flat assembler
Message board for the users of flat assembler.
Tutorials and Examples > FASM Win32 code injection sample
badc0de02 25 Mar 2016, 08:04
Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02 March 14th, 2016
;
; Arguments: injector [PID]
;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
format PE GUI 4.0
include 'win32ax.inc'
entry main_p

section '.text' code executable readable

; strlen: eax -> NUL-terminated string; returns the length in ecx, eax preserved
strlen:
    push eax
    xor ecx,ecx
    cmp byte [eax],0
    je .ends
.counter:
    inc eax
    inc ecx
    cmp byte [eax],0x00
    jne .counter
.ends:
    pop eax
    ret

exitProgram:
    invoke ExitProcess,1

main_p:
    call [GetCommandLineA]
    call strlen                 ; ecx = command line length, used as the loop counter
.loop1:
    cmp byte [eax],0x20         ; the first space separates the program name from the PID
    je .found                   ; (a quoted program path that contains a space breaks this)
    inc eax
    loop .loop1
.error:                         ; no argument given, or one of the API calls failed
    invoke MessageBoxA,0,errormsg,0,0
    jmp exitProgram
.found:
    inc eax                     ; eax -> PID string
    mov [pidstr],eax            ; keep the pointer so the PID can be shown later
    cinvoke atoi,eax            ; string to integer
    invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax ; open the remote process
    cmp eax,0
    je .error
    mov [phandle],eax

    ; prepare the code for injection: patch the function pointers it needs into
    ; the blob, because the copy in the remote process cannot use our import table
    ; (.modh and .proca are unused by this blob and only kept for extending it)
    mov eax,[GetModuleHandleA]
    mov [injcode.modh],eax
    mov eax,[GetProcAddress]
    mov [injcode.proca],eax
    mov edx,[MessageBoxA]
    mov [injcode.msgb],edx

    ; allocate memory in the remote process; it must be executable: with
    ; PAGE_READWRITE the remote thread faults under DEP as soon as it starts
    invoke VirtualAllocEx,dword [phandle],0,dword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE
    cmp eax,0
    je .error
    mov [pbaddr],eax
    invoke WriteProcessMemory,dword [phandle],dword [pbaddr],injcode,dword [endsize],tmpint ; write it to the process
    cmp eax,0
    je .error
    invoke MessageBoxA,0,dword [pidstr],0,0    ; show the PID we are about to inject into
    invoke CreateRemoteThread,dword [phandle],0,0,dword [pbaddr],0,0,0 ; execute it!
    cmp eax,0
    je .error
    invoke MessageBoxA,0,sucmsg,0,0            ; everything worked
    jmp exitProgram                            ; exit

section '.data' data readable writeable

; position-independent blob that gets copied into the target; the dd slots
; below are filled with import addresses before it is written over
injcode:
    call .getdelta              ; "delta offset" trick: the return address pushed
.getdelta:                      ; by the call is the blob's real location
    pop ebp
    sub ebp,.getdelta           ; ebp = actual address - assembled address
    mov eax,[ebp+.msgb]         ; MessageBoxA pointer
    lea ecx,[ebp+.datas]        ; message text
    push 0 ecx ecx 0            ; uType, lpCaption, lpText, hWnd
    call eax
    ret 4                       ; a thread procedure is stdcall with one argument
.modh:  dd 0
.msgb:  dd 0
.proca: dd 0
.datas: db "Process injection execute success.",0
endsize: dd endsize-injcode     ; size of the blob, from injcode up to here
tmpint:  dd 0                   ; bytes written, filled in by WriteProcessMemory
pidstr:  dd 0                   ; pointer to the PID argument inside the command line
sucmsg:   db "process opened",0
errormsg: db "Sorry cannot open process.",0
phandle:  dd 0
pbaddr:   dd 0

section '.import' import data readable writeable
library kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
include 'API\USER32.INC'
include 'API\KERNEL32.INC'
import msvcrt,atoi,'atoi'
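Added editorial example, not code from the thread and not badc0de02's: the post's injector is visible from the defender's side as two events, a handle to the target opened with PROCESS_ALL_ACCESS (Sysmon Event ID 10, ProcessAccess) followed by a thread started in that target at an address no loaded image backs (Event ID 8, CreateRemoteThread, with an empty StartModule), since VirtualAllocEx hands out anonymous memory. The script below correlates those two events per (source, target) pair within a short window. The log lines are constructed for this example; the field names follow Sysmon's, but the key=value layout and the timing are assumptions made here for parsing.

```python
"""Correlate Sysmon-style ProcessAccess (ID 10) and CreateRemoteThread (ID 8)
events into the OpenProcess -> VirtualAllocEx -> WriteProcessMemory ->
CreateRemoteThread sequence.  Editorial example, not code from the thread."""
import re
from datetime import datetime, timedelta

# Access rights from winnt.h. PROCESS_ALL_ACCESS (0x1FFFFF) is what the post
# requests; the smallest set that still allows the sequence is these three.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Constructed sample log (not real telemetry, layout assumed for this example):
# a query-only access, the injector's sequence, and a remote thread that starts
# at a module-backed address.
SAMPLE_LOG = """\
EventID=10 Time=2020-01-06T09:40:00 SourcePid=4120 TargetPid=1532 GrantedAccess=0x1000 SourceImage=C:\\Windows\\System32\\Taskmgr.exe
EventID=10 Time=2020-01-06T09:41:10 SourcePid=5008 TargetPid=2244 GrantedAccess=0x1FFFFF SourceImage=C:\\Users\\u\\injector.exe
EventID=8 Time=2020-01-06T09:41:11 SourcePid=5008 TargetPid=2244 StartAddress=0x00A30000 StartModule=
EventID=10 Time=2020-01-06T09:42:00 SourcePid=6100 TargetPid=2244 GrantedAccess=0x1FFFFF SourceImage=C:\\Windows\\System32\\svchost.exe
EventID=8 Time=2020-01-06T09:42:01 SourcePid=6100 TargetPid=2244 StartAddress=0x77A1B3C0 StartModule=C:\\Windows\\System32\\ntdll.dll
"""


def rights_allow_injection(granted_access):
    """True when the handle carries every right the sequence needs."""
    return granted_access & INJECT_RIGHTS == INJECT_RIGHTS


def parse_event(line):
    """Parse one key=value line into typed fields."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    event = {
        "id": int(fields["EventID"]),
        "time": datetime.fromisoformat(fields["Time"]),
        "source_pid": int(fields["SourcePid"]),
        "target_pid": int(fields["TargetPid"]),
    }
    if event["id"] == 10:
        event["granted_access"] = int(fields["GrantedAccess"], 16)
        event["source_image"] = fields.get("SourceImage", "")
    elif event["id"] == 8:
        event["start_address"] = int(fields["StartAddress"], 16)
        event["start_module"] = fields.get("StartModule", "")
    return event


def find_injections(log_text, window_seconds=5):
    """One alert per remote thread that follows a handle open with injection
    rights from the same source to the same target within the window and
    starts outside any loaded module (where a VirtualAllocEx'd buffer lives)."""
    opened = {}  # (source_pid, target_pid) -> latest qualifying Event 10
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        key = (ev["source_pid"], ev["target_pid"])
        if ev["id"] == 10:
            if rights_allow_injection(ev["granted_access"]):
                opened[key] = ev
        elif ev["id"] == 8:
            access = opened.get(key)
            if access is None:
                continue
            if ev["time"] - access["time"] > timedelta(seconds=window_seconds):
                continue
            if ev["start_module"]:
                continue  # image-backed start address: not this technique
            alerts.append({
                "source_pid": ev["source_pid"],
                "target_pid": ev["target_pid"],
                "source_image": access["source_image"],
                "granted_access": access["granted_access"],
                "start_address": ev["start_address"],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_injections(SAMPLE_LOG):
        print("remote thread at unbacked address %#010x: pid %d (%s) -> pid %d"
              % (alert["start_address"], alert["source_pid"],
                 alert["source_image"], alert["target_pid"]))
```

Only the injector's pair of events is flagged: the first access asks for a query-only right, and the last thread starts inside ntdll. That last case is also the rule's blind spot; a remote thread whose start address is an exported function in a loaded module (the LoadLibraryA variant of this technique) has a non-empty StartModule and needs a different check.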
typedef 09 May 2016, 14:16
Those techniques are so old, man.
revolution 09 May 2016, 16:11
typedef wrote: Those techniques are so old, man.
typedef 09 May 2016, 20:36
revolution wrote:
Yup. I knew it.
revolution 10 May 2016, 01:33
typedef wrote: Yup. I knew it.
typedef 10 May 2016, 02:19
revolution wrote:
There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
revolution 10 May 2016, 02:27
typedef wrote: There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
swank 06 Jan 2020, 09:43
The x64 version on w10 runs the code but breaks the injected process in the end. Any thoughts on this? Perhaps some new protection?
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.