flat assembler
Message board for the users of flat assembler.

FASM Win32 code injection sample

badc0de02
Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02 March 14th, 2016
;
; Arguments: injector [PID]
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

format PE GUI 4.0
include 'win32ax.inc'

entry main_p

section '.text' code executable readable

; strlen: eax = NUL-terminated string; returns its length in ecx, eax preserved
strlen:
        push    eax
        xor     ecx,ecx
        cmp     byte [eax],0
        je      .ends
.counter:
        inc     eax
        inc     ecx
        cmp     byte [eax],0x00
        jne     .counter
.ends:
        pop     eax
        ret

exitProgram:
        invoke  ExitProcess,1

main_p:
        call    [GetCommandLineA]
        mov     [pidstr],eax            ; keep the command line pointer
        call    strlen                  ; get argument length (ecx)
.loop1:
        cmp     byte [eax],0x20         ; find the next argument: the first space
        je      main_p.found            ; (assumes the injector's own path contains none)
        inc     eax
        loop    .loop1
.error:                                 ; Error goes here
        invoke  MessageBoxA,0,errormsg,0,0
        jmp     exitProgram
.found:
        inc     eax
        xor     ecx,ecx
        cinvoke atoi,eax                ; string to integer
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,eax ; open our remote process (more rights than injection needs)
        cmp     eax,0
        je      .error
        mov     [phandle],eax

        ; prepare our code for injection: load the necessary functions
        mov     eax,[GetModuleHandleA]
        mov     [injcode.modh],eax
        mov     eax,[GetProcAddress]
        mov     [injcode.proca],eax
        mov     edx,[MessageBoxA]       ; valid in the target too, if user32.dll is loaded there
        mov     [injcode.msgb],edx      ; (system DLLs share one base address per boot)

        ; Allocate memory in remote process; it must be executable, CreateRemoteThread starts at pbaddr
        invoke  VirtualAllocEx,dword [phandle],0,dword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE
        cmp     eax,0
        je      .error
        mov     [pbaddr],eax
        invoke  WriteProcessMemory,dword [phandle],dword [pbaddr],injcode,dword [endsize],tmpint ; write it to the process
        invoke  MessageBoxA,0,dword [pidstr],0,0 ; debug: show the command line that was parsed
        invoke  CreateRemoteThread,dword [phandle],0,0,dword [pbaddr],0,0,0 ; execute it !
        cmp     eax,0
        je      .error
        invoke  MessageBoxA,0,sucmsg,0,0 ; everything worked.
        jmp     exitProgram             ; exit

section '.data' data readable writeable

; position-independent payload, copied as-is into the target
injcode:
        call    .getdelta               ; Get offset from stack, this is called the Delta Offset Trick
.getdelta:
        pop     ebp
        sub     ebp,.getdelta           ; ebp = delta offset (remote address - assembled address)
        mov     eax,[ebp+.msgb]         ; MessageBox function
        lea     ecx,[ebp+.datas]
        push    0 ecx ecx 0             ; MessageBoxA(0, text, title, 0)
        call    eax
        ret                             ; thread returns, the host process keeps running
.modh:  dd 0
.msgb:  dd 0
.proca: dd 0
.datas: db "Process injection execute success.",0
endsize: dd endsize-injcode             ; payload size

tmpint:   dd 0
pidstr:   times 30 db 0
sucmsg:   db "process opened",0
errormsg: db "Sorry cannot open process.",0
phandle:  dd 0
pbaddr:   dd 0

section '.import' import data readable writeable

library kernel32,'kernel32.dll',\
        user32,'user32.dll',\
        msvcrt,'msvcrt.dll'

include 'API\USER32.INC'
include 'API\KERNEL32.INC'

import msvcrt,\
       atoi,'atoi'


Attachment: injector.zip (2.21 KB, downloaded 809 times)

Post 25 Mar 2016, 08:04
badc0de02
Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02 March 20th, 2016
;
; Arguments: injector64 [PID]
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

format PE64 GUI 4.0
include 'win64ax.inc'

entry main_p

section '.text' code executable readable

; strlen: rax = NUL-terminated string; returns its length in rcx, rax preserved
strlen:
        push    rax
        xor     rcx,rcx
        cmp     byte [rax],0
        je      .ends
.counter:
        inc     rax
        inc     rcx
        cmp     byte [rax],0x00
        jne     .counter
.ends:
        pop     rax
        ret

exitProgram:
        invoke  ExitProcess,1

; msgB: r8 = title, rdx = text
msgB:
        mov     r9d,0
        mov     rcx,0
        sub     rsp,8*5                 ; shadow space for MessageBoxA, keeps rsp 16-byte aligned
        call    [MessageBoxA]
        add     rsp,8*5
        ret

main_p:
        sub     rsp,8*7                 ; shadow space + 3 stack args (CreateRemoteThread takes 7), rsp stays 16-byte aligned
        call    [GetCommandLineA]
        mov     [pidstr],rax            ; keep the command line pointer
        call    strlen                  ; get argument length (rcx)
.loop1:
        cmp     byte [rax],0x20         ; find the next argument: the first space
        je      main_p.found            ; (assumes the injector's own path contains none)
        inc     rax
        loop    .loop1
.error:                                 ; Error goes here
        mov     rdx,errormsg
        mov     r8,errormsg
        call    msgB
        jmp     exitProgram
.found:
        inc     rax
        xor     rcx,rcx
        cinvoke atoi,rax                ; string to integer
        ;invoke GetCurrentProcessId
        invoke  OpenProcess,PROCESS_ALL_ACCESS,0,rax ; open our remote process (more rights than injection needs)
        cmp     rax,0
        je      .error
        mov     [phandle],rax

        ; prepare our code for injection: load the necessary functions
        mov     rax,[GetModuleHandleA]
        mov     [injcode.modh],rax
        mov     rax,[GetProcAddress]
        mov     [injcode.proca],rax
        mov     rdx,[MessageBoxA]       ; valid in the target too, if user32.dll is loaded there
        mov     [injcode.msgb],rdx      ; (system DLLs share one base address per boot)

        ; Allocate memory in remote process; executable, CreateRemoteThread starts at pbaddr
        invoke  VirtualAllocEx,qword [phandle],0,qword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE
        cmp     rax,0
        je      .error
        mov     [pbaddr],rax
        invoke  WriteProcessMemory,qword [phandle],qword [pbaddr],injcode,qword [endsize],tmpint ; write it to the process
        ;invoke MessageBoxA,0,pidstr,0,0
        invoke  CreateRemoteThread,qword [phandle],0,0,qword [pbaddr],0,0,0 ; execute it !
        cmp     rax,0
        je      .error
        mov     r8,sucmsg
        mov     rdx,sucmsg
        call    msgB                    ; everything worked.
        jmp     exitProgram             ; exit

section '.data' data readable writeable

; position-independent payload, copied as-is into the target
injcode:
        call    .getdelta               ; Get offset from stack, this is called the Delta Offset Trick
.getdelta:
        pop     rbp
        sub     rbp,.getdelta           ; rbp = delta offset (remote address - assembled address)
        sub     rsp,8*5                 ; shadow space for the call below, rsp 16-byte aligned
.agn:
        mov     rax,[rbp+.msgb]         ; MessageBox function
        mov     r9d,0
        lea     r8,[rbp+.datas]
        lea     rdx,[rbp+.datas]
        mov     rcx,0
        call    rax                     ; MessageBoxA(0, text, title, 0)
        lea     rcx,[rbp+.agn]
        push    rcx
        ret                             ; jump back to .agn: the box reappears each time it is dismissed, the thread never returns
.modh:  dq 0
.msgb:  dq 0
.proca: dq 0
.basedelta: dq 0
.datas: db "Process injection execute success.",0
endsize: dq endsize-injcode             ; payload size

tmpint:   dq 0
pidstr:   times 30 db 0
sucmsg:   db "process opened",0
errormsg: db "Sorry cannot open process.",0
phandle:  dq 0
pbaddr:   dq 0

section '.import' import data readable writeable

library kernel32,'kernel32.dll',\
        user32,'user32.dll',\
        msvcrt,'msvcrt.dll'

include 'API\USER32.INC'
include 'API\KERNEL32.INC'

import msvcrt,\
       atoi,'atoi'
Post 29 Mar 2016, 19:38
typedef
Those techniques are so old man.
Post 09 May 2016, 14:16
revolution
When all else fails, read the source
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.
Post 09 May 2016, 16:11
typedef
revolution wrote:
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.


Yup. I knew it. Smile
Post 09 May 2016, 20:36
revolution
typedef wrote:
Yup. I knew it. Smile
So you don't actually have a point then?
Post 10 May 2016, 01:33
typedef
revolution wrote:
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.


There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
Post 10 May 2016, 02:19
revolution
typedef wrote:
There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
Thanks for the clarification. This scatter brain thought you had some other deeper meaning than what was said. Sorry for the noise.
Post 10 May 2016, 02:27
Copyright © 2004-2018, Tomasz Grysztar.

Powered by rwasa.