Valhalla Legends Archive

DLL Injection With ASM

Started by PyroKid, September 13, 2003, 04:32 PM


PyroKid

I'm injecting the following code into my application using WriteProcessBytes and then rerouting WinProc to execute it (and rerouting WinProc back to where it was afterwards, of course). The code is written to the base address plus an offset of 400. Here is the asm code I'm using:

void _declspec(naked) AsmCode(void)
{
   __asm {
    mov   eax, LOADLIBRARY
    mov   ebx, 15h //Offset to dll filename

    push   ebx
    call   eax
    pop   ebx

    int   3h   //Breakpoint
   }
}


Also, here's the code in bytes:

CHAR CodePage[4096] =
{   0xB8, 0x00, 0x00, 0x00, 0x00,   // mov EAX,  Pointer to LoadLibraryA() (DWORD)
   0xBB, 0x15, 0x00, 0x00, 0x00,   // mov EBX,  offset to dllname to inject (DWORD)
   0x53,                     // push EBX
   0xFF, 0xD0,                  // call EAX
   0x5b,                     // pop EBX
   0xcc                     // INT 3h
};


When the code crashes, it breaks on an address that I don't think should be getting called (aim.004019C4). This is the code above as shown in the debugger:

004003FF    008B 4C2404E8        ADD [BYTE DS:EBX+E804244C],CL
00400405    BB 15000000            MOV EBX,15
0040040A    53                            PUSH EBX
0040040B    FFD0                        CALL EAX
0040040D    5B                            POP EBX
0040040E    CC                            INT3


The top line doesn't look like the asm I'm injecting. I think I'm doing all this right: I'm writing the code in an unused spot, appending the dll filename to the end of the code, and my dll offset should be correct. Yet it still crashes. Does anyone have an answer to my question? BTW, don't get mad if I did or said something stupid, I am new to this :)

I'm using AIM for practice  ;)

TheMinistered

#1
Are you writing all the machine code to the target process?  It looks like you aren't writing the first 5 bytes of it...

Are you writing your machine code to a place in the target process that is not being used?  It appears that you aren't...

Try showing us the code where you call WriteProcessMemory, etc.

PyroKid

I am writing it all to a blank spot in the target process. The base address+400 (which is what I'm writing to) is a blank spot.

This is what I'm using to write it:

// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);
      
// Patch in full path+filename to dll
GetCurrentDirectory(255, dllFullName);
strcat(dllFullName, "\\inject.dll");

// Write our DLL file to the end of our code
WriteProcessBYTES(hprocess, PatchAddress+15, dllFullName, strlen(dllFullName)+1);

I agree with you; I think the top line is screwing up, and if you look at the second line I think one of the bytes from the first line carried over to the second. When I used my memory viewer, everything looked just as I wanted it to (before WinProc was intercepted and the injected code was executed).

And as you probably know, Write/ReadProcessBYTES is this:
//////////////////////////////////////////////////////////////////////
// WriteProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepads code
//////////////////////////////////////////////////////////////////////
void WriteProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
   DWORD oldprot,dummy = 0;
   VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
   WriteProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
   VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}

//////////////////////////////////////////////////////////////////////
// ReadProcessBYTES()
// -------------------------------------------------------------------
// Originally mousepads code
//////////////////////////////////////////////////////////////////////
void ReadProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len)
{
   DWORD oldprot, dummy = 0;
   VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot);
   ReadProcessMemory(hProcess, (void*) lpAddress, buf, len, 0);
   VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy);
}

Adron

I don't see where you set the loadlibrary address.

I don't see how 0x15 would point at anything useful.

You seem to have swapped nibbles if you get 8B instead of B8 in the disassembly.

Note that your disassembly is starting at 4003FF instead of 400400.

PyroKid

0x15 should be the offset to the dllname. The line right above it is setting eax to the location of LoadLibrary.

TheMinistered

#5
Well it looks to me like you are patching in AsmCode (which should still work in theory) and not CodePage.

// Patch in our code
WriteProcessBYTES(hprocess, PatchAddress, &AsmCode, 15);


Additionally, 0x15 will not point to anything useful... I am thinking that PatchAddress+0x15 will.  Use GetProcAddress to get LoadLibrary's address.   Then you can write a struct at BaseAddress+??? that contains a pointer to LoadLibrary and the dll location.  etc... etc...

Adron

Quote from: TheMinistered on September 14, 2003, 10:00 AM
Additionally, 0x15 will not point to anything useful... I am thinking that PatchAddress+0x15 will.

Exactly what I was thinking!
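The stub from PyroKid's first post and the two diagnoses above (an unset LoadLibraryA address, and 0x15 used as an absolute address instead of PatchAddress+offset), as an added example that is not code from the thread. The script decodes the 15-byte CodePage stub, repeats the decode starting one byte early the way the debugger listing did (0x4003FF instead of 0x400400), and audits the two immediates. STUB is a copy of the posted bytes; PATCH_ADDR (0x400400) is the base+400 address from the posts; NAME_OFFSET is 15 decimal, the offset the posted WriteProcessBYTES call actually uses for the filename, which is not the same as the 0x15 (21) in the stub. The decoder handles only the handful of opcodes involved (and `00 /r`, which a misaligned read produces), and the bytes the debugger really printed at 0x400400 (8B 4C 24 04 E8) are not the stub's bytes at all, so this reproduces the alignment half of the listing, not the swapped-byte half Adron points at.

```python
"""Decode and audit the 15-byte injection stub discussed in this thread.

Added example, not the poster's code. STUB copies the CodePage bytes from the
thread; PATCH_ADDR and NAME_OFFSET are the values the posts give.
"""
import struct

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]

STUB = bytes([
    0xB8, 0x00, 0x00, 0x00, 0x00,  # mov eax, imm32 (meant to hold LoadLibraryA)
    0xBB, 0x15, 0x00, 0x00, 0x00,  # mov ebx, imm32 (meant to point at the filename)
    0x53,                          # push ebx
    0xFF, 0xD0,                    # call eax
    0x5B,                          # pop ebx
    0xCC,                          # int3
])
PATCH_ADDR = 0x400400   # base address + 400h, per the thread
NAME_OFFSET = 15        # WriteProcessBYTES(..., PatchAddress+15, dllFullName, ...)


def _modrm(code, i):
    """Decode the ModRM byte at code[i] (no SIB). Returns (reg field, r/m text, bytes used)."""
    mod, reg, rm = code[i] >> 6, (code[i] >> 3) & 7, code[i] & 7
    if mod == 3:
        return reg, REGS32[rm], 1
    if rm == 4:
        raise ValueError("SIB addressing is outside this toy decoder")
    if mod == 0:
        if rm == 5:  # disp32, no base register
            return reg, "[0x%x]" % struct.unpack_from("<I", code, i + 1)[0], 5
        return reg, "[%s]" % REGS32[rm], 1
    if mod == 1:
        return reg, "[%s%+#x]" % (REGS32[rm], struct.unpack_from("<b", code, i + 1)[0]), 2
    return reg, "[%s+0x%x]" % (REGS32[rm], struct.unpack_from("<I", code, i + 1)[0]), 5


def decode(code, base):
    """Linear-sweep decode of the opcodes the stub uses. Returns [(address, hex bytes, text)]."""
    listing, i = [], 0
    while i < len(code):
        op = code[i]
        if 0xB8 <= op <= 0xBF:                                   # mov r32, imm32
            imm = struct.unpack_from("<I", code, i + 1)[0]
            n, text = 5, "mov %s, 0x%x" % (REGS32[op - 0xB8], imm)
        elif 0x50 <= op <= 0x57:                                 # push r32
            n, text = 1, "push " + REGS32[op - 0x50]
        elif 0x58 <= op <= 0x5F:                                 # pop r32
            n, text = 1, "pop " + REGS32[op - 0x58]
        elif op == 0xFF and i + 1 < len(code) and (code[i + 1] & 0xF8) == 0xD0:
            n, text = 2, "call " + REGS32[code[i + 1] & 7]      # call r32
        elif op == 0xCC:
            n, text = 1, "int3"
        elif op == 0x00:                                         # add r/m8, r8
            reg, rm_text, used = _modrm(code, i + 1)
            n, text = 1 + used, "add %s, %s" % (rm_text, REGS8[reg])
        else:
            n, text = 1, "db 0x%02x" % op
        listing.append((base + i, code[i:i + n].hex(), text))
        i += n
    return listing


def audit(code, patch_addr, name_offset):
    """Flag the two defects the replies point at: a zero call target, and a
    filename pointer that is an offset rather than an address in the target."""
    findings = []
    target = struct.unpack_from("<I", code, 1)[0]       # imm32 of mov eax
    if target == 0:
        findings.append("mov eax immediate is 0: call eax jumps to address 0")
    name_ptr = struct.unpack_from("<I", code, 6)[0]     # imm32 of mov ebx
    expected = patch_addr + name_offset
    if name_ptr != expected:
        findings.append("mov ebx immediate is 0x%x, but the filename is written at 0x%x"
                        % (name_ptr, expected))
    return findings


if __name__ == "__main__":
    print("decoded from 0x%x (where the stub was written):" % PATCH_ADDR)
    for addr, raw, text in decode(STUB, PATCH_ADDR):
        print("  %08X  %-12s %s" % (addr, raw, text))
    # Starting one byte early (as the debugger listing did) turns "00 B8 00 00 00 00"
    # into one 6-byte junk instruction; the stream resyncs at 0x400405 on mov ebx.
    print("decoded from 0x%x (one byte early, as in the debugger):" % (PATCH_ADDR - 1))
    for addr, raw, text in decode(b"\x00" + STUB, PATCH_ADDR - 1):
        print("  %08X  %-12s %s" % (addr, raw, text))
    for finding in audit(STUB, PATCH_ADDR, NAME_OFFSET):
        print("finding:", finding)
```

Run it as a script and it prints both listings and the two findings. The second listing lands on 00400405 for MOV EBX,15 exactly as the debugger did, which is why the junk first line is an alignment artifact of where the disassembler started and not something the stub itself contains; the audit shows why the stub faults even when read correctly: `call eax` goes to 0, and `push ebx` passes 0x15 rather than a pointer into the target's memory.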

TheMinistered

What is the value of PatchAddress?

Banana fanna fo fanna

[ot]

Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...

iago

Quote from: St0rm.iD on September 14, 2003, 07:43 PM
[ot]

Could someone give me a snippet of injecting a DLL and replacing an API call? I really can't figure it out...

See my question on the asm forum regarding using IX86.dll files.  Adron/somebody else demonstrated how to patch over some api call.

[/ot]
This'll make an interesting test for broken AV:
Quote: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*