flat assembler
Message board for the users of flat assembler.

Inject process problem
hihelp
Joined: 15 Dec 2011
Posts: 17
Hello everybody.
I want to inject into a process to run my code in there.
But I can't use a DLL or some Windows API functions to inject.
Also, CreateRemoteThread could not be used.

So, the problem is difficult to solve, but it's very funny, isn't it?

I tried to hook some functions, write shellcode to the target process, then modify the function address; although it succeeded, this way is not a good solution.

Who can help me think about how to realize it? Thanks. :)
Post 15 Dec 2011, 20:28
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
DLL proxies. They work all the time, unless the target process checks it (the DLL) before loading (i.e. by way of CRC checksums). But you can still patch it.
Post 15 Dec 2011, 21:57
hihelp
Joined: 15 Dec 2011
Posts: 17
Thanks for typedef's reply.

I've tested a DLL proxy, but it's not ok.
WriteProcessMemory, CreateRemoteThread, DLL proxy: all are not allowed.
Very abnormal condition, :D

Is there any other way?
Post 16 Dec 2011, 06:05
Overflowz
Joined: 03 Sep 2010
Posts: 1046
There is another way called FWB (Firewall Bypass). The idea is something like this:
Code:
1) CreateProcess with the CREATE_SUSPENDED flag.
2) GetThreadContext
3) VirtualProtect
4) UnmapViewOfFile/CreateFileMapping/MapViewOfFile
5) WriteProcessMemory
6) SetThreadContext
7) ResumeThread

If you want to run both (the injected code and the original application), then try to search for "Reflective DLL Injection". It's the best method ever for now :)
Post 16 Dec 2011, 09:04
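Overflowz's list reads as an ordered chain of API calls issued by one process against a freshly created child, and that ordering is exactly what a defender looks for in a process-monitoring trace. The following is an added example, not code from this thread or from any board member: a small Python state machine that reads constructed sandbox-style trace lines (the line format, the PIDs and the API-name sets are assumptions made for this example) and flags a source process that creates a suspended child, modifies the child's memory, sets its thread context and resumes it, while ignoring a suspended create that is simply resumed, as a debugger or installer would do.

```python
"""Detect the suspended-process hollowing chain in an API-call trace.

Added example, not from the forum thread. The trace line format
"<seq> pid=<src> api=<name> target=<child pid> [flags=<flags>]" and the
sample PIDs below are constructed for this demonstration.
"""
import re
from collections import defaultdict

# Constructed sample trace: one full hollowing chain (pid 4100 -> 4212),
# one benign suspended create that is just resumed (pid 5000 -> 5100),
# and one pair that never started with a suspended create (pid 6000).
SAMPLE_TRACE = """\
1 pid=4100 api=CreateProcessW target=4212 flags=CREATE_SUSPENDED
2 pid=4100 api=GetThreadContext target=4212
3 pid=4100 api=NtUnmapViewOfSection target=4212
4 pid=4100 api=VirtualAllocEx target=4212
5 pid=4100 api=WriteProcessMemory target=4212
6 pid=4100 api=SetThreadContext target=4212
7 pid=4100 api=ResumeThread target=4212
8 pid=5000 api=CreateProcessW target=5100 flags=CREATE_SUSPENDED
9 pid=5000 api=ResumeThread target=5100
10 pid=6000 api=WriteProcessMemory target=6100
11 pid=6000 api=SetThreadContext target=6100
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+) pid=(?P<pid>\d+) api=(?P<api>\w+) target=(?P<target>\d+)"
    r"(?: flags=(?P<flags>\S+))?$"
)

# Stages of the chain, in the order they must occur for one (source, child)
# pair. Stage 0 additionally requires the CREATE_SUSPENDED flag. The API
# name sets are an assumption; extend them to match your tracer's naming.
STAGE_APIS = [
    {"CreateProcessW", "CreateProcessA"},                       # 0: suspended create
    {"NtUnmapViewOfSection", "WriteProcessMemory",
     "MapViewOfFile", "MapViewOfFile2"},                        # 1: replace/modify child image
    {"SetThreadContext", "NtSetContextThread"},                 # 2: redirect the entry point
    {"ResumeThread", "NtResumeThread"},                         # 3: start execution
]


def parse_line(line):
    """Parse one trace line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "seq": int(d["seq"]),
        "pid": int(d["pid"]),
        "api": d["api"],
        "target": int(d["target"]),
        "flags": d["flags"] or "",
    }


def find_hollowing(trace_text):
    """Return one alert per (source, child) pair that completes every stage in order."""
    stage = {}                   # (src, child) -> index of the next expected stage
    evidence = defaultdict(list) # (src, child) -> seq numbers of matched calls
    alerts = []
    for line in trace_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # ignore lines the tracer format does not cover
        key = (ev["pid"], ev["target"])
        nxt = stage.get(key, 0)
        if nxt == 0:
            # Only a suspended create opens a chain for this pair.
            if ev["api"] in STAGE_APIS[0] and "CREATE_SUSPENDED" in ev["flags"]:
                stage[key] = 1
                evidence[key] = [ev["seq"]]
            continue
        if ev["api"] in STAGE_APIS[nxt]:
            evidence[key].append(ev["seq"])
            if nxt == len(STAGE_APIS) - 1:
                alerts.append({"source_pid": key[0], "child_pid": key[1],
                               "sequence": list(evidence[key])})
                stage[key] = 0            # reset so a second chain is reported separately
                evidence[key] = []
            else:
                stage[key] = nxt + 1
    return alerts


if __name__ == "__main__":
    for alert in find_hollowing(SAMPLE_TRACE):
        print(f"hollowing chain: pid {alert['source_pid']} -> child {alert['child_pid']}, "
              f"trace seq {alert['sequence']}")
```

The matcher deliberately skips calls that belong to no stage (GetThreadContext, VirtualAllocEx) rather than breaking the chain on them, so the order of the four essential steps is what triggers the alert; the benign pair 5000/5100 never advances past stage 1 because nothing touches the child's memory before the resume.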
hihelp
Joined: 15 Dec 2011
Posts: 17
Thanks for Overflowz's reply.
I'll go and search for 'Reflective DLL Injection'.
The example you said above I have tried, but it is still blocked...
But thanks everybody!
I will continue to find a way!
Post 16 Dec 2011, 14:50
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
hihelp wrote:
    The example you said above I have tried, but it is still blocked...
Make sure you are logged in as an administrator. Many of the interprocess functions will fail for ordinary user accounts.
Post 16 Dec 2011, 15:05
hihelp
Joined: 15 Dec 2011
Posts: 17
Yeah, I mean the antivirus software intercepts it.
Post 16 Dec 2011, 20:19
Overflowz
Joined: 03 Sep 2010
Posts: 1046
hihelp
Reflective DLL Injection is a more advanced technique, thus it is really hard for AVs to detect ;)
Post 16 Dec 2011, 22:04
typedef
Joined: 25 Jul 2010
Posts: 2913
Location: 0x77760000
Ok. The other way is to patch the process's entry point with a jump, or find somewhere like a menu event and patch it with a jump to the LoadLibraryA API; that way the DLL can do the job.
Post 16 Dec 2011, 23:06
hihelp
Joined: 15 Dec 2011
Posts: 17
@Overflowz
I've seen the Reflective DLL Injection article, but it's very hard to read...
Thank you so much!
@typedef
You said to patch the process; I've tried it, ^_^, Thanks
Post 17 Dec 2011, 06:18
Copyright © 1999-2020, Tomasz Grysztar.