Jump to content
Tuts 4 You

[C++/Help] Injecting Hello World into a program


Recommended Posts

This is my code so far!!!


I'm using a PE Library called "PE Bliss" its quite an extensive and nice and rich in features Library as far as I've seen, but given my novice skills with this, I've been running into a problem lately, I want to inject code to a file this are the steps I have gathered used to do that manually:


- Get & Store OEP
- Add Section
- Replace old OEP to new Section OEP
- Write MessageBoxA Structrue to new Section & Jump to old entry point
- Rebuild PE
- Save PE

However in my code as shown below when I try to write such data, I can't, it writes the first few bytes into the section, and I still don't know why it's happening?

#include <iostream>
#include <fstream>
#include <pe_bliss.h>
#include "lib.h"
#include "main.h"
#include <basetsd.h>

#define PAUSE system("pause");

using namespace pe_bliss;

int main(int argc, char* argv[])
	std::ifstream pe_file("1.exe", std::ios::in | std::ios::binary);

	if (!pe_file)
		//Problems problems problems...
		std::cout << "PE File Could Not Be Opened!" << std::endl;

		return -1;

		//////////////////READ OEP//////////////////////////////
		std::cout << "[+] Reading OEP ..." << std::endl;

		pe_base image(pe_factory::create_pe(pe_file)); // Create stub image based on PE File
		int oep = image.get_ep(); // Get Image Entry Point for later redirection (TODO: NOT DONE YET!)

		////////////////////ADD NEW SECTION//////////////////////
		std::cout << "[+] Adding New Section ..." << std::endl;

		char data[24] = {
			0x6A, 0x10, 0x68, 0x18, 0x70, 0x62, 0x00, 0x68, 0x26, 0x70, 0x62, 0x00, 0x6A, 0x00, 0xE8, 0xD3,
			0x8D, 0xA9, 0x76, 0xE9, 0x14, 0xA4, 0xFA, 0xFF
		section new_section; // New section declaration

		new_section.set_name(".hw"); // New Section Name (.hw aka Hello World :D)
		new_section.readable(true).executable(true).writeable(true); // Making New Section R/E/W
		new_section.set_size_of_raw_data(100); // Size of Section
		new_section.set_raw_data(data); //  Data to be Written

		std::cout << "[+] Injecting Data to PE ..." << std::endl;

		image.add_section(new_section); // Adding Image

		std::cout << "[+] New Section Added to the Image!" << std::endl;

		///////////////////////GENERATING NEW PE///////////////////////////////////

		//Create new PE file
		//Get the name of original file without directory
		std::string base_file_name("1");
		std::string file_extension(".exe");
		std::string dir_name;
		std::string::size_type slash_pos;
		if ((slash_pos = base_file_name.find_last_of("/\\")) != std::string::npos)
			dir_name = base_file_name.substr(0, slash_pos + 1); //Source File Directory
			base_file_name = base_file_name.substr(slash_pos + 1); //Source File Name

		//Give a name to a new file
		//Concatenate it with original directory name to save it to a folder where
		//original file is stored
		base_file_name = dir_name + base_file_name + "+" + file_extension;
		//Create file
		std::ofstream new_pe_file(base_file_name.c_str(), std::ios::out | std::ios::binary | std::ios::trunc);
		if (!new_pe_file)
			//If failed to create file - display an error message
			std::cout << "Cannot create " << base_file_name << std::endl;
			return -1;

		//Rebuild PE image
		//Strip DOS header, writing NT headers over it
		//(second parameter (true) is responsible for this)
		//Do not recalculate SizeOfHeaders - third parameter is responsible for this
		rebuild_pe(image, new_pe_file, true, false);

		//Alert the user that file is successfully injected
		std::cout << "[+] New File Saved to: " << base_file_name << std::endl;

		return 1;
	catch (const std::exception& e)
		//Woops? Something wrong?
		std::cout  << e.what() << std::endl;

		return 0;

	return 0;

Soo, this is how it looks after it's been finished and served:



Any ideas, suggestions, recommendations? They will be highly appreciated!



I think I know why it's happening! I found out that, whenever the data gets to 0x00 it terminates writing to the section!

You see:

		char data[24] = {
			0x6A, 0x10, 0x68, 0x18, 0x70, 0x62, 0x00, 0x68, 0x26, 0x70, 0x62, 0x00, 0x6A, 0x00, 0xE8, 0xD3,
			0x8D, 0xA9, 0x76, 0xE9, 0x14, 0xA4, 0xFA, 0xFF

The first 6 bytes are good until it gets to the 7th byte which is 0x00, I think that's a null terminator? as data gets written needs to be null terminated, so if it sees a null termination it ceases to write?

I have managed to bypass the null termination by changing 0x00 to 0x90 :S it somehow works, but now I need to see why when the data gets written it appends some garbage at the end of that data...

*EDIT 2*

Oh wow! I'm amazed how some times things can be simple! :D

I just followed the same principles and now by adding that last null terminator it doesn't adds that garbage! :D


It's all done :D thanks for any further help!

Edited by 0xNOP
Link to comment

Some of the worst behaviors in a library you can have :D probable documented but shit anyway (should have used a size buffer or std containers)...

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...