FASM Win32 code injection sample

Index > Tutorials and Examples > FASM Win32 code injection sample

Author

Thread

badc0de02

Joined: 25 Nov 2013
Posts: 215
Location: %x

badc0de02 25 Mar 2016, 08:04

Code:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 14th, 2016 ;
;                   Arguments: injector [PID]                      ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

format PE GUI 4.0
include 'win32ax.inc'
entry main_p

section '.text' code executable readable

strlen: push eax
        xor ecx,ecx
        cmp byte [eax],0
        je .ends
    .counter:
                inc eax
                inc ecx
                cmp byte [eax],0x00
                jne .counter
    .ends:
                pop eax
                ret

exitProgram: invoke ExitProcess,1

main_p: call [GetCommandLineA]
        mov [pidstr],eax
        call strlen ; get argument lenght
   .loop1:
             cmp byte [eax],0x20  ;find the next argument out
             je main_p.found
             inc eax
             loop .loop1
   .error:   ;Error goes here
             invoke MessageBoxA,0,errormsg,0,0
             jmp exitProgram
   .found:
             inc eax
             xor ecx,ecx
             cinvoke atoi,eax ; string to integer

             invoke OpenProcess,PROCESS_ALL_ACCESS,0,eax  ;open our remote process
             cmp eax,0
             je .error
             mov [phandle],eax

             ;prepare our code for injection load the necesary functions
             mov eax,[GetModuleHandleA]
             mov [injcode.modh],eax

             mov eax,[GetProcAddress]
             mov [injcode.proca],eax

             mov edx,[MessageBoxA]
             mov [injcode.msgb],edx
             ;;

             invoke VirtualAllocEx,dword [phandle],0,dword [endsize],MEM_COMMIT,PAGE_READWRITE  ; Allocate memory in remote process
             cmp eax,0
             je .error
             mov [pbaddr],eax

             invoke WriteProcessMemory,dword [phandle],dword [pbaddr],injcode,dword [endsize],tmpint ;write it to the process
             invoke MessageBoxA,0,pidstr,0,0

             invoke CreateRemoteThread,dword [phandle],0,0,dword [pbaddr],0,0,0 ; execute it !
             cmp eax,0
             je .error

             invoke MessageBoxA,0,sucmsg,0,0 ; everything worked.
             jmp exitProgram ;exit



section '.data' data readable writeable
        injcode:
                call .getdelta ;Get offest from stack this called the Delta Offset Trick
            .getdelta:
                pop ebp
                sub ebp, .getdelta ;ebp = delta offset

                mov eax, [ebp+.msgb] ;MessageBox Function

                lea ecx, [ebp+.datas]
                push 0 ecx ecx 0
                call eax
                ret
            .modh: dd 0
            .msgb: dd 0
            .proca: dd 0
            .datas: db "Process injection execute success.",0
        endsize: dd endsize-injcode

        tmpint: dd 0
        pidstr: times 30 db 0
        sucmsg: db "process opened",0
        errormsg: db "Sorry cannot open process.",0
        phandle: dd 0
        pbaddr: dd 0

section '.import' import data readable writeable
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'

Description:		Download
Filename:	injector.zip
Filesize:	2.21 KB
Downloaded:	2070 Time(s)

25 Mar 2016, 08:04

badc0de02

Joined: 25 Nov 2013
Posts: 215
Location: %x

badc0de02 29 Mar 2016, 19:38

Code:

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Code Injection Sample from badc0de02            March 20th, 2016 ;
;                   Arguments: injector64 [PID]                    ;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

format PE64 GUI 4.0
include 'win64ax.inc'
entry main_p

section '.text' code executable readable

strlen: push rax
        xor rcx,rcx
        cmp byte [rax],0
        je .ends
    .counter:
                inc rax
                inc rcx
                cmp byte [rax],0x00
                jne .counter
    .ends:
                pop rax
                ret

exitProgram: invoke ExitProcess,1

msgB:        ;r8 = title , rdx = text
             mov     r9d,0
             mov     rcx,0
             call [MessageBoxA]
             ret

main_p:
        call [GetCommandLineA]
        mov [pidstr],rax
        call strlen ; get argument lenght
   .loop1:
             cmp byte [rax],0x20  ;find the next argument out
             je main_p.found
             inc rax
             loop .loop1
   .error:   ;Error goes here
             mov rdx,errormsg
             mov r8,errormsg
             call msgB
             jmp exitProgram
   .found:
             inc rax
             xor rcx,rcx
             cinvoke atoi,rax ; string to integer

             ;invoke GetCurrentProcessId
             invoke OpenProcess,PROCESS_ALL_ACCESS,0,rax  ;open our remote process
             cmp rax,0
             je .error
             mov [phandle],rax

             ;prepare our code for injection load the necesary functions
             mov rax,[GetModuleHandleA]
             mov [injcode.modh],rax

             mov rax,[GetProcAddress]
             mov [injcode.proca],rax

             mov rdx,[MessageBoxA]
             mov [injcode.msgb],rdx
             ;;

             invoke VirtualAllocEx,qword [phandle],0,qword [endsize],MEM_COMMIT,PAGE_EXECUTE_READWRITE  ; Allocate memory in remote process
             cmp rax,0
             je .error
             mov [pbaddr],rax

             invoke WriteProcessMemory,qword [phandle],qword [pbaddr],injcode,qword [endsize],tmpint ;write it to the process
             ;invoke MessageBoxA,0,pidstr,0,0

             invoke CreateRemoteThread,qword [phandle],0,0,qword [pbaddr],0,0,0 ; execute it !
             cmp rax,0
             je .error
             mov r8,sucmsg
             mov rdx,sucmsg
             jmp exitProgram ;exit



section '.data' data readable writeable
        injcode:
                call .getdelta ;Get offest from stack this called the Delta Offset Trick
            .getdelta:
                pop rbp
                sub rbp, .getdelta ;rbp = delta offset
                sub     rsp,8*5


            .agn:mov rax, [rbp+.msgb] ;MessageBox Function
                mov     r9d,0
                lea     r8,[rbp+.datas]
                lea     rdx,[rbp+.datas]
                mov     rcx,0
                call rax
                lea rcx, [rbp+.agn]
                push rcx
                ret
            .modh: dq 0
            .msgb: dq 0
            .proca: dq 0
            .basedelta: dq 0
            .datas: db "Process injection execute success.",0
        endsize: dq endsize-injcode

        tmpint: dq 0
        pidstr: times 30 db 0
        sucmsg: db "process opened",0
        errormsg: db "Sorry cannot open process.",0
        phandle: dq 0
        pbaddr: dq 0

section '.import' import data readable writeable
        library  kernel32,'kernel32.dll',user32,'user32.dll',msvcrt,'msvcrt.dll'
        include 'API\USER32.INC'
        include 'API\KERNEL32.INC'
        import msvcrt,atoi,'atoi'

29 Mar 2016, 19:38

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 09 May 2016, 14:16

Those techniques are so old man.

09 May 2016, 14:16

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20577
Location: In your JS exploiting you and your system

revolution 09 May 2016, 16:11

typedef wrote:

Those techniques are so old man.

And ... what? Does old mean it won't work? Please explain what you mean.

09 May 2016, 16:11

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 09 May 2016, 20:36

revolution wrote:

typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.

Yup. I knew it. Smile

09 May 2016, 20:36

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20577
Location: In your JS exploiting you and your system

revolution 10 May 2016, 01:33

typedef wrote:

Yup. I knew it.

So you don't actually have a point then?

10 May 2016, 01:33

typedef

Joined: 25 Jul 2010
Posts: 2909
Location: 0x77760000

typedef 10 May 2016, 02:19

revolution wrote:

typedef wrote:
Those techniques are so old man.
And ... what? Does old mean it won't work? Please explain what you mean.

There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.

10 May 2016, 02:19

revolution
When all else fails, read the source

Joined: 24 Aug 2004
Posts: 20577
Location: In your JS exploiting you and your system

revolution 10 May 2016, 02:27

typedef wrote:

There's nothing to explain. That was as clear as day. I simply said that's an old technique. If you're finding it hard to understand such a simple sentence then I'm sorry.

Thanks for the clarification. This scatter brain thought you had some other deeper meaning than what was said. Sorry for the noise.

10 May 2016, 02:27

swank

Joined: 07 Nov 2018
Posts: 6

swank 06 Jan 2020, 09:43

The x64 version on w10 runs the code but breaks the injected process in the end. Any thoughts on this? Perhaps some new protection?

06 Jan 2020, 09:43

< Last Thread | Next Thread >

Forum Rules:

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum