process injection, maybe madshi can answer?

{$IMAGEBASE $13140000}

{ Requires the Windows unit for the PE header types and Win32 API, plus
  EliCZ's RT for xVirtualFreeEx / xVirtualAllocEx / xCreateRemoteThread. }
function InjectExe(Process: LongWord; EntryPoint: Pointer): BOOL;
var
  Module, NewModule: Pointer;
  Size, BytesWritten, TID: LongWord;
begin
  Result := False;
  { Base address of the currently running image (the one to copy). }
  Module := Pointer(GetModuleHandle(nil));
  { SizeOfImage lives in the optional header: e_lfanew + PE signature + file header. }
  Size := PImageOptionalHeader(Pointer(Integer(Module) + PImageDosHeader(Module)^._lfanew +
    SizeOf(DWORD) + SizeOf(TImageFileHeader)))^.SizeOfImage;
  { Free whatever the target has at our image base, then ask for that same address. }
  xVirtualFreeEx(Process, Module, 0, MEM_RELEASE);
  NewModule := xVirtualAllocEx(Process, Module, Size, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE);
  if NewModule = nil then Exit;  { allocation at the requested address failed }
  { Copy the whole image and start a thread at EntryPoint with the image base as parameter. }
  WriteProcessMemory(Process, NewModule, Module, Size, BytesWritten);
  if xCreateRemoteThread(Process, nil, 0, EntryPoint, Module, 0, @TID) <> 0 then Result := True;
end;


The idea is to take the currently running PE image, copy it exactly into another process and create a thread for it. This works perfectly in NT/2K/XP using both the native API and EliCZ's RT, which allows xCreateRemoteThread etc. to work on 95/98/ME.

The result is the PE image running inside another process.

Now, assuming EliCZ's code works perfectly, what would be the reason this doesn't work on 95/98/ME? Does it have something to do with the image base being so high? (my guess)

Let me know what other info you need to understand this better. I don't mind raising the points if anyone can fix it, but I really just want to know why it doesn't work.
1 Solution
In the NT family you can tell Windows at which address you want the memory to be allocated, even if you allocate memory in another process. In the 9x family you (normally) can't even allocate memory in another process at all. Only by using undocumented stuff can you do that in 9x, and in that case you can't specify where exactly it is allocated. Most probably it will be > $80000000. As a result your EntryPoint is not valid anymore. You have to calculate the new entry point. Another problem is that if you copy the DLL image data to another base address, it needs to be relocated. So it's not that easy in 9x. And by the way, even in NT you will run into problems if the specified image base address is already in use in the other process. In that case your code will fail, too.

Regards, Madshi.
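To make the two failure modes in this answer concrete, here is an added example (not code from the question, from Madshi, or from EliCZ's RT) that parses the same PE header fields the Delphi snippet reads, then shows what happens to the entry point when the copy lands somewhere other than the preferred ImageBase. The header bytes are constructed in the script itself, so it runs offline; the image base $13140000 comes from the question, while the entry RVA, SizeOfImage, the .reloc entry and the high 9x address 0x82000000 are assumed values chosen for illustration.

```python
import struct

# PE format constants (winnt.h names).
IMAGE_DOS_SIGNATURE = 0x5A4D               # 'MZ'
IMAGE_NT_SIGNATURE = 0x00004550            # 'PE\0\0'
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
SIZEOF_FILE_HEADER = 20                    # SizeOf(TImageFileHeader) in the Delphi snippet
SIZEOF_OPTIONAL_HEADER32 = 224


def build_sample_image(image_base, entry_rva, size_of_image, relocs_stripped):
    """Constructed, minimal PE32 header (not a real executable): DOS header,
    PE signature, COFF file header and optional header carrying only the
    fields this example reads. A .reloc directory entry is present unless
    relocs_stripped is set."""
    dos = bytearray(64)
    struct.pack_into('<H', dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into('<I', dos, 60, 64)                  # e_lfanew: PE header follows DOS header
    characteristics = IMAGE_FILE_RELOCS_STRIPPED if relocs_stripped else 0
    file_hdr = struct.pack('<HHIIIHH', 0x14C, 0, 0, 0, 0, SIZEOF_OPTIONAL_HEADER32, characteristics)
    opt = bytearray(SIZEOF_OPTIONAL_HEADER32)
    struct.pack_into('<H', opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into('<I', opt, 16, entry_rva)           # AddressOfEntryPoint (RVA)
    struct.pack_into('<I', opt, 28, image_base)          # ImageBase (what {$IMAGEBASE} sets)
    struct.pack_into('<I', opt, 56, size_of_image)       # SizeOfImage
    struct.pack_into('<I', opt, 92, 16)                  # NumberOfRvaAndSizes
    if not relocs_stripped:                              # constructed .reloc RVA / size
        reloc_entry = 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC
        struct.pack_into('<II', opt, reloc_entry, 0x3000, 0x200)
    return bytes(dos) + struct.pack('<I', IMAGE_NT_SIGNATURE) + file_hdr + bytes(opt)


def parse_image_header(image):
    """Read ImageBase, AddressOfEntryPoint, SizeOfImage and relocation info,
    reaching the optional header the same way the Delphi code does:
    e_lfanew + SizeOf(dword) + SizeOf(TImageFileHeader)."""
    if struct.unpack_from('<H', image, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError('no MZ signature')
    e_lfanew = struct.unpack_from('<I', image, 60)[0]
    if struct.unpack_from('<I', image, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError('no PE signature')
    file_hdr = e_lfanew + 4
    characteristics = struct.unpack_from('<H', image, file_hdr + 18)[0]
    opt = file_hdr + SIZEOF_FILE_HEADER
    if struct.unpack_from('<H', image, opt)[0] != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError('only PE32 images handled here')
    entry_rva = struct.unpack_from('<I', image, opt + 16)[0]
    image_base = struct.unpack_from('<I', image, opt + 28)[0]
    size_of_image = struct.unpack_from('<I', image, opt + 56)[0]
    num_dirs = struct.unpack_from('<I', image, opt + 92)[0]
    reloc_size = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_BASERELOC:
        _, reloc_size = struct.unpack_from(
            '<II', image, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    return {
        'image_base': image_base,
        'entry_rva': entry_rva,
        'size_of_image': size_of_image,
        # A copy can only be fixed up if the linker kept .reloc and did not strip it.
        'relocatable': reloc_size > 0 and not (characteristics & IMAGE_FILE_RELOCS_STRIPPED),
    }


def rebase_entry_point(hdr, actual_base):
    """Given where the copy actually landed, report the entry point a thread
    would have to start at and whether the copy is usable at all."""
    delta = actual_base - hdr['image_base']
    return {
        'delta': delta,
        'original_entry': hdr['image_base'] + hdr['entry_rva'],   # what InjectExe passes today
        'new_entry': actual_base + hdr['entry_rva'],              # where that code now sits
        'needs_relocation': delta != 0,
        'usable': delta == 0 or hdr['relocatable'],
    }


if __name__ == '__main__':
    hdr = parse_image_header(build_sample_image(0x13140000, 0x1000, 0x20000, relocs_stripped=False))
    for base in (0x13140000, 0x82000000):   # NT honoured the hint; 9x picked a high address
        r = rebase_entry_point(hdr, base)
        print(f"base {base:#010x}: entry {r['original_entry']:#x} -> {r['new_entry']:#x}, "
              f"delta {r['delta']:#x}, relocation needed: {r['needs_relocation']}, "
              f"usable: {r['usable']}")
```

When the allocation comes back at the preferred base the delta is zero and the original EntryPoint is still right; at any other base the old VA points into unrelated memory, and even a corrected VA is not enough unless the image carries a relocation directory, which is exactly the second problem Madshi raises. The same checks are useful on the defensive side: a memory region whose PE header reports an ImageBase that does not match where it actually sits is a classic sign of a manually copied image.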
OpenSourceDeveloper (Author) commented:
Ahh ok, you are right. If you specify a starting address then xVAE fails on 9x. If you specify nil then it works.

It would be nice if EliCZ had documented that.

Thanks for your brilliance as usual. :)
