
Index > Tutorials and Examples > FASM Win32 code injection sample

badc0de02 25 Mar 2016, 08:04
Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 14th, 2016 ;
;                   Arguments: injector [PID]                      ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Syntax: fasm (Intel operand order).  Target: 32-bit Windows PE, GUI subsystem.
; ABI:    Win32 API calls are stdcall through the `invoke` macro from
;         win32ax.inc; the C runtime (atoi) is called cdecl through `cinvoke`.
;         Hand-written routines (strlen) pass values in registers, see their
;         headers.  Data and the injected stub live in '.data'; code in '.text'.
format PE GUI 4.0
include 'win32ax.inc'
entry main_p                    ; program entry point (see main_p below)

section '.text' code executable readable

;-----------------------------------------------------------------------
; strlen - length of a NUL-terminated byte string
; In:    eax = pointer to the string
; Out:   ecx = number of bytes before the terminating NUL
; Keeps: eax (saved and restored on the stack); no other register touched
; Clobb: flags (ZF is set on return)
;-----------------------------------------------------------------------
strlen: push eax                 ; keep the caller's pointer intact
        xor ecx,ecx              ; ecx = bytes counted so far
        jmp .check               ; test the first byte before counting anything
    .step:
                inc ecx          ; one more non-NUL byte
                inc eax          ; advance to the next byte
    .check:
                cmp byte [eax],0
                jne .step        ; keep going until the terminator
                pop eax          ; restore the original pointer
                ret

;-----------------------------------------------------------------------
; exitProgram - terminate the process with exit code 1; never returns.
; Reached from the error path and from the success path alike, so the
; exit code does not tell the two apart.
;-----------------------------------------------------------------------
exitProgram: push 1                  ; uExitCode (stdcall: argument pushed before the call)
             call [ExitProcess]

;-----------------------------------------------------------------------
; main_p - program entry point (32-bit, fasm `invoke`/`cinvoke` macros)
; Reads a PID from the command line, opens that process and starts the
; `injcode` stub inside it with a remote thread.  The OpenProcess ->
; VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence used
; here is the textbook remote-thread injection pattern, and it is exactly
; the API chain that endpoint monitoring commonly watches for.
; Registers: eax = scratch / API results; ecx = byte count from strlen,
;            consumed by `loop`.  Exit code is always 1 (via exitProgram).
; Neither the process handle nor the thread handle is ever closed here.
;-----------------------------------------------------------------------
main_p: call [GetCommandLineA]
        mov [pidstr],eax        ; NOTE(review): stores the 4-byte pointer, not the PID text; the MessageBoxA call on pidstr below shows those raw bytes
        call strlen ; ecx = command-line length; eax still points at its first byte
   .loop1:
             cmp byte [eax],0x20  ;find the next argument: scan for the first space
             je main_p.found
             inc eax
             loop .loop1          ; ecx counts bytes left; no space found -> fall through into .error (NOTE: if strlen returned 0, `loop` would wrap ecx)
   .error:   ;Error goes here
             invoke MessageBoxA,0,errormsg,0,0
             jmp exitProgram
   .found:
             inc eax              ; skip the space: eax = start of the PID text
             xor ecx,ecx          ; not read before the cdecl call below, which may clobber ecx anyway
             cinvoke atoi,eax ; string to integer: eax = PID (atoi yields 0 for non-numeric text)

             invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax  ;open our remote process
             cmp eax,0            ; NULL handle = failure
             je .error
             mov [phandle],eax    ; never closed with CloseHandle in this listing

             ;prepare our code for injection: patch this process's import addresses into the stub's data slots
             ;(the stub only reads .msgb; .modh and .proca are written but never read, see injcode)
             mov eax,[GetModuleHandleA]
             mov [injcode.modh],eax

             mov eax,[GetProcAddress]
             mov [injcode.proca],eax

             mov edx,[MessageBoxA]
             mov [injcode.msgb],edx
             ;;

             invoke VirtualAllocEx,dword [phandle],0,dword [endsize],MEM_COMMIT,PAGE_READWRITE  ; Allocate memory in remote process
             cmp eax,0
             je .error
             mov [pbaddr],eax

             invoke WriteProcessMemory,dword [phandle],dword [pbaddr],injcode,dword [endsize],tmpint ;write it to the process (return value is not checked)
             invoke MessageBoxA,0,pidstr,0,0   ; shows pidstr, which holds a raw pointer rather than a string

             invoke CreateRemoteThread,dword [phandle],0,0,dword [pbaddr],0,0,0 ; execute it ! (the returned thread handle is never closed)
             cmp eax,0
             je .error

             invoke MessageBoxA,0,sucmsg,0,0 ; everything worked.
             jmp exitProgram ;exit



section '.data' data readable writeable
        ;-----------------------------------------------------------------------
        ; injcode - position-independent stub that main_p copies into the target
        ; process and starts with CreateRemoteThread.  It computes its own load
        ; address (the "delta offset" trick), calls MessageBoxA through the
        ; pointer the injector patched into .msgb, and returns so the remote
        ; thread ends.  Everything from injcode up to endsize is copied, data
        ; slots and text included; the slots are filled in by main_p beforehand.
        ;-----------------------------------------------------------------------
        injcode:
                call .getdelta ;pushes the address of .getdelta as it is inside the target
            .getdelta:
                pop ebp        ; ebp = runtime address of .getdelta (NOTE: ebp is callee-saved and is not restored before ret)
                sub ebp, .getdelta ;ebp = delta offset = runtime address - assembly-time address

                mov eax, [ebp+.msgb] ;MessageBoxA pointer, patched in by the injector

                lea ecx, [ebp+.datas]  ; runtime address of the message text
                push 0 ecx ecx 0       ; stdcall, right to left: uType=0, lpCaption=.datas, lpText=.datas, hWnd=0
                call eax
                ret                    ; MessageBoxA popped its own arguments; return to the thread's start routine
            .modh: dd 0    ; GetModuleHandleA address, written by main_p, not read by the stub
            .msgb: dd 0    ; MessageBoxA address, written by main_p
            .proca: dd 0   ; GetProcAddress address, written by main_p, not read by the stub
            .datas: db "Process injection execute success.",0
        endsize: dd endsize-injcode   ; number of bytes to copy (stub code + data slots + text)

        tmpint: dd 0           ; receives WriteProcessMemory's bytes-written count; never read back
        pidstr: times 30 db 0  ; 30-byte buffer; main_p stores the command-line pointer here, not the PID text
        sucmsg: db "process opened",0
        errormsg: db "Sorry cannot open process.",0
        phandle: dd 0          ; process handle from OpenProcess
        pbaddr: dd 0           ; remote address returned by VirtualAllocEx

section '.import' import data readable writeable
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'    


Filename: injector.zip
Filesize: 2.21 KB

badc0de02 29 Mar 2016, 19:38
Code:
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 20th, 2016 ;
;                   Arguments: injector64 [PID]                    ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

; Syntax: fasm (Intel operand order).  Target: 64-bit Windows PE, GUI subsystem.
; ABI:    Microsoft x64 - integer arguments in rcx, rdx, r8, r9, the caller
;         reserves 32 bytes of shadow space, and rsp must be 16-byte aligned
;         at every call.  API calls go through the `invoke`/`cinvoke` macros
;         from win64ax.inc; msgB and strlen are hand-written register-argument
;         routines, see their headers.
format PE64 GUI 4.0
include 'win64ax.inc'
entry main_p                    ; program entry point (see main_p below)

section '.text' code executable readable

;-----------------------------------------------------------------------
; strlen - length of a NUL-terminated byte string
; In:    rax = pointer to the string
; Out:   rcx = number of bytes before the terminating NUL
; Keeps: rax (saved and restored on the stack); no other register touched
; Clobb: flags (ZF is set on return)
;-----------------------------------------------------------------------
strlen: push rax                 ; keep the caller's pointer intact
        xor ecx,ecx              ; writing ecx zeroes all of rcx: count so far = 0
        jmp .check               ; test the first byte before counting anything
    .step:
                inc rcx          ; one more non-NUL byte
                inc rax          ; advance to the next byte
    .check:
                cmp byte [rax],0
                jne .step        ; keep going until the terminator
                pop rax          ; restore the original pointer
                ret

;-----------------------------------------------------------------------
; exitProgram - terminate the process with exit code 1; never returns.
; Reached from the error path and from the success path alike, so the
; exit code does not tell the two apart.
;-----------------------------------------------------------------------
exitProgram: invoke ExitProcess,1

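;-----------------------------------------------------------------------
; msgB - show a message box (Microsoft x64 ABI), hWnd = NULL, uType = 0
; In:    rdx = text, r8 = title (set by the caller)
; Out:   rax = MessageBoxA result
; Clobb: rcx, r9, flags, plus whatever MessageBoxA clobbers (volatile regs)
; Stack: this is a hand-written call, so the routine itself must reserve the
;        32-byte shadow space and have rsp 16-aligned at the `call`.  The
;        original did neither; it happened to work only because its callers
;        entered it with a particular rsp.  Aligning explicitly makes the
;        routine correct regardless of the caller's stack state.
;-----------------------------------------------------------------------
msgB:        ;r8 = title , rdx = text
             push    rbp                 ; keep the callee-saved frame register
             mov     rbp,rsp
             and     rsp,-16             ; 16-byte alignment at the call, whatever the entry state
             sub     rsp,32              ; shadow space every Win64 callee may write into
             xor     r9d,r9d             ; uType = MB_OK
             xor     ecx,ecx             ; hWnd = NULL
             call [MessageBoxA]
             mov     rsp,rbp             ; drop shadow space and alignment padding
             pop     rbp
             ret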

;-----------------------------------------------------------------------
; main_p - program entry point (64-bit, fasm `invoke`/`cinvoke` macros)
; Reads a PID from the command line, opens that process and starts the
; `injcode` stub inside it with a remote thread.  The OpenProcess ->
; VirtualAllocEx -> WriteProcessMemory -> CreateRemoteThread sequence used
; here is the textbook remote-thread injection pattern, and it is exactly
; the API chain that endpoint monitoring commonly watches for.
; Registers: rax = scratch / API results; rcx = byte count from strlen,
;            consumed by `loop`.  Exit code is always 1 (via exitProgram).
; Neither the process handle nor the thread handle is ever closed here.
;-----------------------------------------------------------------------
main_p:
        call [GetCommandLineA]  ; NOTE(review): direct call with no shadow space reserved; the invoke macro presumably handles that for the calls below - confirm in win64ax.inc
        mov [pidstr],rax        ; stores the 8-byte pointer into the 30-byte buffer; the PID text itself is never copied
        call strlen ; rcx = command-line length; rax still points at its first byte
   .loop1:
             cmp byte [rax],0x20  ;find the next argument: scan for the first space
             je main_p.found
             inc rax
             loop .loop1          ; rcx counts bytes left; no space found -> fall through into .error (NOTE: if strlen returned 0, `loop` would wrap rcx)
   .error:   ;Error goes here
             mov rdx,errormsg     ; text
             mov r8,errormsg      ; title (same string)
             call msgB
             jmp exitProgram
   .found:
             inc rax              ; skip the space: rax = start of the PID text
             xor rcx,rcx          ; not read before the call below, which may clobber rcx anyway
             cinvoke atoi,rax ; string to integer: rax = PID (atoi yields 0 for non-numeric text)

             ;invoke GetCurrentProcessId
             invoke OpenProcess,PROCESS_ALL_ACCESS,0,rax  ;open our remote process
             cmp rax,0            ; NULL handle = failure
             je .error
             mov [phandle],rax    ; never closed with CloseHandle in this listing

             ;prepare our code for injection: patch this process's import addresses into the stub's data slots
             ;(the stub only reads .msgb; .modh and .proca are written but never read, see injcode)
             mov rax,[GetModuleHandleA]
             mov [injcode.modh],rax

             mov rax,[GetProcAddress]
             mov [injcode.proca],rax

             mov rdx,[MessageBoxA]
             mov [injcode.msgb],rdx
             ;;

             invoke VirtualAllocEx,qword [phandle],0,qword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE  ; Allocate memory in remote process
             cmp rax,0
             je .error
             mov [pbaddr],rax

             invoke WriteProcessMemory,qword [phandle],qword [pbaddr],injcode,qword [endsize],tmpint ;write it to the process (return value is not checked)
             ;invoke MessageBoxA,0,pidstr,0,0

             invoke CreateRemoteThread,qword [phandle],0,0,qword [pbaddr],0,0,0 ; execute it ! (the returned thread handle is never closed)
             cmp rax,0
             je .error
             mov r8,sucmsg        ; dead stores: nothing calls msgB before exitProgram, so the success message is never shown
             mov rdx,sucmsg
             jmp exitProgram ;exit



section '.data' data readable writeable
        ;-----------------------------------------------------------------------
        ; injcode - position-independent stub that main_p copies into the target
        ; process and starts with CreateRemoteThread.  It computes its own load
        ; address (the "delta offset" trick) and then calls MessageBoxA through
        ; the pointer the injector patched into .msgb.  Unlike the 32-bit
        ; version it never returns: after each MessageBoxA call it jumps back to
        ; .agn, so the remote thread shows the box again and again.
        ; Everything from injcode up to endsize is copied, data slots and text
        ; included; the slots are filled in by main_p beforehand.
        ;-----------------------------------------------------------------------
        injcode:
                call .getdelta ;pushes the address of .getdelta as it is inside the target
            .getdelta:
                pop rbp        ; rbp = runtime address of .getdelta (NOTE: rbp is callee-saved under the Win64 ABI and is never restored)
                sub rbp, .getdelta ;rbp = delta offset = runtime address - assembly-time address
                sub     rsp,8*5    ; presumably 32 bytes of shadow space + 8 for 16-byte alignment at the call - depends on the entry rsp, verify


            .agn:mov rax, [rbp+.msgb] ;MessageBoxA pointer, patched in by the injector
                mov     r9d,0            ; uType = 0
                lea     r8,[rbp+.datas]  ; lpCaption = runtime address of the text
                lea     rdx,[rbp+.datas] ; lpText   = same string
                mov     rcx,0            ; hWnd = NULL
                call rax
                lea rcx, [rbp+.agn]
                push rcx
                ret                      ; push/ret = jump to .agn: loops forever, the stack adjustment above is not repeated
            .modh: dq 0        ; GetModuleHandleA address, written by main_p, not read by the stub
            .msgb: dq 0        ; MessageBoxA address, written by main_p
            .proca: dq 0       ; GetProcAddress address, written by main_p, not read by the stub
            .basedelta: dq 0   ; not referenced anywhere in this listing
            .datas: db "Process injection execute success.",0
        endsize: dq endsize-injcode   ; number of bytes to copy (stub code + data slots + text)

        tmpint: dq 0           ; receives WriteProcessMemory's bytes-written count; never read back
        pidstr: times 30 db 0  ; 30-byte buffer; main_p stores the command-line pointer here, not the PID text
        sucmsg: db "process opened",0
        errormsg: db "Sorry cannot open process.",0
        phandle: dq 0          ; process handle from OpenProcess
        pbaddr: dq 0           ; remote address returned by VirtualAllocEx

section '.import' import data readable writeable
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'    
typedef 09 May 2016, 14:16
Those techniques are so old man.
revolution 09 May 2016, 16:11
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.
typedef 09 May 2016, 20:36
revolution wrote:
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.


Yup. I knew it. Smile
revolution 10 May 2016, 01:33
typedef wrote:
Yup. I knew it. Smile
So you don't actually have a point then?
typedef 10 May 2016, 02:19
revolution wrote:
typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.


There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
revolution 10 May 2016, 02:27
typedef wrote:
There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.
Thanks for the clarification. This scatter brain thought you had some other deeper meaning than what was said. Sorry for the noise.
swank 06 Jan 2020, 09:43
The x64 version on Windows 10 runs the code, but the injected process breaks at the end. Any thoughts on this? Perhaps some new protection?