
badc0de02



FASM Win32 code injection sample

Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 14th, 2016 ;
;                   Arguments: injector [PID]                      ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Target: 32-bit Windows PE, GUI subsystem - there is no console, so every
; message (including errors) is shown through MessageBoxA.
; 'win32ax.inc' supplies the invoke/cinvoke macros and the import macros used below.
format PE GUI 4.0
include 'win32ax.inc'
entry main_p                            ; process entry point (main_p, defined below)

section '.text' code executable readable

;-----------------------------------------------------------------------
; strlen  --  length of a NUL-terminated byte string
; In:    eax = pointer to the string
; Out:   ecx = number of bytes before the terminator; eax preserved
; Clobb: flags
; NOTE(review): the label and mnemonic are run together ("strlenpush eax")
; here and on every other label line of this listing; this reads like the
; separator between the label and the instruction was lost when the post
; was rendered, not like the code as originally assembled.
;-----------------------------------------------------------------------
strlenpush eax                          ; keep the caller's pointer (restored at .ends)
        xor ecx,ecx                     ; ecx = 0 = running count
        cmp byte [eax],0
        je .ends                        ; empty string: length 0
    .counter:
                inc eax
                inc ecx
                cmp byte [eax],0x00
                jne .counter            ; advance until the terminator
    .ends:
                pop eax
                ret

; exitProgram  --  terminates the process. Both the error path and the
; success path of main_p jump here, so the exit status is 1 in every case
; and a caller cannot distinguish the two outcomes.
; (label fused with 'invoke' - separator lost in the rendered post)
exitPrograminvoke ExitProcess,1

;-----------------------------------------------------------------------
; main_p  --  process entry point.
; Reads the PID from the command line, opens that process, copies the
; 'injcode' stub into it and runs the stub on a new thread there.
; The sequence OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
; WriteProcessMemory -> CreateRemoteThread is the textbook remote-thread
; injection pattern; it is exactly the cross-process API chain that EDR
; telemetry and Sysmon's CreateRemoteThread event are designed to surface.
; Register use: eax = scratch / API results, ecx = scan bound from strlen.
; (label fused with 'call' - separator lost in the rendered post)
;-----------------------------------------------------------------------
main_pcall [GetCommandLineA]            ; eax -> whole command line, program name first
        mov [pidstr],eax                ; stores the POINTER, not the text: pidstr serves as a 4-byte slot here
        call strlen ; ecx = command-line length, bounds the scan below
   .loop1:
             cmp byte [eax],0x20  ;find the first blank: the PID argument follows it
             je main_p.found
             inc eax
             loop .loop1                ; ecx hits 0 -> no blank found -> falls into .error
                                        ; (a zero-length command line would make 'loop' wrap - presumably never returned by GetCommandLineA)
   .error:   ;Error goes here: missing argument, or a failed OpenProcess / VirtualAllocEx / CreateRemoteThread
             invoke MessageBoxA,0,errormsg,0,0
             jmp exitProgram
   .found:
             inc eax                    ; skip the blank; eax -> PID text
             xor ecx,ecx
             cinvoke atoi,eax ; string to integer (cdecl); eax = pid, 0 for non-numeric input

             invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax  ;open our remote process
             cmp eax,0
             je .error                  ; NULL handle: no such PID, or access denied (protected / higher-integrity target)
             mov [phandle],eax          ; never closed - the handle lives until ExitProcess

             ;prepare our code for injection: patch the resolved import addresses into the stub's data fields
             mov eax,[GetModuleHandleA]
             mov [injcode.modh],eax     ; written, but the 32-bit stub never reads .modh

             mov eax,[GetProcAddress]
             mov [injcode.proca],eax    ; written, but the 32-bit stub never reads .proca

             mov edx,[MessageBoxA]
             mov [injcode.msgb],edx     ; the one field the stub uses; assumes MessageBoxA has the same address in the target process
             ;;

             invoke VirtualAllocEx,dword [phandle],0,dword [endsize],MEM_COMMIT,PAGE_READWRITE  ; Allocate memory in remote process
                                        ; NOTE(review): mapped without execute permission although it becomes a thread start address;
                                        ; the 64-bit listing on this page uses a different protection here
             cmp eax,0
             je .error
             mov [pbaddr],eax

             invoke WriteProcessMemory,dword [phandle],dword [pbaddr],injcode,dword [endsize],tmpint ;write it to the process
                                        ; return value is not checked; tmpint receives the byte count
             invoke MessageBoxA,0,pidstr,0,0   ; debug leftover: displays the 4 pointer bytes held in pidstr as text

             invoke CreateRemoteThread,dword [phandle],0,0,dword [pbaddr],0,0,0 ; execute it !
             cmp eax,0
             je .error                  ; the thread handle in eax is otherwise dropped without CloseHandle

             invoke MessageBoxA,0,sucmsg,0,0 ; everything worked: the thread was created (nothing verifies it ran)
             jmp exitProgram ;exit



section '.data' data readable writeable
        ; Payload copied into the target by WriteProcessMemory: a self-contained
        ; stub that must not depend on its load address, followed by the data it
        ; uses. main_p patches the API addresses into the fields before the copy.
        ; Label lines below are fused with their directives (".modhdd 0" = ".modh dd 0");
        ; this looks like lost whitespace in the rendered post.
        injcode:
                call .getdelta ;Get offset from the stack: the classic delta-offset trick
            .getdelta:
                pop ebp                 ; ebp = run-time address of .getdelta
                sub ebp.getdelta ;ebp = delta offset (read as `sub ebp,.getdelta`; the comma is missing in this rendering)

                mov eax, [ebp+.msgb;MessageBox Function - closing ']' missing in this rendering; eax = address patched in by main_p

                lea ecx, [ebp+.datas]   ; ecx -> message text, relocated through ebp
                push 0 ecx ecx 0        ; MessageBoxA(hWnd=0, lpText=ecx, lpCaption=ecx, uType=0)
                call eax
                ret                     ; return to the thread start thunk; ebp was clobbered without being saved
            .modhdd 0                   ; GetModuleHandleA address: patched but never read by this stub
            .msgbdd 0                   ; MessageBoxA address (read above)
            .procadd 0                  ; GetProcAddress address: patched but never read by this stub
            .datasdb "Process injection execute success.",0
        endsizedd endsize-injcode       ; stub size in bytes, passed to VirtualAllocEx and WriteProcessMemory

        tmpintdd 0                      ; lpNumberOfBytesWritten for WriteProcessMemory
        pidstrtimes 30 db 0             ; declared as a 30-byte text buffer but only ever holds the GetCommandLineA pointer
        sucmsgdb "process opened",0
        errormsgdb "Sorry cannot open process.",0    ; shown for every failure, not only OpenProcess
        phandledd 0                     ; handle from OpenProcess
        pbaddrdd 0                      ; remote base address from VirtualAllocEx

section '.import' import data readable writeable
        ; Import table built by the win32ax macros: kernel32 and user32 entries
        ; come from the fasm-supplied API lists, atoi is imported by name from msvcrt.
        ; Defender note: a binary that statically imports OpenProcess, VirtualAllocEx,
        ; WriteProcessMemory and CreateRemoteThread together is a cheap static
        ; indicator for this class of tool.
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'



Description:
Download
Filename: injector.zip
Filesize: 2.21 KB
Downloaded: 702 Time(s)

Post 25 Mar 2016, 08:04
badc0de02



Sample64

Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 20th, 2016 ;
;                   Arguments: injector64 [PID]                    ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Target: 64-bit Windows PE (MS x64 calling convention), GUI subsystem - no
; console, so all output goes through MessageBoxA.
; 'win64ax.inc' supplies the invoke/cinvoke macros and the import macros used below.
format PE64 GUI 4.0
include 'win64ax.inc'
entry main_p                            ; process entry point (main_p, defined below)

section '.text' code executable readable

;-----------------------------------------------------------------------
; strlen  --  length of a NUL-terminated byte string (64-bit variant)
; In:    rax = pointer to the string
; Out:   rcx = number of bytes before the terminator; rax preserved
; Clobb: flags
; NOTE(review): label and mnemonic are fused ("strlenpush rax") here and on
; the other label lines of this listing - apparently lost whitespace in the
; rendered post rather than the code as assembled.
;-----------------------------------------------------------------------
strlenpush rax                          ; keep the caller's pointer (restored at .ends)
        xor rcx,rcx                     ; rcx = 0 = running count
        cmp byte [rax],0
        je .ends                        ; empty string: length 0
    .counter:
                inc rax
                inc rcx
                cmp byte [rax],0x00
                jne .counter            ; advance until the terminator
    .ends:
                pop rax
                ret

; exitProgram  --  terminates the process. Error and success paths both land
; here, so the exit status is 1 either way and cannot be used to tell them apart.
; (label fused with 'invoke' - separator lost in the rendered post)
exitPrograminvoke ExitProcess,1

;-----------------------------------------------------------------------
; msgB  --  MessageBoxA(NULL, text, title, 0)
; In:    rdx = text, r8 = title (already in their MS x64 argument slots)
; Out:   rax = MessageBoxA result
; Clobb: rcx, r9 and the callee's volatile registers
; NOTE(review): no 32-byte shadow space is reserved before the call and
; rsp alignment is inherited from the caller - verify against the MS x64 ABI.
;-----------------------------------------------------------------------
msgB:        ;r8 = title , rdx = text
             mov     r9d,0              ; uType = 0
             mov     rcx,0              ; hWnd = NULL
             call [MessageBoxA]
             ret

;-----------------------------------------------------------------------
; main_p  --  process entry point (64-bit).
; Reads the PID from the command line, opens that process, copies the
; 'injcode' stub into it and starts it on a new thread there.
; OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx -> WriteProcessMemory
; -> CreateRemoteThread is the textbook remote-thread injection chain and
; is exactly what cross-process EDR telemetry and Sysmon's
; CreateRemoteThread event are built to surface.
; Register use: rax = scratch / API results, rcx = scan bound from strlen,
; rdx/r8 = arguments prepared for msgB.
;-----------------------------------------------------------------------
main_p:
        call [GetCommandLineA]          ; rax -> whole command line, program name first
        mov [pidstr],rax                ; stores the POINTER, not the text: pidstr serves as an 8-byte slot here
        call strlen ; rcx = command-line length, bounds the scan below
   .loop1:
             cmp byte [rax],0x20  ;find the first blank: the PID argument follows it
             je main_p.found
             inc rax
             loop .loop1                ; rcx hits 0 -> no blank found -> falls into .error
   .error:   ;Error goes here: missing argument, or a failed OpenProcess / VirtualAllocEx / CreateRemoteThread
             mov rdx,errormsg           ; text
             mov r8,errormsg            ; title (same string)
             call msgB
             jmp exitProgram
   .found:
             inc rax                    ; skip the blank; rax -> PID text
             xor rcx,rcx
             cinvoke atoi,rax ; string to integer; rax = pid, 0 for non-numeric input

             ;invoke GetCurrentProcessId   (disabled: would target this process itself, a self-test aid)
             invoke OpenProcess,PROCESS_ALL_ACCESS,0,rax  ;open our remote process
                                        ; relies on the invoke macro not touching rax while it loads the first two arguments - TODO confirm against win64ax
             cmp rax,0
             je .error                  ; NULL handle: no such PID, or access denied (protected / higher-integrity target)
             mov [phandle],rax          ; never closed - the handle lives until ExitProcess

             ;prepare our code for injection: patch the resolved import addresses into the stub's data fields
             mov rax,[GetModuleHandleA]
             mov [injcode.modh],rax     ; written, but the stub never reads .modh

             mov rax,[GetProcAddress]
             mov [injcode.proca],rax    ; written, but the stub never reads .proca

             mov rdx,[MessageBoxA]
             mov [injcode.msgb],rdx     ; the one field the stub uses; assumes MessageBoxA has the same address in the target process
             ;;

             invoke VirtualAllocEx,qword [phandle],0,qword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE  ; Allocate memory in remote process
                                        ; defender note: an RWX private allocation in a foreign process is a high-signal indicator for memory-scanning EDR
             cmp rax,0
             je .error
             mov [pbaddr],rax

             invoke WriteProcessMemory,qword [phandle],qword [pbaddr],injcode,qword [endsize],tmpint ;write it to the process
                                        ; return value is not checked; tmpint receives the byte count
             ;invoke MessageBoxA,0,pidstr,0,0   (disabled debug display of the pointer bytes in pidstr)

             invoke CreateRemoteThread,qword [phandle],0,0,qword [pbaddr],0,0,0 ; execute it !
             cmp rax,0
             je .error                  ; the thread handle in rax is otherwise dropped without CloseHandle
             mov r8,sucmsg              ; NOTE(review): rdx/r8 are loaded for msgB but no `call msgB` follows,
             mov rdx,sucmsg             ; so the success message is never shown (the 32-bit listing does show it)
             jmp exitProgram ;exit



section '.data' data readable writeable
        ; Payload copied into the target by WriteProcessMemory: a self-contained
        ; stub that must not depend on its load address, followed by the data it
        ; uses. main_p patches the API addresses into the fields before the copy.
        ; Label lines below are fused with their directives (".modhdq 0" = ".modh dq 0");
        ; this looks like lost whitespace in the rendered post.
        injcode:
                call .getdelta ;Get offset from the stack: the classic delta-offset trick
            .getdelta:
                pop rbp                 ; rbp = run-time address of .getdelta; clobbers a callee-saved register without saving it
                sub rbp.getdelta ;rbp = delta offset (read as `sub rbp,.getdelta`; the comma is missing in this rendering)
                sub     rsp,8*5         ; 32 bytes of shadow space for the call plus 8 - presumably to realign rsp to 16 at the call


            .agn:mov rax, [rbp+.msgb;MessageBox Function - closing ']' missing in this rendering; rax = address patched in by main_p
                mov     r9d,0           ; uType = 0
                lea     r8,[rbp+.datas] ; title, relocated through rbp
                lea     rdx,[rbp+.datas]; text (same string)
                mov     rcx,0           ; hWnd = NULL
                call rax
                lea rcx, [rbp+.agn]
                push rcx
                ret                     ; push/ret = jump back to .agn: the stub loops forever, re-showing the box each time it is dismissed, so this thread never exits
            .modhdq 0                   ; GetModuleHandleA address: patched but never read by this stub
            .msgbdq 0                   ; MessageBoxA address (read at .agn)
            .procadq 0                  ; GetProcAddress address: patched but never read by this stub
            .basedeltadq 0              ; unused
            .datasdb "Process injection execute success.",0
        endsizedq endsize-injcode       ; stub size in bytes, passed to VirtualAllocEx and WriteProcessMemory

        tmpintdq 0                      ; lpNumberOfBytesWritten for WriteProcessMemory
        pidstrtimes 30 db 0             ; declared as a 30-byte text buffer but only ever holds the GetCommandLineA pointer
        sucmsgdb "process opened",0     ; loaded into rdx/r8 by main_p but never displayed
        errormsgdb "Sorry cannot open process.",0    ; shown for every failure, not only OpenProcess
        phandledq 0                     ; handle from OpenProcess
        pbaddrdq 0                      ; remote base address from VirtualAllocEx

section '.import' import data readable writeable
        ; Import table built by the win64ax macros: kernel32 and user32 entries
        ; come from the fasm-supplied API lists, atoi is imported by name from msvcrt.
        ; Defender note: a binary that statically imports OpenProcess, VirtualAllocEx,
        ; WriteProcessMemory and CreateRemoteThread together is a cheap static
        ; indicator for this class of tool.
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'

Post 29 Mar 2016, 19:38
typedef



Those techniques are so old man.
Post 09 May 2016, 14:16
revolution

typedef wrote:
Those techniques are so old man.

And ... what? Does old mean it won't work? Please explain what you mean.
Post 09 May 2016, 16:11
typedef




revolution wrote:

typedef wrote:
Those techniques are so old man.

And ... what? Does old mean it won't work? Please explain what you mean.



Yup. I knew it. Smile
Post 09 May 2016, 20:36
revolution

typedef wrote:
Yup. I knew it. Smile

So you don't actually have a point then?
Post 10 May 2016, 01:33
typedef




revolution wrote:

typedef wrote:
Those techniques are so old man.

And ... what? Does old mean it won't work? Please explain what you mean.



There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
Post 10 May 2016, 02:19
revolution

typedef wrote:
There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.

Thanks for the clarification. This scatter brain thought you had some other deeper meaning than what was said. Sorry for the noise.
Post 10 May 2016, 02:27