senuzulme99 Posted March 1, 2021

I'm working on a different PE injection technique. I want to inject a PE file into the virtual memory of the current executable. After that, I want to execute the injected PE file. I wrote the inject code, but my method is not working. The DOS header and NT header parse correctly, I write the sections correctly and create a new thread on the entry point of the .text section, but the thread is not working. What is the problem here?

```cpp
#include <iostream>
#include <windows.h>

int main()
{
    DWORD* ImageBase;
    void* pImageBase;
    IMAGE_NT_HEADERS* NTHeader;
    IMAGE_DOS_HEADER* DOSHeader;
    IMAGE_NT_HEADERS* mem_NTHeader;
    IMAGE_DOS_HEADER* mem_DOSHeader;
    IMAGE_SECTION_HEADER* SecHeader;

    unsigned char memory_pe[] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, ........ }; // This is the binary of the PE file.

    // Parse the DOS header and locate the NT headers via e_lfanew.
    DOSHeader = PIMAGE_DOS_HEADER(memory_pe);
    NTHeader = PIMAGE_NT_HEADERS(DWORD(memory_pe) + DOSHeader->e_lfanew);

    // Reserve and commit SizeOfImage bytes (0x3000 = MEM_COMMIT | MEM_RESERVE) as RWX.
    pImageBase = VirtualAlloc(NULL, NTHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);

    // Copy the headers, then copy each section to its VirtualAddress.
    memcpy(pImageBase, memory_pe, NTHeader->OptionalHeader.SizeOfHeaders);
    for (int i = 0; i < NTHeader->FileHeader.NumberOfSections; i++)
    {
        // 248 = sizeof(IMAGE_NT_HEADERS32), 40 = sizeof(IMAGE_SECTION_HEADER)
        SecHeader = (PIMAGE_SECTION_HEADER)(DWORD(memory_pe) + DOSHeader->e_lfanew + 248 + (i * 40));
        memcpy(LPVOID(DWORD(pImageBase) + SecHeader->VirtualAddress),
               LPVOID(DWORD(memory_pe) + SecHeader->PointerToRawData),
               SecHeader->SizeOfRawData);
    }

    // Re-parse the headers inside the mapped image and start a thread at BaseOfCode.
    mem_DOSHeader = PIMAGE_DOS_HEADER(pImageBase);
    mem_NTHeader = PIMAGE_NT_HEADERS(DWORD(pImageBase) + mem_DOSHeader->e_lfanew);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(DWORD(pImageBase) + mem_NTHeader->OptionalHeader.BaseOfCode), NULL, 0, NULL);
    return 0;
}
```
kao Posted March 1, 2021 (edited)

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead.

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

Edited March 1, 2021 by kao
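The following is an added example, not code from the thread or from either poster. It is portable C (no windows.h) that builds a constructed two-section PE32 in memory and walks the mapping steps the posted loader skips or gets wrong: bounds-checking every header-derived offset before copying (the posted loop trusts PointerToRawData/SizeOfRawData blindly), reading AddressOfEntryPoint rather than BaseOfCode, applying the base relocation table when the allocation does not land at ImageBase (VirtualAlloc(NULL, ...) almost never does), and deriving per-section protection from the section characteristics so that a real loader can VirtualProtect each section to RX/RW/R instead of leaving one RWX block. All offsets are the documented IMAGE_NT_HEADERS32 / IMAGE_SECTION_HEADER / IMAGE_BASE_RELOCATION layouts; the sample image, its ImageBase 0x400000, the pretend new base 0x10000000 and the single HIGHLOW fixup are constructed for the example. The example handles PE32 and HIGHLOW relocations only, and does not resolve the import table, which a working manual loader must also do before jumping to the entry point.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Little-endian accessors so the code needs no Windows headers or struct packing. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint32_t v) { p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v & 0xffff); wr16(p + 2, v >> 16); }

#define OPT 0x18         /* OptionalHeader offset inside IMAGE_NT_HEADERS32 */
#define DIR_RELOC 5      /* IMAGE_DIRECTORY_ENTRY_BASERELOC */
#define SAMPLE_LEN 0x600

/* Constructed sample (not a real binary): PE32, ImageBase 0x400000, entry RVA 0x1010 running
 * "mov eax, 0x00401000 ; ret", and a .reloc block marking that absolute operand as HIGHLOW. */
static uint8_t *build_sample_pe(void) {
    uint8_t *f = calloc(1, SAMPLE_LEN), *nt = f + 0x40, *opt = nt + OPT, *sec = opt + 0xe0;
    memcpy(f, "MZ", 2); wr32(f + 0x3c, 0x40); memcpy(nt, "PE\0\0", 4);
    wr16(nt + 4, 0x14c); wr16(nt + 6, 2); wr16(nt + 0x14, 0xe0); wr16(nt + 0x16, 0x0102);
    wr16(opt, 0x10b);            /* PE32 magic */
    wr32(opt + 0x10, 0x1010);    /* AddressOfEntryPoint */
    wr32(opt + 0x14, 0x1000);    /* BaseOfCode: start of .text, not where execution begins */
    wr32(opt + 0x1c, 0x400000);  /* ImageBase */
    wr32(opt + 0x20, 0x1000); wr32(opt + 0x24, 0x200);   /* SectionAlignment / FileAlignment */
    wr32(opt + 0x38, 0x3000); wr32(opt + 0x3c, 0x200);   /* SizeOfImage / SizeOfHeaders */
    wr32(opt + 0x5c, 16); wr32(opt + 0x60 + 8 * DIR_RELOC, 0x2000); wr32(opt + 0x64 + 8 * DIR_RELOC, 12);
    memcpy(sec, ".text", 5); wr32(sec + 8, 0x200); wr32(sec + 12, 0x1000);
    wr32(sec + 16, 0x200); wr32(sec + 20, 0x200); wr32(sec + 36, 0x60000020);   /* CODE|EXEC|READ */
    memcpy(sec + 40, ".reloc", 6); wr32(sec + 48, 0x200); wr32(sec + 52, 0x2000);
    wr32(sec + 56, 0x200); wr32(sec + 60, 0x400); wr32(sec + 76, 0x42000040);   /* IDATA|DISCARD|READ */
    memcpy(f + 0x210, "\xb8\x00\x10\x40\x00\xc3", 6);   /* file 0x210 == RVA 0x1010 */
    wr32(f + 0x400, 0x1000); wr32(f + 0x404, 12);       /* reloc block: page RVA, SizeOfBlock */
    wr16(f + 0x408, 0x3011); wr16(f + 0x40a, 0);        /* HIGHLOW at 0x1011, ABSOLUTE padding */
    return f;
}

/* Lay the raw file out as an image, checking every header-derived offset against the
 * input length before copying. Returns NULL on any malformed or truncated input. */
static uint8_t *map_pe(const uint8_t *file, size_t len, size_t *img_len, uint32_t *entry_rva) {
    if (len < 0x40 || rd16(file) != 0x5a4d) return NULL;                             /* "MZ" */
    uint32_t nt = rd32(file + 0x3c);
    if ((uint64_t)nt + OPT + 0xe0 > len || rd32(file + nt) != 0x4550) return NULL; /* "PE\0\0" */
    const uint8_t *opt = file + nt + OPT;
    if (rd16(opt) != 0x10b) return NULL;                                              /* PE32 only */
    uint32_t size_img = rd32(opt + 0x38), size_hdr = rd32(opt + 0x3c);
    uint32_t nsec = rd16(file + nt + 6), sec0 = nt + OPT + rd16(file + nt + 0x14);
    if (size_hdr > len || size_hdr > size_img || (uint64_t)sec0 + 40 * nsec > len) return NULL;
    uint8_t *img = calloc(1, size_img);
    memcpy(img, file, size_hdr);
    for (uint32_t i = 0; i < nsec; i++) {
        const uint8_t *s = file + sec0 + 40 * i;
        uint32_t va = rd32(s + 12), raw = rd32(s + 16), ptr = rd32(s + 20);
        if ((uint64_t)ptr + raw > len || (uint64_t)va + raw > size_img) { free(img); return NULL; }
        memcpy(img + va, file + ptr, raw);
    }
    *img_len = size_img;
    *entry_rva = rd32(opt + 0x10);   /* AddressOfEntryPoint, not BaseOfCode */
    return img;
}

/* Rebase the mapped image to new_base by walking the base relocation directory.
 * Returns the number of fixups applied, or -1 if a block or entry is malformed. */
static int apply_relocations(uint8_t *img, size_t img_len, uint32_t new_base) {
    const uint8_t *opt = img + rd32(img + 0x3c) + OPT;
    uint32_t delta = new_base - rd32(opt + 0x1c);
    uint32_t dir = rd32(opt + 0x60 + 8 * DIR_RELOC), dsz = rd32(opt + 0x64 + 8 * DIR_RELOC);
    if (delta == 0) return 0;
    if ((uint64_t)dir + dsz > img_len) return -1;
    int n = 0;
    for (uint32_t off = 0; off + 8 <= dsz; ) {
        uint32_t page = rd32(img + dir + off), blk = rd32(img + dir + off + 4);
        if (blk < 8 || off + blk > dsz) return -1;
        for (uint32_t e = 8; e + 2 <= blk; e += 2) {
            uint16_t ent = rd16(img + dir + off + e);
            uint32_t target = page + (ent & 0xfff);
            if ((ent >> 12) == 0) continue;                              /* ABSOLUTE: padding */
            if ((ent >> 12) != 3 || (uint64_t)target + 4 > img_len) return -1;   /* HIGHLOW only */
            wr32(img + target, rd32(img + target) + delta);
            n++;
        }
        off += blk;
    }
    return n;
}

/* Protection a loader should apply per section from IMAGE_SCN_MEM_EXECUTE/WRITE,
 * instead of leaving the whole allocation PAGE_EXECUTE_READWRITE. */
static const char *section_protection(uint32_t ch) {
    int x = (ch & 0x20000000u) != 0, w = (ch & 0x80000000u) != 0;
    return x && w ? "RWX" : x ? "RX" : w ? "RW" : "R";
}

int main(void) {
    size_t img_len; uint32_t entry;
    uint8_t *file = build_sample_pe();
    uint8_t *img = map_pe(file, SAMPLE_LEN, &img_len, &entry);
    if (!img) return 1;
    int n = apply_relocations(img, img_len, 0x10000000);   /* pretend the allocation landed here */
    printf("entry RVA 0x%x, %d fixups, mov operand now 0x%08x, .text=%s .reloc=%s\n", entry, n,
           rd32(img + 0x1011), section_protection(rd32(img + 0x40 + OPT + 0xe0 + 36)),
           section_protection(rd32(img + 0x40 + OPT + 0xe0 + 76)));
    free(img); free(file);
    return 0;
}
```

On Windows the same steps map onto the posted code: allocate SizeOfImage, copy headers and sections with the bounds checks above, apply relocations for the delta between the returned address and OptionalHeader.ImageBase, resolve the import directory, VirtualProtect each section to the protection section_protection() reports, and only then start a thread at ImageBase plus AddressOfEntryPoint.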
HostageOfCode Posted March 1, 2021

I doubt it will work this way; you will have to add an exception handler to this thread... I would try TitanEngine: it can statically load a PE image and run it with its own debugger and exception handler.
senuzulme99 Posted March 1, 2021 (Author)

2 hours ago, kao said: "BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable."

I tried putting AddressOfEntryPoint instead of BaseOfCode, but the issue still continues.
senuzulme99 Posted March 1, 2021 (Author)

1 hour ago, HostageOfCode said: "I doubt it will work this way; you will have to add an exception handler to this thread... I would try TitanEngine: it can statically load a PE image and run it with its own debugger and exception handler."

How can I find TitanEngine, and how can I add an exception handler to the thread?
HostageOfCode Posted March 1, 2021

https://github.com/x64dbg/TitanEngine
https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler
senuzulme99 Posted March 1, 2021 (Author)

10 minutes ago, HostageOfCode said: "https://github.com/x64dbg/TitanEngine https://docs.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-addvectoredexceptionhandler"

Thanks for supplying the sources.
senuzulme99 Posted March 1, 2021 (Author)

4 hours ago, kao said: "BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable."

3 hours ago, HostageOfCode said: "I doubt it will work this way; you will have to add an exception handler to this thread... I would try TitanEngine: it can statically load a PE image and run it with its own debugger and exception handler."

I grabbed the exception message. It looks like: