Blizzhackers

Home of the Dupe since 2001


Join us on IRC: #bh@irc.synirc.net (or Mibbit Web IRC)




All times are UTC [ DST ]





[ 68 posts ]  Go to page Previous  1, 2, 3, 4, 5  Next
Post subject:
PostPosted: Wed May 07, 2008 9:17 am
User
Joined: Wed May 07, 2008 8:55 am
Nice tutorial! I learned a lot out of it.
I had a small problem though, the same as obijohn.
The injector would only inject my dll's if I gave it the full paths.
I fixed it by calling GetFullPathName like this:
   
   #include <sys/stat.h>
   #include <windows.h>

   // Make sure the DLL actually sits next to the injector before resolving its path.
   struct stat buf;
   if (stat("BapProxy.dll", &buf) < 0)
   {
      MessageBox(NULL, "BapProxy.dll not found!\nMake sure it's in the same directory as BapProxy.exe.", "BapProxy", MB_ICONERROR);
      return 0;
   }
   // The path string is handed to LoadLibrary inside the *target* process, which
   // resolves a relative name against its own directory and search path, not the
   // injector's; so pass an absolute path.
   char buffer[2048] = "";
   if (GetFullPathName("BapProxy.dll", sizeof(buffer), buffer, NULL) == 0)
   {
      MessageBox(NULL, "GetFullPathName failed.", "BapProxy", MB_ICONERROR);
      return 0;
   }
   InjectDLL(dwPid, buffer);


Again, thank you very much for taking the time to write this tutorial.

PS: Sorry for the bump, but it's stickied anyway.

Post subject:
PostPosted: Tue Aug 05, 2008 4:27 pm
User
Joined: Fri May 20, 2005 7:24 pm
I am getting this error with my injected DLL within the application thread - should I be declaring these methods? What are the default implementations? Why are they being called?

The methods that are being called are FlsAlloc, FlsGetValue, FlsSetValue, and FlsFree. They should have been provided by <WinBase.h> but they seem not to have been.

Any ideas?

DELETEME2_DLL.DLL is my dll which I injected into calc.exe.


Loaded "DELETEME2_DLL.DLL" at address 0x10000000.  Successfully hooked module.
DllMain(0x10000000, DLL_PROCESS_ATTACH, 0x00000000) in "DELETEME2_DLL.DLL" called.
GetProcAddress(0x7C800000 [KERNEL32.DLL], "InitializeCriticalSectionAndSpinCount") called from "DELETEME2_DLL.DLL" at address 0x1001FF47 and returned 0x7C80B829.
GetProcAddress(0x7C800000 [KERNEL32.DLL], "FlsAlloc") called from "DELETEME2_DLL.DLL" at address 0x10013402 and returned NULL. Error: The specified procedure could not be found (127).
GetProcAddress(0x7C800000 [KERNEL32.DLL], "FlsGetValue") called from "DELETEME2_DLL.DLL" at address 0x10013416 and returned NULL. Error: The specified procedure could not be found (127).
GetProcAddress(0x7C800000 [KERNEL32.DLL], "FlsSetValue") called from "DELETEME2_DLL.DLL" at address 0x1001342A and returned NULL. Error: The specified procedure could not be found (127).
GetProcAddress(0x7C800000 [KERNEL32.DLL], "FlsFree") called from "DELETEME2_DLL.DLL" at address 0x1001343E and returned NULL. Error: The specified procedure could not be found (127).


Edit: here's a picture: [image not preserved]


Last edited by Zed03 on Tue Aug 05, 2008 6:38 pm, edited 1 time in total.
Post subject:
PostPosted: Tue Aug 05, 2008 6:36 pm
User
Joined: Fri May 20, 2005 7:24 pm
2nd question...

I have a dll which I injected into a process. The dll is able to access local memory of whatever it is injected to. For example,

char buf[16];                         // itoa needs a caller-supplied buffer
int *time = (int*)0x100579C;          // address inside winmine.exe, read directly from the injected DLL
MessageBox(0, itoa(*time, buf, 10), "The time", 0);

0x100579C is the offset to where Minesweeper keeps track of its time. The MessageBox will print it.

Sticking to the minesweeper example, you can see that winmine.exe imports and exports from dozens of DLLs which provide their functions:

[image not preserved]


So this is where my question comes in,

I know the function name and the offset, but how do I call a function which is exported from another DLL? (for example, I want to call PlaySoundW from WINMM.DLL - what is its return value type? what are the arguments?)

I would assume it would require creating a function declaration, but for that I would need to know the signature... how do I find that out? And after the function declaration I would have to somehow relate it to the pointer, etc...

Edit:

So I fired up IDA pro which shows me all the function definitions nicely.

Let's use

BOOL __stdcall _imp__MoveWindow(HWND hWnd,int X,int Y,int nWidth,int nHeight,BOOL bRepaint)


as an example.

How would I go about calling this function using c/cpp? I assume I can use assembly to pop the arguments onto the stack then CALL the offset where this function lives, but is there a simpler method?

Edit again:

I've successfully managed to call the functions by using

mov eax, <address>
call eax

now I just need to find a way to call them using c code, instead of asm calls :)

Post subject:
PostPosted: Wed Aug 06, 2008 7:28 pm
User
Joined: Fri May 20, 2005 7:24 pm
I did a bit more experimenting, and turns out this pattern works, which is really cool:

typedef UINT (CALLBACK* LPFNDLLFUNC1)(); // signature must match the target's calling convention and arguments
...

LPFNDLLFUNC1 lpfnDllFunc1; //declare a lpfnDLLFunc1
UINT uReturnVal;
...

lpfnDllFunc1 = (LPFNDLLFUNC1)0x1003D1D; //assign to memory address of DoAbout() function in memory
uReturnVal = lpfnDllFunc1(); //call function in memory and get return value

This results in Minesweeper showing its About dialog box.

Now I've noticed from calling a lot of these functions that the application hangs right after the function call. I would assume this is because the thread I am executing these functions under doesn't get killed automatically?

For example, in the DoAbout() case, Minesweeper will display its About box, and after clicking 'ok', control is returned to the Minesweeper main window, but it is hung.

Any hints to whats going wrong?

Post subject:
PostPosted: Tue Aug 19, 2008 5:58 pm
User
Joined: Tue Aug 19, 2008 5:44 pm
Hi folks. Though I know this thread is pretty old, just to try all options, I am posting my query.
Actually I am new to DLL injection and API hooking implementations but have zeal to learn. I wrote a small code but it is failing in CreateRemoteThread. Can anyone help me please?

I think reading my unindented code would be a bit hectic. So I would like to tell you my intention. I have written a DLL called sum.dll. I have written one exe which uses this DLL.
Now I want to write one app, keep a hook in this exe and call a method from sum.dll.
I know that hooking kernel APIs is a nice try as kernel32.dll will be loaded at the same base memory address in all processes. But as I am trying for another DLL, I have called LoadLibrary and GetProcAddress in the exe in which I want to call it.
WriteProcessMemory and ReadProcessMemory APIs are working fine as I could read the data which I have written. But execution of CreateRemoteThread is not working fine. I copy-pasted my code. Please check it.


#include <stdio.h>
#include <string.h>
#include <windows.h>

// The remote thunk reaches kernel32 only through these pointers. They are
// resolved in the injector and reused in the target, which is valid because
// kernel32.dll is mapped at the same base in every process on the systems
// discussed here (no ASLR). dllPath is a narrow string, so the LoadLibrary
// pointer must be LoadLibraryA, not LoadLibraryW as in the first attempt.
typedef FARPROC (__stdcall *PGetProcAddress)(HMODULE, const char*);
typedef HMODULE (__stdcall *PLoadLibraryA)(const char *);
typedef DWORD   (__stdcall *PGetLastError)();
typedef DWORD   (__stdcall *sumfunc)(int, int);

struct data
{
    HMODULE         processHModule;
    PGetProcAddress procGetProcAddress;
    PLoadLibraryA   procLoadLibrary;
    sumfunc         procAddition;
    char            dllPath[512];
    PGetLastError   procGetLastError;
    char            lpFunctionName[256];
    DWORD           result;
    int             param1;
    int             param2;
    DWORD           procLastError1;
    DWORD           procLastError2;
};

// Runs inside the target after its bytes are copied there. Everything it
// touches must arrive through the data block: no globals, no string literals,
// no calls through the injector's own import table (the original called
// GetLastError() directly here, which references an IAT slot that does not
// exist in the target), and no compiler-inserted helper calls. Build it
// without /GZ or /RTC and without incremental linking, otherwise the copied
// bytes contain calls to runtime-check stubs or jump thunks that are only
// valid inside the injector.
static DWORD __stdcall myfunc(struct data *mydata)
{
    mydata->processHModule = (mydata->procLoadLibrary)(mydata->dllPath);
    mydata->procLastError1 = (mydata->procGetLastError)();

    mydata->procAddition = (sumfunc)(mydata->procGetProcAddress)(mydata->processHModule, mydata->lpFunctionName);
    mydata->procLastError2 = (mydata->procGetLastError)();

    if (mydata->procAddition)
        mydata->result = (mydata->procAddition)(mydata->param1, mydata->param2);
    return 0;
}
// Marker placed directly after myfunc so its length can be measured instead
// of blindly copying a whole page past the end of the function. Relies on the
// linker keeping source order; the fallback below copies a page if it did not.
static void myfunc_end(void) {}

// SeDebugPrivilege has to be enabled in the injector's own token, before
// OpenProcess. The original adjusted the *target's* token, which does nothing
// for the injector's access rights.
static BOOL EnableDebugPrivilege(void)
{
    HANDLE hToken;
    TOKEN_PRIVILEGES tp;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;
    if (!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid))
    {
        CloseHandle(hToken);
        return FALSE;
    }
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) && GetLastError() == ERROR_SUCCESS;
    CloseHandle(hToken);
    return ok;
}

int main()
{
    DWORD processID = 516;                 // target PID, hard-coded as in the original
    const SIZE_T SIZE_PAGE = 4096;
    DWORD err;
    int ret;

    EnableDebugPrivilege();
    HANDLE processhandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processID);
    if (!processhandle)
    {
        printf("OpenProcess failed: %lu\n", GetLastError());
        return 1;
    }

    // One executable page for the thunk, one plain page for its parameter block.
    void *func = VirtualAllocEx(processhandle, 0, SIZE_PAGE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    struct data *funcdata = (struct data *)VirtualAllocEx(processhandle, 0, SIZE_PAGE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!func || !funcdata)
    {
        printf("VirtualAllocEx failed: %lu\n", GetLastError());
        return 1;
    }

    SIZE_T funcSize = (SIZE_T)((ULONG_PTR)myfunc_end - (ULONG_PTR)myfunc);
    if (funcSize == 0 || funcSize > SIZE_PAGE)
        funcSize = SIZE_PAGE;              // marker trick failed; copy a page as the original did
    ret = WriteProcessMemory(processhandle, func, (void*)myfunc, funcSize, 0);
    err = GetLastError();

    struct data func_data, ret_func_data;
    memset(&func_data, 0, sizeof(func_data));
    strcpy(func_data.dllPath, "C:\\CpProj\\sumDll\\Debug\\sumDll.dll");
    strcpy(func_data.lpFunctionName, "addition");

    HMODULE hkernel32 = GetModuleHandle("kernel32.dll");
    func_data.procLoadLibrary    = (PLoadLibraryA)GetProcAddress(hkernel32, "LoadLibraryA");
    func_data.procGetProcAddress = (PGetProcAddress)GetProcAddress(hkernel32, "GetProcAddress");
    func_data.procGetLastError   = (PGetLastError)GetProcAddress(hkernel32, "GetLastError");
    func_data.param1 = 10;
    func_data.param2 = 20;

    ret = WriteProcessMemory(processhandle, funcdata, &func_data, sizeof(func_data), 0);
    err = GetLastError();

    DWORD tid;                             // last argument receives the new thread's id
    HANDLE thid = CreateRemoteThread(processhandle, 0, 0, (LPTHREAD_START_ROUTINE)func, funcdata, 0, &tid);
    if (!thid)
    {
        printf("CreateRemoteThread failed: %lu\n", GetLastError());
        return 1;
    }

    DWORD rc = WaitForSingleObject(thid, 5000); // even I tried keeping INFINITE instead of 5 secs.
    err = GetLastError();

    ret = ReadProcessMemory(processhandle, funcdata, &ret_func_data, sizeof(ret_func_data), 0);
    err = GetLastError();
    printf("result=%lu LoadLibrary err=%lu GetProcAddress err=%lu\n",
           ret_func_data.result, ret_func_data.procLastError1, ret_func_data.procLastError2);

    CloseHandle(thid);
    CloseHandle(processhandle);
    return 0;
}

Post subject:
PostPosted: Sat Nov 01, 2008 11:10 am
User
Joined: Sat Nov 01, 2008 10:33 am
To gopikrishnakomanduri

Do you have command line options set?

If you find "/GZ" or "/RTC", you may need to delete them:
[
"/GZ" in the C/C++ Project Options (if your code is compiled by VC++ 6)
"/RTC" in VC 2005 - 2008
]

reference : http://msdn.microsoft.com/en-us/library/hddybs7t(VS.80).aspx

Post subject:
PostPosted: Tue Nov 04, 2008 1:15 am
Banned
Joined: Sat Sep 06, 2008 7:18 am
Location: USA, TX
Edkung wrote:
To gopikrishnakomanduri

Do you have command line options set?

If you find "/GZ" or "/RTC", you may need to delete them:
[
"/GZ" in the C/C++ Project Options (if your code is compiled by VC++ 6)
"/RTC" in VC 2005 - 2008
]

reference : http://msdn.microsoft.com/en-us/library/hddybs7t(VS.80).aspx


This last post was from September? Aside from this and your own.

Post subject:
PostPosted: Thu Dec 11, 2008 6:43 pm
User
Joined: Thu Dec 11, 2008 4:59 pm
Just as a thought, would any of these methods work on services running under the local system account? Would a limited/administrative account make a difference to this? I'd imagine that access to a system process from a user process is at least limited to read only.

Post subject:
PostPosted: Sun Dec 28, 2008 12:09 pm
User
Joined: Wed Oct 15, 2008 4:20 pm
Can somebody please explain why it's loadDLL +1, loadDLL +8 and LoadDLL +13? I think it's the position of the asm cmd but then +13 would be wrong.

Thanks in advance.

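An added example, not the tutorial's own code (the loadDLL stub itself is not reproduced on this page): the +1, +8 and +13 are the offsets of the three 32-bit immediate operands inside the stub, one byte past each opcode. The layout below (push imm32, pushfd, pushad, push imm32, mov eax imm32, call eax, popad, popfd, ret) is assumed; it is the layout that yields exactly those offsets, because push imm32 (68 xx xx xx xx) and mov eax, imm32 (B8 xx xx xx xx) are five bytes each while pushfd and pushad are one byte each. The code decodes the template instruction by instruction, reports where the operands live, and patches them the way an injector would before WriteProcessMemory. The addresses patched in are constructed placeholders, not values from any real process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stub layout (see lead-in). Each 0xDEADBEEF is a placeholder the
   injector overwrites before the stub is written into the code cave. */
static const uint8_t LOADDLL_STUB[] = {
    0x68, 0xEF, 0xBE, 0xAD, 0xDE,  /* +0  push  <return address>     operand at +1  */
    0x9C,                          /* +5  pushfd                                     */
    0x60,                          /* +6  pushad                                     */
    0x68, 0xEF, 0xBE, 0xAD, 0xDE,  /* +7  push  <dll path address>   operand at +8  */
    0xB8, 0xEF, 0xBE, 0xAD, 0xDE,  /* +12 mov   eax, <LoadLibraryA>  operand at +13 */
    0xFF, 0xD0,                    /* +17 call  eax                                  */
    0x61,                          /* +19 popad                                      */
    0x9D,                          /* +20 popfd                                      */
    0xC3,                          /* +21 ret                                        */
};

/* Encoded length of the instruction at p, for the few opcodes the stub uses.
   Anything else returns 0 so the walker stops instead of mis-decoding. */
static size_t stub_insn_len(const uint8_t *p, size_t remaining)
{
    if (remaining == 0) return 0;
    switch (p[0]) {
    case 0x68: case 0xB8:                       /* push imm32, mov eax, imm32 */
        return remaining >= 5 ? 5 : 0;
    case 0x9C: case 0x60: case 0x61: case 0x9D: case 0xC3:
        return 1;                               /* pushfd, pushad, popad, popfd, ret */
    case 0xFF:                                  /* call eax = FF D0 */
        return (remaining >= 2 && p[1] == 0xD0) ? 2 : 0;
    default:
        return 0;
    }
}

/* Walk the stub and record where each 32-bit immediate lives: the byte after
   its opcode. Returns how many operands were found. */
static int stub_operand_offsets(const uint8_t *code, size_t len, size_t *out, int max_out)
{
    int n = 0;
    size_t off = 0;
    while (off < len) {
        size_t l = stub_insn_len(code + off, len - off);
        if (l == 0) break;
        if ((code[off] == 0x68 || code[off] == 0xB8) && n < max_out)
            out[n++] = off + 1;
        off += l;
    }
    return n;
}

/* x86 immediates are little-endian; encode/decode explicitly so the result
   does not depend on the host building this file. */
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Build the bytes an injector would write into the cave: copy the template,
   then patch the placeholders in order (return address, DLL path address,
   LoadLibraryA address). Returns the stub length, or 0 if the template did
   not decode into exactly three operands. */
static size_t build_loaddll_stub(uint8_t *dst, uint32_t ret_addr, uint32_t path_addr, uint32_t loadlib_addr)
{
    size_t offs[3];
    memcpy(dst, LOADDLL_STUB, sizeof LOADDLL_STUB);
    if (stub_operand_offsets(dst, sizeof LOADDLL_STUB, offs, 3) != 3)
        return 0;
    put_le32(dst + offs[0], ret_addr);
    put_le32(dst + offs[1], path_addr);
    put_le32(dst + offs[2], loadlib_addr);
    return sizeof LOADDLL_STUB;
}

int main(void)
{
    size_t offs[3];
    int n = stub_operand_offsets(LOADDLL_STUB, sizeof LOADDLL_STUB, offs, 3);
    for (int i = 0; i < n; i++)
        printf("operand %d at loadDLL+%zu\n", i, offs[i]);
    return 0;
}
```

If the stub is changed (an extra instruction before the second push, say), the operand offsets move with it; deriving them from the encoded bytes rather than hard-coding +1/+8/+13 is what keeps the patch from landing inside an opcode.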
Post subject: Thanks!
PostPosted: Sun Mar 29, 2009 7:23 pm
User
Joined: Sat Mar 28, 2009 1:08 am
Darawk, just wanted to say a big thanks for this post - it cleared up a lot of questions I had and helped to solve my problem. The internet needs more people like you! :)

Post subject:
PostPosted: Fri Apr 10, 2009 8:16 am
User
Joined: Fri Apr 10, 2009 8:13 am
Thank you for your useful information you have given :D


Post subject: The code cave method PROBLEM!!!
PostPosted: Sun May 10, 2009 1:57 pm
User
Joined: Sun May 10, 2009 8:49 am
Hello

First, thanks for a really great tutorial.

1.) I have some problems with the code cave method you described. It's really weird. Sometimes the method DOES WORK, but in most cases it DOES NOT! Speaking more clearly, in most cases when I use your injector I just get the "Only part of a ReadProcessMemory or WriteProcessMemory request was completed" error from the ReadProcessMemory call in GetTargetThreadIdFromWindow.

What do you think the problem might be?


2.) Can you explain to me why we must use this asm code

mov eax, fs:[0x18]
add eax, 36
mov [pTID], eax

in the GetTargetThreadIdFromWindow function, and what it is used for?

Why can't we just take the thread ID returned by GetWindowThreadProcessId?


GREETINGS from Poland :wink:

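An added C example, not part of the thread or of the tutorial's code, that mirrors what those three instructions compute. On 32-bit Windows the fs segment points at the current thread's TEB; fs:[0x18] is NtTib.Self, the TEB's own linear address, and 36 (0x24) is the offset of ClientId.UniqueThread inside the TEB, so the snippet ends up with the address of the current thread's thread-id field. The structs below reproduce the x86 TEB prefix with fixed-width fields so offsetof gives the 32-bit offsets on any host; the TEB image, base address, PID and TID used in the test are constructed, not dumped from a process.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit NT_TIB and the TEB fields that follow it, declared with fixed-width
   members so the layout is the x86 one regardless of the compiler building
   this file. Only the leading fields are needed to reach ClientId. */
typedef struct {
    uint32_t ExceptionList;        /* 0x00 */
    uint32_t StackBase;            /* 0x04 */
    uint32_t StackLimit;           /* 0x08 */
    uint32_t SubSystemTib;         /* 0x0C */
    uint32_t FiberData;            /* 0x10 (union with Version) */
    uint32_t ArbitraryUserPointer; /* 0x14 */
    uint32_t Self;                 /* 0x18 linear address of this TEB: what fs:[0x18] reads */
} NT_TIB32;

typedef struct {
    NT_TIB32 NtTib;                  /* 0x00 .. 0x1B */
    uint32_t EnvironmentPointer;     /* 0x1C */
    uint32_t ClientId_UniqueProcess; /* 0x20 CLIENT_ID.UniqueProcess (PID) */
    uint32_t ClientId_UniqueThread;  /* 0x24 CLIENT_ID.UniqueThread (TID) = 36 decimal */
} TEB32_HEAD;

#define TEB32_SELF_OFFSET          offsetof(NT_TIB32, Self)
#define TEB32_UNIQUE_THREAD_OFFSET offsetof(TEB32_HEAD, ClientId_UniqueThread)

static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* What "mov eax, fs:[0x18]; add eax, 36" leaves in eax: the linear address
   of the running thread's UniqueThread field, computed from the TEB image. */
static uint32_t teb_tid_field_address(const uint8_t *teb_image, size_t len)
{
    if (len < TEB32_SELF_OFFSET + 4) return 0;
    uint32_t self = get_le32(teb_image + TEB32_SELF_OFFSET);
    return self + (uint32_t)TEB32_UNIQUE_THREAD_OFFSET;
}

/* Dereference that address. The pointer lands inside the TEB itself, so
   offline it can be resolved relative to the image base stored in Self. */
static uint32_t teb_read_tid(const uint8_t *teb_image, size_t len)
{
    uint32_t addr = teb_tid_field_address(teb_image, len);
    if (addr == 0) return 0;
    uint32_t rel = addr - get_le32(teb_image + TEB32_SELF_OFFSET);
    if ((size_t)rel + 4 > len) return 0;
    return get_le32(teb_image + rel);
}

/* Constructed TEB image for offline use (not a dump from a real process):
   Self = made-up base 0x7FFDE000, PID 1234, TID 5678. Returns bytes filled. */
static size_t make_sample_teb(uint8_t *img, size_t len)
{
    if (len < sizeof(TEB32_HEAD)) return 0;
    memset(img, 0, len);
    put_le32(img + TEB32_SELF_OFFSET, 0x7FFDE000u);
    put_le32(img + offsetof(TEB32_HEAD, ClientId_UniqueProcess), 1234u);
    put_le32(img + TEB32_UNIQUE_THREAD_OFFSET, 5678u);
    return sizeof(TEB32_HEAD);
}

int main(void)
{
    uint8_t teb[64];
    make_sample_teb(teb, sizeof teb);
    printf("fs:[0x18] + %zu -> 0x%08X, TID %u\n",
           (size_t)TEB32_UNIQUE_THREAD_OFFSET,
           teb_tid_field_address(teb, sizeof teb),
           teb_read_tid(teb, sizeof teb));
    return 0;
}
```

The offsets are the 32-bit ones only; on x64 the TEB lives at gs:[0x30] with 8-byte fields, so the same trick needs different constants there.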
Post subject:
PostPosted: Tue May 12, 2009 3:10 am
User
Joined: Tue May 12, 2009 3:07 am
Mulligun007, I'm not an expert in this field
Anyone can help? :roll:

Post subject:
PostPosted: Fri May 22, 2009 6:45 pm
User
Joined: Fri May 22, 2009 6:31 pm
this is an interesting discussion.. thank you for sharing :)

Post subject:
PostPosted: Fri May 22, 2009 7:13 pm
User
Joined: Fri May 22, 2009 5:41 pm
Location: 127.0.0.1
Excellent Discussion keep up the good work.
