Jump to content

PE Self Injection Not Working


senuzulme99

Recommended Posts

senuzulme99

I'm working on different PE Injection technique. I want inject PE file into virtual memory of current executable. After that, I want execute injected PE file, I wrote inject code but my method is not working. Dos header and NT header parse correct, I write correctly sections and create new thread on the entrypoint of the .text section, but thread not working. What is the problem here?

#include <iostream>
#include <windows.h>

int main()
{
    DWORD* ImageBase;
    void* pImageBase;
    IMAGE_NT_HEADERS* NTHeader;
    IMAGE_DOS_HEADER* DOSHeader;
    IMAGE_NT_HEADERS* mem_NTHeader;
    IMAGE_DOS_HEADER* mem_DOSHeader;
    IMAGE_SECTION_HEADER* SecHeader;
    unsigned char memory_pe[] = { 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, ........} // This is binary of PE file.
    DOSHeader = PIMAGE_DOS_HEADER(memory_pe);
    NTHeader = PIMAGE_NT_HEADERS(DWORD(memory_pe) + DOSHeader->e_lfanew);
    pImageBase = VirtualAlloc(NULL, NTHeader->OptionalHeader.SizeOfImage, 0x3000, PAGE_EXECUTE_READWRITE);
    memcpy(pImageBase, memory_pe, NTHeader->OptionalHeader.SizeOfHeaders);
    for (int i = 0; i < NTHeader->FileHeader.NumberOfSections; i++) {
        SecHeader = (PIMAGE_SECTION_HEADER)(DWORD(memory_pe) + DOSHeader->e_lfanew + 248 + (i * 40));
        memcpy(LPVOID(DWORD(pImageBase) + SecHeader->VirtualAddress), LPVOID(DWORD(memory_pe) + SecHeader->PointerToRawData), SecHeader->SizeOfRawData);
    }
    mem_DOSHeader = PIMAGE_DOS_HEADER(pImageBase);
    mem_NTHeader = PIMAGE_NT_HEADERS(DWORD(pImageBase) + mem_DOSHeader->e_lfanew);
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)(DWORD(pImageBase) + mem_NTHeader->OptionalHeader.BaseOfCode), NULL, 0, NULL);
    return 0;
}

 

Link to comment

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

Edited by kao
Link to comment
HostageOfCode

Doubt it will work this way you will have to add exeption handler to this thread... I would try with titan engine it can statically load pe image and run it with it's own debugger and exception handler.

Link to comment
senuzulme99
2 hours ago, kao said:

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

I tried put AddressOfEntryPoint instead BaseOfCode but, issue still continues. 

Link to comment
senuzulme99
1 hour ago, HostageOfCode said:

Doubt it will work this way you will have to add exeption handler to this thread... I would try with titan engine it can statically load pe image and run it with it's own debugger and exception handler.

How can I find Titan Engine, and how can I add exception handler to thread?

Link to comment
senuzulme99
4 hours ago, kao said:

BaseOfCode is not the correct field, try using AddressOfEntryPoint instead. :)

EDIT: another guess: some anti-malware solution might hate "read+write+execute" memory pages and deny access to them. Try changing memory access rights to "read+execute" after copying your executable.

 

3 hours ago, HostageOfCode said:

Doubt it will work this way you will have to add exeption handler to this thread... I would try with titan engine it can statically load pe image and run it with it's own debugger and exception handler.

I grab exception message. It's look like: 

image.png.178e8d2c711a37b26a0cf5af902f2ff1.png

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...