This will pretty much explode on another machine.

You will need to find the addresses of LoadLibrary nad GetProcAddress dynamically, too. Either you can find the two APIs in the IAT of the injected process (this should be easy since you're already accessing the process's imagebase at 417FB0). If they're not in the IAT you will have to pull some tricks like finding kernel32 base through PEB and manually parsing the export table. There's a full blown example for x64 here: http://mcdermottcybersecurity.com/articles/windows-x64-shellcode#api-lookup-overview

But you might wanna google yourself for better suited ones

N1ghtm4r3
Posted (edited)

Clearly the address you want save the dll handle there, is protected or invalid.

This is working for me:


00401006 68 20304000 PUSH console.00403020 ; ASCII "shell32.dll"
0040100B E8 6B0D407C CALL kernel32.LoadLibraryA
00401010 A3 2C304000 MOV DWORD PTR DS:[40302C],EAX ; shell32.#599
00403020  73 68 65 6C 6C 33 32 2E 64 6C 6C 00 00 00 9C 7C  shell32.dll...œ|
Edited by N1ghtm4r3

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...