flat assembler
Message board for the users of flat assembler.

Index > Windows > DLL Injection - Need help translating from MASM32

CFJ0
Joined: 06 Jun 2007
Posts: 9
I would like to inject a DLL into a specified process. I found an example in MASM but I can't translate it.

This is the example, I tried translating it but ended up with crash after crash.
Code:
.386
.model flat, stdcall
option casemap:none
include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.data
szKernel32 byte 'kernel32.dll', 0
szLoadLibrary byte 'LoadLibrary', 0
szTarget byte 'Notepad', 0
szDll byte 'example.dll', 0

.data?
hModule dword ?
hProcess dword ?
dwSize dword ?
dwPid dword ?
dwBytesWritten dword ?
dwTid dword ?

.code
_entrypoint:
invoke FindWindow, addr szTarget, 0
invoke GetWindowThreadProcessId, eax, addr dwPid
invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, dwPid
mov hProcess, eax
invoke VirtualAllocEx, hProcess, 0, sizeof szDll, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE 
mov hModule, eax
invoke WriteProcessMemory, hProcess, hModule, addr szDll, sizeof szDll, addr dwBytesWritten
invoke GetModuleHandle, addr szKernel32
invoke GetProcAddress, eax, addr szLoadLibrary
invoke CreateRemoteThread, hProcess, 0, 0, eax, hModule, 0, addr dwTid
invoke ExitProcess, 0
end _entrypoint    


I was wondering if anyone would be kind enough to translate or show me another example.

This is my code, but it crashes.
Code:
 invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, ProcessEntry.th32ProcessID
 mov    [hProcess], eax
 
 invoke VirtualAllocEx, hProcess, 0, 11, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE 
 mov    [hModule], eax
 
 invoke WriteProcessMemory, hProcess, hModule, szDLLName, sizeof szDLLName, dwBytes
 
 invoke GetModuleHandle, "kernel32.dll"
 invoke GetProcAddress, eax, "LoadLibrary"
 invoke CreateRemoteThread, hProcess, 0, 0, eax, hModule, 0, dwTid    
Post 07 Apr 2008, 18:31
revolution
When all else fails, read the source
Joined: 24 Aug 2004
Posts: 17714
Location: In your JS exploiting you and your system
A few simple changes to just the part you posted. You will have to translate the rest yourself following this suggestion.
Code:
szDll db 'example.dll', 0
sizeof.szDLLName = $ - szDll - 1

invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, [ProcessEntry.th32ProcessID]
 mov    [hProcess], eax
 
 invoke VirtualAllocEx, [hProcess], 0, 11, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE 
 mov    [hModule], eax
 
 invoke WriteProcessMemory, [hProcess], [hModule], szDLLName, sizeof.szDLLName, dwBytes
 
 invoke GetModuleHandle, "kernel32.dll"
 invoke GetProcAddress, eax, "LoadLibrary"     


Last edited by revolution on 08 Apr 2008, 01:32; edited 1 time in total
Post 08 Apr 2008, 00:22
Remy Vincent
Joined: 16 Sep 2005
Posts: 155
Location: France
It is not very funny to have a program working exactly as needed, BUT WITH messages like:
- "no error found :D :D".
- "zero errors found :D :D".
- "Program loaded correctly :D :D".
- "All needed DLLs found :D :D".
- "No debugger needed :D :D".
Post 08 Apr 2008, 01:27
revolution
Remy Vincent wrote:
It is not very funny to have a program working exactly as needed, BUT WITH messages like:
- "no error found :D :D".
- "zero errors found :D :D".
- "Program loaded correctly :D :D".
- "All needed DLLs found :D :D".
- "No debugger needed :D :D".
Where do you see those messages? Is it related to this thread?
Post 08 Apr 2008, 01:33
CFJ0
Thanks for your help.
I just can't get it to work :S
This is what I have:
(szDLLName is "C:\example.dll")
Code:
Inject:   
 invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, ProcessID
 mov    [hProcess], eax
 invoke VirtualAllocEx, [hProcess], 0, sizeof.szDLLName, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE 
 mov    [hModule], eax
 invoke WriteProcessMemory, [hProcess], [hModule], szDLLName, sizeof.szDLLName, dwBytes 
 invoke GetModuleHandle, "kernel32.dll"
 invoke GetProcAddress, eax, "LoadLibrary" 
 invoke CreateRemoteThread, hProcess, 0, 0, eax, hModule, 0, dwThreadID
 invoke MessageBox, 0, "DLL Injected!", ProcessEntry.szExeFile, MB_ICONQUESTION
 invoke Sleep, 1000 
 jmp    Exit    


It injects something, since Kaspersky goes off, but even when I click "Skip" my DLL is not injected :S
Post 08 Apr 2008, 13:59
revolution
CFJ0: You have to make sure you use the square brackets [] correctly. Without the square brackets you are using the address of the variable, with the square brackets you are sending the value of the variable.
Post 08 Apr 2008, 15:26
CFJ0
Thanks, I didn't know that.
Makes a lot more sense now.

Working code:
Code:
Inject:   
 invoke OpenProcess, PROCESS_ALL_ACCESS, FALSE, [ProcessEntry.th32ProcessID]
 mov    [hProcess], eax
 invoke VirtualAllocEx, [hProcess], 0, sizeof.szDLLName, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE 
 mov    [hModule], eax
 invoke WriteProcessMemory, [hProcess], [hModule], szDLLName, sizeof.szDLLName, dwBytes 
 invoke GetModuleHandle, "kernel32.dll"
 invoke GetProcAddress, eax, "LoadLibrary" 
 invoke CreateRemoteThread, [hProcess], 0, 0, eax, [hModule], 0, dwThreadID
 invoke MessageBox, 0, "DLL Injected!", ProcessEntry.szExeFile, MB_ICONQUESTION    


Last edited by CFJ0 on 08 Apr 2008, 15:42; edited 1 time in total
Post 08 Apr 2008, 15:30
revolution
CFJ0 wrote:
So when do I have to use the addresses and when do I have to use the values :S?
You have to check the individual API spec to see what each needs. But generally you would pass values to an API function, and if it returns some data back to the caller (that's you) then you would pass the address of where you want the API to save those data.
Post 08 Apr 2008, 15:37
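The bracket rule revolution states in his two replies above (no brackets: the address of the label; brackets: the value stored there; pass values in, pass addresses for anything the API writes back) is easiest to see on a harmless API. The following stand-alone FASM Win32 program is an added illustration written for this page, not code posted in the thread or taken from fasm's own examples. GetCurrentDirectoryA, MessageBoxA and ExitProcess are real kernel32/user32 exports; the labels szBuf, szTitle and dwLen are names made up for the example.

```asm
; Added example (not from the thread): FASM "address vs value" on a benign API.
; Rule: a bare label is its ADDRESS; [label] is the VALUE stored at that address.
format PE GUI 4.0
entry start

include 'win32a.inc'

section '.data' data readable writeable

  szTitle  db 'address vs value', 0   ; caption string (example data)
  szBuf    rb 260                     ; buffer the API fills in for us
  dwLen    dd ?                       ; where we keep the length the API returns

section '.code' code readable executable

start:
  ; GetCurrentDirectoryA(nBufferLength, lpBuffer)
  ;   260   is a plain value (the buffer size)
  ;   szBuf is the ADDRESS of the buffer, so no brackets: the API writes into it
  invoke GetCurrentDirectory, 260, szBuf

  ; The length comes back in eax; store it INTO dwLen (brackets = the memory cell).
  ; "mov dwLen, eax" would not assemble: without brackets dwLen is just a number.
  mov    [dwLen], eax

  ; The same label read two ways:
  mov    eax, dwLen            ; eax = address of dwLen (a constant fixed at link time)
  mov    ecx, [dwLen]          ; ecx = the length value stored in dwLen

  ; MessageBoxA(hWnd, lpText, lpCaption, uType): the two strings are passed by
  ; address (bare labels); hWnd and uType are values.
  ; Writing [szBuf] here would push the first four characters of the path as if
  ; they were a pointer, which is the kind of mistake that crashed the code above.
  invoke MessageBox, 0, szBuf, szTitle, MB_ICONINFORMATION
  invoke ExitProcess, 0

section '.idata' import data readable writeable

  library kernel32, 'KERNEL32.DLL', \
          user32,   'USER32.DLL'

  import  kernel32, \
          GetCurrentDirectory, 'GetCurrentDirectoryA', \
          ExitProcess,         'ExitProcess'

  import  user32, \
          MessageBox, 'MessageBoxA'
```

Assemble it with fasm (the INCLUDE environment variable must point at fasm's include directory so that win32a.inc is found) and run the resulting executable; the message box shows the current directory, which only works because szBuf was passed as an address and dwLen was written through brackets. The same split applies to every call in the thread: handles such as hProcess are values and go in brackets, while buffers and "bytes written" out-parameters are addresses and go without.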
CFJ0
Thanks a lot, got it semi-working :)
Post 08 Apr 2008, 15:42
Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.