All geek questions in one place

C ++: entering code to call a function

First of all, I do not want to embed a dll. I want to enter code using WriteProcessMemory () (if possible). I already used ReadProcessMemory (), so I think that writing is not so much.
Well, let's say there is a function in TargetProgram.exe + D78C612
and let them say that it can be called like this:

push eax push [esp+08] push edx push 00 push TargetProgram.exe+AF76235 push 04 call TargetProgram.exe+D78C612

How exactly could I accomplish this with WriteProcessMemory ()?
I mean, where can I find a section in which I can enter my code without overwriting important things. And most importantly, how can I name a function? Just put the jump in my code in an active routine, bounce back and delete it later? But how do I find a routine?
So many questions, and I have no idea how to start ... I hope you can help me. :)
And if you have the time, I would really like to see an example of an injection-call-function code.

+6
source share
2 answers

You can use VirtualAllocEx to allocate memory in a remote process, and then copy the procedure to this memory.

Following are the steps to complete the injection:

 SuspendThread(hThread); // Suspend the remote thread remote_address = VirtualAllocEx(hProcess, ...) // allocate memory for your code WriteProcessMemory(hProcess, remote_address, local_address, length, NULL) // copy your code to remote process WriteProcessMemory(hProcess, remote_fixup, ...) // insert a jump to your code ResumeThread(hThread); // Resume the remote thread
+4
source

As mentioned in Max's answer, VirtualAllocEx is one way to allocate memory pages in a remote process if you have PROCESS_VM_OPERATION access to the process in question. You will also want to make sure that new pages are marked PAGE_EXECUTE_READWRITE for their level of protection during recording, and then change it later to PAGE_EXECUTE_READ using VirtualProtectEx .

Note that the branching and some call commands in x86 are IP related. This means that their encodings depend on where they are located in memory, since they use a signed relative offset from the end of the instruction. Therefore, if you plan to call an existing function from your new code, make sure that you take this into account when using the relative call command or use an indirect / immediate form.

However, not knowing exactly what you are trying to execute here, it is difficult to recommend a method to execute your new target code. Using the new code, you can simply enter the remote thread using CreateRemoteThread to execute it without having to interrupt existing threads. This would be the easiest solution to execute new code, but requires that the code you invoke is thread safe. Choosing an already running thread, pausing it, changing the EIP or introducing a detour and resuming it without any side effects (correctly maintaining the context in a nested call) is very difficult to say.

Personal note: as the author of a code coverage tool in Visual Studio 2012 that uses a bunch of tricks to rewrite third-party x86 / x86-64 code on the fly to collect coverage data, this stuff is oh-lot of fun to crack and think :)

+1
source

Source: https://habr.com/ru/post/957078/

More articles:


All Articles