Tuts 4 You

senuzulme99
Posted

I'm working on a different PE injection technique. I want to inject a PE file into the virtual memory of the current executable and then execute the injected PE file. I wrote the injection code, but my method is not working. The DOS header and NT header parse correctly, I write the sections correctly and create a new thread on the entry point of the .text section, but the thread is not working. What is the problem here?

#include <iostream>
#include <windows.h>

int main()
{
    DWORD* ImageBase;
    void* pImageBase;
    IMAGE_NT_HEADERS* NTHeader;
    IMAGE_DOS_HEADER* DOSHeader;
    IMAGE_NT_HEADERS* mem_NTHeader;
    IMAGE_DOS_HEADER* mem_DOSHeader;
    IMAGE_SECTION_HEADER* SecHeader;
    unsigned char memory_pe[] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, ........ }; // This is the binary of the PE file (bytes elided in the post).
    DOSHeader = PIMAGE_DOS_HEADER(memory_pe);
    NTHeader = PIMAGE_NT_HEADERS(DWORD(memory_pe) + DOSHeader->e_lfanew);   // DWORD casts: 32-bit build only
    // 0x3000 == MEM_COMMIT | MEM_RESERVE
    pImageBase = VirtualAlloc(NULL, NTHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
    memcpy(pImageBase, memory_pe, NTHeader->OptionalHeader.SizeOfHeaders);
    for (int i = 0; i < NTHeader->FileHeader.NumberOfSections; i++) {
        // 248 == sizeof(IMAGE_NT_HEADERS32), 40 == sizeof(IMAGE_SECTION_HEADER)
        SecHeader = (PIMAGE_SECTION_HEADER)(DWORD(memory_pe) + DOSHeader->e_lfanew + 248 + (i * 40));
        memcpy(LPVOID(DWORD(pImageBase) + SecHeader->VirtualAddress), LPVOID(DWORD(memory_pe) + SecHeader->PointerToRawData), SecHeader->SizeOfRawData);
    }
    mem_DOSHeader = PIMAGE_DOS_HEADER(pImageBase);
    mem_NTHeader = PIMAGE_NT_HEADERS(DWORD(pImageBase) + mem_DOSHeader->e_lfanew);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(DWORD(pImageBase) + mem_NTHeader->OptionalHeader.BaseOfCode), NULL, 0, NULL);
    return 0;
}

kao
Posted (edited)

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

Edited by kao
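The manual mapping kao's reply is about, written out as an added example: this is my code, not code from the original post, from Tuts 4 You or from any library. It goes beyond the thread in two ways: it applies base relocations (the posted loader never rebases the image, yet VirtualAlloc almost never returns the linked ImageBase) and it bounds-checks every header, section and relocation entry before touching memory. The PE32 structures are redefined with the winnt.h layout so the code builds without <windows.h> on any host; build_sample_pe constructs a tiny PE32 in memory (a made-up sample, not a real binary) whose AddressOfEntryPoint sits 16 bytes past BaseOfCode, so the two fields give different thread start addresses. The names pe_map_image, build_sample_pe and run_sample are mine.

```c
#include <stdint.h>
#include <string.h>

/* PE32 on-disk structures with the same layout as the winnt.h types, defined here so the code
   builds without <windows.h>; fields not used below are kept as opaque padding. */
#pragma pack(push, 1)
typedef struct { uint16_t e_magic; uint8_t rest[58]; uint32_t e_lfanew; } DosHeader;                    /* 64 */
typedef struct { uint16_t Machine, NumberOfSections; uint32_t Stamp, SymTab, NumSyms; uint16_t SizeOfOptionalHeader, Characteristics; } FileHeader; /* 20 */
typedef struct { uint32_t VirtualAddress, Size; } DataDir;
typedef struct {
    uint16_t Magic; uint8_t LinkerVersion[2]; uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData;
    uint32_t AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase, SectionAlignment, FileAlignment;
    uint8_t Versions[12]; uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum;
    uint16_t Subsystem, DllCharacteristics; uint32_t StackReserve, StackCommit, HeapReserve, HeapCommit, LoaderFlags, NumberOfRvaAndSizes;
    DataDir DataDirectory[16]; } OptionalHeader32;                                                      /* 224 */
typedef struct { uint32_t Signature; FileHeader File; OptionalHeader32 Opt; } NtHeaders32;             /* 248 */
typedef struct { uint8_t Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData; uint8_t rest[12]; uint32_t Characteristics; } SectionHeader; /* 40 */
typedef struct { uint32_t VirtualAddress, SizeOfBlock; } BaseRelocBlock;
#pragma pack(pop)

/* Lay the PE32 file out in `image` (>= SizeOfImage bytes) as the Windows loader would at address
   `new_base`: copy headers, copy each section to its RVA, apply HIGHLOW base relocations, return the
   entry-point RVA. Returns 1 on success, 0 when anything does not fit its buffer. No import resolution. */
int pe_map_image(const uint8_t *file, size_t file_len, uint8_t *image, size_t image_len, uint32_t new_base, uint32_t *entry_rva)
{
    if (file_len < sizeof(NtHeaders32)) return 0;
    const DosHeader *dos = (const DosHeader *)file;
    if (dos->e_magic != 0x5A4D || dos->e_lfanew > file_len - sizeof(NtHeaders32)) return 0;  /* "MZ" */
    const NtHeaders32 *nt = (const NtHeaders32 *)(file + dos->e_lfanew);
    if (nt->Signature != 0x4550 || nt->Opt.Magic != 0x10B) return 0;                       /* "PE\0\0", PE32 */
    uint32_t size_img = nt->Opt.SizeOfImage, size_hdr = nt->Opt.SizeOfHeaders;
    if (size_hdr < dos->e_lfanew + sizeof(NtHeaders32) || size_hdr > file_len ||
        size_hdr > size_img || size_img > image_len) return 0;
    memset(image, 0, image_len); memcpy(image, file, size_hdr);
    /* Section table follows the optional header: use SizeOfOptionalHeader, not a constant 248. */
    size_t sec_off = dos->e_lfanew + 4 + sizeof(FileHeader) + nt->File.SizeOfOptionalHeader;
    if (sec_off + nt->File.NumberOfSections * sizeof(SectionHeader) > size_hdr) return 0;
    const SectionHeader *sec = (const SectionHeader *)(file + sec_off);
    for (unsigned i = 0; i < nt->File.NumberOfSections; i++) {
        uint32_t raw = sec[i].SizeOfRawData, rva = sec[i].VirtualAddress, ptr = sec[i].PointerToRawData;
        if (raw > file_len || ptr > file_len - raw) return 0;          /* raw bytes must lie inside the file */
        if (raw > size_img || rva > size_img - raw) return 0;          /* and land inside the image */
        memcpy(image + rva, file + ptr, raw);                          /* rest of VirtualSize stays zero (.bss) */
    }
    /* Base relocations: absolute addresses were linked for ImageBase; shift each one by delta. */
    uint32_t delta = new_base - nt->Opt.ImageBase; DataDir rd = nt->Opt.DataDirectory[5]; /* BASERELOC dir */
    if (delta != 0 && rd.Size != 0) {
        if (rd.Size > size_img || rd.VirtualAddress > size_img - rd.Size) return 0;
        uint32_t off = rd.VirtualAddress, end = off + rd.Size;
        while (end - off >= sizeof(BaseRelocBlock)) {
            BaseRelocBlock blk; memcpy(&blk, image + off, sizeof blk);
            if (blk.SizeOfBlock < sizeof blk || blk.SizeOfBlock > end - off) return 0;
            for (uint32_t e = off + sizeof blk; e + 2 <= off + blk.SizeOfBlock; e += 2) {
                uint16_t ent; memcpy(&ent, image + e, 2);
                if ((ent >> 12) == 0) continue;                        /* IMAGE_REL_BASED_ABSOLUTE: padding */
                uint32_t where = blk.VirtualAddress + (ent & 0xFFF), v;
                if ((ent >> 12) != 3 || where > size_img - 4) return 0; /* only IMAGE_REL_BASED_HIGHLOW */
                memcpy(&v, image + where, 4); v += delta; memcpy(image + where, &v, 4);
            }
            off += blk.SizeOfBlock;
        }
    }
    *entry_rva = nt->Opt.AddressOfEntryPoint;                          /* thread start, not BaseOfCode */
    return 1;
}

/* Constructed sample PE32 (made up for this example, not a real binary): .text holds "mov eax, <absolute
   address>; ret" at RVA 0x1010, .reloc has the one HIGHLOW entry for that immediate, entry point != BaseOfCode. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    if (cap < 0x600) return 0; memset(buf, 0, 0x600);
    DosHeader *dos = (DosHeader *)buf; dos->e_magic = 0x5A4D; dos->e_lfanew = 0x40;
    NtHeaders32 *nt = (NtHeaders32 *)(buf + 0x40); nt->Signature = 0x4550; nt->File.Machine = 0x14C;
    nt->File.NumberOfSections = 2; nt->File.SizeOfOptionalHeader = sizeof(OptionalHeader32);
    nt->Opt.Magic = 0x10B; nt->Opt.AddressOfEntryPoint = 0x1010; nt->Opt.BaseOfCode = 0x1000;
    nt->Opt.ImageBase = 0x00400000; nt->Opt.SectionAlignment = 0x1000; nt->Opt.FileAlignment = 0x200;
    nt->Opt.SizeOfImage = 0x3000; nt->Opt.SizeOfHeaders = 0x200; nt->Opt.NumberOfRvaAndSizes = 16;
    nt->Opt.DataDirectory[5].VirtualAddress = 0x2000; nt->Opt.DataDirectory[5].Size = 12;
    SectionHeader *sec = (SectionHeader *)(buf + 0x40 + sizeof(NtHeaders32));
    memcpy(sec[0].Name, ".text", 5);  sec[0].VirtualAddress = 0x1000; sec[0].VirtualSize = 0x200;
    sec[0].PointerToRawData = 0x200;  sec[0].SizeOfRawData = 0x200; sec[0].Characteristics = 0x60000020;
    memcpy(sec[1].Name, ".reloc", 6); sec[1].VirtualAddress = 0x2000; sec[1].VirtualSize = 0x200;
    sec[1].PointerToRawData = 0x400;  sec[1].SizeOfRawData = 0x200; sec[1].Characteristics = 0x42000040;
    uint32_t abs_addr = 0x00400000 + 0x1020;                      /* only valid if loaded at ImageBase */
    buf[0x210] = 0xB8; memcpy(buf + 0x211, &abs_addr, 4); buf[0x215] = 0xC3;   /* mov eax, imm32; ret */
    BaseRelocBlock blk = { 0x1000, 12 };                          /* page RVA, 8-byte header + 2 entries */
    uint16_t ents[2] = { (3 << 12) | 0x011, 0 };                  /* HIGHLOW at RVA 0x1011, then padding */
    memcpy(buf + 0x400, &blk, 8); memcpy(buf + 0x408, ents, 4);
    return 0x600;
}

/* Map the sample at `new_base`; report the entry RVA and the (relocated) immediate at RVA 0x1011. */
int run_sample(uint32_t new_base, uint32_t *entry_rva, uint32_t *imm)
{
    uint8_t file[0x600], image[0x3000];
    if (build_sample_pe(file, sizeof file) == 0) return 0;
    if (!pe_map_image(file, sizeof file, image, sizeof image, new_base, entry_rva)) return 0;
    memcpy(imm, image + 0x1011, 4); return 1;
}
```

On Windows the remaining steps are: VirtualAlloc the image buffer as PAGE_READWRITE, call pe_map_image with new_base set to the address VirtualAlloc returned, resolve the import table (not handled above), VirtualProtect each section to the rights its Characteristics ask for (PAGE_EXECUTE_READ for .text, PAGE_READWRITE for .data) instead of leaving the whole image RWX, and only then CreateThread at new_base + entry_rva. An image whose imports are unresolved or whose absolute addresses were never rebased faults at the first call or absolute memory reference, which is what an access violation on the new thread usually means.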
HostageOfCode
Posted

Doubt it will work this way, you will have to add an exception handler to this thread... I would try with TitanEngine, it can statically load a PE image and run it with its own debugger and exception handler.

senuzulme99
Posted
2 hours ago, kao said:

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

I tried putting AddressOfEntryPoint instead of BaseOfCode, but the issue still continues.

senuzulme99
Posted
1 hour ago, HostageOfCode said:

Doubt it will work this way, you will have to add an exception handler to this thread... I would try with TitanEngine, it can statically load a PE image and run it with its own debugger and exception handler.

How can I find TitanEngine, and how can I add an exception handler to the thread?

senuzulme99
Posted
4 hours ago, kao said:

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.


3 hours ago, HostageOfCode said:

Doubt it will work this way, you will have to add an exception handler to this thread... I would try with TitanEngine, it can statically load a PE image and run it with its own debugger and exception handler.

I grabbed the exception message. It looks like this:

[attached screenshot of the exception message; image not reproduced]
