

okasvi



okasvi 07 Sep 2005, 14:47
Hi, I got some errors with this...
What I'm trying to do is convert my PureBasic code (http://forums.purebasic.com/english/viewtopic.php?t=16676&start=0 <-- this code) to fasm. I have learned a lot from the available tutorials, but for some reason this just doesn't work... (I removed my "fixes", so this won't even compile because of PB_PEEKL and PB_PEEKW.)
This code tries to inject the "procedure" (they are procedures in PB) into notepad.exe... thanks.
Code:
format PE gui 4.0
entry ENTRYPOINT
include 'C:\fasm\include\win32axp.inc'
include 'C:\fasm\include\urlmon.inc'
;-----------------------------------------------------------------------
; Reviewer notes (a defender's reading of the listing). The author reports
; that it does not build; nothing below changes the code.
;
; What the program does, in order:
;   1. CreateProcess starts notepad.exe with dwCreationFlags = 4
;      (CREATE_SUSPENDED), so the child's primary thread does not run yet.
;   2. In the child, the region at this module's own base address is
;      released (MEM_RELEASE) and re-allocated (MEM_COMMIT|MEM_RESERVE)
;      as PAGE_EXECUTE_READWRITE, then this image is copied in with
;      WriteProcessMemory. Reusing the same base is what keeps the absolute
;      addresses in the copy (_S1.._S3, the import slots) valid.
;   3. CreateRemoteThread runs _Procedure0 inside notepad.exe; that
;      routine loads URLMON.DLL and calls URLDownloadToFile with a
;      hard-coded URL and a hard-coded destination path under C:\.
;
; Why it matters to a defender: a suspended child, a cross-process RWX
; allocation, WriteProcessMemory and CreateRemoteThread, followed by
; network egress from notepad.exe, is the textbook injection telemetry.
; Sysmon records the remote thread creation (Event ID 8) and the process
; handle access (Event ID 10); EDR products typically trace the same calls.
; On the mitigation side, Arbitrary Code Guard (the dynamic-code process
; mitigation) refuses writable+executable allocations in a protected
; target, which stops step 2 outright.
;-----------------------------------------------------------------------
; Procedure RemoteThread()
ENTRYPOINT:
  JMP   _EndProcedure0                  ; skip over the thread routine body
; _Procedure0: body of the remote thread (LPTHREAD_START_ROUTINE). It runs
; inside notepad.exe at the same address it has here; its single argument
; is pbModule (see the CreateRemoteThread call below).
; Register roles: the 4-byte local at [esp] = hLibrary; eax/edx are scratch
; for the clear loop.
_Procedure0:
  PUSH   ebx
  PUSH   ecx
  PUSH   ebp
  PUSH   esi
  PUSH   edi
         MOV esi,esp                    ; esi = esp before the local is carved out (not read again below)
  SUB    esp,4                          ; one 4-byte local: hLibrary
  MOV    eax,esp
  MOV    edx,eax
  ADD    edx,4                          ; edx = one past the local, so the loop clears exactly 4 bytes
_ClearLoop0:
  MOV    dword [eax],0
  ADD    eax,4
  CMP    eax,edx
  JNE   _ClearLoop0
; hLibrary.l = LoadLibrary_("URLMON.DLL")
  PUSH   dword _S1
  CALL  [LoadLibrary]
  MOV    dword [esp],eax                ; hLibrary = eax, kept in the local slot
; URLDownloadToFile_(#Null, "http://forums.purebasic.com/english/templates/subSilver/images/logo_phpBB.gif", "c:\logo_phpBB.gif", #Null, #Null)
; stdcall, pushed right-to-left: lpfnCB=0, dwReserved=0, szFileName=_S2, szURL=_S3, pCaller=0
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword _S2
  PUSH   dword _S3
  PUSH   dword 0
  CALL  [URLDownloadToFile]
; EndProcedure
  XOR    eax,eax                        ; thread exit code 0
_EndProcedure1:
  ADD    esp,4                          ; drop the local
  POP    edi
  POP    esi
  POP    ebp
  POP    ecx
  POP    ebx
  RET
; ---- main program (the injector side) ----------------------------------
_EndProcedure0:
; CreateProcess_(0, "notepad.exe", 0, 0, 0, #CREATE_SUSPENDED, 0 , 0, @sinfo.STARTUPINFO, @pinfo.PROCESS_INFORMATION)
; 4 = CREATE_SUSPENDED: the child exists but its primary thread is not running
  PUSH   dword v_pinfo
  PUSH   dword v_sinfo
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword 4
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword _S5
  PUSH   dword 0
  CALL  [CreateProcess]
; dwPID = pinfo\dwProcessId
; v_pinfo is a PROCESS_INFORMATION: +0 hProcess, +4 hThread, +8 dwProcessId
  LEA    ebp,[v_pinfo]
  PUSH   dword [ebp+8]
  POP    dword [v_dwPID]
; hProcess = pinfo\hProcess
  PUSH   dword [ebp]
  POP    dword [v_hProcess]
; dwWritten.l = #Null
  MOV    dword [v_dwWritten],0
; pbModule.l = GetModuleHandle_(0)
; base address of this module; the same address is reused inside the target below
  PUSH   dword 0
  CALL  [GetModuleHandle]
  MOV    dword [v_pbModule],eax
  invoke Sleep,5000                     ; 5000 ms pause (no PureBasic source comment for this line)
; DwSize.l = PeekL(pbmodule+PeekW(pbmodule+$3c)+$50)
; Intended (per the PureBasic line above) to read this module's PE header:
; the word at +0x3C is e_lfanew, and e_lfanew+0x50 is SizeOfImage in a PE32
; optional header. PB_PeekW/PB_PeekL are presumably PureBasic runtime
; helpers; they are not defined in this listing, which is the build error
; the author reports.
  MOV    ebx,dword [v_pbModule]
  MOV    edi,dword [v_pbModule]
  ADD    edi,60
  CALL   PB_PeekW ; <------------CAUSES ERROR...
  ADD    ebx,eax
  ADD    ebx,80
  MOV    eax,[ebx+80]
  CALL   PB_PeekL ;<--------------CAUSES ERROR
  MOV    dword [v_DwSize],eax
; VirtualFreeEx_(hProcess, pbModule, 0, #MEM_RELEASE)
; 32768 = MEM_RELEASE: unmap whatever the child has at this module's base
  PUSH   dword 32768
  PUSH   dword 0
  PUSH   dword [v_pbModule]
  PUSH   dword [v_hProcess]
  CALL  [VirtualFreeEx]
; lpBuffer.l = VirtualAllocEx_(hProcess, pbModule, dwSize, #MEM_COMMIT | #MEM_RESERVE, #PAGE_EXECUTE_READWRITE)
; 12288 = MEM_COMMIT|MEM_RESERVE, 64 = PAGE_EXECUTE_READWRITE. A
; writable+executable region requested at a fixed address in another
; process is the event that ACG-style mitigations and EDR memory rules act on.
  PUSH   dword 64
  PUSH   dword 12288
  PUSH   dword [v_DwSize]
  PUSH   dword [v_pbModule]
  PUSH   dword [v_hProcess]
  CALL  [VirtualAllocEx]
  MOV    dword [v_lpBuffer],eax
; If lpBuffer = #Null
; allocation failed: resume notepad normally and exit
  MOV    ebx,dword [v_lpBuffer]
  CMP    ebx,0
  JNE   _EndIf2
; While ResumeThread_(pinfo\hThread) > 1
; ResumeThread returns the previous suspend count; keep resuming until it is <= 1
; (the same loop is repeated at _While6 and _While9)
_While3:
  LEA    ebp,[v_pinfo]
  PUSH   dword [ebp+4]
  CALL  [ResumeThread]
  MOV    ebx,eax
  CMP    ebx,1
  JLE   _Wend3
; Wend
  JMP   _While3
_Wend3:
; CloseHandle_(hProcess)
  PUSH   dword [v_hProcess]
  CALL  [CloseHandle]
; End
  JMP   _PB_EOP_NoValue
; EndIf
_EndIf2:
; If WriteProcessMemory_(hProcess, lpBuffer, pbModule, dwSize, dwWritten) = 0
; copies DwSize bytes of this image into the region just allocated in the child
  PUSH   dword [v_dwWritten]
  PUSH   dword [v_DwSize]
  PUSH   dword [v_pbModule]
  PUSH   dword [v_lpBuffer]
  PUSH   dword [v_hProcess]
  CALL  [WriteProcessMemory]
  MOV    ebx,eax
  CMP    ebx,0
  JNE   _EndIf5
; While ResumeThread_(pinfo\hThread) > 1
; write failed: resume notepad normally and exit
_While6:
  LEA    ebp,[v_pinfo]
  PUSH   dword [ebp+4]
  CALL  [ResumeThread]
  MOV    ebx,eax
  CMP    ebx,1
  JLE   _Wend6
; Wend
  JMP   _While6
_Wend6:
; CloseHandle_(hProcess)
  PUSH   dword [v_hProcess]
  CALL  [CloseHandle]
; End
  JMP   _PB_EOP_NoValue
; EndIf
_EndIf5:
; hThread.l = CreateRemoteThread_(hProcess, #Null, 0, @RemoteThread(), pbModule, #Null, #Null)
; start routine = the address of _Procedure0 in THIS image; it is meaningful
; in the target only because the copy sits at the same base. lpParameter = pbModule.
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword [v_pbModule]
  LEA    eax,[_Procedure0]              ; address of the thread routine
  PUSH   eax
  PUSH   dword 0
  PUSH   dword 0
  PUSH   dword [v_hProcess]
  CALL  [CreateRemoteThread]
  MOV    dword [v_hThread],eax
; If hThread=#Null
; remote thread creation failed: close the process handle and exit
  MOV    ebx,dword [v_hThread]
  CMP    ebx,0
  JNE   _EndIf8
; CloseHandle_(hProcess)
  PUSH   dword [v_hProcess]
  CALL  [CloseHandle]
; End
  JMP   _PB_EOP_NoValue
; EndIf
_EndIf8:
; While ResumeThread_(pinfo\hThread) > 1
; success path: let notepad's own primary thread run as well
_While9:
  LEA    ebp,[v_pinfo]
  PUSH   dword [ebp+4]
  CALL  [ResumeThread]
  MOV    ebx,eax
  CMP    ebx,1
  JLE   _Wend9
; Wend
  JMP   _While9
_Wend9:
; CloseHandle_(hThread)
  PUSH   dword [v_hThread]
  CALL  [CloseHandle]
; End
  JMP   _PB_EOP_NoValue

; common exit point
_PB_EOP_NoValue:
_PB_EOP:
_PB_EndFunctions:
  RET

section '.idata' import data readable writeable
  library kernel32, 'KERNEL32.DLL'
  library kernel32, 'USER32.DLL'

include 'C:\fasm\include\APIA\KERNEL32.INC'
include 'C:\fasm\include\APIA\USER32.INC'

section '.data' data readable writeable
;
_PB_DataSection:
_PB_DEBUGGER_LineNumber: dd -1
_PB_DEBUGGER_IncludedFiles: dd 0
_PBV_ExecutableType: dd 0
_S1: db "URLMON.DLL",0                  ; loaded by the remote thread
_S2: db "c:\logo_phpBB.gif",0           ; hard-coded destination path written in the target
_S3: db "http://forums.purebasic.com/english/templates/subSilver/images/logo_phpBB.gif",0
_S4: db "c:\notepad.exe",0              ; not referenced anywhere in this listing
_S5: db "notepad.exe",0                 ; lpCommandLine for CreateProcess
v_dwPID rd 1
v_DwSize rd 1                           ; size of this image, copied into the target
v_dwWritten rd 1
v_hProcess rd 1                         ; pinfo.hProcess
v_hThread rd 1                          ; handle returned by CreateRemoteThread
v_lpBuffer rd 1                         ; VirtualAllocEx result in the target
v_pbModule rd 1                         ; this module's base address (GetModuleHandle(0))
v_pinfo rb 16                           ; PROCESS_INFORMATION: hProcess, hThread, dwProcessId, dwThreadId
v_sinfo rb 68      ; STARTUPINFO (68 bytes)

comrade



comrade 07 Sep 2005, 23:58
solution 1: inject.exe a DLL into a running process

solution 2: loader.exe a DLL into a process that has not yet been run

solution 3: patch.exe an executable file so that it loads a DLL before it runs


Description: solution 3: patch.exe oldfile newfile dllname
Filename: patch.rar
Filesize: 12.93 KB

Description: solution 2: loader.exe exefile dllfile
Filename: loader.asm
Filesize: 6.54 KB

Description: solution 1: inject.exe pid dllfile
inject.exe -p *processname.exe dllfile

Filename: inject.asm
Filesize: 7.68 KB


comrade



comrade 07 Sep 2005, 23:59
you might need these include files if you want to recompile the sources:

http://comrade.ownz.com/sources/includes.zip
okasvi



okasvi 08 Sep 2005, 00:54
Thank you. It's 03:54am here, so I'll take a look at those tomorrow morning and hopefully learn something new so I can fix my injection.


Thanks again.

Vasilev Vjacheslav



Vasilev Vjacheslav 08 Sep 2005, 16:00
Use the search feature; I've posted a CreateRemoteThread example.
okasvi



okasvi 09 Sep 2005, 00:30
Vasilev Vjacheslav wrote:
Use the search feature; I've posted a CreateRemoteThread example.


Sad

Before posting I tried searching for "injection" and "injecting" and didn't find anything useful, at least...

Vasilev Vjacheslav



Vasilev Vjacheslav 09 Sep 2005, 16:45