
Index > Windows > Why does my code injection not work

badc0de02
I tried it several ways; every time my target program crashes

Code:
; fasm source for a Win32 PE GUI executable; win32ax.inc supplies the
; invoke/cinvoke macros and the API constants used below.
format PE GUI 4.0
include 'win32ax.inc'
entry main_p                            ; execution starts at main_p

section '.text' code executable readable

;-----------------------------------------------------------------------
; strlen: length of a NUL-terminated string.
; In:    eax = pointer to the string
; Out:   ecx = number of bytes before the terminator; eax preserved
; Clobb: flags (ZF set on exit)
;-----------------------------------------------------------------------
strlen: push eax                        ; keep the caller's pointer intact
        xor ecx,ecx                     ; ecx = bytes counted so far
        jmp strlen.test                 ; enter at the test so "" yields 0
    strlen.counter:
                inc eax                 ; advance to the next byte
                inc ecx
    strlen.test:
                cmp byte [eax],0        ; terminator reached?
                jne strlen.counter
                pop eax                 ; restore the pointer; length is in ecx
                ret

; exitProgram: terminates this program with exit code 1. Both the error
; path (main_p.notf) and the success path jump here, so the exit code
; does not distinguish the two outcomes.
exitProgram: invoke ExitProcess,1

;-----------------------------------------------------------------------
; main_p: entry point. Takes the target PID from the command line, then
; runs the cross-process sequence this thread is about:
; OpenProcess -> VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread.
; For readers on the defensive side: that API chain against another
; process is the observable pattern endpoint telemetry keys on when it
; flags injection, independent of what the payload does.
; Register use (as written): eax = scratch / API return value,
; ecx = string length, later the process handle; ebx = remote buffer.
;-----------------------------------------------------------------------
main_p: call [GetCommandLineA]
        mov [pidstr],eax                ; stash the pointer (pidstr is reused as a text buffer below)
        call strlen                     ; ecx = command-line length, eax unchanged
   main_p.loop1:
             cmp byte [eax],0x20        ; look for the first space (argument separator)
             je main_p.found
             inc eax
             loop main_p.loop1
   main_p.notf:
             invoke MessageBoxA,0,errormsg,0,0
             jmp exitProgram
   main_p.found:
             inc eax                    ; eax -> text after the space
             xor ecx,ecx
             cinvoke atoi,eax           ; eax = parsed PID (cdecl call via msvcrt)
             invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax
             cmp eax,0
             je main_p.notf             ; open failed -> error box
             mov [phandle],eax
             mov eax,[GetModuleHandleA] ; copy this image's import-table entries into the payload slots
             mov [injcode.modh],eax
             mov eax,[GetProcAddress]
             mov [injcode.proca],eax
             mov eax,[endsize]          ; eax = payload size in bytes
             mov ecx,[phandle]
             invoke VirtualAllocEx,ecx,0,eax,MEM_COMMIT,PAGE_READWRITE
             cmp eax,0
             je main_p.notf             ; allocation failed -> error box
             mov [pbaddr],eax           ; remote buffer address
             mov eax,[endsize]
             mov ecx,[phandle]
             mov ebx,[pbaddr]
             invoke WriteProcessMemory,ecx,ebx,injcode,eax,tmpint
             invoke GetModuleHandleA,injcode.dlls
             invoke GetProcAddress,eax,injcode.procz
             mov [injcode.msgb],eax     ; resolved in this process, stored in the local copy
             mov eax,[endsize]
             mov ecx,[phandle]
             mov ebx,[pbaddr]
             invoke CreateRemoteThread,ecx,0,0,ebx,0,0,tmpint
             invoke wsprintfA,pidstr,formats,eax   ; note: formats says "size" but eax is the CreateRemoteThread return value
             invoke MessageBoxA,0,pidstr,0,0
             invoke MessageBoxA,0,sucmsg,0,0
             jmp exitProgram



section '.data' data readable writeable
        ; injcode..endsize: the bytes main_p copies into the target process
        ; and starts with CreateRemoteThread. The dd slots and the strings
        ; below are referenced by their absolute addresses inside this image.
        injcode:
                mov eax,[injcode.modh]   ; slot filled by main_p from the import table
                push injcode.dlls
                call eax
                push injcode.procz eax
                mov eax,injcode.proca
                call eax
                ;mov eax,[injcode.msgb]
                push 0 injcode.datas injcode.datas 0
                call eax
                ret
            injcode.modh: dd 0           ; filled by main_p
            injcode.msgb: dd 0           ; filled by main_p; not read by the payload as written
            injcode.proca: dd 0          ; filled by main_p
            injcode.dlls: db "user32.dll",0
            injcode.procz: db "MessageBoxA",0
            injcode.datas: db "Process hook success.",0
        endsize: dd endsize-injcode      ; byte length of the payload including its strings
        tmpint: dd 0                     ; receives bytes-written / thread id out-parameters
        formats: db "size: %d",0
        pidstr: times 30 db 0            ; 30-byte buffer, first used to hold the command-line pointer
        sucmsg: db "process opened",0
        errormsg: db "Sorry cannot open process.",0
        phandle: dd 0                    ; handle from OpenProcess
        pbaddr: dd 0                     ; remote buffer from VirtualAllocEx

section '.import' import data readable writeable
        ; import table: kernel32/user32 through the bundled API include
        ; files, plus atoi from msvcrt (called with cinvoke, cdecl)
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'    
Post 20 Mar 2016, 15:27
revolution
In x86, memory addresses are absolute, so your injected code accesses incorrect locations when copied to another memory address.

You will either need to "relocate" the injected section to match the target address before inserting it, or make the injected code position independent code (PIC).
Post 20 Mar 2016, 15:59
badc0de02
can you send me an example of PIC?
Post 20 Mar 2016, 16:08
badc0de02
thanks for helping anyway
Post 20 Mar 2016, 17:27
revolution
Something like this perhaps:
Code:
;...
        call    .reference          ; pushes the run-time address of .reference
    .reference:
        pop     ebx                 ; ebx = that address, the base for all later references
        mov     eax,[ebx - .reference + .variable1]  ;<--- PIC memory read
                                    ; (assemble-time distance added to the run-time base)
;...
    .variable1:
        dd      0x12345678
;...    
Post 20 Mar 2016, 20:26
badc0de02
ah thanks. I have to recalculate the delta offset; I did that on previous projects.
Post 21 Mar 2016, 06:28